Overview

overview

10

Static

static

7

53c46a3f65...6e.apk

android-9-x86

10

53c46a3f65...6e.apk

android-10-x64

10

53c46a3f65...6e.apk

android-11-x64

10

sConsole.html

windows7-x64

1

sConsole.html

windows10-2004-x64

1

Analysis

  • max time kernel
    4265155s
  • max time network
    156s
  • platform
    android_x64
  • resource
    android-x64-20231023.1-en
  • resource tags

    androidarch:x64arch:x86image:android-x64-20231023.1-enlocale:en-usos:android-10-x64system
  • submitted
    23-11-2023 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    53c46a3f650e903192f0b094b3f063a8d3459713d80cfc2f2af5b389c165e76e.apk

  • Size

    4.9MB

  • MD5

    5629475dba989c8d00bfcd62396cab9c

  • SHA1

    c24a5a876affb9e62614a214e0480d11d920e9e5

  • SHA256

    53c46a3f650e903192f0b094b3f063a8d3459713d80cfc2f2af5b389c165e76e

  • SHA512

    25a6b0c9c971941d8e09a888a977048b9bb60b26c440b271c4101b0c6305339ff576294e0e4ebc0d1dac640deb70967528af7c91cf7a95c1d2afd09188fa7995

  • SSDEEP

    98304:RZ+geGajn0awMkSFqN6Dfy/UI+nhtf7QM4FSoD+zLRSMeu/IuFwAKLPND3Pdr1zf:RZ+gWjfnj0Ajy/mt1oYdPIuFwDBD3Vhf

Score
10/10
flubotbankerdiscoveryevasioninfostealerransomwarestealthtrojan

Malware Config

Signatures

  • FluBot

    FluBot is an android banking trojan that uses overlays.

    bankertrojaninfostealerflubot
  • FluBot payload 1 IoCs
  • Makes use of the framework's Accessibility service. 3 IoCs
  • Removes its main activity from the application launcher 1 IoCs
    stealthtrojan
  • Loads dropped Dex/Jar 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Looks up external IP address via web service 9 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Removes a system notification. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
    ransomware

Processes

  • com.qiyi.video
    1⤵
    • Makes use of the framework's Accessibility service.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Removes a system notification.
    • Uses Crypto APIs (Might try to encrypt user data).
    PID:5049

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.qiyi.video/Hgu7gdFghp/ekUefesugG8jgry/tmp-base.apk.IqyttgI151761384110684069.G8y
    Filesize

    926KB

    MD5

    ae3c908e2a57ff0fc9d3b82f5d9787a0

    SHA1

    1e6dfff7b2617d03d9d667999720d91f99153896

    SHA256

    4775ab30db23a37f1c7402e9f43d2ab222dcd6468f549266ae5289757ba0bce6

    SHA512

    ba74eaf029ce14ec984be6babe5127e1cbd5761f1ba3f83f9510678dc1a08295e072ded7cfd83e13778219804dfd16286f75518bdaf7495172b074d7c2d12f53

    Download Submit

  • /data/user/0/com.qiyi.video/Hgu7gdFghp/ekUefesugG8jgry/base.apk.IqyttgI1.G8y
    Filesize

    2.0MB

    MD5

    dd7a0c8ade494523b9f57371533f6f3d

    SHA1

    cd6f7f8a0efbd76286d88207ba820adbf3b6adb3

    SHA256

    c601c0334ba5ebb03111b9d7290a677d094f1b90c6489d541f1845d25074f15f

    SHA512

    1ffd65dcc4eba1b6dd9f78daf6d921da2759844b1e2096716cd0404f11db6d511c8ead4e161ab637aab6ba21b70cd588db2d6c772b2800a400a1abad138ae0a9

    Download Submit