flubot | 78d6dc4d6388e1a92a5543b80c038ac66430c7cab3b877eeb0a834bce5cb7c25

Analysis

max time kernel
2314613s
max time network
158s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
20-12-2023 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78d6dc4d6388e1a92a5543b80c038ac66430c7cab3b877eeb0a834bce5cb7c25.apk
Size

4.8MB
MD5

23d92d04a25f2bfea3d2f147cd79be8e
SHA1

956308322bd9d64e9258986d9c5f64439a2c23a3
SHA256

78d6dc4d6388e1a92a5543b80c038ac66430c7cab3b877eeb0a834bce5cb7c25
SHA512

3dcd00d0eeed37f3a912922146cc867de568545ac721257d405154fb05628793f8fa13f340ece6c70a4dd982e95ba53a8b5a83dd17e98cc17be156a7839c17b2
SSDEEP

98304:y4zbjHHYuxJ8GfFaqFGYrVPl7ybvuGP3IpwK98g8ovvSWWZiW:yq3Yuxy4LGYRdun3IpwoV5qWWL

Score

10^/10

flubot banker evasion infostealer stealth trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot payload 1 IoCs

resource	yara_rule
behavioral1/memory/4265-0.dex	family_flubot

Makes use of the framework's Accessibility service 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.snda.wifilocating
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.snda.wifilocating
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.snda.wifilocating

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4236	com.snda.wifilocating

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.snda.wifilocating/g7fHirjfgj/ggghgg8gTgIrjge/base.apk.8ghjkfs1.geg	4265	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.snda.wifilocating/g7fHirjfgj/ggghgg8gTgIrjge/base.apk.8ghjkfs1.geg --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/com.snda.wifilocating/g7fHirjfgj/ggghgg8gTgIrjge/oat/x86/base.apk.8ghjkfs1.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.snda.wifilocating/g7fHirjfgj/ggghgg8gTgIrjge/base.apk.8ghjkfs1.geg	4236	com.snda.wifilocating

Requests enabling of the accessibility settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.snda.wifilocating

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.snda.wifilocating

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.snda.wifilocating

com.snda.wifilocating
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4236
- /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.snda.wifilocating/g7fHirjfgj/ggghgg8gTgIrjge/base.apk.8ghjkfs1.geg --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/com.snda.wifilocating/g7fHirjfgj/ggghgg8gTgIrjge/oat/x86/base.apk.8ghjkfs1.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4265

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.snda.wifilocating/g7fHirjfgj/ggghgg8gTgIrjge/tmp-base.apk.8ghjkfs4911499899686830301.geg

Filesize
244KB

MD5
5ba70249045ff699b0043cd0104ce366

SHA1
787317edeec33df25737dfff640a901e05813530

SHA256
94c71d2f7a6954eb848bfa85ea4c88b213054b6bbe4347f8f17f88e63a46f96a

SHA512
cc1245e6a108c9a1f441375e3637f964ba7bcf1d85fcc159adc359fadf97cb348785d72a1d631d9c7284107361440aec7d832dd2cd133e0c644c08013b183142

Download Submit
/data/user/0/com.snda.wifilocating/g7fHirjfgj/ggghgg8gTgIrjge/base.apk.8ghjkfs1.geg

Filesize
2.0MB

MD5
88b801e20e638b2477b2afeb558d1f12

SHA1
3899575ed8d71e86a138018551e3517b06b318b6

SHA256
298a2c754226c4c631c718c436be8d352037a85499b754b5a89865b6c40854b6

SHA512
34a5bacb591332049242de85c34aae63f923fe87e4e27de2fb8a92db5a29d5726ade581bb08015ccc8169545484c8a9fc6ccedf104fe581f4b8291d0c8eb10cb

Download Submit