Overview

overview

10

Static

static

6

8c9d734593...45.apk

android-9-x86

10

8c9d734593...45.apk

android-10-x64

10

8c9d734593...45.apk

android-11-x64

10

vk_dex.apk

android-9-x86

vk_dex.apk

android-10-x64

vk_dex.apk

android-11-x64

Analysis

  • max time kernel
    2510912s
  • max time network
    155s
  • platform
    android_x86
  • resource
    android-x86-arm-20231215-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
  • submitted
    20-12-2023 06:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8c9d7345935d46c1602936934b600bb55fa6127cbdefd343ad5ebf03114dbe45.apk

  • Size

    5.5MB

  • MD5

    90960e63a4d5a871f2f5617f6e26c382

  • SHA1

    efe3f8785f17d1add3642a2607ef346ea9bbf962

  • SHA256

    8c9d7345935d46c1602936934b600bb55fa6127cbdefd343ad5ebf03114dbe45

  • SHA512

    b781b2a3882bbf2a86c6759be88a69a9260363f5d47c1da963946bf0d82c86de30edd1ca6b05f861aa4e828f5d0ff0e8a7b71b931ce00f031244b59be1d323bd

  • SSDEEP

    98304:2x2natN0Gwuybg0chHxA/PfECifHyUiCAnBT7rXxrZSFES2PHsQMnZvgnfe3W3S7:2x9735ypcJxA/oLArFSqPHsQMAe3P7

Score
10/10
flubotbankerinfostealertrojan

Malware Config

Signatures

  • FluBot

    FluBot is an android banking trojan that uses overlays.

    bankertrojaninfostealerflubot
  • FluBot payload 1 IoCs
  • Makes use of the framework's Accessibility service 1 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.snda.wifilocating
    1⤵
    • Makes use of the framework's Accessibility service
    • Loads dropped Dex/Jar
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4245
    • /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.snda.wifilocating/hiw4hjvhcd/ejloihYdv8o4fdY/base.apk.ojvrhf81.jnl --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/com.snda.wifilocating/hiw4hjvhcd/ejloihYdv8o4fdY/oat/x86/base.apk.ojvrhf81.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4276

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.snda.wifilocating/hiw4hjvhcd/ejloihYdv8o4fdY/tmp-base.apk.ojvrhf88866155836699721492.jnl
    Filesize

    426KB

    MD5

    2d7d88fa6b2fb6281e1f8e5046c02785

    SHA1

    19d851053e95ac4d60e0dbed0e062e09f3f2b330

    SHA256

    5c3fe1b0a5d506e831c6b0b8eacd16e9c964b8e5af17defc931347e03a29e88b

    SHA512

    f7325df12a80c988a1c8e7000f7cb8e10fe6c1a3c3eac8b7ceae042345b4bf4c5c8c840290886b74bdea48cff7b31f917d7268d80fb14ef1025678bc95fe4c87

    Download Submit

  • /data/user/0/com.snda.wifilocating/hiw4hjvhcd/ejloihYdv8o4fdY/base.apk.ojvrhf81.jnl
    Filesize

    5.1MB

    MD5

    2523224ea72332eda17242335b1d5965

    SHA1

    e469987188975bad5210ea409a72af509aeafd4a

    SHA256

    ac1b9c1381fd71afedf0b8421bc173f9f9b4646233df94ff4f96643f0d75618d

    SHA512

    2947d2f841ab99ed860bce89c92d17f101e1bb62b787554fa7044bf81a807e37930ebed16fcfddb9ecf633e34769576245a770de7eae6254f262dfbc2c206522

    Download Submit