Analysis
max time kernel
2503910s
max time network
159s
platform
android_x64
resource
android-x64-20231215-en
resource tags
android, arch:x64, arch:x86, image:android-x64-20231215-en, locale:en-us, os:android-10-x64, system
submitted
20-12-2023 11:26
Static task
static1
Behavioral task
behavioral1
Sample
aa8a7563fe9255d52e5f4bd1e165c4fa71758acc6d20fd23ec2127137ff93751.apk
Behavioral task
behavioral2
Sample
aa8a7563fe9255d52e5f4bd1e165c4fa71758acc6d20fd23ec2127137ff93751.apk
Resource
android-x64-20231215-en
General
Target
aa8a7563fe9255d52e5f4bd1e165c4fa71758acc6d20fd23ec2127137ff93751.apk
Size
4.8MB
MD5
ff1a568ed2021ff708153e3fff1a8afb
SHA1
652ea29ae5cd4e6b91f6b3678928ac726221e7ea
SHA256
aa8a7563fe9255d52e5f4bd1e165c4fa71758acc6d20fd23ec2127137ff93751
SHA512
ad405cb69b808f934e1613076db5daa5b978fee04fdc3b9eca9c3d238c049260dbb791e47b4f30ccb8e5e72e17215a3a98f68aa2ab0c50985842550e12fecc01
SSDEEP
98304:68F3FGdInEZB7KOqdPval+28JDRpXvMJZJEvtIKMtlRM:nJRE2rdnoL8JvXkJjElgC
Malware Config
Signatures
FluBot
FluBot is an Android banking trojan that uses screen overlays to steal credentials.
FluBot payload 1 IoCs
Processes:
resource | yara_rule
/data/user/0/com.qq.reader/hugdtGr7je/rkUjgI7tgghIfgU/base.apk.8IfGHhg1.uhg | family_flubot
Makes use of the framework's Accessibility service 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
description | ioc | process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.qq.reader
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.qq.reader
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.qq.reader
Processes:
pid | process
5056 | com.qq.reader
Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.
Processes:
ioc | pid | process
/data/user/0/com.qq.reader/hugdtGr7je/rkUjgI7tgghIfgU/base.apk.8IfGHhg1.uhg | 5056 | com.qq.reader
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
7 | api64.ipify.org
6 | api64.ipify.org
Uses Crypto APIs (Might try to encrypt user data) 1 IoCs
Processes:
description | ioc | process
Framework API call | javax.crypto.Cipher.doFinal | com.qq.reader
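As an added example (not part of this report and not the sandbox's own signature code), the Python below replays the signature logic of the tables above over a constructed event list modeled on those IoCs. The event tuple format, the benign control entry, the signature names and the host set are assumptions made for the example; only api64.ipify.org, the binder calls, the dropped-payload path and Cipher.doFinal are taken from the report.

```python
import re

# Constructed sandbox events modeled on the IoC tables in the report above:
# (process, event_type, detail). Added example data, not the report's raw log.
SAMPLE_EVENTS = [
    ("com.qq.reader", "service_call",
     "android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId"),
    ("com.qq.reader", "service_call",
     "android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText"),
    ("com.qq.reader", "service_call",
     "android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId"),
    ("com.qq.reader", "dex_load",
     "/data/user/0/com.qq.reader/hugdtGr7je/rkUjgI7tgghIfgU/base.apk.8IfGHhg1.uhg"),
    ("com.qq.reader", "dns_query", "api64.ipify.org"),
    ("com.qq.reader", "api_call", "javax.crypto.Cipher.doFinal"),
    # Constructed benign control: a system-provided jar loaded by another app.
    ("com.example.benign", "dex_load", "/system/framework/example.jar"),
]

# Binder calls into the accessibility framework that read on-screen content.
ACCESSIBILITY_READ_RE = re.compile(
    r"^android\.accessibilityservice\.IAccessibilityServiceConnection\."
    r"findAccessibilityNodeInfo"
)
# Only the lookup host observed in this report (assumption: extend as needed).
IP_LOOKUP_HOSTS = {"api64.ipify.org"}
CRYPTO_APIS = {"javax.crypto.Cipher.doFinal"}


def is_app_private_path(path, package):
    """True if `path` lies in the app's own data directory, where a dropper
    writes a payload it later loads (the 'Loads dropped Dex/Jar' signal)."""
    return path.startswith((f"/data/user/0/{package}/", f"/data/data/{package}/"))


def evaluate(events):
    """Map each signature name to the (process, ioc) pairs that triggered it."""
    hits = {}

    def add(sig, proc, ioc):
        hits.setdefault(sig, []).append((proc, ioc))

    for proc, kind, detail in events:
        if kind == "service_call" and ACCESSIBILITY_READ_RE.match(detail):
            add("accessibility_screen_read", proc, detail)
        elif kind == "dex_load" and is_app_private_path(detail, proc):
            add("loads_dropped_dex", proc, detail)
        elif kind == "dns_query" and detail in IP_LOOKUP_HOSTS:
            add("external_ip_lookup", proc, detail)
        elif kind == "api_call" and detail in CRYPTO_APIS:
            add("crypto_api", proc, detail)
    return hits


def flagged_processes(hits):
    """Processes showing all three behaviours that co-occur in this report.
    The IP lookup and Cipher.doFinal are weak signals on their own, so the
    verdict requires the combination rather than any single signature."""
    required = {"accessibility_screen_read", "loads_dropped_dex", "external_ip_lookup"}
    per_proc = {}
    for sig, pairs in hits.items():
        for proc, _ in pairs:
            per_proc.setdefault(proc, set()).add(sig)
    return sorted(p for p, sigs in per_proc.items() if required <= sigs)


if __name__ == "__main__":
    h = evaluate(SAMPLE_EVENTS)
    for sig, pairs in sorted(h.items()):
        print(f"{sig}: {len(pairs)} IoCs")
    print("flagged:", flagged_processes(h))
```

Running the block reproduces the counts in the tables above (3 accessibility IoCs, 1 dropped Dex, 1 crypto call; the constructed event list has a single ipify lookup where the report saw two flows) and flags only com.qq.reader, while the benign control's /system/framework load is ignored because it is not app-private storage.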
Downloads
Filesize
917KB
MD5
3db348c3b3c2c14e2e208472115ec0c6
SHA1
b3cc48423dd83f7c0de6c0016ffc963165ffd786
SHA256
5502ccc752dd2459f1014bc161a30c2a7d1ba180a0fd4d3ea61abdb3a19445ca
SHA512
6c9a1cc5696dc9ea3f4407b767d02567b26cdd01860382b06cb98b2ec704f166babd56cda0bcfec9fadf63f793489f420df4a9b5c3e6db5894790fee121d2322
Filesize
2.0MB
MD5
23f41eab5a899060cd41d0738b98e464
SHA1
acfa9b8fa72d332c95752a70b37f94d7aec9dcf8
SHA256
63883a9d048cf0d6e2ded8d4d8baa9997c4cf3198c4c5619d2799ddfcbb84255
SHA512
12f8c3805b198522befaed38dfbff247dd0947920f8d16aa3b3e9ecb18b79e66f7ed70658879de4cc1972adff3b02248373895ba84305540f8d14ef64d4857dd