flubot | c8912a4ea44e34d8abbd7a40e303d1c236e1b0ee8c37ad90c96c91f006da8eff

Analysis

max time kernel
2821661s
max time network
159s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
22-12-2023 04:52

Target

68e7085eebe634fb54baaf20cd8d5cda.apk
Size

2.6MB
MD5

68e7085eebe634fb54baaf20cd8d5cda
SHA1

8a45da188ceb595d7564a904b0018e42e6cb6eda
SHA256

c8912a4ea44e34d8abbd7a40e303d1c236e1b0ee8c37ad90c96c91f006da8eff
SHA512

edd5f6acf650086cb3390cd2d9886544966cf92007387bf86f7c1c1019769e71093955e40b433e15c780ab50b047589b9d2e641e03bc059608ce0594b87217a2
SSDEEP

49152:nt6drmFXYEjfe1JVBm8V/nHMt9Nw2xO0Lav9QMmqW8bvtDkP31V:nirKZbSJVBdV/HYI2MP1QzsLtOV

Score

10^/10

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.tencent.qqmusic/code_cache/secondary-dexes/base.apk.classes1.zip	family_flubot

Makes use of the framework's Accessibility service 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

com.tencent.qqmusic

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.qqmusic

Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.tencent.qqmusic

ioc pid process

/data/user/0/com.tencent.qqmusic/code_cache/secondary-dexes/base.apk.classes1.zip 4492 com.tencent.qqmusic
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes:

com.tencent.qqmusic

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.tencent.qqmusic

ioc	pid	process
/data/user/0/com.tencent.qqmusic/code_cache/secondary-dexes/base.apk.classes1.zip	4492	com.tencent.qqmusic

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.qqmusic

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

/data/user/0/com.tencent.qqmusic/code_cache/secondary-dexes/base.apk.classes1.zip

Filesize
2.3MB

MD5
2f84073f750cce3b9c61df0a3a769ceb

SHA1
b237b7305d30c408205b92188d3ecaa957301140

SHA256
4e4249a1ebd84edcce0c22ace40dead606579eb44f23b0bbf4c45c93c01cc4cf

SHA512
32f3d750c68c4e85f9e81f82c1a6232d66129843d437035cdf4eeafe5d90fcfd51f035d092e6bc266986b21eac083bf077dea4c2a69b0f495d77d199eef6348c

Download Submit
/data/user/0/com.tencent.qqmusic/code_cache/secondary-dexes/tmp-base.apk.classes5227690479400659027.zip

Filesize
859KB

MD5
19be9ae6c2b5696ab64fd1531dcd60e9

SHA1
6fe596fa31c67e69216c66e8ad6fb64ec77e0234

SHA256
41b5a7d823737d439c4ed32534d846e382b977e5d0aeed7d785ae288b125cb28

SHA512
718ae4ac1ed5a792b3f56b5c353f6ba8d8f29d1dc1a19df2b588369c1cac756dbed162ceae8ae8034fc7e9faf0ac53e97eefbe0f95ff8aed848abecc465daac7

Download Submit