flubot | 139fca7c979e272ff720feffcaf686aeb1dd25a6347d34bbaa443031982d5f3e

Analysis

max time kernel
2881294s
max time network
158s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
23-12-2023 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

139fca7c979e272ff720feffcaf686aeb1dd25a6347d34bbaa443031982d5f3e.apk
Size

6.8MB
MD5

77c1fcc802753a77f042dc14863f9900
SHA1

c56ec9ceafb44300acecaaf3a3049b64631ccd8f
SHA256

139fca7c979e272ff720feffcaf686aeb1dd25a6347d34bbaa443031982d5f3e
SHA512

0cf7d1e7c967210d027e1a945d2802e3baa458ca4cc77b3a1022890c005b627018cda5a226bf7185e742564707dff26503150d6c7faa935b60cdfb68141d4a81
SSDEEP

196608:A4YwqLsFVxbrKc6dIAmgzMDNUPJ+TIV0C2B40B:0wqemxGA5MDNUP4MTk40B

Score

10^/10

flubot banker discovery infostealer trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot payload 1 IoCs

Processes:

resource	yara_rule
/data/data/com.tencent.mobileqq/app_DynamicOptDex/rib.json	family_flubot

Makes use of the framework's Accessibility service 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

com.tencent.mobileqq

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mobileqq

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

com.tencent.mobileqq

ioc	pid	process
/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/rib.json	4913	com.tencent.mobileqq
/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/rib.json	4913	com.tencent.mobileqq

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes:

com.tencent.mobileqq

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.tencent.mobileqq

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.mobileqq

com.tencent.mobileqq
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data)
PID:4913

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.tencent.mobileqq/app_DynamicOptDex/oat/rib.json.cur.prof

Filesize
2KB

MD5
dceca7af4570b5b916c62b6897d44296

SHA1
7bfc6a89e174e59e3f91f9dd99414ed27b772682

SHA256
c54cc2a82fbd5b444a70b465aed6442248a36834fb74218dad038c410d3106ce

SHA512
4ae3490fd2f4576d4d0a8a5808cfc560460d52cfde6f97679ab037da1f6a03de8595d95ae646f169582199f60b63c2646fa3fc59a2e1fb14247c619f0d94dfc8

Download Submit
/data/data/com.tencent.mobileqq/app_DynamicOptDex/rib.json

Filesize
3.1MB

MD5
048750ccea4e8472fdf66699916362fe

SHA1
4d9aed1259a2baecd95556a45cb922d68068b7e2

SHA256
8a7842ec65a1c14d3ecef7d0592542d532d0c018c28c0a5d14c82ab047615ad3

SHA512
4cbd447b17cd06205c8bc166a2ed201ee7d434bc74cf7d42170a9e6a05d706704321b3845ab4e8d22ae95f3279cd8d65f20d1f8b9403fc23932953b13b5ff636

Download Submit
/data/data/com.tencent.mobileqq/app_DynamicOptDex/rib.json

Filesize
3.1MB

MD5
9ad1a7c23a995877e63fc07849e6ce91

SHA1
27745c40b203282cdbdf80ec62883cafec45b5d8

SHA256
967edfd07f7757b4d723198ad5daf2080d4f942a6d21c2159a90a22f1421d296

SHA512
e229cd318ee8a2a1cb0ca6b88270a7e8870d84ba9a267679fb739ba4b861a0777c960490e8fab616c9da1e6b4a6c83fab77fa5199f88f47d3df0e7f65f5e81c6

Download Submit