flubot | 139fca7c979e272ff720feffcaf686aeb1dd25a6347d34bbaa443031982d5f3e

Analysis

max time kernel
2881397s
max time network
170s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
23-12-2023 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

139fca7c979e272ff720feffcaf686aeb1dd25a6347d34bbaa443031982d5f3e.apk
Size

6.8MB
MD5

77c1fcc802753a77f042dc14863f9900
SHA1

c56ec9ceafb44300acecaaf3a3049b64631ccd8f
SHA256

139fca7c979e272ff720feffcaf686aeb1dd25a6347d34bbaa443031982d5f3e
SHA512

0cf7d1e7c967210d027e1a945d2802e3baa458ca4cc77b3a1022890c005b627018cda5a226bf7185e742564707dff26503150d6c7faa935b60cdfb68141d4a81
SSDEEP

196608:A4YwqLsFVxbrKc6dIAmgzMDNUPJ+TIV0C2B40B:0wqemxGA5MDNUP4MTk40B

Score

10^/10

flubot banker discovery infostealer trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/rib.json	family_flubot

Makes use of the framework's Accessibility service 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

com.tencent.mobileqq

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mobileqq

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

com.tencent.mobileqq

ioc	pid	process
/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/rib.json	4603	com.tencent.mobileqq
/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/rib.json	4603	com.tencent.mobileqq

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes:

com.tencent.mobileqq

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.tencent.mobileqq

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.mobileqq

com.tencent.mobileqq
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data)
PID:4603

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/oat/rib.json.cur.prof

Filesize
2KB

MD5
d75e15cf610087981b143e632767be3b

SHA1
c14415f609e906a8ceaac3f126792da5f660160c

SHA256
736ed740ae8b6f7832c02b22ce7befa3b056216d0b101e5e9eb39cd22847f65d

SHA512
584e4c71e1584670de8bee4b42596473d2c215f1ac066eeda5e1433110eedc03ccc84ee38befa909a4ade4262713bc79fd83b768d0ffeab70550ecba273fd1ff

Download Submit
/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/rib.json

Filesize
3.1MB

MD5
048750ccea4e8472fdf66699916362fe

SHA1
4d9aed1259a2baecd95556a45cb922d68068b7e2

SHA256
8a7842ec65a1c14d3ecef7d0592542d532d0c018c28c0a5d14c82ab047615ad3

SHA512
4cbd447b17cd06205c8bc166a2ed201ee7d434bc74cf7d42170a9e6a05d706704321b3845ab4e8d22ae95f3279cd8d65f20d1f8b9403fc23932953b13b5ff636

Download Submit
/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/rib.json

Filesize
3.1MB

MD5
9ad1a7c23a995877e63fc07849e6ce91

SHA1
27745c40b203282cdbdf80ec62883cafec45b5d8

SHA256
967edfd07f7757b4d723198ad5daf2080d4f942a6d21c2159a90a22f1421d296

SHA512
e229cd318ee8a2a1cb0ca6b88270a7e8870d84ba9a267679fb739ba4b861a0777c960490e8fab616c9da1e6b4a6c83fab77fa5199f88f47d3df0e7f65f5e81c6

Download Submit