flubot | 4da397dcda35bd469b3af3c0f49ef7a2a4e19e3338f2b557560384d174b197fa

Analysis

max time kernel
2564603s
max time network
159s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
23-12-2023 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4da397dcda35bd469b3af3c0f49ef7a2a4e19e3338f2b557560384d174b197fa.apk
Size

6.7MB
MD5

528e717abda498c72a11370631410cad
SHA1

3a41286bdc3becf2f6eb6403c71ff4cce5dd6b0d
SHA256

4da397dcda35bd469b3af3c0f49ef7a2a4e19e3338f2b557560384d174b197fa
SHA512

0e054e89e39fa004580575002f6df4e484cc69bf5be6eabb968acd9d854ce34e77e3fb1aa47ef6c314885667d0419ac8c656af0bee5f64dd3872be8062a14e24
SSDEEP

196608:POeipkzfuE7GiqwZy9c9UlaxsXfZmV91g2ZbJolK0xxBk:meh7upiBZy90Ul/RmauolxxTk

Score

10^/10

flubot banker discovery infostealer trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot payload 2 IoCs

Processes:

resource	yara_rule
/data/data/com.tencent.mobileqq/app_DynamicOptDex/oBN.json	family_flubot
/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/oBN.json	family_flubot

Makes use of the framework's Accessibility service 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

com.tencent.mobileqq

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mobileqq

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

Processes:

com.tencent.mobileqq/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/oBN.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/oat/x86/oBN.odex --compiler-filter=quicken --class-loader-context=&

ioc	pid	process
/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/oBN.json	4266	com.tencent.mobileqq
/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/oBN.json	4293	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/oBN.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/oat/x86/oBN.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/oBN.json	4266	com.tencent.mobileqq

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes:

com.tencent.mobileqq

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.tencent.mobileqq

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.mobileqq

com.tencent.mobileqq
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data)
PID:4266
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/oBN.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/oat/x86/oBN.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4293

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.tencent.mobileqq/app_DynamicOptDex/oBN.json

Filesize
3.1MB

MD5
50dd5aa3d270400f2a8b5ae821bc0146

SHA1
eff69432d8b2e72be0bb035b0d9f99abfd47680e

SHA256
c23e1e9350074d07bdd4478851401a53bff1acccb762a50f7e6fc6f9c8e5bb12

SHA512
99584f250854cdffbbce1890fec38b7a36716556983c11f5566ffbef885614a74b97f74b11da0aabf01160157b7a580aea5261f09b44e4f991026c3e3b623afa

Download Submit
/data/data/com.tencent.mobileqq/app_DynamicOptDex/oBN.json

Filesize
3.1MB

MD5
ad8465c129549af17e79674174d034f0

SHA1
68d7f89e3f976b5ad66fcf9eb9b881259a41c8fb

SHA256
41dd1e6416de4f990cfbc24ad3d9dc6bf830d2028adff42202bc5587fbf4c668

SHA512
84f87c7f23c9e73d342ef5aca9bacf25dcce00d1b76c38d01b2678cf72c82689a62e41adfc77060d80e170ea8aece7022bc407c5f38065c7f4873f14de9df29e

Download Submit
/data/data/com.tencent.mobileqq/app_DynamicOptDex/oat/oBN.json.cur.prof

Filesize
1KB

MD5
928f8c62f7523a36cb30e0ece58cae6a

SHA1
61096dd9051541ade25d2fdc53364df02f19d268

SHA256
bf9236671c7df84e801198b254293e01ef931251bfbc3cc83f26194aaf5ec4e5

SHA512
8c9657b382e296f3128a2539561af1defc9a2fd6805a6c2f9818e5c23103be2ab6c4851e78f7f4fc39040b32e38f6fa13577176214814686abdf56eeef2dabbf

Download Submit
/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/oBN.json

Filesize
3.1MB

MD5
e0ce873a45d32bd641a0a4981e46fbe8

SHA1
f5970c914d369b828ca047d7a82c09167718c85f

SHA256
6f28b5814816ab869a28068f78811a555fb51d6e686ead3241a5827be5fb708b

SHA512
6ab787cfab7a19aca2d9d6e5b216fb57922d394afb830cd627b44a9a0b1d914f813b5a69ff712609507e97203f2c9aeb2b5aa1bf01275b17ece3f84ac06f6ac9

Download Submit