flubot | 76190371f81113c07f2a176f26e61bea82f8f55debe2915c577f4ebe1b22f252

Analysis

max time kernel
2614667s
max time network
160s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
23-12-2023 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76190371f81113c07f2a176f26e61bea82f8f55debe2915c577f4ebe1b22f252.apk
Size

6.8MB
MD5

7a9a3c3c37885357227fb211984bbd40
SHA1

8046275ad75ef2bdbf1f21f6c64d36563d5b06f4
SHA256

76190371f81113c07f2a176f26e61bea82f8f55debe2915c577f4ebe1b22f252
SHA512

f854d84d80bed707e9252700cfc8dfdd53132a7a9e1db0a64fafc3b01568a7970e1d73c3a23f169a76ed709aef7b58988c2dff86281fbe0eb535bb7becdf9499
SSDEEP

98304:tRrQM+PuN/1PP1DD1P7meIS64D4YC6zo4g9ZCi74Oit3Qqv5x7vnKEZ:j+WN/19DMem04Z4Tr3Qw5dnKEZ

Score

10^/10

flubot banker discovery infostealer trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot payload 1 IoCs

Processes:

resource	yara_rule
/data/data/com.tencent.mobileqq/app_DynamicOptDex/ycKc.json	family_flubot

Makes use of the framework's Accessibility service 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

com.tencent.mobileqq

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mobileqq

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

com.tencent.mobileqq

ioc	pid	process
/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/ycKc.json	5001	com.tencent.mobileqq
/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/ycKc.json	5001	com.tencent.mobileqq

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes:

com.tencent.mobileqq

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.tencent.mobileqq

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.mobileqq

com.tencent.mobileqq
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data)
PID:5001

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.tencent.mobileqq/app_DynamicOptDex/oat/ycKc.json.cur.prof

Filesize
2KB

MD5
f2a5ad9d95564604ff5bf4e2ffcf5303

SHA1
a43c225f3b446b757c540a54c39c2d9b1ff035e5

SHA256
8047238e7ee8b971557dfd734f8edfcba2f8404645a665f8cbf076a6245a7663

SHA512
67bf93be301f3adf8b7d8b7b8eb28981a8f253c1806ee1071918ab73bde8f9eeb0fda9638e75f3871a99081e416b3380cc4eadb9763c842603db45845cea76e8

Download Submit
/data/data/com.tencent.mobileqq/app_DynamicOptDex/ycKc.json

Filesize
3.1MB

MD5
60c429c92b31cf2056b6b34a23762e5b

SHA1
5ce0b38b8a52c47002d21e32a7ac0a01e4c561c0

SHA256
5560970a6a5de549ccd9e28b851a5ee218449097b30e06529c6ea0fabd6f842a

SHA512
951c2286ab0e2824ab0dc5d5b21a7bfd8a4880ba9b53b8bb59e73ab2edf6797abdbd429110b18d48d4335111ac538436e38376339ab1aa526eb849f16d6529df

Download Submit
/data/data/com.tencent.mobileqq/app_DynamicOptDex/ycKc.json

Filesize
3.1MB

MD5
ad8465c129549af17e79674174d034f0

SHA1
68d7f89e3f976b5ad66fcf9eb9b881259a41c8fb

SHA256
41dd1e6416de4f990cfbc24ad3d9dc6bf830d2028adff42202bc5587fbf4c668

SHA512
84f87c7f23c9e73d342ef5aca9bacf25dcce00d1b76c38d01b2678cf72c82689a62e41adfc77060d80e170ea8aece7022bc407c5f38065c7f4873f14de9df29e

Download Submit