flubot | 7fab5ee06a6a5cc391b8b0e94b44bd253eb59e90fda924662534951dc21c9d67

Analysis

max time kernel
4030947s
max time network
159s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
09-01-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fab5ee06a6a5cc391b8b0e94b44bd253eb59e90fda924662534951dc21c9d67.apk
Size

4.4MB
MD5

b718f106e9085c2efe48ad20f475b9f4
SHA1

259aa2501a02f400fff56dd7f02d4b300846ce82
SHA256

7fab5ee06a6a5cc391b8b0e94b44bd253eb59e90fda924662534951dc21c9d67
SHA512

744f7dc20b23b5dbcb3ed43a70ed6f0505bb3afa1c2615928b2439c9d15da68b7fc9e5c4965daacc109bbaa4bf907ba429a86d9dccb04fba6a6bdc4041b64449
SSDEEP

98304:AkBUI5nk4YRl0wLpqPOJu5uIA1Ima4X6H0jJWnfrXnvfMD43W3sAu:AYUIiZhYPGuQj6HasHME39T

Score

10^/10

flubot banker discovery infostealer trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot payload 2 IoCs

Processes:

resource	yara_rule
/data/user/0/com.tencent.weishi/wkijhhz9sh/okeizeuv4kh8udi/base.apk.eferhie1.wnu	family_flubot
/data/user/0/com.tencent.weishi/wkijhhz9sh/okeizeuv4kh8udi/base.apk.eferhie1.wnu	family_flubot

Makes use of the framework's Accessibility service 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

com.tencent.weishi

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.weishi

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.weishi/wkijhhz9sh/okeizeuv4kh8udi/base.apk.eferhie1.wnu --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.tencent.weishi/wkijhhz9sh/okeizeuv4kh8udi/oat/x86/base.apk.eferhie1.odex --compiler-filter=quicken --class-loader-context=&com.tencent.weishi

ioc	pid	process
/data/user/0/com.tencent.weishi/wkijhhz9sh/okeizeuv4kh8udi/base.apk.eferhie1.wnu	4251	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.weishi/wkijhhz9sh/okeizeuv4kh8udi/base.apk.eferhie1.wnu --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.tencent.weishi/wkijhhz9sh/okeizeuv4kh8udi/oat/x86/base.apk.eferhie1.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.tencent.weishi/wkijhhz9sh/okeizeuv4kh8udi/base.apk.eferhie1.wnu	4222	com.tencent.weishi

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes:

com.tencent.weishi

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.tencent.weishi

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.weishi

com.tencent.weishi
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data)
PID:4222
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.weishi/wkijhhz9sh/okeizeuv4kh8udi/base.apk.eferhie1.wnu --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.tencent.weishi/wkijhhz9sh/okeizeuv4kh8udi/oat/x86/base.apk.eferhie1.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4251

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.tencent.weishi/wkijhhz9sh/okeizeuv4kh8udi/tmp-base.apk.eferhie4928275384474954111.wnu

Filesize
814KB

MD5
b150477d1e89e106b657a13d033ba308

SHA1
3136bd994b05cae99a90c99beee465fb78bfe47c

SHA256
6fe9bf96fad6824dac863c4ee53b560a35dc66d3a7d21186863135e85dda2b26

SHA512
7563529771c403a3d5815f2a5327fc1cf02c1a182f31599ca53909cc56a1102fce5d142058b5c1ce0783806d79450c8a117d9ef7c1c3b80c279ca0246adada28

Download Submit
/data/user/0/com.tencent.weishi/wkijhhz9sh/okeizeuv4kh8udi/base.apk.eferhie1.wnu

Filesize
2.2MB

MD5
1c0b216a29ff0a8359fdb96206f942a6

SHA1
810b7adfcb5f7fb7877b7fd820fdc6af2090d930

SHA256
85625420a36ec479f6c2d9f6321d665274e89d1263761f6cde8eee9c802cd927

SHA512
94732e0c3bf85bcf67a13ae475fbe3c499a40d6f7e56a1e69026fe419d054112e5b799158d4405e7f439c6d95479e53391c71c21563077c6fb7af96e5b59b4ab

Download Submit
/data/user/0/com.tencent.weishi/wkijhhz9sh/okeizeuv4kh8udi/base.apk.eferhie1.wnu

Filesize
2.2MB

MD5
2fc80a341e50499c6463d7eeb63c650d

SHA1
8d23e240ecce9cab95ddd4e131c2832462c2672b

SHA256
e23b74134415ebdc2d4df2d93eb5ee45fbd6491ea994c1f735fce0aba741c6d3

SHA512
6f1f8c5500f78fc3d2116250db13534f2de74533cba91895c203af6f926679feace03a89fd2b5d0dcdf4f73db8bee1396bcf02f519bbe0420963153c55e5c4db

Download Submit