flubot | 0f63caf808e459b8bf4da9355048ff3bdc47b03de2ceceeb813e494aa738c0f1

Analysis

max time kernel
4031330s
max time network
143s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
09-01-2024 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f63caf808e459b8bf4da9355048ff3bdc47b03de2ceceeb813e494aa738c0f1.apk
Size

3.4MB
MD5

19a78be812d33fd3c0d57241763950df
SHA1

f47d6e3a31594424279429536551cd289b4be392
SHA256

0f63caf808e459b8bf4da9355048ff3bdc47b03de2ceceeb813e494aa738c0f1
SHA512

60a3d8614a7897aa83f2874a9e39c58e055e6e3f680175c77314a0377cbb492dc862fca77b3d8ee287fafef88692c64ad42cb223418c36b9288ac22dcc020391
SSDEEP

98304:DKidS+0YvujZRFJJAC7/B7KAQbS5hX4tNyu:/Szj7FJvZ7lQ0p4tNb

Score

10^/10

flubot banker infostealer trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot payload 3 IoCs

Processes:

resource	yara_rule
/data/data/com.tencent.mm/app_apkprotector_dex/classes-v1.bin	family_flubot
/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin	family_flubot
/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin	family_flubot

Makes use of the framework's Accessibility service 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

com.tencent.mm

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mm

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

Processes:

com.tencent.mm/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mm/app_apkprotector_dex/oat/x86/classes-v1.odex --compiler-filter=quicken --class-loader-context=&

ioc	pid	process
/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin	4243	com.tencent.mm
/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin	4272	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mm/app_apkprotector_dex/oat/x86/classes-v1.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin	4243	com.tencent.mm

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes:

com.tencent.mm

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.tencent.mm

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.mm

com.tencent.mm
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data)
PID:4243
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mm/app_apkprotector_dex/oat/x86/classes-v1.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.tencent.mm/app_apkprotector_dex/classes-v1.bin

Filesize
113KB

MD5
b18a45382cc8f12501df8a20867afa8e

SHA1
4cecc7f4d6a42121d14f7717ce7f89d72430f8cd

SHA256
1a54843c23c4bc3c5fb1c6dbe5ff19fe473248eb941d00c8c1bb38ead5b91f10

SHA512
0930d38485d68974948bf7cf93e6a5341e1c7c5ad8b99749f15185a137f410f821fa9deaa228f511d017ef9808b5ccc4bbdb97a14ecee485fbfa8736ea6586e8

Download Submit
/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin

Filesize
1.5MB

MD5
84bd7e9703c148c04dc0819da6f0fe49

SHA1
2f05e1251da72e6205d0c024458dd577e9605ad1

SHA256
8c46b81104dc577ff09389cdb4bdc2692e067c5f11ab346b7bcfac4668476f08

SHA512
ee1cde4cdc925fde101f0ea5e15b6f81fa63ab9b006836a3e699b67b91aa34f797849f45e482267c2f6c1ed53a90ae9c3c6b6aafbaecebafecb40dcf0b6b2f50

Download Submit
/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin

Filesize
1.5MB

MD5
abd812d6646f6f9604d93a35048e6871

SHA1
d21d7a5afc5de88add9ea8a293ccd3b7a98022ca

SHA256
c7a229289ebaa761a7f96eb9d8abd0c3ae303a6fd99fd5dace4585ebe008b9fa

SHA512
c05f2db82271d4eda21f0ac0515a872754131bbb9ae6dc65f1914f5a316edeb72832d7290d6090c34f6ff72ba39bf6bc9b0f1df0011693466759869c6602bbc7

Download Submit