Resubmissions

03-07-2024 09:43

240703-lqbnts1bmq 10

11-10-2023 19:53

231011-ymcsyahh3z 10

General

  • Target

    4859ab9cd5efbe0d4f63799126110d744a42eff057fa22ff1bd11cb59b49608c

  • Size

    6.0MB

  • Sample

    240703-lqbnts1bmq

  • MD5

    06371fc75740162de9e6275102012e6c

  • SHA1

    9b45243e89541ae26fea5ff2b9c7d14ff69044ed

  • SHA256

    4859ab9cd5efbe0d4f63799126110d744a42eff057fa22ff1bd11cb59b49608c

  • SHA512

    c865d89143effb176c4be93fc16f54e06d248f5b7e22ffbf19754137f9da181f6d7f6019cdb28d2d7964375b1978a255c475dd3d17487fddb9fa0e4eda8bf248

  • SSDEEP

    98304:fC3rjZ1lQTKUHiLoQwaFaxCiFXzTVNeWr4kUCzwHrqrtQUn5HHOwBFyxrlV:fCvlLLNwaF8DhX4k9SrEbBFyN3

Targets

    • FluBot

      FluBot is an Android banking trojan that uses overlays.

    • FluBot payload

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent its removal.

    • Queries information about active data network

    • Requests changing the default SMS application.

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Requests enabling of the accessibility settings.
