flubot | 664c1b4ef5e7caa17e3caa5a4bc0dcfe6fba23beb866ca8959a3791512d33798

Analysis

max time kernel
169s
max time network
181s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
04-08-2024 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

664c1b4ef5e7caa17e3caa5a4bc0dcfe6fba23beb866ca8959a3791512d33798.apk
Size

3.8MB
MD5

ff0861b94469b50816dd80f3a8c5ddfa
SHA1

749f8aa6ab57f7c2059312e7304edecd5391cf30
SHA256

664c1b4ef5e7caa17e3caa5a4bc0dcfe6fba23beb866ca8959a3791512d33798
SHA512

76e658539bb17db06b03f6a13b7bae1b0852657cb956e8f1a365e06c01dc6ff1468b366b39e7f8a75b2edc76e0dd3979136ffe0ed8eed9343dd833b2af492a79
SSDEEP

98304:qKUkN1yVuEGZwi2T8fd1iNGhGQTEQu9fzdP:mk6IFqMbfXWrl

Score

10^/10

flubot banker collection credential_access discovery evasion impact infostealer stealth trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/files/fstream-1.dat	family_flubot

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

Processes:

com.tencent.mm

pid	Process
5052	com.tencent.mm

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.tencent.mm

ioc	pid	Process
/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin	5052	com.tencent.mm
/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin	5052	com.tencent.mm

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.tencent.mm

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.mm

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

Processes:

com.tencent.mm

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

Processes:

com.tencent.mm

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.mm

com.tencent.mm
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Performs UI accessibility actions on behalf of the user
- Uses Crypto APIs (Might try to encrypt user data)
PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.tencent.mm/app_apkprotector_dex/classes-v1.bin

Filesize
3.1MB

MD5
5c58194c9290a3da97069125c255cddf

SHA1
a4f1b797dc3dccd81f30ff6fbac1cbbbe997fe28

SHA256
1bbade053c0a4aac93ba65af9d003c250ef2f1a19fcf01181bc7f125501ab6ab

SHA512
af10fed875066ac505ea7ef1a9aba0c9e242be70013e70c37b95ba5d46beee80b3a5c3bb5dc997f2cc275e618ec19567a59c8df0a2b005fbf6e681960cb1d0cf

Download Submit