Overview

overview

10

Static

static

6

664c1b4ef5...98.apk

android-9-x86

10

664c1b4ef5...98.apk

android-10-x64

10

664c1b4ef5...98.apk

android-11-x64

10

Analysis

  • max time kernel
    169s
  • max time network
    180s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    04-08-2024 22:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    664c1b4ef5e7caa17e3caa5a4bc0dcfe6fba23beb866ca8959a3791512d33798.apk

  • Size

    3.8MB

  • MD5

    ff0861b94469b50816dd80f3a8c5ddfa

  • SHA1

    749f8aa6ab57f7c2059312e7304edecd5391cf30

  • SHA256

    664c1b4ef5e7caa17e3caa5a4bc0dcfe6fba23beb866ca8959a3791512d33798

  • SHA512

    76e658539bb17db06b03f6a13b7bae1b0852657cb956e8f1a365e06c01dc6ff1468b366b39e7f8a75b2edc76e0dd3979136ffe0ed8eed9343dd833b2af492a79

  • SSDEEP

    98304:qKUkN1yVuEGZwi2T8fd1iNGhGQTEQu9fzdP:mk6IFqMbfXWrl

Score
10/10
flubotbankercollectioncredential_accessdiscoveryevasionimpactinfostealerstealthtrojan

Malware Config

Signatures

  • FluBot

    FluBot is an android banking trojan that uses overlays.

    bankertrojaninfostealerflubot
  • FluBot payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests enabling of the accessibility settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.tencent.mm
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests enabling of the accessibility settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4509

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin
    Filesize

    3.1MB

    MD5

    5c58194c9290a3da97069125c255cddf

    SHA1

    a4f1b797dc3dccd81f30ff6fbac1cbbbe997fe28

    SHA256

    1bbade053c0a4aac93ba65af9d003c250ef2f1a19fcf01181bc7f125501ab6ab

    SHA512

    af10fed875066ac505ea7ef1a9aba0c9e242be70013e70c37b95ba5d46beee80b3a5c3bb5dc997f2cc275e618ec19567a59c8df0a2b005fbf6e681960cb1d0cf

    Download Submit