flubot | b421cc0f878b4ed4a2e535d1e9d9e6ffd3c6b822b55e701bc137c2360fd5e7ee

Analysis

max time kernel
179s
max time network
191s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
04-08-2024 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b421cc0f878b4ed4a2e535d1e9d9e6ffd3c6b822b55e701bc137c2360fd5e7ee.apk
Size

3.2MB
MD5

3bb9ad5acdbe20df21068ad42801c30d
SHA1

20a654d79cc6e5a6209f001601288b2209f54082
SHA256

b421cc0f878b4ed4a2e535d1e9d9e6ffd3c6b822b55e701bc137c2360fd5e7ee
SHA512

637535aa3034a425c40b3ef428ff51e3bd360e7a4317716887cc19e0755930ad22836dd8b7dc0fbfca977dce58342571ee15c1df8397c00e9bfcc24d9e502e6e
SSDEEP

49152:uYzaaObrX+7P0Fv7f0r9oj/tOLW93L2WhOhzOGNwNUWAvNDT66NnlqIbXob3GoO:uPbrO7P0FgGjEO3QyJNUxV1DqAVoO

Score

10^/10

flubot banker collection credential_access discovery evasion infostealer persistence trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot payload 1 IoCs

resource	yara_rule
behavioral3/memory/4482-0.dex	family_flubot

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.qq.reader/code_cache/secondary-dexes/base.apk.classes1.zip	4482	com.qq.reader

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.qq.reader

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.qq.reader

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.qq.reader

com.qq.reader
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Makes use of the framework's foreground persistence service
- Queries information about active data network
PID:4482

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Network Connections Discovery

T1421

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.qq.reader/code_cache/secondary-dexes/base.apk.classes1.zip

Filesize
2.3MB

MD5
e8170ac6d96755570012d752a213969b

SHA1
86c14c3e8c46de00b21738447b326f3bc53d9582

SHA256
16c7fccdd1eb8b489943a98dd26d3448fe49a8cdd000de295f5b1c9d9139f6dc

SHA512
0c12ef816e7686000ec6d783155093b8dcecc3013c59882564c600b76d0f72d86f2eb4ee3c72954af9f11fad219dcdbd5d3d7327ca550f81efa40acf5a1ce492

Download Submit
/data/user/0/com.qq.reader/code_cache/secondary-dexes/tmp-base.apk.classes3472220675493014993.zip

Filesize
859KB

MD5
11623a9652d49007d0decc3589a32ebf

SHA1
4176835f8291859b5e511059bd85b1cea92f0e88

SHA256
9dfc548902590afe5014af37ff98e1d06f346b62f247f1bd6129967d964ad033

SHA512
e935bbb356e556d1d75145224131e4686ac5c1188ddf66ccb7807acb00905492845b93a6665848938ab01e009bdd3d00347f1aca6117ac776a109002940d0360

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads