flubot | e83fecae4baa2f7edf37bf398f0705d20b9946cfcc2cc7397e451d6d5ae11014

Analysis

max time kernel
179s
max time network
186s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
26-08-2024 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e83fecae4baa2f7edf37bf398f0705d20b9946cfcc2cc7397e451d6d5ae11014.apk
Size

4.8MB
MD5

7acf525b37bd716b16b905d6a57fa500
SHA1

ce51de2b984ffd9ce64614efa52d2ad29547bd4e
SHA256

e83fecae4baa2f7edf37bf398f0705d20b9946cfcc2cc7397e451d6d5ae11014
SHA512

67b8f3b6b781c1adad0be9b9a1a2d89f4133f28a17d3a617ca8980f16fda14e2755cfe2e11a6a08d436757c3c14bbfab576a45ac9d5b5b5c72dbdca3eaae1393
SSDEEP

98304:ifrlNqjQu3ltTcCysCtb/yP5JlP4cvVBzCOlx3c/BwxF3dHEB+1KBwJBRk:ifrlIlt0tTc5P5vVhCOkwf3dkYoB+g

Score

10^/10

flubot banker collection credential_access discovery evasion impact infostealer persistence stealth trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot payload 1 IoCs

resource	yara_rule
behavioral1/memory/4277-0.dex	family_flubot

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4247	com.tencent.mobileqq

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.tencent.mobileqq/agUkgggIg8/eeGgfghgeejgfgr/base.apk.7FjfUh71.fy7	4277	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.tencent.mobileqq/agUkgggIg8/eeGgfghgeejgfgr/base.apk.7FjfUh71.fy7 --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/com.tencent.mobileqq/agUkgggIg8/eeGgfghgeejgfgr/oat/x86/base.apk.7FjfUh71.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.tencent.mobileqq/agUkgggIg8/eeGgfghgeejgfgr/base.apk.7FjfUh71.fy7	4247	com.tencent.mobileqq

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mobileqq
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.mobileqq
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.mobileqq

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ipinfo.io
8	ipinfo.io

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.tencent.mobileqq

Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mobileqq
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mobileqq
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mobileqq

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.tencent.mobileqq

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.tencent.mobileqq

Requests changing the default SMS application. 2 TTPs 1 IoCs

collection impact

SMS Messages

T1636.004

SMS Control

T1582

description	ioc	Process
Intent action	android.provider.Telephony.ACTION_CHANGE_DEFAULT	com.tencent.mobileqq

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.tencent.mobileqq

Requests enabling of the accessibility settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.tencent.mobileqq

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.mobileqq

com.tencent.mobileqq
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests enabling of the accessibility settings.
- Uses Crypto APIs (Might try to encrypt user data)
PID:4247
- /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.tencent.mobileqq/agUkgggIg8/eeGgfghgeejgfgr/base.apk.7FjfUh71.fy7 --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/com.tencent.mobileqq/agUkgggIg8/eeGgfghgeejgfgr/oat/x86/base.apk.7FjfUh71.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4277

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Network Connections Discovery

T1421

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Protected User Data

T1636

SMS Messages

T1636.004

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

SMS Control

T1582

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.tencent.mobileqq/agUkgggIg8/eeGgfghgeejgfgr/tmp-base.apk.7FjfUh71309980446537125918.fy7

Filesize
918KB

MD5
92a17c95b62516fa03a1bce7078c1347

SHA1
fac4fb202522b2edf068de81ea47ad6d0e711fcd

SHA256
52be0d32048188725166de8d1b4c0a61dbb505ccae03d7bdbbd5814b39f7d5e7

SHA512
30435e217d79313ae80c4b31bea38e4c29b429327d40327c9cd26b1abf1e2de228335d5eceb2560725c6beb21ad9edf5a730f1386311f4fc41ce562f804d808b

Download Submit
/data/user/0/com.tencent.mobileqq/agUkgggIg8/eeGgfghgeejgfgr/base.apk.7FjfUh71.fy7

Filesize
2.0MB

MD5
28860a73d09a3a605f9cd9126a5dc187

SHA1
b0ca441db850e7a826e6e9078f79900ac56ebcee

SHA256
42527f144284424c65171dd1ce40cc10cec846c5ee920ce3d3aea77ca1587c5d

SHA512
e3f99db49e32f1cb265d4de315b3f5d81007da546b92965c364e18d1461f932c4caffbb22599ceafc9c9917f676cdc0eebd537164ad9301436e82b9d321e060c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads