Overview

overview

10

Static

static

6

e83fecae4b...14.apk

android-9-x86

10

e83fecae4b...14.apk

android-10-x64

10

e83fecae4b...14.apk

android-11-x64

10

Analysis

  • max time kernel
    66s
  • max time network
    186s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
  • submitted
    26/08/2024, 22:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e83fecae4baa2f7edf37bf398f0705d20b9946cfcc2cc7397e451d6d5ae11014.apk

  • Size

    4.8MB

  • MD5

    7acf525b37bd716b16b905d6a57fa500

  • SHA1

    ce51de2b984ffd9ce64614efa52d2ad29547bd4e

  • SHA256

    e83fecae4baa2f7edf37bf398f0705d20b9946cfcc2cc7397e451d6d5ae11014

  • SHA512

    67b8f3b6b781c1adad0be9b9a1a2d89f4133f28a17d3a617ca8980f16fda14e2755cfe2e11a6a08d436757c3c14bbfab576a45ac9d5b5b5c72dbdca3eaae1393

  • SSDEEP

    98304:ifrlNqjQu3ltTcCysCtb/yP5JlP4cvVBzCOlx3c/BwxF3dHEB+1KBwJBRk:ifrlIlt0tTc5P5vVhCOkwf3dkYoB+g

Score
10/10
flubotbankercollectioncredential_accessdiscoveryevasioninfostealerpersistencestealthtrojan

Malware Config

Signatures

  • FluBot

    FluBot is an android banking trojan that uses overlays.

    bankertrojaninfostealerflubot
  • FluBot payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery

Processes

  • com.tencent.mobileqq
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    PID:5046

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.tencent.mobileqq/agUkgggIg8/eeGgfghgeejgfgr/tmp-base.apk.7FjfUh72612950615186504296.fy7
    Filesize

    918KB

    MD5

    92a17c95b62516fa03a1bce7078c1347

    SHA1

    fac4fb202522b2edf068de81ea47ad6d0e711fcd

    SHA256

    52be0d32048188725166de8d1b4c0a61dbb505ccae03d7bdbbd5814b39f7d5e7

    SHA512

    30435e217d79313ae80c4b31bea38e4c29b429327d40327c9cd26b1abf1e2de228335d5eceb2560725c6beb21ad9edf5a730f1386311f4fc41ce562f804d808b

    Download Submit

  • /data/user/0/com.tencent.mobileqq/agUkgggIg8/eeGgfghgeejgfgr/base.apk.7FjfUh71.fy7
    Filesize

    2.0MB

    MD5

    28860a73d09a3a605f9cd9126a5dc187

    SHA1

    b0ca441db850e7a826e6e9078f79900ac56ebcee

    SHA256

    42527f144284424c65171dd1ce40cc10cec846c5ee920ce3d3aea77ca1587c5d

    SHA512

    e3f99db49e32f1cb265d4de315b3f5d81007da546b92965c364e18d1461f932c4caffbb22599ceafc9c9917f676cdc0eebd537164ad9301436e82b9d321e060c

    Download Submit