Analysis
max time kernel: 66s
max time network: 186s
platform: android_x64
resource: android-x64-20240624-en
resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
submitted: 26-08-2024 22:07
Static task: static1

Behavioral task: behavioral1
Sample: e83fecae4baa2f7edf37bf398f0705d20b9946cfcc2cc7397e451d6d5ae11014.apk
Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
Sample: e83fecae4baa2f7edf37bf398f0705d20b9946cfcc2cc7397e451d6d5ae11014.apk
Resource: android-x64-20240624-en

Behavioral task: behavioral3
Sample: e83fecae4baa2f7edf37bf398f0705d20b9946cfcc2cc7397e451d6d5ae11014.apk
Resource: android-x64-arm64-20240624-en
General
Target: e83fecae4baa2f7edf37bf398f0705d20b9946cfcc2cc7397e451d6d5ae11014.apk
Size: 4.8MB
MD5: 7acf525b37bd716b16b905d6a57fa500
SHA1: ce51de2b984ffd9ce64614efa52d2ad29547bd4e
SHA256: e83fecae4baa2f7edf37bf398f0705d20b9946cfcc2cc7397e451d6d5ae11014
SHA512: 67b8f3b6b781c1adad0be9b9a1a2d89f4133f28a17d3a617ca8980f16fda14e2755cfe2e11a6a08d436757c3c14bbfab576a45ac9d5b5b5c72dbdca3eaae1393
SSDEEP: 98304:ifrlNqjQu3ltTcCysCtb/yP5JlP4cvVBzCOlx3c/BwxF3dHEB+1KBwJBRk:ifrlIlt0tTc5P5vVhCOkwf3dkYoB+g
Malware Config
Signatures
FluBot
FluBot is an Android banking trojan that uses overlays.

FluBot payload (1 IoC)
resource: behavioral2/memory/5046-0.dex  yara_rule: family_flubot
pid: 5046  process: com.tencent.mobileqq

Loads dropped Dex/Jar (1 TTP, 1 IoC)
Runs an executable file dropped to the device during analysis.
ioc: /data/user/0/com.tencent.mobileqq/agUkgggIg8/eeGgfghgeejgfgr/base.apk.7FjfUh71.fy7  pid: 5046  process: com.tencent.mobileqq

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  process: com.tencent.mobileqq
description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId  process: com.tencent.mobileqq

Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 9: icanhazip.com
flow 10: icanhazip.com
flow 11: icanhazip.com

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
The application may abuse the framework's foreground service to keep running in the foreground.
description: Framework service call  ioc: android.app.IActivityManager.setServiceForeground  process: com.tencent.mobileqq

Performs UI accessibility actions on behalf of the user (1 TTP, 2 IoCs)
The application may abuse the accessibility service to prevent its own removal.
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  process: com.tencent.mobileqq
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  process: com.tencent.mobileqq

Queries information about active data network (1 TTP, 1 IoC)
description: Framework service call  ioc: android.net.IConnectivityManager.getActiveNetworkInfo  process: com.tencent.mobileqq
Processes
com.tencent.mobileqq (PID 5046)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
Network
MITRE ATT&CK Enterprise v15 (no techniques listed)
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
- Suppress Application Icon (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
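Each signature above is a single observation; what makes this sample's profile distinctive is their co-occurrence in one process (PID 5046): AccessibilityService reads plus performGlobalAction, a file executed out of the app's private directory, a pinned foreground service and an icanhazip.com lookup. A legitimate screen reader also reads the screen, so no single call should be alerted on. The script below is an added example (not the sandbox vendor's code) that correlates such events per process and applies that composite rule. The `pid=... proc=... type=... value=...` line format, the benign comparison process com.example.screenreader and the rule itself are assumptions; the PID 5046 lines are constructed to mirror the IoCs in this report.

```python
"""Per-process correlation of Android sandbox events into an overlay-banker verdict.

Added example for this report, not the sandbox vendor's code. SAMPLE_EVENTS is
constructed: the PID 5046 lines mirror the report's IoCs for com.tencent.mobileqq,
the 'key=value' format and the process com.example.screenreader are assumptions.
"""
import re

EVENT_RE = re.compile(r"(\w+)=(\S+)")

# Binder interface methods seen in the report, tagged with what they let an app do.
CALL_BEHAVIOURS = {
    "android.accessibilityservice.IAccessibilityServiceConnection."
    "findAccessibilityNodeInfoByAccessibilityId": "a11y_read",
    "android.accessibilityservice.IAccessibilityServiceConnection."
    "findAccessibilityNodeInfosByViewId": "a11y_read",
    "android.accessibilityservice.IAccessibilityServiceConnection."
    "performGlobalAction": "a11y_action",
    "android.app.IActivityManager.setServiceForeground": "foreground_service",
    "android.net.IConnectivityManager.getActiveNetworkInfo": "network_query",
}

# Public "what is my IP" services; icanhazip.com is the one in this report.
IP_LOOKUP_HOSTS = {"icanhazip.com", "ifconfig.me", "api.ipify.org", "ipinfo.io"}

SAMPLE_EVENTS = [  # constructed input
    "pid=5046 proc=com.tencent.mobileqq type=file_exec value=/data/user/0/com.tencent.mobileqq/agUkgggIg8/eeGgfghgeejgfgr/base.apk.7FjfUh71.fy7",
    "pid=5046 proc=com.tencent.mobileqq type=binder_call value=android.app.IActivityManager.setServiceForeground",
    "pid=5046 proc=com.tencent.mobileqq type=binder_call value=android.net.IConnectivityManager.getActiveNetworkInfo",
    "pid=5046 proc=com.tencent.mobileqq type=dns value=icanhazip.com",
    "pid=5046 proc=com.tencent.mobileqq type=binder_call value=android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId",
    "pid=5046 proc=com.tencent.mobileqq type=binder_call value=android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId",
    "pid=5046 proc=com.tencent.mobileqq type=binder_call value=android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction",
    # A legitimate screen reader: reads the screen but never injects actions or loads code.
    "pid=6001 proc=com.example.screenreader type=binder_call value=android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId",
    "pid=6001 proc=com.example.screenreader type=binder_call value=android.net.IConnectivityManager.getActiveNetworkInfo",
]


def parse_event(line):
    """Parse one 'key=value ...' line into a dict; pid becomes an int."""
    ev = dict(EVENT_RE.findall(line))
    ev["pid"] = int(ev["pid"])
    return ev


def app_private_dirs(package):
    """/data/data/<pkg> is a symlink to /data/user/0/<pkg>; accept both spellings."""
    return (f"/data/data/{package}/", f"/data/user/0/{package}/")


def behaviours_of(ev):
    """Map one event to zero or one behaviour tag."""
    kind, value = ev["type"], ev["value"]
    if kind == "binder_call":
        tag = CALL_BEHAVIOURS.get(value)
        return {tag} if tag else set()
    if kind == "file_exec" and value.startswith(app_private_dirs(ev["proc"])):
        return {"dex_load"}  # code executed from a file the app itself wrote
    if kind == "dns" and value.rstrip(".").lower() in IP_LOOKUP_HOSTS:
        return {"ip_lookup"}
    return set()


def profile_processes(lines):
    """Accumulate behaviour tags per PID."""
    profiles = {}
    for line in lines:
        ev = parse_event(line)
        p = profiles.setdefault(ev["pid"], {"proc": ev["proc"], "behaviours": set()})
        p["behaviours"] |= behaviours_of(ev)
    return profiles


def overlay_banker_verdict(behaviours):
    """Composite rule (analyst heuristic): screen reading AND action injection via
    AccessibilityService, plus runtime code loading or a pinned foreground service.
    Returns (flagged, reasons)."""
    reasons = []
    if {"a11y_read", "a11y_action"} <= behaviours:
        reasons.append("reads screen content and injects global actions via AccessibilityService")
    if "dex_load" in behaviours:
        reasons.append("executes a file dropped into its own private data directory")
    if "foreground_service" in behaviours:
        reasons.append("pins itself with setServiceForeground")
    if "ip_lookup" in behaviours:
        reasons.append("looks up its external IP via a public web service")
    core = {"a11y_read", "a11y_action"} <= behaviours
    support = bool(behaviours & {"dex_load", "foreground_service"})
    return core and support, reasons


if __name__ == "__main__":
    for pid, p in profile_processes(SAMPLE_EVENTS).items():
        flagged, reasons = overlay_banker_verdict(p["behaviours"])
        print(pid, p["proc"], "FLAGGED" if flagged else "clean", "; ".join(reasons))
```

The IP lookup and getActiveNetworkInfo are reported as reasons but deliberately carry no weight in the verdict: many benign apps do both, and the sandbox's own "large amount of network flows" signature is generic. Run against the constructed input, PID 5046 is flagged and the screen reader is not.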
Downloads

/data/data/com.tencent.mobileqq/agUkgggIg8/eeGgfghgeejgfgr/tmp-base.apk.7FjfUh72612950615186504296.fy7
(/data/data/<pkg> is a symlink to /data/user/0/<pkg>, so this is the same directory as the dropped-DEX IoC listed under Signatures.)
Filesize: 918KB
MD5: 92a17c95b62516fa03a1bce7078c1347
SHA1: fac4fb202522b2edf068de81ea47ad6d0e711fcd
SHA256: 52be0d32048188725166de8d1b4c0a61dbb505ccae03d7bdbbd5814b39f7d5e7
SHA512: 30435e217d79313ae80c4b31bea38e4c29b429327d40327c9cd26b1abf1e2de228335d5eceb2560725c6beb21ad9edf5a730f1386311f4fc41ce562f804d808b

(path not recorded in the report)
Filesize: 2.0MB
MD5: 28860a73d09a3a605f9cd9126a5dc187
SHA1: b0ca441db850e7a826e6e9078f79900ac56ebcee
SHA256: 42527f144284424c65171dd1ce40cc10cec846c5ee920ce3d3aea77ca1587c5d
SHA512: e3f99db49e32f1cb265d4de315b3f5d81007da546b92965c364e18d1461f932c4caffbb22599ceafc9c9917f676cdc0eebd537164ad9301436e82b9d321e060c
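The dropped files here and the loaded-DEX IoC under Signatures live in the app's private directory under an arbitrary extension (.fy7), so a dropped stage cannot be recognised by name; it has to be identified by content. The following is an added example (not the sandbox vendor's code) that classifies such bytes as a raw DEX, an APK/JAR archive carrying classes.dex, or neither, and validates a DEX header's adler32 checksum and SHA-1 signature. The same check is the quick way to tell whether a memory-dumped DEX such as behavioral2/memory/5046-0.dex is intact before disassembling it. The header-only DEX produced by build_minimal_dex() and the archive from build_zip_with_dex() are constructed test data, not derived from this sample.

```python
"""Identify and sanity-check a file dropped into an app's private directory.

Added example for this report, not the sandbox vendor's code. The DEX header
layout follows the Android dex format specification: magic 'dex\n0NN\0',
adler32 over bytes 12..end, SHA-1 over bytes 32..end, then file_size,
header_size (0x70) and endian_tag (0x12345678). Test inputs are constructed.
"""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGIC_PREFIX = b"dex\n"
DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678


def build_minimal_dex(version=b"035"):
    """Constructed sample: a header-only DEX with a correct checksum and signature."""
    tail = struct.pack("<III", DEX_HEADER_SIZE, DEX_HEADER_SIZE, ENDIAN_CONSTANT) + b"\x00" * 68
    signature = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF
    return DEX_MAGIC_PREFIX + version + b"\x00" + struct.pack("<I", checksum) + signature + tail


def check_dex(data):
    """Validate a DEX header; 'ok' is True only if every check passes."""
    result = {"ok": False, "problems": []}
    if len(data) < DEX_HEADER_SIZE or data[:4] != DEX_MAGIC_PREFIX or data[7:8] != b"\x00":
        result["problems"].append("not a DEX header")
        return result
    result["version"] = data[4:7].decode("ascii", "replace")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    (class_defs_size,) = struct.unpack_from("<I", data, 96)
    result["file_size"] = file_size
    result["class_defs"] = class_defs_size
    # A memory dump that is truncated or was patched in place fails these two.
    if zlib.adler32(data[12:]) & 0xFFFFFFFF != checksum:
        result["problems"].append("adler32 checksum mismatch (truncated or patched)")
    if hashlib.sha1(data[32:]).digest() != signature:
        result["problems"].append("sha1 signature mismatch")
    if file_size != len(data):
        result["problems"].append(f"file_size {file_size} != actual {len(data)}")
    if header_size != DEX_HEADER_SIZE or endian_tag != ENDIAN_CONSTANT:
        result["problems"].append("unexpected header_size or endian_tag")
    result["ok"] = not result["problems"]
    return result


def identify_payload(data):
    """Classify dropped bytes regardless of the extension they were written with."""
    if data[:4] == DEX_MAGIC_PREFIX:
        return "dex"
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "zip (corrupt)"
        return "apk/jar with classes.dex" if "classes.dex" in names else "zip"
    return "unknown"


def build_zip_with_dex(dex_bytes):
    """Constructed sample: an in-memory APK/JAR-style archive wrapping the DEX."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", dex_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    dex = build_minimal_dex()
    print(identify_payload(dex), check_dex(dex))
    print(identify_payload(build_zip_with_dex(dex)))
```

On a real drop, read the .fy7 file and pass its bytes to identify_payload(); if it is a DEX, a failing checksum or signature means the bytes on disk are not what the runtime saw (or the dump was cut short), so re-acquire before trusting any disassembly. A class_defs count of zero on a dump that claims to be the payload is the other red flag worth checking.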