flubot | 4378c93a35083c348931837ef6be518e7c93642b1a5d2fa140115e6998db8c9e

Analysis

max time kernel
179s
max time network
188s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
26-08-2024 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4378c93a35083c348931837ef6be518e7c93642b1a5d2fa140115e6998db8c9e.apk
Size

4.1MB
MD5

02f8b54203644f951c8c4b5827708949
SHA1

3a431dd74ca00c4c894ede7dbfb880b1d62cbbd7
SHA256

4378c93a35083c348931837ef6be518e7c93642b1a5d2fa140115e6998db8c9e
SHA512

fe1bbdf68ee485e0d010075d2aeda51e298cc29064604905eb47e6fa2120b85504b1fc2e60282f93fcbebc6e38b85c5c231e4e0a1eb07b57112a1a2531a78d23
SSDEEP

98304:wPtaEnsjva/3TefTpBd2pMSDBHG3SZ4/iKGJn2hE:wcLyvI2fGCTKgn2W

Score

10^/10

flubot banker collection credential_access discovery evasion infostealer persistence trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot payload 1 IoCs

resource	yara_rule
behavioral3/memory/4442-0.dex	family_flubot

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.baidu.searchbox/mfhbfvkfxj/hsspvbjhahjjhfh/base.apk.pndpmdd1.von	4442	com.baidu.searchbox

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.baidu.searchbox

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.baidu.searchbox

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.baidu.searchbox

com.baidu.searchbox
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Makes use of the framework's foreground persistence service
- Queries information about active data network
PID:4442

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Network Connections Discovery

T1421

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.baidu.searchbox/mfhbfvkfxj/hsspvbjhahjjhfh/base.apk.pndpmdd1.von

Filesize
2.3MB

MD5
f73d6aea1f0261d2bec7ca8489fa4f9c

SHA1
34910f8e67d6bf0bd4d3d8035c7bc5b9f09c3915

SHA256
e8d163e50ca2b0391476fee78ce577baca0b299de4978576301c9c7437bbe488

SHA512
bae2a377e2b58b557b22e91785a2c750047daff5204b5666bad8961ed18ff5c421290a11c28280601a5e206d573b3f3da74688b001e547a03b0a4c6d14af539a

Download Submit
/data/user/0/com.baidu.searchbox/mfhbfvkfxj/hsspvbjhahjjhfh/tmp-base.apk.pndpmdd8080529183183946707.von

Filesize
859KB

MD5
5eae508a3697267a4149cddc854e7321

SHA1
36e307889a90e4c330e032ccbe7b8cd5157fb6dc

SHA256
eaec71adcd1d0120d891b7a254528b0f633a970f077d19422007a8b7a38b09e2

SHA512
f01ecc00821343253899702d08f95e02ec3625d06ff050db7e4bf8ce2804d596f49078ce570f7519c6189137e04e4319d239d91313a1cad477149ac0ced1916f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads