Analysis

  • max time kernel
    136s
  • max time network
    135s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    02-09-2024 22:02

General

  • Target

    3865302b66b0efee4ab31130cefdeff55c2e269c7d6dd03c0673134f98254185.apk

  • Size

    3.4MB

  • MD5

    83c3142eeb1fc5a3d88807c0c738c543

  • SHA1

    f0e99360e5c78ed7b8b3d08abc58aaebc9daf4c8

  • SHA256

    3865302b66b0efee4ab31130cefdeff55c2e269c7d6dd03c0673134f98254185

  • SHA512

    94741012e99c9685cdf7354117074f40e1f3ac4f60f934279745ceb5146eccf31701a44b23d728ad3d9c52a95af6a00dbd5bc1366bc7fb9fa2a0127b27926bdd

  • SSDEEP

    98304:dKi5SaYvkjZRFJjAC7mc7KAndX42bIeIJ7l:tS6j7FJdx7lnh4kIDx

Malware Config

Signatures

  • FluBot

    FluBot is an android banking trojan that uses overlays.

  • FluBot payload 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about active data network 1 TTPs 1 IoCs

Processes

  • com.iqiyi.i18n
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Makes use of the framework's foreground persistence service
    • Queries information about active data network
    PID:4309
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.iqiyi.i18n/app_apkprotector_dex/classes-v1.bin --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.iqiyi.i18n/app_apkprotector_dex/oat/x86/classes-v1.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4336

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.iqiyi.i18n/app_apkprotector_dex/classes-v1.bin

    Filesize

    1.5MB

    MD5

    681a8c94879a5fba26735daa55551a7a

    SHA1

    ce3e25947da0b9fb718d915a332d9c9e2fa4faae

    SHA256

    c24523c719067daad805b1d68cfef8d2c377a5c5f52092b96093b4488e6e82a2

    SHA512

    19ccd60e41489072df2f84e67840875d3ad5c83914b4d3c5e1ce209a10dc17cfc086fd66d35aa907e7110a7ab51e7d2f84be34ca1f96461316a04e09a789f7f7

  • /data/user/0/com.iqiyi.i18n/app_apkprotector_dex/classes-v1.bin

    Filesize

    1.5MB

    MD5

    920e9c8c3007d205a10bdf61a09261e2

    SHA1

    af519e106d34d675eb7e5dfd99d71251d07bc398

    SHA256

    24ae75b5c7a1e5c89b488547ab4e4d8e119c0cbe6ea23cc168f95ecc6683ff2a

    SHA512

    2c08d9f3dc722d863b9c15e0c2f52164ebdac96d6870debbb0dccb4a0c3e042f36b13968f26915536103ab705ff9249ec2c9f63c19db29950f07e500137c8a57