Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
  • submitted
    03-09-2024 22:02

General

  • Target

    496fc7c217a81516c139b47c8ac97e83f8f1ae149a34ef3f84b4b388a9684825.apk

  • Size

    4.5MB

  • MD5

    873ea658869419d57eed1111ff20585c

  • SHA1

    a9d8d5f05be687db300a2e864a63c98e2bfcd06a

  • SHA256

    496fc7c217a81516c139b47c8ac97e83f8f1ae149a34ef3f84b4b388a9684825

  • SHA512

    2e2535385a1de262a62fd13183a7d47402816fc45ddfd733b566a3e0a5937a90c13868cc405f24d720d2a0d830dee7e375e425c31635f0a0f4d732f0e79bf8af

  • SSDEEP

    98304:1Ye8VKr2TJrvV8K7PxnPYPOfdfltw4XSnzw09xnmVOMRRp/0X:19r4JrvV8KlnPYPOfdfrwPvnmkq/0X

Malware Config

Signatures

  • FluBot

    FluBot is an Android banking trojan that uses overlays.

  • FluBot payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs an executable file dropped onto the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    The application may abuse the accessibility service to prevent its removal.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.tencent.mobileqq
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5237

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.tencent.mobileqq/gIfhUgggkf/pffjfUqGGyyg8yr/tmp-base.apk.uyIs6gr739662342040953792.fg8

    Filesize

    918KB

    MD5

    3562af0a45f8011924eee1e9acd27376

    SHA1

    db2e312edf7723ad177c64699fa389a0078f8922

    SHA256

    1474952ff4524155e1b6417bc75efd5935bf6ff1d2ea359581f807c5d5dc1dd3

    SHA512

    aceafc62a3264a757207ead46f4319747728a1b350051c2c1543e1495d892a7612b5fa42a7834136e84e2c1060dbf51049b6a62978e41a474750d42e2e2d8500

  • /data/user/0/com.tencent.mobileqq/gIfhUgggkf/pffjfUqGGyyg8yr/base.apk.uyIs6gr1.fg8

    Filesize

    2.0MB

    MD5

    1ac98351b806c5f5f1ac49b47ada2d3c

    SHA1

    7d71663a1567bee18bd42dbaa915e1d725e48a84

    SHA256

    10b52287adc8711789f976a5f9df0edf4ac20d6dbae875daff2c2133ecbb6953

    SHA512

    a298198715ad3088827439d660142ca373da4ba3b893668fa536eb6808c968518de7d136c78c38b812589b409bfb9e45a479740bf465736643b8f3c7f7772272