flubot | 822f7878e84b144dc41bd5d2ed3a20df1078ea8a18b6fcc80283aac7137c8e47

Analysis

max time kernel
149s
max time network
152s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
03-09-2024 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

822f7878e84b144dc41bd5d2ed3a20df1078ea8a18b6fcc80283aac7137c8e47.apk
Size

3.8MB
MD5

0f02594634a633ff2e2efca9760a06d5
SHA1

0e18d7a6e1c7cfdc4e7aa78edf6f12337599c5b2
SHA256

822f7878e84b144dc41bd5d2ed3a20df1078ea8a18b6fcc80283aac7137c8e47
SHA512

f70ce28dd8509c0aec437bb87f6c147fe9661c58f5c4f55f85884f5466a884efe05d4420270627379462813b215a4c97e4eae2193bc811c96c178af44d576c7d
SSDEEP

98304:qPTZq21ENBavGDspPfTOcPWx/SdgNwD3kLMS6:qbZqgEN4vmspTxoO

Score

10^/10

flubot banker collection credential_access discovery evasion impact infostealer persistence trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot payload 1 IoCs

resource	yara_rule
behavioral3/memory/4759-0.dex	family_flubot

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.tencent.mobileqq/code_cache/secondary-dexes/base.apk.classes1.zip	4759	com.tencent.mobileqq

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mobileqq

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.tencent.mobileqq

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.tencent.mobileqq

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.mobileqq

com.tencent.mobileqq
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Uses Crypto APIs (Might try to encrypt user data)
PID:4759

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Network Connections Discovery

T1421

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.tencent.mobileqq/code_cache/secondary-dexes/base.apk.classes1.zip

Filesize
2.4MB

MD5
9e185a0bab480be892ec9cadbf5bb591

SHA1
1e16c1543dcb7f0409ed39a12b775d94c3d5b97e

SHA256
6f0b5d517541bbe7534db5102da07008b6039e0380f4cb84cf193e72fcdae311

SHA512
87ee2836387306998ca63426323502c07b976b829307be7b7de2077fc6d1b7ee36de049f267e9ef19d88e92f299d622bf24b6881fae9181a6e32e853fb5bbb97

Download Submit
/data/user/0/com.tencent.mobileqq/code_cache/secondary-dexes/tmp-base.apk.classes7619775866020830280.zip

Filesize
879KB

MD5
5572f9d44b864b4e1d848b4de54a5700

SHA1
bd766e46b7c22ab3421567bf83750260698a7684

SHA256
afc5c4f43d697205834c3fd9b08154f30430f39df12c3286bd8d55751b8b0e41

SHA512
8b40aba4aa870106aeb2e68ac06f455ca2e5070f62712c0958fc1b70cfe41227e6097c20c286612f2be73374ab56e98dad94573e36a1fe44403b4ef3c7cf50a7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads