Analysis
- max time kernel: 149s
- max time network: 151s
- platform: android_x64
- resource: android-33-x64-arm64-20240624-en
- resource tags: android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system
- submitted: 08-01-2025 06:09
Static task
static1
Behavioral task
behavioral1
Sample
831334e1e49ec7a25375562688543ee75b2b3cc7352afc019856342def52476b.apk
Resource
android-33-x64-arm64-20240624-en
General
-
Target
831334e1e49ec7a25375562688543ee75b2b3cc7352afc019856342def52476b.apk
-
Size
4.8MB
-
MD5
c10d38a63e776e5940d281bddbb497d4
-
SHA1
ac0561ee9acc38c138409d03a24bdd992a5b1d96
-
SHA256
831334e1e49ec7a25375562688543ee75b2b3cc7352afc019856342def52476b
-
SHA512
a9ddd9f1f370c0a15fc4f777ccd1bad8e2c3c6ad1236561fe8dc8e44690498e095fe86b755af68d43c14dc9a85cd0f9bbda452463e7dcad1e4bcdb2901ce3da5
-
SSDEEP
98304:5qBTEbLg6IcV1bVGgecr2uoyoqxQ7jjrXJ7dGK4z11GafG63W3KL:5BGcV1bVbjCuoyoqxIxGKk1QafN3BL
Malware Config
Signatures
- FluBot
  FluBot is an Android banking trojan that uses overlays.
- FluBot payload (1 IoCs)
  resource: behavioral1/memory/4323-0.dex, yara_rule: family_flubot
- Flubot family
- Loads dropped Dex/Jar (1 TTPs, 1 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.qiyi.video/gJdedddiuw/dfhesukf9s8fjuj/base.apk.fvxfkd41.jn9, pid: 4323, Process: com.qiyi.video
- Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, Process: com.qiyi.video
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, Process: com.qiyi.video
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText, Process: com.qiyi.video
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Framework service call: android.app.IActivityManager.setServiceForeground, Process: com.qiyi.video
- Performs UI accessibility actions on behalf of the user (1 TTPs, 1 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, Process: com.qiyi.video
- Queries information about active data network (1 TTPs, 1 IoCs)
  Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo, Process: com.qiyi.video
- Requests accessing notifications (often used to intercept notifications before users become aware). (1 TTPs, 1 IoCs)
  Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS, Process: com.qiyi.video
- Requests changing the default SMS application. (2 TTPs, 1 IoCs)
  Intent action: android.provider.Telephony.ACTION_CHANGE_DEFAULT, Process: com.qiyi.video
- Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
  Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, Process: com.qiyi.video
- Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
  Framework API call: javax.crypto.Cipher.doFinal, Process: com.qiyi.video
Processes
- com.qiyi.video (PID: 4323)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about active data network
  - Requests accessing notifications (often used to intercept notifications before users become aware).
  - Requests changing the default SMS application.
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
- User Evasion (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
Credential Access
- Access Notifications (1)
- Input Capture (2)
- GUI Input Capture (1)
- Keylogging (1)
Downloads
-
Filesize
2.2MB
-
Filesize
814KB