Overview

overview

10

Static

static

6

0bc5b37b12...cb.apk

android-13-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0bc5b37b122d9f5335f2b2b3d6532af7538a1ccb

  • Size

    2.9MB

  • Sample

    250227-a7ldtazms4

  • MD5

    eb4558531fd743d006db96d62b6eee5a

  • SHA1

    0bc5b37b122d9f5335f2b2b3d6532af7538a1ccb

  • SHA256

    24ee0cd3a0841533e1a17fb8093509492094142010c324a078ac57ee7b8c032e

  • SHA512

    306fc3ad585cb2bb15fa0dc5534634f8c042e3c3fe421893fe7f13ca2be8ceb4a66e30a252ffec1020aefb137548a449f00ced2f2f8b7e5943cc849094d06466

  • SSDEEP

    49152:HVj5tbVhOhzswxyKr8qfqe+5HwOhIV2XYN5OHgGsUtThM05I/D0NcxZBQr:1j5x46Ud+wOSVdN5kiUtThM0HyxrC

Score
10/10
flubotandroidbankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistencetrojan

Malware Config

Targets

    • Target

      0bc5b37b122d9f5335f2b2b3d6532af7538a1ccb

    • Size

      2.9MB

    • MD5

      eb4558531fd743d006db96d62b6eee5a

    • SHA1

      0bc5b37b122d9f5335f2b2b3d6532af7538a1ccb

    • SHA256

      24ee0cd3a0841533e1a17fb8093509492094142010c324a078ac57ee7b8c032e

    • SHA512

      306fc3ad585cb2bb15fa0dc5534634f8c042e3c3fe421893fe7f13ca2be8ceb4a66e30a252ffec1020aefb137548a449f00ced2f2f8b7e5943cc849094d06466

    • SSDEEP

      49152:HVj5tbVhOhzswxyKr8qfqe+5HwOhIV2XYN5OHgGsUtThM05I/D0NcxZBQr:1j5x46Ud+wOSVdN5kiUtThM0HyxrC

    Score
    10/10
    flubotbankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistencetrojan

    • FluBot

      FluBot is an android banking trojan that uses overlays.

      bankertrojaninfostealerflubot

    • FluBot payload

    • Flubot family

      flubot

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

      collectiondefense_evasioncredential_access

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

      defense_evasionpersistence

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

      evasion

    • Queries information about active data network

      discovery

    • Requests accessing notifications (often used to intercept notifications before users become aware).

      collectioncredential_access

    • Requests changing the default SMS application.

      collectionimpact

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

      defense_evasion

    • Requests enabling of the accessibility settings.

    behavioral1

MITRE ATT&CK Mobile v15

Tasks