flubot | 24ee0cd3a0841533e1a17fb8093509492094142010c324a078ac57ee7b8c032e

Analysis

max time kernel
149s
max time network
158s
platform
android_x64
resource
android-33-x64-arm64-20240624-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
submitted
27/02/2025, 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bc5b37b122d9f5335f2b2b3d6532af7538a1ccb.apk
Size

2.9MB
MD5

eb4558531fd743d006db96d62b6eee5a
SHA1

0bc5b37b122d9f5335f2b2b3d6532af7538a1ccb
SHA256

24ee0cd3a0841533e1a17fb8093509492094142010c324a078ac57ee7b8c032e
SHA512

306fc3ad585cb2bb15fa0dc5534634f8c042e3c3fe421893fe7f13ca2be8ceb4a66e30a252ffec1020aefb137548a449f00ced2f2f8b7e5943cc849094d06466
SSDEEP

49152:HVj5tbVhOhzswxyKr8qfqe+5HwOhIV2XYN5OHgGsUtThM05I/D0NcxZBQr:1j5x46Ud+wOSVdN5kiUtThM0HyxrC

Score

10^/10

flubot banker collection credential_access defense_evasion discovery evasion impact infostealer persistence trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot payload 1 IoCs

resource	yara_rule
behavioral1/memory/4337-0.dex	family_flubot

Flubot family
flubot

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.tencent.qqmusic/kyuGhhqjgI/IgyGwIFgyutFhku/base.apk.TwHh8yk1.IIG	4337	com.tencent.qqmusic

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.qqmusic
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.qqmusic
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.qqmusic

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	icanhazip.com
19	icanhazip.com
20	ipinfo.io
21	ipinfo.io

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.tencent.qqmusic

Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.qqmusic

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.tencent.qqmusic

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.tencent.qqmusic

Requests changing the default SMS application. 2 TTPs 1 IoCs

collection impact

SMS Messages

T1636.004

SMS Control

T1582

description	ioc	Process
Intent action	android.provider.Telephony.ACTION_CHANGE_DEFAULT	com.tencent.qqmusic

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.tencent.qqmusic

Requests enabling of the accessibility settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.tencent.qqmusic

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.qqmusic

com.tencent.qqmusic
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests enabling of the accessibility settings.
- Uses Crypto APIs (Might try to encrypt user data)
PID:4337

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Network Connections Discovery

T1421

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Protected User Data

T1636

SMS Messages

T1636.004

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

SMS Control

T1582

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.tencent.qqmusic/kyuGhhqjgI/IgyGwIFgyutFhku/base.apk.TwHh8yk1.IIG

Filesize
2.0MB

MD5
71d3c225fe4bccb1c1e8fe4384b3d8a8

SHA1
6fe305c0dbc42ea3e26a62fed3861235a9486748

SHA256
510300af78b1c3d65dfc02ee7c00c97f371ed1915eb0b2babdb2cdc551059e38

SHA512
a66d8b6c9d95870f15a29f3151ab381b48377414ed325bc87e1f496dc94730a348657eb6c2da08792e97fdd71df6e06b313190c96aa3d5118ed84d369e961bfe

Download Submit
/data/user/0/com.tencent.qqmusic/kyuGhhqjgI/IgyGwIFgyutFhku/tmp-base.apk.TwHh8yk4477487403641505066.IIG

Filesize
926KB

MD5
ec76ba1db42cca790b01f0a74bbda88b

SHA1
11850c7121807f15af8c3994f0ce96092ebfa744

SHA256
d1bcdf005ccb5925f631013db0c05b575cf32a8f88111f46daa617bc37c35f34

SHA512
268726cfb88ebc641549acb09a2c46be5cec9e736c98d7d551bd4540ad6059e70cd7fff655258f46cf2a2c5f3124a334c0b003b555fa5bcc4fe00a45a43a3ae5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads