flubot | 24ee0cd3a0841533e1a17fb8093509492094142010c324a078ac57ee7b8c032e

General

Target

0bc5b37b122d9f5335f2b2b3d6532af7538a1ccb.apk
Size

2.9MB
MD5

eb4558531fd743d006db96d62b6eee5a
SHA1

0bc5b37b122d9f5335f2b2b3d6532af7538a1ccb
SHA256

24ee0cd3a0841533e1a17fb8093509492094142010c324a078ac57ee7b8c032e
SHA512

306fc3ad585cb2bb15fa0dc5534634f8c042e3c3fe421893fe7f13ca2be8ceb4a66e30a252ffec1020aefb137548a449f00ced2f2f8b7e5943cc849094d06466
SSDEEP

49152:HVj5tbVhOhzswxyKr8qfqe+5HwOhIV2XYN5OHgGsUtThM05I/D0NcxZBQr:1j5x46Ud+wOSVdN5kiUtThM0HyxrC

Score

10^/10

flubot banker collection credential_access defense_evasion discovery evasion impact infostealer persistence trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot payload 1 IoCs

resource	yara_rule
behavioral1/memory/4276-0.dex	family_flubot

Flubot family
flubot

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.tencent.qqmusic/kyuGhhqjgI/IgyGwIFgyutFhku/base.apk.TwHh8yk1.IIG	4276	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.tencent.qqmusic/kyuGhhqjgI/IgyGwIFgyutFhku/base.apk.TwHh8yk1.IIG --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/com.tencent.qqmusic/kyuGhhqjgI/IgyGwIFgyutFhku/oat/x86/base.apk.TwHh8yk1.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.tencent.qqmusic/kyuGhhqjgI/IgyGwIFgyutFhku/base.apk.TwHh8yk1.IIG	4219	com.tencent.qqmusic

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.qqmusic

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ipinfo.io
7	ipinfo.io

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.tencent.qqmusic

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.tencent.qqmusic

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.qqmusic

com.tencent.qqmusic
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Uses Crypto APIs (Might try to encrypt user data)
PID:4219
- /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.tencent.qqmusic/kyuGhhqjgI/IgyGwIFgyutFhku/base.apk.TwHh8yk1.IIG --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/com.tencent.qqmusic/kyuGhhqjgI/IgyGwIFgyutFhku/oat/x86/base.apk.TwHh8yk1.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4276

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

1

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Foreground Persistence

Input Injection

Credential Access

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

System Network Connections Discovery

1

T1421

Lateral Movement

Collection

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.tencent.qqmusic/kyuGhhqjgI/IgyGwIFgyutFhku/tmp-base.apk.TwHh8yk1849095310476454335.IIG

Filesize
926KB

MD5
b42ae331449a05736489626d65d51a88

SHA1
432a806c34159aa7f4a2438a6ba26b9c067cf388

SHA256
40e9c09e2ef90f52c97ec44f3cbb043cdcc6d1c83d0ed41ac89fbeadd12bd628

SHA512
6df9b2394d809588f58c9251a35987a078f08d3ed05ce1f43d1e629871abfeb2fbedeb937ca46d8965775b8a38e23e5e6f97a5b3699b980d2deb6c329cce776b

Download Submit
/data/user/0/com.tencent.qqmusic/kyuGhhqjgI/IgyGwIFgyutFhku/base.apk.TwHh8yk1.IIG

Filesize
2.0MB

MD5
71d3c225fe4bccb1c1e8fe4384b3d8a8

SHA1
6fe305c0dbc42ea3e26a62fed3861235a9486748

SHA256
510300af78b1c3d65dfc02ee7c00c97f371ed1915eb0b2babdb2cdc551059e38

SHA512
a66d8b6c9d95870f15a29f3151ab381b48377414ed325bc87e1f496dc94730a348657eb6c2da08792e97fdd71df6e06b313190c96aa3d5118ed84d369e961bfe

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads