Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags
    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    27/02/2025, 00:58

General

  • Target

    0bc5b37b122d9f5335f2b2b3d6532af7538a1ccb.apk

  • Size

    2.9MB

  • MD5

    eb4558531fd743d006db96d62b6eee5a

  • SHA1

    0bc5b37b122d9f5335f2b2b3d6532af7538a1ccb

  • SHA256

    24ee0cd3a0841533e1a17fb8093509492094142010c324a078ac57ee7b8c032e

  • SHA512

    306fc3ad585cb2bb15fa0dc5534634f8c042e3c3fe421893fe7f13ca2be8ceb4a66e30a252ffec1020aefb137548a449f00ced2f2f8b7e5943cc849094d06466

  • SSDEEP

    49152:HVj5tbVhOhzswxyKr8qfqe+5HwOhIV2XYN5OHgGsUtThM05I/D0NcxZBQr:1j5x46Ud+wOSVdN5kiUtThM0HyxrC

Malware Config

Signatures

  • FluBot

    FluBot is an Android banking trojan that uses overlays.

  • FluBot payload 1 IoCs
  • Flubot family
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.tencent.qqmusic
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Makes use of the framework's foreground persistence service
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4431

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/com.tencent.qqmusic/kyuGhhqjgI/IgyGwIFgyutFhku/base.apk.TwHh8yk1.IIG

    Filesize

    2.0MB

    MD5

    71d3c225fe4bccb1c1e8fe4384b3d8a8

    SHA1

    6fe305c0dbc42ea3e26a62fed3861235a9486748

    SHA256

    510300af78b1c3d65dfc02ee7c00c97f371ed1915eb0b2babdb2cdc551059e38

    SHA512

    a66d8b6c9d95870f15a29f3151ab381b48377414ed325bc87e1f496dc94730a348657eb6c2da08792e97fdd71df6e06b313190c96aa3d5118ed84d369e961bfe

  • /data/user/0/com.tencent.qqmusic/kyuGhhqjgI/IgyGwIFgyutFhku/tmp-base.apk.TwHh8yk1128680755953369674.IIG

    Filesize

    926KB

    MD5

    b42ae331449a05736489626d65d51a88

    SHA1

    432a806c34159aa7f4a2438a6ba26b9c067cf388

    SHA256

    40e9c09e2ef90f52c97ec44f3cbb043cdcc6d1c83d0ed41ac89fbeadd12bd628

    SHA512

    6df9b2394d809588f58c9251a35987a078f08d3ed05ce1f43d1e629871abfeb2fbedeb937ca46d8965775b8a38e23e5e6f97a5b3699b980d2deb6c329cce776b