flubot | 1a569aee63ca83bea22dd2f3cbe00dadcb1e5a1cf32be959890f0ccc8ad10e81

Analysis

max time kernel
149s
max time network
152s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
25/03/2025, 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc45b5f85cee56830a9f7e3001dca42026a9691445afa8f429b57203fc47a1b2.apk
Size

3.3MB
MD5

af9f032aecbb2c3a4f5eed9b5f675419
SHA1

a0ab0777891553d9c1dced5fdafe2b9e1d5b341e
SHA256

fc45b5f85cee56830a9f7e3001dca42026a9691445afa8f429b57203fc47a1b2
SHA512

abec508e52c01e4b2dd822d029629eb82304faba5b8f43c0cb3566f17490ef82e644ff5e270bcfdc595d49e81ca54d40e1c59341f659e5a66bf9f97792fbe2ed
SSDEEP

98304:Q7KGt3ZuI7y690JAD/oD4bSMI6/LTdCH93:QeGfuI7y2oDbV

Score

10^/10

flubot banker collection credential_access defense_evasion discovery evasion impact infostealer persistence trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot payload 1 IoCs

resource	yara_rule
behavioral3/memory/4624-0.dex	family_flubot

Flubot family
flubot
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.tencent.qqmusic/code_cache/secondary-dexes/base.apk.classes1.zip	4624	com.tencent.qqmusic

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.qqmusic

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.tencent.qqmusic

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.tencent.qqmusic

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.qqmusic

com.tencent.qqmusic
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Uses Crypto APIs (Might try to encrypt user data)
PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Network Connections Discovery

T1421

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.tencent.qqmusic/code_cache/secondary-dexes/base.apk.classes1.zip

Filesize
2.4MB

MD5
8ea2dc64e9e7a2740c3e5effe242615e

SHA1
39882a484ee4dbb7ef46554893ce7822b5656eb1

SHA256
d52975758f8799644df1ab42958abe05c3cbb3bd2b436d4ec5c18c2961747300

SHA512
d598e0cd00e0cb25d3a6db7d9ca4226929f843647ccd08dacc0ff40d842d6dfbc3cb00760692787f21cc178d1b76c4ae1db67f44ff7615c66c6f46b705108390

Download Submit
/data/user/0/com.tencent.qqmusic/code_cache/secondary-dexes/tmp-base.apk.classes2870570467065062970.zip

Filesize
878KB

MD5
85ce9c4f12a1b300557210960273e837

SHA1
557a57f7ffff3dd39cdfe43690d1c30f85973e7d

SHA256
dc1f35b4dd1a14c99d1ae0727081c3de81f67a2a2c9e7706a986ffe5a93bdb88

SHA512
cecb0051363eb6c43b031ee5f2db559d38c6853727ccfea3e2099b1bfedebb1ce618a6ed8bd6750d3ac25a787e1050f3c8ea84dd34c312a49ab4fb609cd8ed54

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads