Overview

overview

10

Static

static

10

6a03efa4ff...5e.apk

android-9-x86

10

6a03efa4ff...5e.apk

android-10-x64

10

6a03efa4ff...5e.apk

android-11-x64

10

Analysis

  • max time kernel
    124s
  • max time network
    145s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    25/03/2025, 10:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6a03efa4ffa38032edfb5b604672e8c9e01a324f8857b5848e8160593dfb325e.apk

  • Size

    4.0MB

  • MD5

    1edd97885a8a7e88694be9971ac317e5

  • SHA1

    64c4b39176709a7fa9be936b925b17fb53544da9

  • SHA256

    6a03efa4ffa38032edfb5b604672e8c9e01a324f8857b5848e8160593dfb325e

  • SHA512

    2aa25bae46e2c3f1ebdd2360c378f711ebc40fe82f9541d6a52d48f3ee14f46801a7125d6b02afdeaa342dfd96b6b22017cf7011e81fad749ce864b1703a077a

  • SSDEEP

    98304:s5knISHh3FZNqsf44bTUIYiFZBrzXUpBJ1FS3VfTvOGn/Ms:oknhlj7bUIYi5rzXUbJ1FS3VOGn/Ms

Score
10/10
flubotbankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistencestealthtrojan

Malware Config

Signatures

  • FluBot

    FluBot is an android banking trojan that uses overlays.

    bankertrojaninfostealerflubot
  • FluBot payload 2 IoCs
  • Flubot family
    flubot
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Requests changing the default SMS application. 2 TTPs 1 IoCs
    collectionimpact
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    defense_evasion
  • Requests enabling of the accessibility settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.weico.international
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Requests changing the default SMS application.
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests enabling of the accessibility settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4334
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.weico.international/app_apkprotector_dex/5xae4yYD.aws --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.weico.international/app_apkprotector_dex/oat/x86/5xae4yYD.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4361

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.weico.international/app_apkprotector_dex/5xae4yYD.aws
    Filesize

    2.7MB

    MD5

    b1d614416713cac32114408e34bf65f8

    SHA1

    6d359cdd25d13b7e407c60301ceec5d276b3580c

    SHA256

    43aeff13359ef7e32a451cd4b92c92a0fe1e1379529908da360ad52ab536edee

    SHA512

    ef8b04cd045b89ef6ad4e1ecffa8dd45e7c7adc9a35e1f9648c13bc6c3fa1b916ef8fc592990806755801df460932c128a49836962d5a614858e3c695625786f

    Download Submit

  • /data/user/0/com.weico.international/app_apkprotector_dex/5xae4yYD.aws
    Filesize

    2.7MB

    MD5

    211744d04185befb1fe3cc2ecb18bda0

    SHA1

    40c7be59289933027008f8c8641e96b0225b9307

    SHA256

    75cf04cb3e7a6bc892becd152cb8d9bad274f4105361c3b03e6fcd7c9bffdb79

    SHA512

    052821d79614f4380ca774b39255e4dbe578db0681666fc0db4b44db61d959e31d5f8cf5c34ac87da966b632c3e1dcf1a2de34c889b87a993671443207a3ad6f

    Download Submit