flubot | 50d960ee19dada536fca4afa9602d29123a1e866b6d86ddfffb37e0104f5ff1e

Analysis

max time kernel
149s
max time network
152s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
26/03/2025, 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

831334e1e49ec7a25375562688543ee75b2b3cc7352afc019856342def52476b.apk
Size

4.8MB
MD5

c10d38a63e776e5940d281bddbb497d4
SHA1

ac0561ee9acc38c138409d03a24bdd992a5b1d96
SHA256

831334e1e49ec7a25375562688543ee75b2b3cc7352afc019856342def52476b
SHA512

a9ddd9f1f370c0a15fc4f777ccd1bad8e2c3c6ad1236561fe8dc8e44690498e095fe86b755af68d43c14dc9a85cd0f9bbda452463e7dcad1e4bcdb2901ce3da5
SSDEEP

98304:5qBTEbLg6IcV1bVGgecr2uoyoqxQ7jjrXJ7dGK4z11GafG63W3KL:5BGcV1bVbjCuoyoqxIxGKk1QafN3BL

Score

10^/10

flubot banker collection credential_access defense_evasion discovery evasion infostealer persistence trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot payload 1 IoCs

resource	yara_rule
behavioral3/memory/4788-0.dex	family_flubot

Flubot family
flubot

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.qiyi.video/gJdedddiuw/dfhesukf9s8fjuj/base.apk.fvxfkd41.jn9	4788	com.qiyi.video

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.qiyi.video

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.qiyi.video

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.qiyi.video

com.qiyi.video
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Makes use of the framework's foreground persistence service
- Queries information about active data network
PID:4788

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Network Connections Discovery

T1421

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.qiyi.video/gJdedddiuw/dfhesukf9s8fjuj/base.apk.fvxfkd41.jn9

Filesize
2.2MB

MD5
7e079768ccb1b3921f7e5f259d628057

SHA1
1bd568284cc86cf8cb2fe7f769816116609d5c1a

SHA256
1f5d1129e95cac98b3f7baba1b0c8cee8aced5cc89730b4e066e703aec3233b8

SHA512
5d981ae7b2242d3077b91767b404912b244c5495a1a87b19a492f0731aed0a791377f7b66705a5e54eb25bf74655a536472ad293dcb0cb77f78d99b4c5b0a0dc

Download Submit
/data/user/0/com.qiyi.video/gJdedddiuw/dfhesukf9s8fjuj/tmp-base.apk.fvxfkd41264159796001731012.jn9

Filesize
814KB

MD5
866243c49a7c0d2e71705008acad3ba2

SHA1
652466be861aaca5f97481f84dc0533e1b4ce022

SHA256
cc3399bebc26cc8b8b05b7b7644486d4c74f4c97d7669ae4f7b05a4661c89be3

SHA512
52cb7c2bf84d0d34de3cce1887faf342e55b18e65621d88a6961accd4e880e7efb44dba075b068d1ea6e520f6c921ab981e7ce9b9512b5446f382e7b2afe5c24

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads