Overview

overview

10

Static

static

6

df5944f919...fd.apk

android-9-x86

10

df5944f919...fd.apk

android-10-x64

10

df5944f919...fd.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
  • submitted
    26/03/2025, 13:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    df5944f9190614f04a8818a50438dfaf3339fa95289cdc0af54f8f239eb253fd.apk

  • Size

    5.0MB

  • MD5

    749510b3010a45fea2d2763476e17511

  • SHA1

    79589fd0ba7c1d0afc8c3d1e22ed60a38585348e

  • SHA256

    df5944f9190614f04a8818a50438dfaf3339fa95289cdc0af54f8f239eb253fd

  • SHA512

    b98e95c300068d9273a0e8143f2c9fec31abd8d806cd653dc83ed580a07bda1de6d442a0540e4db5a0abd86dbfd67f012aa6fdcc0ac1b6e9803b0c65bc11c3e4

  • SSDEEP

    98304:4mamSQUaXwpaqhRikhoWQafbXrXmZg5uQ+1xNGbFF8Djc13W3EAe:9SQUaXPSG9q5P+7NGbr8Ds3v

Score
10/10
flubotbankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistencetrojan

Malware Config

Signatures

  • FluBot

    FluBot is an android banking trojan that uses overlays.

    bankertrojaninfostealerflubot
  • FluBot payload 1 IoCs
  • Flubot family
    flubot
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.snda.wifilocating
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Makes use of the framework's foreground persistence service
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5167

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.snda.wifilocating/oewkwyGGdh/lhkuwg5lw4eddfi/tmp-base.apk.hJywvwh3194696446362048274.exf
    Filesize

    925KB

    MD5

    78357617a7a1c726344d014a91519584

    SHA1

    ed9a75a295404be96dc340305e24707776508b1e

    SHA256

    260d359107da87dd8f46f0f9345b21d01c0350d417f49b5c02ad2ac5115e4976

    SHA512

    f5e72b35ee9df0820ea3c7a4ecf17a4e1e87552130df2e58a7edd3405a4d76a66ffb9a66c6b8dd622daf9bb0ce1bf44c2ba9e5f04d4c945da6572cc52de04b89

    Download Submit

  • /data/user/0/com.snda.wifilocating/oewkwyGGdh/lhkuwg5lw4eddfi/base.apk.hJywvwh1.exf
    Filesize

    2.0MB

    MD5

    8f6a03d58739d551ce97c9ffe60a856e

    SHA1

    273f2dacac5579c7f7c3af30a26ad90c1099ad6e

    SHA256

    094a8f367da97786cf701d25c3531d2d9cd525fa201566ecded842d3504c9702

    SHA512

    c1de4894812d9e1ca99bb49ecd3ec000b94803ca5858f846811dab7fb62e0a6867227635a16854f9861679ed440c1775db4242f590196acfa1bbae4c2fe492dc

    Download Submit