flubot | 8e4307f958ef3e5c62e3f0c75176044be90c4863fa546a19a716635379367b97

Analysis

max time kernel
125s
max time network
151s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
09/04/2025, 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e4307f958ef3e5c62e3f0c75176044be90c4863fa546a19a716635379367b97.apk
Size

4.8MB
MD5

afa0e0d9a5a4c04cc27529611cc14e10
SHA1

2c7eda5dd664bca45e46366fd73f868f59aa498a
SHA256

8e4307f958ef3e5c62e3f0c75176044be90c4863fa546a19a716635379367b97
SHA512

6f8ec0148e7d4d016f23569d1777890b2fd5d24c8ee0bc4193311005e41faec97484c9b7ddb1981fb0fcd798c45a33254d2283297e8365a32bde90288dddb16f
SSDEEP

98304:nntSFACZS4YkeOocf0GyqUzhLvS2EuCgvTMPAgi8BFp/BZd4AnObpD1YsFn6:ntS/ZtYkNocf0GDGu2EuJvIPm8BFFdLf

Score

10^/10

flubot banker collection credential_access defense_evasion discovery evasion impact infostealer persistence stealth trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot payload 1 IoCs

resource	yara_rule
behavioral1/memory/4398-0.dex	family_flubot

Flubot family
flubot

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4370	com.tencent.mobileqq

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.tencent.mobileqq/tfTfw8FftU/j8hrjgyuG8gegHg/base.apk.GGygUge1.yHI	4398	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.tencent.mobileqq/tfTfw8FftU/j8hrjgyuG8gegHg/base.apk.GGygUge1.yHI --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/com.tencent.mobileqq/tfTfw8FftU/j8hrjgyuG8gegHg/oat/x86/base.apk.GGygUge1.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.tencent.mobileqq/tfTfw8FftU/j8hrjgyuG8gegHg/base.apk.GGygUge1.yHI	4370	com.tencent.mobileqq

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mobileqq
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.mobileqq
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.mobileqq

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	icanhazip.com
5	icanhazip.com

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.tencent.mobileqq

Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mobileqq
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mobileqq
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mobileqq

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.tencent.mobileqq

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.tencent.mobileqq

Requests changing the default SMS application. 2 TTPs 1 IoCs

collection impact

SMS Messages

T1636.004

SMS Control

T1582

description	ioc	Process
Intent action	android.provider.Telephony.ACTION_CHANGE_DEFAULT	com.tencent.mobileqq

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.tencent.mobileqq

Requests enabling of the accessibility settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.tencent.mobileqq

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.mobileqq

com.tencent.mobileqq
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests enabling of the accessibility settings.
- Uses Crypto APIs (Might try to encrypt user data)
PID:4370
- /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.tencent.mobileqq/tfTfw8FftU/j8hrjgyuG8gegHg/base.apk.GGygUge1.yHI --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/com.tencent.mobileqq/tfTfw8FftU/j8hrjgyuG8gegHg/oat/x86/base.apk.GGygUge1.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4398

Network

MITRE ATT&CK Mobile v16

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Network Connections Discovery

T1421

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Protected User Data

T1636

SMS Messages

T1636.004

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

SMS Control

T1582

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.tencent.mobileqq/tfTfw8FftU/j8hrjgyuG8gegHg/tmp-base.apk.GGygUge2849523847430769291.yHI

Filesize
926KB

MD5
3518269466786fb051a325bbbda1c503

SHA1
fd6de26618e4c43f79417f51b71d0f5ffe4c7ed7

SHA256
123891b598d35bbaedefa21bdd356a012d4f19200d222b0042a6da4119eeb36d

SHA512
a87552d7ba140aaa83a92eaf736c44e10bd4fd1c62d35e2734e4b2e5d112977dfc03d6a697913afff347c788206303a3b0057d19d108ae2d7da6c85f4e83fb94

Download Submit
/data/user/0/com.tencent.mobileqq/tfTfw8FftU/j8hrjgyuG8gegHg/base.apk.GGygUge1.yHI

Filesize
2.0MB

MD5
63d9afc3e175f404b88d33ca77d13bff

SHA1
666f529dfc341e945bb9a4c72e3489bb2979a4d1

SHA256
34162d3f6b5c4d97769abb4e753b1ff4581b4e60537c186836ffc1fe8116f0b0

SHA512
96ea57f78069528d731e5e2ae7d179c67c9be4f33fe590687451f72b34e831706b6325a472ed995ac54447d79b72518c71a155363d0001015f5faf32347b6c0b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v16

Replay Monitor

Loading Replay Monitor...

Downloads