flubot | 215d1c859be950849f3fadd651bad0f7853e7340c34418c446175a488bb9d3f6

General

Target

Voicemail70.apk
Size

3.0MB
MD5

42dd6892c18c1490f098ed09e9faf7a1
SHA1

010403baebac87d5724a187668e3ece52e6075a8
SHA256

215d1c859be950849f3fadd651bad0f7853e7340c34418c446175a488bb9d3f6
SHA512

6b68c8f95996be209b2a988d9723bb57cce2d9d8d0d9ddf6602cd8df35a66fa1a716b39b8370df1cb4b4e0d93da45582b70327a9482b8bf9e8a23570bc2ced24

Score

10^/10

flubot banker infostealer obfuscation ransomware trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot Payload 2 IoCs

Processes:

resource	yara_rule
/data/user/0/com.tencent.mobileqq/app_apkprotector_dex/NkTk7ucV.wine	family_flubot
/data/user/0/com.tencent.mobileqq/app_apkprotector_dex/NkTk7ucV.wine	family_flubot

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

com.tencent.mobileqq

ioc	pid	process
/data/user/0/com.tencent.mobileqq/app_apkprotector_dex/NkTk7ucV.wine	4079	com.tencent.mobileqq
/data/user/0/com.tencent.mobileqq/app_apkprotector_dex/NkTk7ucV.wine	4079	com.tencent.mobileqq

Requests enabling of the accessibility settings. 1 IoCs

Processes:

com.tencent.mobileqq

description ioc process

Intent action android.settings.ACCESSIBILITY_SETTINGS com.tencent.mobileqq
Reads name of network operator 1 IoCs
Uses Android APIs to discover system information.

Processes:

com.tencent.mobileqq

description ioc process

Framework API call android.telephony.TelephonyManager.getNetworkOperatorName com.tencent.mobileqq
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.tencent.mobileqq

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.tencent.mobileqq

description	ioc	process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.tencent.mobileqq

description	ioc	process
Framework API call	android.telephony.TelephonyManager.getNetworkOperatorName	com.tencent.mobileqq

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.mobileqq

Uses reflection 64 IoCs

obfuscation

Processes:

com.tencent.mobileqq

description	pid	process
Invokes method android.view.ViewGroup.makeOptionalFitsSystemWindows	4079	com.tencent.mobileqq
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4079	com.tencent.mobileqq

com.tencent.mobileqq
1⤵
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
- Reads name of network operator
- Uses Crypto APIs (Might try to encrypt user data).
- Uses reflection
PID:4079

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.tencent.mobileqq/app_apkprotector_dex/NkTk7ucV.wine
MD5
547dfa7aaa61a3140114d6b87ecefaa7

SHA1
057a977768d395bd046833d35c486a7e00d2c8cc

SHA256
e7d1a98c60930ec21ddb5ac247498cdb3c7878f2bcfc214813f098ed0fe294ab

SHA512
6db6f5eb0ef8f32ab8a09c5083415ce380f550d07fb8cb322769f2522610f953a53812480ab2981474453b6e4058d90dd211649f64678c369e610994cd098ca3

Download Submit
/data/user/0/com.tencent.mobileqq/app_apkprotector_dex/NkTk7ucV.wine
MD5
b7f0042ec0df3d2bef400ae49c2dced9

SHA1
24eb1be13ec89d2be6c55342873550b42237ca87

SHA256
7943d7ae747c50b2a8f31fbd4ba2e44ce0a363974d8460eb3a04112be1b4e100

SHA512
ab9953854a46c1821ea624967ca77be4e6f5538ed4bf43b5f6adf6d7faadc6c9251bd36549b326bc1d720128f25f15937a6644fbcc0930d86cdd698a2ef317e6

Download Submit
/data/user/0/com.tencent.mobileqq/app_apkprotector_dex/NkTk7ucV.wine
MD5
b7f0042ec0df3d2bef400ae49c2dced9

SHA1
24eb1be13ec89d2be6c55342873550b42237ca87

SHA256
7943d7ae747c50b2a8f31fbd4ba2e44ce0a363974d8460eb3a04112be1b4e100

SHA512
ab9953854a46c1821ea624967ca77be4e6f5538ed4bf43b5f6adf6d7faadc6c9251bd36549b326bc1d720128f25f15937a6644fbcc0930d86cdd698a2ef317e6

Download Submit
/data/user/0/com.tencent.mobileqq/shared_prefs/Voicemail.xml
MD5
7a41b8ae33c8f2becacf4d528ff1b139

SHA1
07ae40b560c85a6e1f4e6aec0204a501f996c706

SHA256
4f7fa55133c0e2c5fe7ce6e9eac86c2a040ed7b9264bb42473c3e47886e47bac

SHA512
f20d5b2fd3263d40ed437679d32f88b8c88e1191f7042df431eb6ecc24893ea00771e9bdd685f55d891438f9b445ad66d61d5ca2f69de0dacbd307f3ce7efa01

Download Submit
/data/user/0/com.tencent.mobileqq/shared_prefs/Voicemail.xml
MD5
df5f1a212e716c5a2d6a4996a1a43c57

SHA1
65d63a07974d10fedf75e576e0f6ccd946597898

SHA256
bd4f588bb55a4de7e85d92c83ea29ccc69dc62ead27e7029ba62139fa0b192e4

SHA512
339465aab71c372297c657c21a63ed6097ceccb692ae78cd7c1b3648949aeab826186a2b5a1ad565230b8692f84f373799f2d75484efff62a33497a2b26e246d

Download Submit
/data/user/0/com.tencent.mobileqq/shared_prefs/Voicemail.xml
MD5
e52b73076432ea73833792128e792794

SHA1
cb2c1f7e4b47776c07a793d420c325370dcb9f78

SHA256
97da9cec6c152642c0a63676f9a7d3b1051cd12cd8bc1636690fe1e1e92ee3f2

SHA512
bb7c43a420255d26d27a80ec860e8a7684e55d0f367b84ea059bacb11f0583386c777cd4ae33444a07dcab5ac113a8f763c6725bbc38324a5ace83bfe5cfa1b8

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads