flubot | 5c4dc3463ce23ec3628f80cd65c90fae221bdab8e92631ef1e536704c2a47a60

General

Target

5c4dc3463ce23ec3628f80cd65c90fae221bdab8e92631ef1e536704c2a47a60.apk
Size

3.0MB
MD5

6a679f7d5a4681fb7e95e730aa7363a0
SHA1

3260270aea544eb415ca07861a75b17d1e2a1c61
SHA256

5c4dc3463ce23ec3628f80cd65c90fae221bdab8e92631ef1e536704c2a47a60
SHA512

724185620d7964d0ed5e08d8f4a0a95ddbcc55333b6ffabc98fa3ae759ed839d546044ef80acc5096d3e0b1213b73ca4d6ebba37d803be1bbd3a496c74c4cfbd

Score

10^/10

flubot banker infostealer obfuscation ransomware trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot Payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.tencent.mobileqq/app_apkprotector_dex/R46Z4rn2.king	family_flubot

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

com.tencent.mobileqq

ioc	pid	process
/data/user/0/com.tencent.mobileqq/app_apkprotector_dex/R46Z4rn2.king	4121	com.tencent.mobileqq
/data/user/0/com.tencent.mobileqq/app_apkprotector_dex/R46Z4rn2.king	4121	com.tencent.mobileqq

Requests enabling of the accessibility settings. 1 IoCs

Processes:

com.tencent.mobileqq

description ioc process

Intent action android.settings.ACCESSIBILITY_SETTINGS com.tencent.mobileqq
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.tencent.mobileqq

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.tencent.mobileqq

description	ioc	process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.tencent.mobileqq

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.mobileqq

Uses reflection 64 IoCs

obfuscation

Processes:

com.tencent.mobileqq

description	pid	process
Invokes method android.view.ViewGroup.makeOptionalFitsSystemWindows	4121	com.tencent.mobileqq
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4121	com.tencent.mobileqq

com.tencent.mobileqq
1⤵
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
- Uses Crypto APIs (Might try to encrypt user data).
- Uses reflection
PID:4121

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.tencent.mobileqq/app_apkprotector_dex/R46Z4rn2.king
MD5
96fa945437051c2ecd943f96ee78e426

SHA1
ad0815de970fdbbe51808c96af97d5649f4561cc

SHA256
a5e24d66712dd49434ddeb0e491ec415c809ae37bcc81c3327ef421f1a5cd1c9

SHA512
df44e8c2dd4b9dcd5aa651202ca62cecf52e37e9958ac9b2ca48e644f2d35f8101fb6b144c566d6522f5fff7b091b8c51c2c781a3d52d64c5586fb4310520406

Download Submit
/data/user/0/com.tencent.mobileqq/app_apkprotector_dex/R46Z4rn2.king
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.tencent.mobileqq/app_apkprotector_dex/R46Z4rn2.king
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.tencent.mobileqq/shared_prefs/Voicemail.xml
MD5
0f7922d154369edee4e429fc124b64b7

SHA1
3aeaec06291d1c136b7921614477c6ca49ffa5f7

SHA256
352a225a6cd54bd99d5f0039049e4aab7a1c717af983c3b6cf230af8b3795bf7

SHA512
7a4680fe37e58a2f7afa5609ba2a200ff9f65ed7f6cca71fb281b694dcd1a4e607fe30577d805f5fc16310164e7df9326fcd3c99bbcaba006535dd509a840604

Download Submit
/data/user/0/com.tencent.mobileqq/shared_prefs/Voicemail.xml
MD5
0c28cab7de0d1f619d88f93b6fc02741

SHA1
69db94e11c3d876c315cacc254e990da317def7f

SHA256
89e185d3bac4b5bb776e055e6461c4572dcc5b170d074980d0ca1dfefcb8ae47

SHA512
05ddd7f5062a4cce3a3ed216dfdcf938071c95cdd12ff0df329dba8812a9f8f54dcc04052aaa1a2857e6594469527ca360f6b117019e687742d1375c6e45b2cb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads