flubot | 373c2b77c58c03b04d7972a004490306f28b83679a35deb104e53cb21918fa4b

General

Target

373c2b77c58c03b04d7972a004490306f28b83679a35deb104e53cb21918fa4b.apk
Size

3.0MB
MD5

3b2255d30c0219d4073fe73b4b65f00e
SHA1

1de2e5082e302242e768cc00d37283d93399e5c8
SHA256

373c2b77c58c03b04d7972a004490306f28b83679a35deb104e53cb21918fa4b
SHA512

68ebcb91c53bfd634e62b0f8c64f6463f7936a1da4978e8467762a5e72676606fd50321850782aedac02d6fccf9f4e84ae8b86953e4d73ecfa30360d4be5c65b

Score

10^/10

flubot banker infostealer obfuscation ransomware suricata trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot Payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.xunmeng.pinduoduo/app_apkprotector_dex/WqsTtsRz.iot	family_flubot

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

com.xunmeng.pinduoduo

ioc	pid	process
/data/user/0/com.xunmeng.pinduoduo/app_apkprotector_dex/WqsTtsRz.iot	4078	com.xunmeng.pinduoduo
/data/user/0/com.xunmeng.pinduoduo/app_apkprotector_dex/WqsTtsRz.iot	4078	com.xunmeng.pinduoduo

Requests enabling of the accessibility settings. 1 IoCs

Processes:

com.xunmeng.pinduoduo

description ioc process

Intent action android.settings.ACCESSIBILITY_SETTINGS com.xunmeng.pinduoduo
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.xunmeng.pinduoduo

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.xunmeng.pinduoduo

description	ioc	process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.xunmeng.pinduoduo

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.xunmeng.pinduoduo

Uses reflection 64 IoCs

obfuscation

Processes:

com.xunmeng.pinduoduo

description	pid	process
Invokes method android.view.ViewGroup.makeOptionalFitsSystemWindows	4078	com.xunmeng.pinduoduo
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4078	com.xunmeng.pinduoduo

com.xunmeng.pinduoduo
1⤵
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
- Uses Crypto APIs (Might try to encrypt user data).
- Uses reflection
PID:4078

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.xunmeng.pinduoduo/app_apkprotector_dex/WqsTtsRz.iot
MD5
2b8bd704cd0664504f9fdb8dae05c957

SHA1
0ce4c4200453439ffa1aa38deafd288d61708dd6

SHA256
ccc7094f0482fa12e2847f2e01730f077c3b2f1d7d1d1991bd5435cfa77b9f0c

SHA512
c843d8912c23972efa9f8372e779bc6b8e94fadb5e28387aba1080a5643340ea968b9130dc5ca6443bea19a6626d04ee71105f2dc55d686642b14d6ffb4592bc

Download Submit
/data/user/0/com.xunmeng.pinduoduo/app_apkprotector_dex/WqsTtsRz.iot
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.xunmeng.pinduoduo/app_apkprotector_dex/WqsTtsRz.iot
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.xunmeng.pinduoduo/shared_prefs/Voicemail.xml
MD5
dac00789dd6cb5e34b2f1dc4a35f9fa7

SHA1
39d1e3612a91f162b1039cc5a2116fc76a31e141

SHA256
2a907842edab86b6ac41ada50dd656a6e054662f18c03cd5dbfad3f008689e90

SHA512
279aa6dc89f15b37972d14dd38625825872ff6d07c0d997bf332ab93d489b4e439cb2c7473ef4f7b30a705eee78b670b66e425521f64bc07ab1fa531c502975e

Download Submit
/data/user/0/com.xunmeng.pinduoduo/shared_prefs/Voicemail.xml
MD5
04175aa3d2b67a08235aa2d534ad8871

SHA1
136891330acc4f839d57bd83d10d494cf46a5890

SHA256
2898648d41a6c2845922566e46efa50cd610a8b26d33ddd5718579714c403861

SHA512
fadbec4fbe604cd106a4c875d8ac496608d542f6416eaf717aa394c7eefd76f41f37ff0d31a9eec407dbecceabf074f69a012b591ecc58873e07bf9e64902c3d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads