flubot | ae8877b889537821a10ca3151dd658e7405c769272b082befbede94e186de4f9

General

Target

ae8877b889537821a10ca3151dd658e7405c769272b082befbede94e186de4f9.apk
Size

3.4MB
MD5

80b71ae1e1240ca23b6843f698570b2a
SHA1

4b95f81ebb35c172043c20edee427812122f8e4b
SHA256

ae8877b889537821a10ca3151dd658e7405c769272b082befbede94e186de4f9
SHA512

70d0be1ce30a23ecff3df96ebef72495697707d648a69b0b7bb6b26b57f801d2d29e73709ef3ea2054be62f33b6063d1b4b99d7b3bbb01600bfdd653f31c7d47

Score

10^/10

flubot banker infostealer obfuscation ransomware trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot Payload 2 IoCs

Processes:

resource	yara_rule
/data/user/0/com.eg.android.AlipayGphone/app_apkprotector_dex/classes-v1.bin	family_flubot
/data/user/0/com.eg.android.AlipayGphone/app_apkprotector_dex/classes-v1.bin	family_flubot

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

com.eg.android.AlipayGphone

ioc	pid	process
/data/user/0/com.eg.android.AlipayGphone/app_apkprotector_dex/classes-v1.bin	3593	com.eg.android.AlipayGphone
/data/user/0/com.eg.android.AlipayGphone/app_apkprotector_dex/classes-v1.bin	3593	com.eg.android.AlipayGphone

Requests enabling of the accessibility settings. 1 IoCs

Processes:

com.eg.android.AlipayGphone

description ioc process

Intent action android.settings.ACCESSIBILITY_SETTINGS com.eg.android.AlipayGphone
Reads name of network operator 1 IoCs
Uses Android APIs to discover system information.

Processes:

com.eg.android.AlipayGphone

description ioc process

Framework API call android.telephony.TelephonyManager.getNetworkOperatorName com.eg.android.AlipayGphone
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.eg.android.AlipayGphone

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.eg.android.AlipayGphone

description	ioc	process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.eg.android.AlipayGphone

description	ioc	process
Framework API call	android.telephony.TelephonyManager.getNetworkOperatorName	com.eg.android.AlipayGphone

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.eg.android.AlipayGphone

Uses reflection 17 IoCs

obfuscation

Processes:

com.eg.android.AlipayGphone

description	pid	process
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	3593	com.eg.android.AlipayGphone
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3593	com.eg.android.AlipayGphone
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3593	com.eg.android.AlipayGphone
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3593	com.eg.android.AlipayGphone
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3593	com.eg.android.AlipayGphone
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3593	com.eg.android.AlipayGphone
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3593	com.eg.android.AlipayGphone
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3593	com.eg.android.AlipayGphone
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3593	com.eg.android.AlipayGphone
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3593	com.eg.android.AlipayGphone
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3593	com.eg.android.AlipayGphone
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3593	com.eg.android.AlipayGphone
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3593	com.eg.android.AlipayGphone
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3593	com.eg.android.AlipayGphone
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3593	com.eg.android.AlipayGphone
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3593	com.eg.android.AlipayGphone
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3593	com.eg.android.AlipayGphone

com.eg.android.AlipayGphone
1⤵
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
- Reads name of network operator
- Uses Crypto APIs (Might try to encrypt user data).
- Uses reflection
PID:3593

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.eg.android.AlipayGphone/app_apkprotector_dex/classes-v1.bin
MD5
07f46dfd0ab168d4170b4b269193f737

SHA1
1e1ee6f7e2d92f3bbe096fabd4a8189101e4eda7

SHA256
5b7e51788f0d2c5cd4f4118a72e4152f8d0a9f594044a3f4df16f6c269d2d337

SHA512
0b979c4676896687796e1724eef9bd614dd27dea2294e93d99b92e4d082a15d18e8200fb1d30f6ddd06cc9184f32dd6b1e1f07c518027fa8a795b876710beeba

Download Submit
/data/user/0/com.eg.android.AlipayGphone/app_apkprotector_dex/classes-v1.bin
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.eg.android.AlipayGphone/app_apkprotector_dex/classes-v1.bin
MD5
31b104df2fdf33aa82a5ae2ef3fa4a46

SHA1
46edfd765550ba62ebb596dda034e52888df3c96

SHA256
174d09031b9e0f37ebceb010d87a70b45adfc519ff23e07846777b64a17a8454

SHA512
297448d26873756c69b8f3c6c0f1ef4c4bf82858de888074700095da90d1a12217fc7ced467461ce0ea0f4f2cd2bdd960231bcb3ba7ab18a9edf46906c2195b6

Download Submit
/data/user/0/com.eg.android.AlipayGphone/shared_prefs/DHL.xml
MD5
245154160ef31d6b81a10f79a9be62b0

SHA1
c917afa44c047d1e26a379c45a0db55e7125f0ff

SHA256
f5afbca88d6e151eeb74d3b7ebd0c0764bc74eed62c2a1fb744882b06f17e762

SHA512
08a24ff2bd4c7480fac3e819ac38edc762179475bcd6704c5821925f5a2e7fa143f122e05c9d0cc89757eaac67a558c167fcacb412afab8ee0dd4019f5793065

Download Submit
/data/user/0/com.eg.android.AlipayGphone/shared_prefs/DHL.xml
MD5
e506e7f7e7d4ac6590c6d3d27032bda1

SHA1
e4322c46ba1199e1073655dfce291a413036e8b0

SHA256
b3c8ea7a7025b112afbccc7eddccc3a7f0ae323f2d8fba7bee9970ff32f5ea8f

SHA512
6a4a784975331149d778566a8089cff34845219da92a733a2eb50d37d40dad5d7d8cd734eebd3618cff87c95637db105b1fe12b17f521ded546a8d29a39b3479

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads