flubot | 3f75ef05607ef774a67d166fa4c4423d78aa7261cf358349724becd61cfb60b9

General

Target

3f75ef05607ef774a67d166fa4c4423d78aa7261cf358349724becd61cfb60b9.apk
Size

3.3MB
MD5

9d86dcf5cfd1bb172a6545d16911b28f
SHA1

2246c62644637e835fc12fff779f55d04e99f081
SHA256

3f75ef05607ef774a67d166fa4c4423d78aa7261cf358349724becd61cfb60b9
SHA512

8a0350caf9da0cc304d3d2c78bbf15ccd85ac99ea2cc1dcecc171fe1585af3804c6525ee6cf38b059a4d0fccf9297c6b938777e64d9be060f6157f30c52fc56d

Score

10^/10

flubot banker infostealer obfuscation ransomware trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot Payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.UCMobile.intl/code_cache/secondary-dexes/base.apk.classes1.zip	family_flubot

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

com.UCMobile.intl

ioc	pid	process
/data/user/0/com.UCMobile.intl/code_cache/secondary-dexes/base.apk.classes1.zip	4098	com.UCMobile.intl
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.UCMobile.intl/code_cache/secondary-dexes/base.apk.classes1.zip]	4098	com.UCMobile.intl

Requests enabling of the accessibility settings. 1 IoCs

Processes:

com.UCMobile.intl

description ioc process

Intent action android.settings.ACCESSIBILITY_SETTINGS com.UCMobile.intl
Reads name of network operator 1 IoCs
Uses Android APIs to discover system information.

Processes:

com.UCMobile.intl

description ioc process

Framework API call android.telephony.TelephonyManager.getNetworkOperatorName com.UCMobile.intl
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.UCMobile.intl

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.UCMobile.intl

description	ioc	process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.UCMobile.intl

description	ioc	process
Framework API call	android.telephony.TelephonyManager.getNetworkOperatorName	com.UCMobile.intl

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.UCMobile.intl

Uses reflection 64 IoCs

obfuscation

Processes:

com.UCMobile.intl

description	pid	process
Invokes method android.view.ViewGroup.makeOptionalFitsSystemWindows	4098	com.UCMobile.intl
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4098	com.UCMobile.intl

com.UCMobile.intl
1⤵
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
- Reads name of network operator
- Uses Crypto APIs (Might try to encrypt user data).
- Uses reflection
PID:4098

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.UCMobile.intl/code_cache/secondary-dexes/MultiDex.lock
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.UCMobile.intl/code_cache/secondary-dexes/base.apk.classes1.zip
MD5
c9f85383915dd46b9f98d476a868b5a3

SHA1
1cec3033b8be4d75eb0ff79641300010ab4d4e9e

SHA256
80d6218368ed03a6869cc65ee40b5a623eab047bbef214ec02acd54230a7c41c

SHA512
06adeb9a4ac97b8e0fb1f45e6d3512ae9fc45a3375ca2b718a7446f6d7eb3b98e49f0e86e447a6e8ff1e651bce329d27e1d661a556f405041a389b68ac7917d1

Download Submit
/data/user/0/com.UCMobile.intl/code_cache/secondary-dexes/tmp-base.apk.classes1597708349828233114.zip
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.UCMobile.intl/shared_prefs/Voicemail.xml
MD5
ed74c32cd752336c4e42b90c1a6f1cf3

SHA1
e7ce57368f65372760a903431a5b9b4f426ebfcf

SHA256
98cba34622d109ebcd7658fa6dc986827db0a5a9e6a172236b77a100b0e559b1

SHA512
234e8507a3148d2024301fe5dfb6b56f32615fc38f27e8d2f8bc1a2b229310b181f548df77ea9d43920bccbb79ac1bef4fba94fda7c028be28719fc55e1e7097

Download Submit
/data/user/0/com.UCMobile.intl/shared_prefs/Voicemail.xml
MD5
588be452c62cb0606f138c2a758a3a1c

SHA1
783c843218dba70bd1059fb0e424b3ae6d8d5607

SHA256
c19dc94810bd038a56cef536a49e31a558b41cfec1b76ba8cfca945687d2eb0b

SHA512
01eaa74a6656d0537f2205cfe40a73ca4566c4a32f91c74337bc3ddb511b300b856efdf5cb5f12ac800f86d58529be8563758533b28111223e46e3e682c549ca

Download Submit
/data/user/0/com.UCMobile.intl/shared_prefs/Voicemail.xml
MD5
890852123b6a87bef47a1292b24f794c

SHA1
2ed8942523dcda6cd92ddf475e7204b3140a2a1e

SHA256
60d431a29e5eb054359ea7ef32fbc134da9969d7b9e57430d95a71a3a9d2d4b6

SHA512
58566ef063c13d4f957130140783f0b279de0dd14d4a891b5b190cf04055aab30f2a1f749b2ac7d0a44bfac469cf00341c5f5630b73591b3e7457d81b3ede81c

Download Submit
/data/user/0/com.UCMobile.intl/shared_prefs/multidex.version.xml
MD5
db2275fdf8a4ff12b62975968c1ce59e

SHA1
755eacb983f54f139233765817b7616e18a4901c

SHA256
00da735dab542bb913b9b1ae76e54fa53579b1be7f891c2187e8e5674b4ff730

SHA512
79f401f3d1e56e2d9550a264b69fbce6c0c2a146b62d91d75d3121890689ff5d9b09c159ce27bb1c3e2d977157b9152f90746386f29ce3100dcd304c27b5bd7b

Download Submit
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.UCMobile.intl/code_cache/secondary-dexes/base.apk.classes1.zip]
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads