flubot | b3406beb0c6a2c9ed4e582be6857092235f29f34c0a22b1be5bfd911cf2e0026

General

Target

b3406beb0c6a2c9ed4e582be6857092235f29f34c0a22b1be5bfd911cf2e0026.apk
Size

3.0MB
MD5

6e08fd5dc3f9200b0cfa6290211df9c8
SHA1

827b804ab5d38216a9aec21da6d382dc77a6451f
SHA256

b3406beb0c6a2c9ed4e582be6857092235f29f34c0a22b1be5bfd911cf2e0026
SHA512

3ad6add02639ea6b40b04f3558d1e2f271ae32ecd34ed45a5f0deb5bd557963b37465dba0cce7a86a7246957380f676cb3be9377663d39c6c88c3ff30c00211e

Score

10^/10

flubot banker infostealer obfuscation ransomware trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot Payload 2 IoCs

Processes:

resource	yara_rule
/data/user/0/com.xunmeng.pinduoduo/app_apkprotector_dex/XoyN2M3V.king	family_flubot
/data/user/0/com.xunmeng.pinduoduo/app_apkprotector_dex/XoyN2M3V.king	family_flubot

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

com.xunmeng.pinduoduo

ioc	pid	process
/data/user/0/com.xunmeng.pinduoduo/app_apkprotector_dex/XoyN2M3V.king	3927	com.xunmeng.pinduoduo
/data/user/0/com.xunmeng.pinduoduo/app_apkprotector_dex/XoyN2M3V.king	3927	com.xunmeng.pinduoduo

Requests enabling of the accessibility settings. 1 IoCs

Processes:

com.xunmeng.pinduoduo

description ioc process

Intent action android.settings.ACCESSIBILITY_SETTINGS com.xunmeng.pinduoduo
Reads name of network operator 1 IoCs
Uses Android APIs to discover system information.

Processes:

com.xunmeng.pinduoduo

description ioc process

Framework API call android.telephony.TelephonyManager.getNetworkOperatorName com.xunmeng.pinduoduo
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.xunmeng.pinduoduo

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.xunmeng.pinduoduo

description	ioc	process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.xunmeng.pinduoduo

description	ioc	process
Framework API call	android.telephony.TelephonyManager.getNetworkOperatorName	com.xunmeng.pinduoduo

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.xunmeng.pinduoduo

Uses reflection 64 IoCs

obfuscation

Processes:

com.xunmeng.pinduoduo

description	pid	process
Invokes method android.view.ViewGroup.makeOptionalFitsSystemWindows	3927	com.xunmeng.pinduoduo
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3927	com.xunmeng.pinduoduo

com.xunmeng.pinduoduo
1⤵
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
- Reads name of network operator
- Uses Crypto APIs (Might try to encrypt user data).
- Uses reflection
PID:3927

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.xunmeng.pinduoduo/app_apkprotector_dex/XoyN2M3V.king
MD5
7a23a69a864ed0a5929caa321ea2740f

SHA1
eae265c7e61526581a5b8bb9eb0d86926bb336c4

SHA256
2f468742e9f736a3fb2789a5518b20e0faeaef2d602179ed412251a712b170eb

SHA512
c463a4fcbadfd9a3d8cccec7a683770553f30aec2d43f9de39bc186230c8a2874fe106c886c4c75ca98aa42201c49d735f870b29b74b95262b9c0bc9290d3f49

Download Submit
/data/user/0/com.xunmeng.pinduoduo/app_apkprotector_dex/XoyN2M3V.king
MD5
e1127742c5aca7f5975c96676cabd0c8

SHA1
f51390ea4377ab97e21714c767835dbed86bce0f

SHA256
d9e37c715c951299ac2e2af98a8471a39835fb96d7c017863dc16109c6606672

SHA512
7149751b2863e71ddef99e1ca06cd171cdddc4246067b11a36cc7f4c2649963c86695cc059f1a260ae02fb105cbf2374597096cc0675d63125212ba6b98bf332

Download Submit
/data/user/0/com.xunmeng.pinduoduo/app_apkprotector_dex/XoyN2M3V.king
MD5
e1127742c5aca7f5975c96676cabd0c8

SHA1
f51390ea4377ab97e21714c767835dbed86bce0f

SHA256
d9e37c715c951299ac2e2af98a8471a39835fb96d7c017863dc16109c6606672

SHA512
7149751b2863e71ddef99e1ca06cd171cdddc4246067b11a36cc7f4c2649963c86695cc059f1a260ae02fb105cbf2374597096cc0675d63125212ba6b98bf332

Download Submit
/data/user/0/com.xunmeng.pinduoduo/shared_prefs/Voicemail.xml
MD5
0ea5c502749f10dbc8d006a52e2efaa7

SHA1
e6a9dfb90f148424e0cc565243e21b8da3a9ffad

SHA256
62a9dc22ee05545944e39a23322c15d4a957d9be1984830889c3a664b0a68a95

SHA512
b7d7a9b49733efaa8b8760215509ac24fbcae742a940349bb47c33e8d654902da96bd5c2d2dbff0be9224dc50f1740d56980c4ceb10fc48315e535d057eae1a0

Download Submit
/data/user/0/com.xunmeng.pinduoduo/shared_prefs/Voicemail.xml
MD5
ff3fa23b717c5db51ec0088c6270ac22

SHA1
80a455a5a559fd727d0852b9cdc449f2866e7a0c

SHA256
86bf388392088593677b49dc49b015ff3b9420ed00a54012fd47b800a01977ec

SHA512
3f559a94596634a6bb26b072480dee3066930f2f514e7dc65936728816745571036e82f31d04e63c76057d7bb9401d401a352a7c6d133d146f919d523670d0fc

Download Submit
/data/user/0/com.xunmeng.pinduoduo/shared_prefs/Voicemail.xml
MD5
448e9648f7a132faa3fb3cb81dbda346

SHA1
54fb5653a9070a273197caec77f0934e44691640

SHA256
caf9a82ea52812f4112058d0849eeed5c6bfb9da33d76e418f9bff2c1ddb58bf

SHA512
005d22076a7e559470f0eab4b615f8ce43e75d41f7499f7a56bdc8618a8a12931f71e3257d3a19a931a2aacff38d6316701c9b3c8ed89211e619541930fa2bbb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads