Malware Analysis Report

2025-01-19 05:42

Sample ID 210811-tgwaa53vdn
Target 275d4203f724c8649b02cb312be4c20e9b55fa043516574812e24210e8204a95.apk
SHA256 275d4203f724c8649b02cb312be4c20e9b55fa043516574812e24210e8204a95
Tags
flubot banker infostealer ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

275d4203f724c8649b02cb312be4c20e9b55fa043516574812e24210e8204a95

Threat Level: Known bad

The file 275d4203f724c8649b02cb312be4c20e9b55fa043516574812e24210e8204a95.apk was found to be: Known bad.

Malicious Activity Summary

flubot banker infostealer ransomware trojan

FluBot

FluBot Payload

Requests dangerous framework permissions

Loads dropped Dex/Jar

Requests enabling of the accessibility settings.

Reads name of network operator

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2021-08-11 12:26

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-08-11 12:26

Reported

2021-08-11 12:28

Platform

android-x64

Max time kernel

892319s

Max time network

125s

Command Line

com.iqiyi.i18n

Signatures

FluBot

banker trojan infostealer flubot

FluBot Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.iqiyi.i18n/app_apkprotector_dex/classes-v1.bin | N/A | N/A
N/A | /data/user/0/com.iqiyi.i18n/app_apkprotector_dex/classes-v1.bin | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Reads name of network operator

Description | Indicator | Process | Target
Framework API call | android.telephony.TelephonyManager.getNetworkOperatorName | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.iqiyi.i18n

Network

Country | Destination | Domain | Proto
N/A | 1.1.1.1:853 | N/A | tcp
N/A | 216.239.35.8:123 | time.android.com | udp
N/A | 1.1.1.1:853 | N/A | tcp
N/A | 194.58.112.174:80 | sqhrpytcpudojpd.ru | tcp
N/A | 87.106.18.146:80 | ivnxfjnsybvsbly.ru | tcp
N/A | 85.214.228.140:80 | gfoafycavdytdrv.ru | tcp
N/A | 186.145.238.42:80 | gjujgxolvbnjktc.ru | tcp
N/A | 186.145.238.42:80 | gjujgxolvbnjktc.ru | tcp
N/A | 186.145.238.42:80 | gjujgxolvbnjktc.ru | tcp
N/A | 186.145.238.42:80 | gjujgxolvbnjktc.ru | tcp
N/A | 186.145.238.42:80 | gjujgxolvbnjktc.ru | tcp

Files

/data/user/0/com.iqiyi.i18n/app_apkprotector_dex/classes-v1.bin

MD5 60b28e463f010c3c441ff7500fa07933
SHA1 452409673ac4a52fc967e9674718ebc92586e08a
SHA256 c878f569215f440bd8565092a3545c0b8d0beebd6cfdaa320177df035492ae6d
SHA512 832add4d164a6d4151993ce4622ab6cc399ccbe89d1a677af5fee50bde3c69c0d474a17492f0e3433a6cc46f016bf9daded39c1aad3d1785a4f7422214bd3f35

/data/user/0/com.iqiyi.i18n/app_apkprotector_dex/classes-v1.bin

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.iqiyi.i18n/app_apkprotector_dex/classes-v1.bin

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.iqiyi.i18n/shared_prefs/DHL.xml

MD5 07b8ad57428916ee7f8c8b17a4276132
SHA1 58337b4e4875965540df7e11c903e35b569b60f6
SHA256 f2ee57636483a367b2bb8b1d2bd732e4322e2cfed3a60da6fc257241707ab145
SHA512 4804e00b20ab81ea6d2ecd1c6f984c4fee8ebb2db4adb593524b5ec66dd9a1a5c890426f5418fd4c89b8f9f8afd401f77265e67a414da76ab470982da232018f

/data/user/0/com.iqiyi.i18n/shared_prefs/DHL.xml

MD5 1ab780fc32fce109eaf9e1ddf82038a9
SHA1 cb09a1d11a7c097304788424e2336e5d02dcfe15
SHA256 33b44613edaabece1c0e1fde1842146e88cda7673f44fee66bbe20e8b4e09bb6
SHA512 b28f1f8791b1558615690493f55f6bef5ab802fc18ae1cd5815b87f44c4de43d6cb277414dad4d062d36cc7cf6026dc8993154352c7c42abeed263c1bb26dedc