Analysis

max time kernel: 1051715s
max time network: 157s
platform: android_x64
resource: android-x64-arm64
submitted: 13-08-2021 08:42

Static task: static1
Behavioral task: behavioral1
Sample: 7d8ecd35868f24d7ebe3b0c3a3d234b4a4451e5b5c0675220e561026963ccd4f.apk
Resource: android-x64-arm64
0 signatures, 0 seconds
General

Target: 7d8ecd35868f24d7ebe3b0c3a3d234b4a4451e5b5c0675220e561026963ccd4f.apk
Size: 4.9MB
MD5: 3a7abc95848383dafb1457ec6716535a
SHA1: 142c7f5587d64f04cbbecf5ea72fe900abf6fbbd
SHA256: 7d8ecd35868f24d7ebe3b0c3a3d234b4a4451e5b5c0675220e561026963ccd4f
SHA512: 09acc8888fe61f05a0ec93ad3dae16d21b1a4a0c05188376c18000171b430f8064193eeee1ed209119f3df6ad93a9b69630788362c264363e9d7e2a0b1044a1f
Malware Config
Signatures

FluBot
FluBot is an Android banking trojan that uses overlays.

FluBot Payload (1 IoC)
resource: behavioral1/memory/3852-1.dex
yara_rule: family_flubot
The resource path shows the YARA match was made against a dex image dumped from the memory of pid 3852 during the behavioral run, i.e. against code that was unpacked at runtime rather than against the APK as submitted.
Loads dropped Dex/Jar (2 IoCs)
Runs an executable file dropped to the device during analysis.
ioc: /data/user/0/slight.glare.rail/app_DynamicOptDex/KfhdqoP.json, pid 3852, process slight.glare.rail
ioc: /data/user/0/slight.glare.rail/app_DynamicOptDex/KfhdqoP.json, pid 3852, process slight.glare.rail
Both entries name the same file: a payload the app wrote into its own private data directory under a .json filename and then loaded as dex. The extension is cosmetic; when triaging, check files in app_*/ directories by magic bytes (dex\n or PK), not by name.
Requests enabling of the accessibility settings (1 IoC)
ioc: Intent action android.settings.ACCESSIBILITY_SETTINGS, process slight.glare.rail
The app launches the system Accessibility Settings screen, where the user is prompted to enable an accessibility service for it. The report records only the intent, not whether the service was actually enabled.
Reads name of network operator (1 IoC)
Uses Android APIs to discover system information.
ioc: Framework API call android.telephony.TelephonyManager.getNetworkOperatorName, process slight.glare.rail
Uses Crypto APIs (might try to encrypt user data) (1 IoC)
ioc: Framework API call javax.crypto.Cipher.doFinal, process slight.glare.rail
A single Cipher.doFinal call is low-signal on its own: it is equally consistent with decrypting embedded strings or a configuration blob, and the report does not show the cipher mode, key, or data size.
Uses reflection (11 IoCs)
pid 3852, process slight.glare.rail
Accesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE (1 time)
Accesses field javax.security.auth.x500.X500Principal.thisX500Name (10 times)
Both targets are non-public TLS internals: OkHostnameVerifier.INSTANCE is the singleton that performs hostname verification for the platform's bundled OkHttp, and X500Principal.thisX500Name holds the parsed distinguished name of a certificate subject or issuer. Reflective access to them is consistent with an app inspecting or overriding certificate validation, but the report does not show what was done with the fields. These hooks fire for the whole process, so the accesses may originate in the app's own code or in platform libraries loaded into it; confirm by searching the dumped dex (behavioral1/memory/3852-1.dex) for the field names.
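A way to re-derive these signature rows from a behavioral event stream, as an added example that is not the sandbox's own rule code. The event schema, rule names, and the events themselves are constructed here to mirror the rows above (same package, pid, path and API names), with one benign API call added to show a non-match; the disguised-extension check on the dropped dex path is an assumption about what a practitioner would add.

```python
"""Re-derive the behavioural signatures in this report from an event stream.

Added example for illustration; the event schema, rule names and constructed
events are assumptions modelled on the report, not the sandbox's own code.
"""
import re
from collections import Counter

PKG, PID = "slight.glare.rail", 3852


def ev(kind, **fields):
    # Every event carries the process and pid seen in the report.
    return {"kind": kind, "pid": PID, "process": PKG, **fields}


# Constructed sample input mirroring the report's IoC rows, plus one benign call.
EVENTS = (
    [ev("dex_load", path="/data/user/0/slight.glare.rail/app_DynamicOptDex/KfhdqoP.json")] * 2
    + [ev("intent", action="android.settings.ACCESSIBILITY_SETTINGS")]
    + [ev("api", call="android.telephony.TelephonyManager.getNetworkOperatorName")]
    + [ev("api", call="javax.crypto.Cipher.doFinal")]
    + [ev("reflect_field", field="com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE")]
    + [ev("reflect_field", field="javax.security.auth.x500.X500Principal.thisX500Name")] * 10
    + [ev("api", call="android.content.Context.getString")]  # benign, must not match
)

# App-private storage on Android: /data/user/<n>/<pkg>/ or the /data/data/<pkg>/ alias.
PRIVATE_DIR = re.compile(r"^/data/(?:user/\d+|data)/([^/]+)/")
CODE_EXT = (".dex", ".jar", ".apk", ".odex", ".zip")
# Prefixes of TLS / certificate internals worth calling out when reached by reflection.
TLS_INTERNALS = ("com.android.okhttp.internal.tls.",
                 "javax.security.auth.x500.X500Principal.",
                 "javax.net.ssl.")


def rule_dropped_dex(e):
    """Code loaded at runtime from the process's own private directory."""
    if e["kind"] != "dex_load":
        return None
    m = PRIVATE_DIR.match(e["path"])
    if not m or m.group(1) != e["process"]:
        return None
    tag = "" if e["path"].lower().endswith(CODE_EXT) else " [disguised extension]"
    return "Loads dropped Dex/Jar", e["path"] + tag


def rule_accessibility(e):
    if e["kind"] == "intent" and e["action"] == "android.settings.ACCESSIBILITY_SETTINGS":
        return "Requests enabling of the accessibility settings", e["action"]
    return None


def rule_operator(e):
    if e["kind"] == "api" and e["call"] == "android.telephony.TelephonyManager.getNetworkOperatorName":
        return "Reads name of network operator", e["call"]
    return None


def rule_crypto(e):
    if e["kind"] == "api" and e["call"].startswith("javax.crypto.Cipher."):
        return "Uses Crypto APIs", e["call"]
    return None


def rule_reflection(e):
    if e["kind"] == "reflect_field":
        return "Uses reflection", e["field"]
    return None


RULES = (rule_dropped_dex, rule_accessibility, rule_operator, rule_crypto, rule_reflection)


def evaluate(events):
    """Map each signature name to the list of IoC strings that matched it."""
    hits = {}
    for e in events:
        for rule in RULES:
            r = rule(e)
            if r:
                hits.setdefault(r[0], []).append(r[1])
    return hits


def ioc_counts(hits):
    """Per-signature IoC counts, as shown in the report headings."""
    return {sig: len(iocs) for sig, iocs in hits.items()}


def tls_reflection_targets(hits):
    """Reflected fields that belong to hostname/certificate internals, with counts."""
    return dict(Counter(f for f in hits.get("Uses reflection", []) if f.startswith(TLS_INTERNALS)))


if __name__ == "__main__":
    h = evaluate(EVENTS)
    for sig, n in ioc_counts(h).items():
        print(f"{sig}: {n} IoCs")
    print(tls_reflection_targets(h))
```

Running it reproduces the counts in the headings above (2, 1, 1, 1, 11) and singles out the two TLS-related reflection targets; the benign getString call trips nothing.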