Malware Analysis Report

2025-01-19 05:42

Sample ID 210817-9khrv7hfyn
Target 991fa28524eeda6f8fe3430c1d44a7ef42c4240c275e630548e2eda73789b469.apk
SHA256 991fa28524eeda6f8fe3430c1d44a7ef42c4240c275e630548e2eda73789b469
Tags
flubot banker infostealer obfuscation ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

991fa28524eeda6f8fe3430c1d44a7ef42c4240c275e630548e2eda73789b469

Threat Level: Known bad

The file 991fa28524eeda6f8fe3430c1d44a7ef42c4240c275e630548e2eda73789b469.apk was found to be: Known bad.

Malicious Activity Summary

flubot banker infostealer obfuscation ransomware trojan

FluBot

FluBot Payload

Requests dangerous framework permissions

Loads dropped Dex/Jar

Requests enabling of the accessibility settings.

Reads name of network operator

Uses Crypto APIs (Might try to encrypt user data).

Uses reflection

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2021-08-17 10:25

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-08-17 10:25

Reported

2021-08-17 10:27

Platform

android-x64

Max time kernel

1403458s

Max time network

117s

Command Line

com.tencent.mobileqq

Signatures

FluBot

banker trojan infostealer flubot

FluBot Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.tencent.mobileqq/app_DynamicOptDex/btJiFwP.json | N/A | N/A
N/A | /data/user/0/com.tencent.mobileqq/app_DynamicOptDex/btJiFwP.json | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Reads name of network operator

Description | Indicator | Process | Target
Framework API call | android.telephony.TelephonyManager.getNetworkOperatorName | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Uses reflection

obfuscation
Description | Indicator | Process | Target
Accesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE | N/A | N/A | N/A
Accesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A
Accesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A
Accesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A
Accesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A
Accesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A
Accesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A
Accesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A
Accesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A
Accesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A
Accesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A
Accesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A
Accesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A
Accesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A
Accesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A

Processes

com.tencent.mobileqq

Network

Country | Destination | Domain | Proto
N/A | 1.1.1.1:853 | | tcp
N/A | 1.1.1.1:853 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 87.106.18.146:80 | bmwedwslangtayb.ru | tcp
N/A | 194.58.112.174:80 | eprwfthrquwdmlk.ru | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 216.239.35.12:123 | time.android.com | udp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 85.214.228.140:80 | emkbnbttbufjhax.ru | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 179.38.113.242:80 | gurjealmokihfsa.ru | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 104.16.249.249:443 | | tcp
N/A | 179.38.113.242:80 | gurjealmokihfsa.ru | tcp
N/A | 179.38.113.242:80 | gurjealmokihfsa.ru | tcp
N/A | 179.38.113.242:80 | gurjealmokihfsa.ru | tcp
N/A | 179.38.113.242:80 | gurjealmokihfsa.ru | tcp
N/A | 179.38.113.242:80 | gurjealmokihfsa.ru | tcp

Files

/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/btJiFwP.json

MD5 c76a33c8c0cad41b82d0d8d6e88ec7ac
SHA1 ed844413b06f6e2fbba087cd8dfee9ce0d36b815
SHA256 2b5330a23d4fa7031d0d90e3146ec674d2353b25476d259c9d34ad429005fed8
SHA512 3e19d1ccdb5857a5f87092039f3d7a88e4655d4db53419b6e516a55baf594775bc0d44755df9d15f330b337638e5226c303096e75f664fcad4f5bf14bf03df68

/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/btJiFwP.json

MD5 4751e30d80997c4507c34d00e79f3df3
SHA1 1060c4762b297f401fa59cad99d3ba5d776c7e9a
SHA256 efe09ee103b3f8716493dba38909fb3b7b1c5ab71ce6a1eb1520cf861321ca56
SHA512 9ea225a3b0d9901f6002b2c28375f26fcb7b70e9bd97728507c082e91ac059e9ed73b323a0fb4aee6a106336c86a9ab7a9f7fba2b621919e71f1a3bd3bafbff9

/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/btJiFwP.json

MD5 c76a33c8c0cad41b82d0d8d6e88ec7ac
SHA1 ed844413b06f6e2fbba087cd8dfee9ce0d36b815
SHA256 2b5330a23d4fa7031d0d90e3146ec674d2353b25476d259c9d34ad429005fed8
SHA512 3e19d1ccdb5857a5f87092039f3d7a88e4655d4db53419b6e516a55baf594775bc0d44755df9d15f330b337638e5226c303096e75f664fcad4f5bf14bf03df68

/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/oat/btJiFwP.json.cur.prof

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.tencent.mobileqq/shared_prefs/UPS.xml

MD5 3667e937146afe85c8eb06938d8c1a5d
SHA1 1cbb6b198af375e1c10b9dfdde6ecd5cc18b1289
SHA256 69a71982a4e729dc2acdc7f317ae987dee9fd49e85a1b7e7a312e2f0b66284c7
SHA512 3625426d6e511cc95ce1ff4c518eee24b3f4846f58f5dfead471fc37716b96fa58e033266ae89fa1da0feed48dd7671fe4c833009f243817080af650eb3c0d59

/data/user/0/com.tencent.mobileqq/shared_prefs/UPS.xml

MD5 cf57012bd2d221b3d8499f27e44a58c5
SHA1 d077b9a5f9964f16a9da8d886d1d096a442f0c5d
SHA256 2a37fa9c321a101751e90eafded02b80224461d3e9a718532c983db4a0401575
SHA512 087191cef4ebe404f6fd8ab2ac2ea4378ccb62e0c141a5ba1e27e84b0c908975c3bea9d789715fe004d0209a52081b62942e942fdf223891fd572847aa7255cf