Malware Analysis Report

2025-01-19 05:42

Sample ID 210817-9skblqfx9x
Target 6095140ebd9bd139530107f1eb4e50a8f023dada2e2d2f1845fbe1500c8de1b8.apk
SHA256 6095140ebd9bd139530107f1eb4e50a8f023dada2e2d2f1845fbe1500c8de1b8
Tags
flubot banker infostealer obfuscation ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6095140ebd9bd139530107f1eb4e50a8f023dada2e2d2f1845fbe1500c8de1b8

Threat Level: Known bad

The file 6095140ebd9bd139530107f1eb4e50a8f023dada2e2d2f1845fbe1500c8de1b8.apk was found to be: Known bad.

Malicious Activity Summary

flubot banker infostealer obfuscation ransomware trojan

FluBot

FluBot Payload

Requests dangerous framework permissions

Loads dropped Dex/Jar

Requests enabling of the accessibility settings.

Reads name of network operator

Uses Crypto APIs (Might try to encrypt user data).

Uses reflection

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2021-08-17 07:30

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-08-17 07:30

Reported

2021-08-17 07:33

Platform

android-x64

Max time kernel

1392958s

Max time network

125s

Command Line

com.tencent.mm

Signatures

FluBot

banker trojan infostealer flubot

FluBot Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin | N/A | N/A
N/A | /data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Reads name of network operator

Description | Indicator | Process | Target
Framework API call | android.telephony.TelephonyManager.getNetworkOperatorName | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Uses reflection

obfuscation
Description | Indicator | Process | Target
Accesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE | N/A | N/A | N/A
Accesses field javax.security.auth.x500.X500Principal.thisX500Name (36 identical rows) | N/A | N/A | N/A

Processes

com.tencent.mm

Network

Country | Destination | Domain | Proto
N/A | 1.1.1.1:853 | | tcp
N/A | 216.239.35.0:123 | time.android.com | udp
N/A | 1.1.1.1:853 | | tcp
N/A | 104.16.248.249:443 | | tcp (20 identical rows)
N/A | 61.36.14.230:80 | updolikflgqtabg.ru | tcp
N/A | 104.16.248.249:443 | | tcp (35 identical rows)
N/A | 61.36.14.230:80 | updolikflgqtabg.ru | tcp (5 identical rows)

Files

/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin

MD5 7b8948d91629874c0f306a7ded0f6fb6
SHA1 1ddfa9be8cc79d4829de6ca14f7e3c80f2334092
SHA256 543aef990fd57ca3af8c272018106620fd9316e0b3dbb3383baae53f567c04f0
SHA512 19c5c7515913bc841d3c04a632ac0bc6f71f5b6c02ef740683241b32e021bb0c7c98116f1958bbeecb1bfafce92749e9333ffceebab8deed5790ac3b83bc9326

/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin (zero-byte capture: the hashes below are those of an empty file)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin

MD5 dd00ec74f90316b4c1eb5ac57865d66b
SHA1 1744e7524664a7a08c803b7799370e783163529b
SHA256 d078d295308ac9fc559fe8ef64ed7b0daeffa220fff82352cbf8a751828e1ddd
SHA512 8c835227df714e7fa601b9dabac5aad73a6b13fdfbf5306e1fd963570a0715f56c7895dc53b934d4b6bfd9cb73742b55729f41a635113a7e3f0dc40cdf1080f8

/data/user/0/com.tencent.mm/shared_prefs/DHL.xml

MD5 36c873b969b85fabda42da460d1ea8ed
SHA1 7f3b2b8743aaf097c41d72c81c46acb878fd395b
SHA256 f8fde7c479073cfc40bf3ee74399c14f06793d3cb744bf87daf771575b8e486a
SHA512 587a95de103554d0756ff73031102701c278faa65b52d4c26b49368f9ce2fd5d8ee6220f6af059e29092a16b0b6ad1c620e58484298deb1025ed8808cd232d6c

/data/user/0/com.tencent.mm/shared_prefs/DHL.xml

MD5 5a5b8fd486b8c27d6cea8ce6315a6c3c
SHA1 97ffd8c5a36ac44239a143fb5a2ec88a0362b2ab
SHA256 d7dc18dee4930d9c83fcc01708419303b3651e271b841dda6b78cac0f76348ba
SHA512 d43f0993a05050707e6fd73f4fa7aae69e9397d9c34f81e758eed7383036274f41f122ef4a4732afbae958a2b198384b09d00a13e5f9e717d42f16470a642f10