Malware Analysis Report

2025-01-19 05:42

Sample ID: 210817-ve6cwfekzx
Target: a0181864eed9294cac0d278fa0eadabe68b3adb333eeb2e26cc082836f82489d
SHA256: a0181864eed9294cac0d278fa0eadabe68b3adb333eeb2e26cc082836f82489d
Tags: flubot, banker, infostealer, obfuscation, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: a0181864eed9294cac0d278fa0eadabe68b3adb333eeb2e26cc082836f82489d

Threat Level: Known bad

The file a0181864eed9294cac0d278fa0eadabe68b3adb333eeb2e26cc082836f82489d was found to be: Known bad.

Malicious Activity Summary

flubot banker infostealer obfuscation trojan

FluBot

FluBot Payload

Requests dangerous framework permissions

Requests enabling of the accessibility settings.

Loads dropped Dex/Jar

Uses reflection

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2021-08-17 11:08

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-08-17 11:08

Reported

2021-08-17 12:20

Platform

android-x86-arm

Max time kernel

1410232s

Command Line

com.didiglobal.passenger

Signatures

FluBot

banker trojan infostealer flubot

FluBot Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.didiglobal.passenger/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A
N/A | /data/user/0/com.didiglobal.passenger/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Uses reflection

obfuscation
Description | Indicator | Process | Target
Invokes method android.view.ViewGroup.makeOptionalFitsSystemWindows | N/A | N/A | N/A

Processes

com.didiglobal.passenger

com.didiglobal.passenger

/system/bin/dex2oat

Network

N/A

Files

/data/user/0/com.didiglobal.passenger/code_cache/secondary-dexes/MultiDex.lock

/data/user/0/com.didiglobal.passenger/code_cache/secondary-dexes/tmp-base.apk.classes8317233690247608572.zip

/data/user/0/com.didiglobal.passenger/code_cache/secondary-dexes/base.apk.classes1.zip.x86.flock

/data/user/0/com.didiglobal.passenger/code_cache/secondary-dexes/oat/x86/base.apk.classes1.vdex

/data/user/0/com.didiglobal.passenger/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex

/data/user/0/com.didiglobal.passenger/shared_prefs/multidex.version.xml

/data/user/0/com.didiglobal.passenger/code_cache/secondary-dexes/base.apk.classes1.zip

/data/user/0/com.didiglobal.passenger/code_cache/secondary-dexes/base.apk.classes1.zip

/data/user/0/com.didiglobal.passenger/shared_prefs/Voicemail.xml

Analysis: behavioral2

Detonation Overview

Submitted

2021-08-17 11:08

Reported

2021-08-17 12:20

Platform

android-x64-arm64

Max time kernel

1410227s

Max time network

315s

Command Line

com.didiglobal.passenger

Signatures

FluBot

banker trojan infostealer flubot

FluBot Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.didiglobal.passenger/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A

Uses reflection

obfuscation
Description | Indicator | Process | Target
Invokes method android.view.ViewGroup.makeOptionalFitsSystemWindows | N/A | N/A | N/A

Processes

com.didiglobal.passenger

Network

Country | Destination | Domain | Proto
N/A | 1.1.1.1:853 | | tcp
N/A | 224.0.0.251:5353 | | udp
N/A | 1.1.1.1:853 | | tcp
N/A | 172.217.16.228:443 | | udp
N/A | 216.239.35.0:123 | time.android.com | udp
N/A | 172.217.169.74:443 | | udp
N/A | 172.217.169.74:443 | | udp
N/A | 172.217.16.238:443 | | udp
N/A | 142.250.187.232:443 | | tcp
N/A | 1.1.1.1:853 | | tcp
N/A | 142.250.180.3:443 | | udp
N/A | 1.1.1.1:853 | | tcp
N/A | 1.1.1.1:853 | | tcp
N/A | 1.1.1.1:853 | | tcp

Files

/data/user/0/com.didiglobal.passenger/code_cache/secondary-dexes/MultiDex.lock

/data/user/0/com.didiglobal.passenger/code_cache/secondary-dexes/tmp-base.apk.classes5229399370719062229.zip

/data/user/0/com.didiglobal.passenger/code_cache/secondary-dexes/base.apk.classes1.zip

/data/user/0/com.didiglobal.passenger/shared_prefs/multidex.version.xml

/data/user/0/com.didiglobal.passenger/shared_prefs/Voicemail.xml

Analysis: behavioral3

Detonation Overview

Submitted

2021-08-17 11:08

Reported

2021-08-17 12:20

Platform

android-x64

Max time kernel

1410208s

Max time network

50s

Command Line

com.didiglobal.passenger

Signatures

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.didiglobal.passenger/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A

Uses reflection

obfuscation
Description | Indicator | Process | Target
Invokes method android.view.ViewGroup.makeOptionalFitsSystemWindows | N/A | N/A | N/A

Processes

com.didiglobal.passenger

Network

Country | Destination | Domain | Proto
N/A | 1.1.1.1:853 | | tcp
N/A | 216.239.35.4:123 | time.android.com | udp

Files

/data/user/0/com.didiglobal.passenger/code_cache/secondary-dexes/MultiDex.lock

/data/user/0/com.didiglobal.passenger/code_cache/secondary-dexes/tmp-base.apk.classes3090857284597658648.zip

/data/user/0/com.didiglobal.passenger/code_cache/secondary-dexes/base.apk.classes1.zip

/data/user/0/com.didiglobal.passenger/shared_prefs/multidex.version.xml

/data/user/0/com.didiglobal.passenger/shared_prefs/Voicemail.xml
