Malware Analysis Report

2025-01-19 05:40

Sample ID 211014-nbs1nsghbk
Target cbf737a0af39171fb82e2291b6c2a64145383b0c1c88e90793f56b4b247e5083.apk
SHA256 cbf737a0af39171fb82e2291b6c2a64145383b0c1c88e90793f56b4b247e5083
Tags
flubot banker infostealer obfuscation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cbf737a0af39171fb82e2291b6c2a64145383b0c1c88e90793f56b4b247e5083

Threat Level: Known bad

The file cbf737a0af39171fb82e2291b6c2a64145383b0c1c88e90793f56b4b247e5083.apk was found to be: Known bad.

Malicious Activity Summary

flubot banker infostealer obfuscation trojan

FluBot

FluBot Payload

Loads dropped Dex/Jar

Requests enabling of the accessibility settings.

Requests dangerous framework permissions

Uses reflection

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2021-10-14 11:13

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-10-14 11:13

Reported

2021-10-14 11:18

Platform

android-x86-arm

Max time kernel

2122704s

Command Line

com.qiyi.video

Signatures

FluBot

banker trojan infostealer flubot

FluBot Payload

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.qiyi.video/joaghbfhbp/bkcvhhszbbhsbhG/base.apk.sljnmpo1.bxo N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Uses reflection

obfuscation
Description Indicator Process Target
Invokes method android.view.ViewGroup.makeOptionalFitsSystemWindows N/A N/A N/A
Accesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE N/A N/A N/A

Processes

com.qiyi.video

com.qiyi.video

/system/bin/dex2oat

Network

N/A

Files

/data/user/0/com.qiyi.video/joaghbfhbp/bkcvhhszbbhsbhG/jYhsdbcz.fcla

/data/user/0/com.qiyi.video/joaghbfhbp/bkcvhhszbbhsbhG/tmp-base.apk.sljnmpo1270896663472615045.bxo

/data/user/0/com.qiyi.video/joaghbfhbp/bkcvhhszbbhsbhG/base.apk.sljnmpo1.bxo.x86.flock

/data/user/0/com.qiyi.video/joaghbfhbp/bkcvhhszbbhsbhG/oat/x86/base.apk.sljnmpo1.vdex

/data/user/0/com.qiyi.video/joaghbfhbp/bkcvhhszbbhsbhG/oat/x86/base.apk.sljnmpo1.odex

/data/user/0/com.qiyi.video/shared_prefs/multidex.version.xml

/data/user/0/com.qiyi.video/joaghbfhbp/bkcvhhszbbhsbhG/base.apk.sljnmpo1.bxo

/data/user/0/com.qiyi.video/shared_prefs/Voicemail.xml
