flubot | 1547e5669f2cbb2391c6f6790298eda5502dde28819985f131138a2d25fc0f89

General

Target

1547e5669f2cbb2391c6f6790298eda5502dde28819985f131138a2d25fc0f89.apk
Size

4.1MB
MD5

45767dc1a56de15fcb761395114b18b7
SHA1

e7d930b1c824ecbade93df44f6139d6e2334427b
SHA256

1547e5669f2cbb2391c6f6790298eda5502dde28819985f131138a2d25fc0f89
SHA512

7e2bd248bb48548f4cbb2edb8b286cdfd6532438d196c054d901b1e1bed9e4ffbe5c39f9e81db8b54fc3a1e6e695462ad1b68887c8829f3bf0beee7d7644beeb

Score

10^/10

flubot banker infostealer obfuscation ransomware trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot Payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.baidu.searchbox/hhjsGGofgz/hclmgvlGfsmphbh/base.apk.vaahjhh1.axY	family_flubot

Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.baidu.searchbox

ioc pid process

/data/user/0/com.baidu.searchbox/hhjsGGofgz/hclmgvlGfsmphbh/base.apk.vaahjhh1.axY 3776 com.baidu.searchbox
Requests enabling of the accessibility settings. 1 IoCs

Processes:

com.baidu.searchbox

description ioc process

Intent action android.settings.ACCESSIBILITY_SETTINGS com.baidu.searchbox
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.baidu.searchbox

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.baidu.searchbox

ioc	pid	process
/data/user/0/com.baidu.searchbox/hhjsGGofgz/hclmgvlGfsmphbh/base.apk.vaahjhh1.axY	3776	com.baidu.searchbox

description	ioc	process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.baidu.searchbox

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.baidu.searchbox

Uses reflection 64 IoCs

obfuscation

Processes:

com.baidu.searchbox

description	pid	process
Invokes method android.view.ViewGroup.makeOptionalFitsSystemWindows	3776	com.baidu.searchbox
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3776	com.baidu.searchbox

com.baidu.searchbox
1⤵
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
- Uses Crypto APIs (Might try to encrypt user data).
- Uses reflection
PID:3776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.baidu.searchbox/hhjsGGofgz/hclmgvlGfsmphbh/base.apk.vaahjhh1.axY
MD5
c9bb380d82552712b0b690d8888c4ee6

SHA1
e541cfefb00e67ee94bebc3344acf3b8e1dc40b6

SHA256
227f7f46e0c88513b8b6271107393206416aa965b36a86ad163aae5cd752861c

SHA512
8fc922bbf5c7e1ee8b4fa00b770229a2631a30e45ee7092ea2f1c6e210468605849373d0a5de9df072116e58136d75829202faf58d0b58c7ae57a386c58337d4

Download Submit
/data/user/0/com.baidu.searchbox/hhjsGGofgz/hclmgvlGfsmphbh/hhnjbbkv.hfnv
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.baidu.searchbox/hhjsGGofgz/hclmgvlGfsmphbh/tmp-base.apk.vaahjhh7091069683015108147.axY
MD5
a728e9558ac38fb0c295941f09ec9ad2

SHA1
728a1ac7bb6dc23983cdea72309e196f6a4fe8a1

SHA256
c8acadfdd77f8c17b8387a3bd959c47809152c7e0b22c6ff1d7a27c22eeb9c68

SHA512
84c651e2f358da34bc44b37dfcfaea25c5cd7697a578d19875ac2f044374ac008da23fae6d89e7b5541a9ffdfe94b7d47425362892005dafb3996a8d362b6bb7

Download Submit
/data/user/0/com.baidu.searchbox/shared_prefs/Voicemail.xml
MD5
6b6897b5f1e6a107e043a4296ffc73e4

SHA1
705fbc49326703925f8d142c8713d9de93649934

SHA256
03e5dcf5d7d4ea07b99816ff36d089627fae98b5b30f76f955c057711341ca08

SHA512
ec37f3fd66f536e2f02dbfc9469e26fa7adb70c52ebf9d68a231347036712b45bbc573c630a89389de8f0677fee5aa2ee7d08b0a4e9ea43b79b4be1fd47222fe

Download Submit
/data/user/0/com.baidu.searchbox/shared_prefs/multidex.version.xml
MD5
10d623321ea28c71503618611a240ab0

SHA1
7583a866268a0a97b43cfd213c92b6ad5d149b60

SHA256
7d72da0f94623a6f3fc1ad2aa03ceb7a80641c16aabf48bce72973c9fbbc9fe5

SHA512
df741568a3914f48866f81a615e4d7f1d91a1ac322436a4df9a267f44d707bdb4c117f001c2f243e2850354e861f01d07ffacfcd90a13c9d038bc014419cbe53

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads