flubot | 1547e5669f2cbb2391c6f6790298eda5502dde28819985f131138a2d25fc0f89

Analysis

Target

1547e5669f2cbb2391c6f6790298eda5502dde28819985f131138a2d25fc0f89.apk
Size

4.1MB
MD5

45767dc1a56de15fcb761395114b18b7
SHA1

e7d930b1c824ecbade93df44f6139d6e2334427b
SHA256

1547e5669f2cbb2391c6f6790298eda5502dde28819985f131138a2d25fc0f89
SHA512

7e2bd248bb48548f4cbb2edb8b286cdfd6532438d196c054d901b1e1bed9e4ffbe5c39f9e81db8b54fc3a1e6e695462ad1b68887c8829f3bf0beee7d7644beeb

Score

10^/10

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot Payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.baidu.searchbox/hhjsGGofgz/hclmgvlGfsmphbh/base.apk.vaahjhh1.axY	family_flubot

Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.baidu.searchbox

ioc pid process

/data/user/0/com.baidu.searchbox/hhjsGGofgz/hclmgvlGfsmphbh/base.apk.vaahjhh1.axY 3683 com.baidu.searchbox
Reads information about phone network operator.
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.baidu.searchbox

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.baidu.searchbox

ioc	pid	process
/data/user/0/com.baidu.searchbox/hhjsGGofgz/hclmgvlGfsmphbh/base.apk.vaahjhh1.axY	3683	com.baidu.searchbox

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.baidu.searchbox

com.baidu.searchbox
1⤵
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data).
PID:3683

/data/user/0/com.baidu.searchbox/hhjsGGofgz/hclmgvlGfsmphbh/base.apk.vaahjhh1.axY
MD5
c9bb380d82552712b0b690d8888c4ee6

SHA1
e541cfefb00e67ee94bebc3344acf3b8e1dc40b6

SHA256
227f7f46e0c88513b8b6271107393206416aa965b36a86ad163aae5cd752861c

SHA512
8fc922bbf5c7e1ee8b4fa00b770229a2631a30e45ee7092ea2f1c6e210468605849373d0a5de9df072116e58136d75829202faf58d0b58c7ae57a386c58337d4

Download Submit