Malware Analysis Report

2025-01-19 05:44

Sample ID 211022-pl9xlscebm
Target 30937927e8891f8c0fd2c7b6be5fbc5a05011c34a7375e91aad384b82b9e6a67.bin.sample.gz
SHA256 4d04c922d7d03c53e603ec4c155ce497a945d86c41f6747e3eed39e4e06d43b9
Tags
flubot banker infostealer ransomware trojan suricata
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

4d04c922d7d03c53e603ec4c155ce497a945d86c41f6747e3eed39e4e06d43b9

Threat Level: Known bad

The file 30937927e8891f8c0fd2c7b6be5fbc5a05011c34a7375e91aad384b82b9e6a67.bin.sample.gz was found to be: Known bad.

Malicious Activity Summary

flubot banker infostealer ransomware trojan suricata

FluBot

FluBot Payload

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Makes use of the framework's Accessibility service.

Requests dangerous framework permissions

Loads dropped Dex/Jar

Requests enabling of the accessibility settings.

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2021-10-22 12:26

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-10-22 12:26

Reported

2021-10-22 12:46

Platform

android-x86-arm

Max time kernel

2819203s

Command Line

com.tencent.mm

Signatures

FluBot

banker trojan infostealer flubot

FluBot Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.tencent.mm/app_DynamicOptDex/fBbBL.json | N/A | N/A
N/A | /data/user/0/com.tencent.mm/app_DynamicOptDex/fBbBL.json | N/A | N/A
N/A | /data/user/0/com.tencent.mm/app_DynamicOptDex/fBbBL.json | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.tencent.mm

com.tencent.mm

/system/bin/dex2oat

Network

N/A

Files

/data/user/0/com.tencent.mm/app_DynamicOptDex/fBbBL.json

MD5 9176c3e392a554fec7890533a61886ab
SHA1 74f83c8167c59c65ad1b508055dfac445bc08c25
SHA256 27ed9910cd1e4f2357df3d687bb8a375b97c1a8655cf0c30a64eff495a9b3b1c
SHA512 ffc4182c020c35d5a44eaf413943115d093ed4640bf9c9fa750c8fd8c6cca8947c1ddce3581b842bdb28588ce7af829dc4e23d1cb7f0b668f5c16c21adb3cbca

/data/user/0/com.tencent.mm/app_DynamicOptDex/fBbBL.json

MD5 e8b100462913641b3b3ff92e25c28952
SHA1 b6f14c00f93608112d45b67cee5b8b981e575785
SHA256 863a1018014257e0c569c7217dccbd5d810f236e2bb9ffaee02a7e9b3b006437
SHA512 7524ee74a85dfa1c8c4488618e73e56d9e24db1bf99bd03fcea053cbe5c5a26340d1acf0a6d7cac0714e794544b1b551265e8db0176c5d5aa497856f28659974

Analysis: behavioral2

Detonation Overview

Submitted

2021-10-22 12:26

Reported

2021-10-22 12:47

Platform

android-x64-arm64

Max time kernel

2818099s

Max time network

1238s

Command Line

com.tencent.mm

Signatures

FluBot

banker trojan infostealer flubot

FluBot Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.tencent.mm/app_DynamicOptDex/fBbBL.json | N/A | N/A
N/A | /data/user/0/com.tencent.mm/app_DynamicOptDex/fBbBL.json | N/A | N/A

Processes

com.tencent.mm

Network

Country | Destination | Domain | Proto
US | 1.1.1.1:853 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:853 | | tcp
US | 142.250.187.228:443 | | udp
NL | 142.250.179.138:443 | | udp
US | 142.250.187.234:80 | play.googleapis.com | tcp
NL | 142.250.179.138:443 | | udp
US | 172.217.168.238:443 | | udp
NL | 142.250.179.168:443 | | tcp
US | 216.239.35.12:123 | time.android.com | udp
US | 1.1.1.1:853 | | tcp
US | 1.1.1.1:853 | | tcp
US | 1.1.1.1:853 | | tcp
US | 1.1.1.1:853 | | tcp
US | 1.1.1.1:853 | | tcp
US | 1.1.1.1:853 | | tcp

Files

/data/user/0/com.tencent.mm/app_DynamicOptDex/fBbBL.json

MD5 9176c3e392a554fec7890533a61886ab
SHA1 74f83c8167c59c65ad1b508055dfac445bc08c25
SHA256 27ed9910cd1e4f2357df3d687bb8a375b97c1a8655cf0c30a64eff495a9b3b1c
SHA512 ffc4182c020c35d5a44eaf413943115d093ed4640bf9c9fa750c8fd8c6cca8947c1ddce3581b842bdb28588ce7af829dc4e23d1cb7f0b668f5c16c21adb3cbca

Analysis: behavioral3

Detonation Overview

Submitted

2021-10-22 12:26

Reported

2021-10-22 12:47

Platform

android-x64

Max time kernel

2819247s

Max time network

1251s

Command Line

com.tencent.mm

Signatures

FluBot

banker trojan infostealer flubot

FluBot Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

suricata

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.tencent.mm/app_DynamicOptDex/fBbBL.json | N/A | N/A
N/A | /data/user/0/com.tencent.mm/app_DynamicOptDex/fBbBL.json | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.tencent.mm

Network

Country | Destination | Domain | Proto
US | 1.1.1.1:853 | | tcp
US | 142.251.36.10:80 | play.googleapis.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
DE | 178.162.203.226:80 | idjtehxygfvdtnx.com | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
NL | 5.79.71.225:80 | idjtehxygfvdtnx.com | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
US | 216.239.35.4:123 | time.android.com | udp
US | 1.1.1.1:853 | | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
DE | 178.162.203.211:80 | idjtehxygfvdtnx.com | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
NL | 5.79.71.205:80 | idjtehxygfvdtnx.com | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
NL | 85.17.31.82:80 | | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
NL | 85.17.31.122:80 | | tcp
DE | 178.162.203.202:80 | idjtehxygfvdtnx.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
DE | 178.162.203.202:80 | idjtehxygfvdtnx.com | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
DE | 178.162.203.226:80 | idjtehxygfvdtnx.com | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
DE | 178.162.203.202:80 | idjtehxygfvdtnx.com | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
DE | 178.162.203.202:80 | idjtehxygfvdtnx.com | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
DE | 178.162.203.202:80 | idjtehxygfvdtnx.com | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
DE | 178.162.203.211:80 | idjtehxygfvdtnx.com | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
DE | 178.162.203.202:80 | idjtehxygfvdtnx.com | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
DE | 178.162.203.202:80 | idjtehxygfvdtnx.com | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
NL | 5.79.71.225:80 | idjtehxygfvdtnx.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
NL | 5.79.71.225:80 | idjtehxygfvdtnx.com | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
DE | 178.162.203.202:80 | idjtehxygfvdtnx.com | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
NL | 5.79.71.205:80 | idjtehxygfvdtnx.com | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
DE | 178.162.203.202:80 | idjtehxygfvdtnx.com | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
NL | 5.79.71.205:80 | idjtehxygfvdtnx.com | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
DE | 178.162.203.202:80 | idjtehxygfvdtnx.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
DE | 178.162.203.202:80 | idjtehxygfvdtnx.com | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
DE | 178.162.203.202:80 | idjtehxygfvdtnx.com | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
DE | 178.162.217.107:80 | idjtehxygfvdtnx.com | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
DE | 178.162.203.202:80 | idjtehxygfvdtnx.com | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
DE | 178.162.203.202:80 | idjtehxygfvdtnx.com | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
DE | 178.162.203.202:80 | idjtehxygfvdtnx.com | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
NL | 5.79.71.225:80 | idjtehxygfvdtnx.com | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
DE | 178.162.217.107:80 | idjtehxygfvdtnx.com | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
DE | 178.162.203.202:80 | idjtehxygfvdtnx.com | tcp
ES | 193.146.253.40:80 | frdepagmscgdtif.com | tcp
US | 1.1.1.1:853 | | tcp
DE | 85.214.228.140:80 | nohfmeovkioqbft.ru | tcp
DE | 87.106.18.146:80 | yngijnpyddlvrpg.ru | tcp
NL | 72.26.218.86:80 | bfmsgphtnkvbyqp.ru | tcp
DE | 178.162.203.202:80 | idjtehxygfvdtnx.com | tcp

Files

/data/user/0/com.tencent.mm/app_DynamicOptDex/fBbBL.json

MD5 9176c3e392a554fec7890533a61886ab
SHA1 74f83c8167c59c65ad1b508055dfac445bc08c25
SHA256 27ed9910cd1e4f2357df3d687bb8a375b97c1a8655cf0c30a64eff495a9b3b1c
SHA512 ffc4182c020c35d5a44eaf413943115d093ed4640bf9c9fa750c8fd8c6cca8947c1ddce3581b842bdb28588ce7af829dc4e23d1cb7f0b668f5c16c21adb3cbca