Malware Analysis Report

2025-01-19 05:40

Sample ID: 211108-t63fgscfh8
Target: 0874e9f71ea55cb76a638029e5978f3f5a39504d0c0bb752ca676b095552cab4.apk
SHA256: 0874e9f71ea55cb76a638029e5978f3f5a39504d0c0bb752ca676b095552cab4
Tags: flubot banker infostealer trojan
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: 0874e9f71ea55cb76a638029e5978f3f5a39504d0c0bb752ca676b095552cab4
Threat Level: Known bad

The file 0874e9f71ea55cb76a638029e5978f3f5a39504d0c0bb752ca676b095552cab4.apk was found to be: Known bad.

Malicious Activity Summary

Tags: flubot banker infostealer trojan

FluBot

FluBot Payload

Makes use of the framework's Accessibility service.

Requests dangerous framework permissions

Loads dropped Dex/Jar

Requests enabling of the accessibility settings.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2021-11-08 16:41

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2021-11-08 16:41
Reported: 2021-11-08 16:44
Platform: android-x86-arm
Max time kernel: 3701s

Command Line

com.UCMobile.intl

Signatures

FluBot

Tags: banker trojan infostealer flubot

FluBot Payload

Description | Indicator | Process | Target
No indicator details recorded for this signature (all fields N/A).

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.UCMobile.intl/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A
N/A | /data/user/0/com.UCMobile.intl/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Processes

com.UCMobile.intl

com.UCMobile.intl

/system/bin/dex2oat

Network

N/A

Files

/data/user/0/com.UCMobile.intl/code_cache/secondary-dexes/base.apk.classes1.zip

MD5: 916a86edb93b502ce8bddbb448921f3e
SHA1: 2616e0abe1073bdb42dd0a29461046a12d1a2e98
SHA256: 12947442fc6d45ef970e04a16158d011726a0cd814c00769bd63f8643e82df31
SHA512: 0596ae796f2dacca8769aa0fc41cc4d851e228e9c5e0262c3696c82175a68ecd14f8d7c6024c04d11041c95f8bdbc86b48031d490e17a5f250c2801364fdc9a1

/data/user/0/com.UCMobile.intl/code_cache/secondary-dexes/base.apk.classes1.zip

MD5: 02b6923636d3b380a244caeec652e7e3
SHA1: 111a7e7163056da20d5903fcb41f70ae09ddbd2d
SHA256: 2cc3bc9a39f20f7d493a85c8877fd3ccb7034dbe75d41bc9ac5c2db3026d0edd
SHA512: 84c33fee6e7634f00a57cd324c176802e9eb1ecff381a3f6bd03261518394844f275175c088c6f61d1aa3794e506a08a1930272313bab5acc4c93a32059e85b5