Malware Analysis Report

2025-01-19 05:44

Sample ID 211116-ptl6hsager
Target a18e4fce4c2b255880cb1db34004c6a906dcfeafc77f1e7f10f80f0d919dbf94.apk
SHA256 a18e4fce4c2b255880cb1db34004c6a906dcfeafc77f1e7f10f80f0d919dbf94
Tags flubot banker infostealer ransomware trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

a18e4fce4c2b255880cb1db34004c6a906dcfeafc77f1e7f10f80f0d919dbf94

Threat Level: Known bad

The file a18e4fce4c2b255880cb1db34004c6a906dcfeafc77f1e7f10f80f0d919dbf94.apk was found to be: Known bad.

Malicious Activity Summary

flubot banker infostealer ransomware trojan

FluBot

FluBot Payload

Requests dangerous framework permissions

Loads dropped Dex/Jar

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2021-11-16 12:37

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-11-16 12:37

Reported

2021-11-16 12:38

Platform

android-x64-arm64

Max time kernel

683750s

Max time network

48s

Command Line

com.eg.android.AlipayGphone

Signatures

FluBot

banker trojan infostealer flubot

FluBot Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.eg.android.AlipayGphone/app_apkprotector_dex/d8NUsiMZ.elk | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.eg.android.AlipayGphone

Network

Country | Destination | Domain | Proto
US | 1.1.1.1:853 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:853 | N/A | tcp
NL | 216.58.208.100:443 | N/A | udp
US | 216.239.35.0:123 | time.android.com | udp
US | 142.251.36.46:443 | N/A | udp
US | 172.217.168.200:443 | N/A | tcp

Files

/data/user/0/com.eg.android.AlipayGphone/app_apkprotector_dex/d8NUsiMZ.elk

MD5 e2de540252e8bc96286db854df3291f5
SHA1 5a7c9e04d430862709b3e6cee6fcff45e7cf54b1
SHA256 2cb046d81f5b6e003e8c75e43f98ca0679b81ae4c98c741ed5bb495456d9eb7c
SHA512 29fe687812911752e8f47887f135c13cb8fc1aa8fb97700d843111cd808311ff03b3417215eda3ce6bea46a462347c0cc42d47e7494c6409e0219971f29317b0