Analysis Overview
SHA256
ba274a54526796abfa85c40a552e127df31522732094eba2851e1a59138990d0
Threat Level: Known bad
The file ba274a54526796abfa85c40a552e127df31522732094eba2851e1a59138990d0.apk was found to be: Known bad.
Malicious Activity Summary
FluBot
FluBot Payload
Loads dropped Dex/Jar
Requests dangerous framework permissions
Uses Crypto APIs (Might try to encrypt user data).
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2021-11-22 14:55
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2021-11-22 14:55
Reported
2021-11-22 14:56
Platform
android-x64-arm64
Max time kernel
1210449s
Max time network
44s
Command Line
Signatures
FluBot
FluBot Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.tencent.qqlivei18n.us/app_apkprotector_dex/DLV3csHF.gl | N/A | N/A |
| N/A | /data/user/0/com.tencent.qqlivei18n.us/app_apkprotector_dex/DLV3csHF.gl | N/A | N/A |
| N/A | /data/user/0/com.tencent.qqlivei18n.us/app_apkprotector_dex/DLV3csHF.gl | N/A | N/A |
| N/A | /data/user/0/com.tencent.qqlivei18n.us/app_apkprotector_dex/DLV3csHF.gl | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.tencent.qqlivei18n.us
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:853 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:853 | tcp | |
| NL | 142.250.179.170:80 | play.googleapis.com | tcp |
| US | 216.239.35.12:123 | time.android.com | udp |
| NL | 142.250.179.142:443 | udp | |
| NL | 142.250.179.195:443 | udp | |
| NL | 142.250.179.200:443 | tcp |
Files
/data/user/0/com.tencent.qqlivei18n.us/app_apkprotector_dex/DLV3csHF.gl
| MD5 | c7d36158fb3ba9a9d411d16b676e6ac1 |
| SHA1 | 75f2856ded90b109db6658175c9ad015412d1650 |
| SHA256 | 2872c16bb6a6b5918de6c84b8d7406b6938bd53ecdaeae281e30d8a6ae23a3c9 |
| SHA512 | 41176baf18a4946caef2f2f517d6e9218a8243d3898bf6d112acc84057d501e53d5297007bd5f8c7ec3171c72aa2192bae35fe71aafb532c4387cfff353536cb |
/data/user/0/com.tencent.qqlivei18n.us/app_apkprotector_dex/DLV3csHF.gl
| MD5 | c7d36158fb3ba9a9d411d16b676e6ac1 |
| SHA1 | 75f2856ded90b109db6658175c9ad015412d1650 |
| SHA256 | 2872c16bb6a6b5918de6c84b8d7406b6938bd53ecdaeae281e30d8a6ae23a3c9 |
| SHA512 | 41176baf18a4946caef2f2f517d6e9218a8243d3898bf6d112acc84057d501e53d5297007bd5f8c7ec3171c72aa2192bae35fe71aafb532c4387cfff353536cb |
/data/user/0/com.tencent.qqlivei18n.us/app_apkprotector_dex/DLV3csHF.gl
| MD5 | c7d36158fb3ba9a9d411d16b676e6ac1 |
| SHA1 | 75f2856ded90b109db6658175c9ad015412d1650 |
| SHA256 | 2872c16bb6a6b5918de6c84b8d7406b6938bd53ecdaeae281e30d8a6ae23a3c9 |
| SHA512 | 41176baf18a4946caef2f2f517d6e9218a8243d3898bf6d112acc84057d501e53d5297007bd5f8c7ec3171c72aa2192bae35fe71aafb532c4387cfff353536cb |
/data/user/0/com.tencent.qqlivei18n.us/app_apkprotector_dex/DLV3csHF.gl
| MD5 | c7d36158fb3ba9a9d411d16b676e6ac1 |
| SHA1 | 75f2856ded90b109db6658175c9ad015412d1650 |
| SHA256 | 2872c16bb6a6b5918de6c84b8d7406b6938bd53ecdaeae281e30d8a6ae23a3c9 |
| SHA512 | 41176baf18a4946caef2f2f517d6e9218a8243d3898bf6d112acc84057d501e53d5297007bd5f8c7ec3171c72aa2192bae35fe71aafb532c4387cfff353536cb |