Malware Analysis Report

2025-01-19 05:44

Sample ID 211122-sat9kaagf4
Target ba274a54526796abfa85c40a552e127df31522732094eba2851e1a59138990d0.apk
SHA256 ba274a54526796abfa85c40a552e127df31522732094eba2851e1a59138990d0
Tags
flubot banker infostealer ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ba274a54526796abfa85c40a552e127df31522732094eba2851e1a59138990d0

Threat Level: Known bad

The file ba274a54526796abfa85c40a552e127df31522732094eba2851e1a59138990d0.apk was found to be: Known bad.

Malicious Activity Summary

flubot banker infostealer ransomware trojan

FluBot

FluBot Payload

Loads dropped Dex/Jar

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2021-11-22 14:55

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-11-22 14:55

Reported

2021-11-22 14:56

Platform

android-x64-arm64

Max time kernel

1210449s

Max time network

44s

Command Line

com.tencent.qqlivei18n.us

Signatures

FluBot

banker trojan infostealer flubot

FluBot Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.tencent.qqlivei18n.us/app_apkprotector_dex/DLV3csHF.gl | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.tencent.qqlivei18n.us

Network

Country | Destination | Domain | Proto
US | 1.1.1.1:853 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:853 | | tcp
NL | 142.250.179.170:80 | play.googleapis.com | tcp
US | 216.239.35.12:123 | time.android.com | udp
NL | 142.250.179.142:443 | | udp
NL | 142.250.179.195:443 | | udp
NL | 142.250.179.200:443 | | tcp

Files

/data/user/0/com.tencent.qqlivei18n.us/app_apkprotector_dex/DLV3csHF.gl

MD5 c7d36158fb3ba9a9d411d16b676e6ac1
SHA1 75f2856ded90b109db6658175c9ad015412d1650
SHA256 2872c16bb6a6b5918de6c84b8d7406b6938bd53ecdaeae281e30d8a6ae23a3c9
SHA512 41176baf18a4946caef2f2f517d6e9218a8243d3898bf6d112acc84057d501e53d5297007bd5f8c7ec3171c72aa2192bae35fe71aafb532c4387cfff353536cb