Malware Analysis Report

2025-01-19 05:40

Sample ID 211124-nctctscecn
Target 446631292a2670814ea0110ab4942c7625627bc13fbd577d62fe4c100856de9b.apk
SHA256 446631292a2670814ea0110ab4942c7625627bc13fbd577d62fe4c100856de9b
Tags flubot banker infostealer ransomware trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

446631292a2670814ea0110ab4942c7625627bc13fbd577d62fe4c100856de9b

Threat Level: Known bad

The file 446631292a2670814ea0110ab4942c7625627bc13fbd577d62fe4c100856de9b.apk was found to be: Known bad.

Malicious Activity Summary

flubot banker infostealer ransomware trojan

FluBot

FluBot Payload

Loads dropped Dex/Jar

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2021-11-24 11:15

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-11-24 11:15

Reported

2021-11-24 11:16

Platform

android-x86-arm

Max time kernel

1366443s

Command Line

com.bilibili.app.in

Signatures

FluBot

banker trojan infostealer flubot

FluBot Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.bilibili.app.in/app_apkprotector_dex/adB5wyVZ.av | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.bilibili.app.in

com.bilibili.app.in

/system/bin/dex2oat

Network

N/A

Files

/data/user/0/com.bilibili.app.in/app_apkprotector_dex/adB5wyVZ.av

MD5 d988f5e407bae7499bc1b0b1a3184f5c
SHA1 0b772e095aa1d70a54f7ef3d4b47dad5b1ea0a54
SHA256 ea53fd30259591de1bc7426bdc4784d290938de43887aad6c3d9016a04a34646
SHA512 61a6ebf71119f1882913eb109532c99f1d56f4a03699924be88b9a53f6078d2c47551024db1a2686feea6ec0c7da82610a4a06fc43b4a241c14d31f00d90996a

/data/user/0/com.bilibili.app.in/app_apkprotector_dex/adB5wyVZ.av

MD5 e4a9a07629604827adca076a3679b7b1
SHA1 72ec1fb73e830131b1b75a8ae9986446728443fe
SHA256 0f30343d42c84e09b432ff9eb48ad86d8217263ca0af5eb9c3581e42ad1d890c
SHA512 a6b8755a2e4b228df14f48e8c98f6538f75af94eb461d799dc1f73711356bbe0689db9b886210ac052adf107ac1fbd240b96a51334a4570068a3491fb5cc6773