flubot | 8f30f7c01116af14f9050220f10732634badcb8b57e91b7fa06c85cf1d92ef06

Resubmissions

26-04-2022 11:10

220426-m9z17scbg7 10

26-04-2022 11:08

220426-m8wx6acbg2 10

Analysis

max time kernel
1704143s
max time network
143s
platform
android_x86
resource
android-x86-arm-20220310-en
submitted
26-04-2022 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Voicemail.apk
Size

5.8MB
MD5

60cb380846833a5cdfc47a97569af235
SHA1

a6762bb66b6015308d9e0d0c2b04785cce353d7e
SHA256

8f30f7c01116af14f9050220f10732634badcb8b57e91b7fa06c85cf1d92ef06
SHA512

978808876eda2784657884fb61f1651820a9f6c61dbc7e951d5b34103e4776ba8e24d4d27413d7278ade9901e3c6c08fd77f87a1098a08beab982486ce2b9965

Score

10^/10

flubot banker evasion infostealer ransomware trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot Payload 2 IoCs

resource	yara_rule
behavioral3/memory/5392-0.dex	family_flubot
behavioral3/memory/5270-0.dex	family_flubot

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.iqiyi.i18n
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.iqiyi.i18n
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.iqiyi.i18n

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.iqiyi.i18n

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.iqiyi.i18n

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.iqiyi.i18n/gfHejrGur8/68gjgU98uHjgGIk/base.apk.pggIifU1.kHq	5392	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.iqiyi.i18n/gfHejrGur8/68gjgU98uHjgGIk/base.apk.pggIifU1.kHq --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/com.iqiyi.i18n/gfHejrGur8/68gjgU98uHjgGIk/oat/x86/base.apk.pggIifU1.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.iqiyi.i18n/gfHejrGur8/68gjgU98uHjgGIk/base.apk.pggIifU1.kHq	5270	com.iqiyi.i18n

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
81	api64.ipify.org

Reads information about phone network operator.

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.iqiyi.i18n

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.iqiyi.i18n

com.iqiyi.i18n
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:5270
- /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.iqiyi.i18n/gfHejrGur8/68gjgU98uHjgGIk/base.apk.pggIifU1.kHq --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/com.iqiyi.i18n/gfHejrGur8/68gjgU98uHjgGIk/oat/x86/base.apk.pggIifU1.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:5392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.iqiyi.i18n/gfHejrGur8/68gjgU98uHjgGIk/base.apk.pggIifU1.kHq

Filesize
2.0MB

MD5
a0a59902d5bd33ad5d5d9b7605a61f29

SHA1
64a3c053d9ab1850f7d7f2fda4edfef836108577

SHA256
aba33c9bb845eb2dc36d307bb63ae69eebdddc613337488927f8c937c233d164

SHA512
e35034ad4ead67cd3acbb178085c431ac239a8342514431dedabdb02facde65a65e437b1ed6afeb4aa1342029ea0be805b1753700a8cbc94d8420ac8f6451a39

Download Submit
/data/user/0/com.iqiyi.i18n/gfHejrGur8/68gjgU98uHjgGIk/base.apk.pggIifU1.kHq

Filesize
2.0MB

MD5
a0a59902d5bd33ad5d5d9b7605a61f29

SHA1
64a3c053d9ab1850f7d7f2fda4edfef836108577

SHA256
aba33c9bb845eb2dc36d307bb63ae69eebdddc613337488927f8c937c233d164

SHA512
e35034ad4ead67cd3acbb178085c431ac239a8342514431dedabdb02facde65a65e437b1ed6afeb4aa1342029ea0be805b1753700a8cbc94d8420ac8f6451a39

Download Submit