flubot | 97b06e81c5aff31d6742403e2c2eee8375725141cd60468ad204b3b33ae638af

Resubmissions

24-05-2022 16:23

220524-tv7aasdban 10

12-05-2022 07:29

220512-jbdhrsbae3 10

Analysis

max time kernel
3076878s
max time network
144s
platform
android_x86
resource
android-x86-arm-20220310-en
submitted
12-05-2022 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

739616a8a8b6081d3a28d8aae27aa54f2345529cf804a039ba840286c65b5cdc.apk
Size

5.4MB
MD5

88bd05585cfd9d2dca31db8d259bda3a
SHA1

fd80eb218428687a88af0d2f309c0200de79b3e5
SHA256

739616a8a8b6081d3a28d8aae27aa54f2345529cf804a039ba840286c65b5cdc
SHA512

e0356ba5b902a411242f55a04dce8fe494cd9c7f093e8d0f7537612fcea8fe383ce09a140e776ced79ebae0966188cccb72e10648a337bf5a8f5e603a478ee25

Score

10^/10

flubot banker evasion infostealer ransomware trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot Payload 2 IoCs

resource	yara_rule
behavioral1/memory/5188-0.dex	family_flubot
behavioral1/memory/5133-0.dex	family_flubot

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mobileqq
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.mobileqq
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.mobileqq

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.tencent.mobileqq

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.tencent.mobileqq

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.tencent.mobileqq/yfjgfwgj8u/F8Gtjep8dgeggu7/base.apk.afyggId1.hgr	5188	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.tencent.mobileqq/yfjgfwgj8u/F8Gtjep8dgeggu7/base.apk.afyggId1.hgr --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/com.tencent.mobileqq/yfjgfwgj8u/F8Gtjep8dgeggu7/oat/x86/base.apk.afyggId1.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.tencent.mobileqq/yfjgfwgj8u/F8Gtjep8dgeggu7/base.apk.afyggId1.hgr	5133	com.tencent.mobileqq

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
73	ipinfo.io
74	ipinfo.io

Reads information about phone network operator.

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.tencent.mobileqq

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.mobileqq

com.tencent.mobileqq
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:5133
- /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.tencent.mobileqq/yfjgfwgj8u/F8Gtjep8dgeggu7/base.apk.afyggId1.hgr --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/com.tencent.mobileqq/yfjgfwgj8u/F8Gtjep8dgeggu7/oat/x86/base.apk.afyggId1.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:5188

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.tencent.mobileqq/yfjgfwgj8u/F8Gtjep8dgeggu7/base.apk.afyggId1.hgr

Filesize
2.1MB

MD5
8e2e73a141007888b4a35907150e0827

SHA1
ba52b588dcd9b3bda0f7809a841cc84746b73905

SHA256
49a7acf87393e2926d3165f89ed8d7aea806a54161a1608321e88c20cd64ae11

SHA512
1d9e9fbdfb808ac78640e020ef0a4f999e46b08facf1759071a6bba4b1d8d6aee3c52246584f9f6ababbcbc8500371f927581cbda5efc0666ba724fe38a90ee6

Download Submit
/data/user/0/com.tencent.mobileqq/yfjgfwgj8u/F8Gtjep8dgeggu7/base.apk.afyggId1.hgr

Filesize
2.1MB

MD5
8e2e73a141007888b4a35907150e0827

SHA1
ba52b588dcd9b3bda0f7809a841cc84746b73905

SHA256
49a7acf87393e2926d3165f89ed8d7aea806a54161a1608321e88c20cd64ae11

SHA512
1d9e9fbdfb808ac78640e020ef0a4f999e46b08facf1759071a6bba4b1d8d6aee3c52246584f9f6ababbcbc8500371f927581cbda5efc0666ba724fe38a90ee6

Download Submit