flubot | 32d11dd0c65f101499a7c94eeae319afc43bfd0f730733a3357d294ef94c9a11

Resubmissions

26-05-2022 16:15

220526-tp7c4sghbm 10

27-04-2022 14:06

220427-rehkwscdel 10

Analysis

max time kernel
19898s
max time network
607s
platform
android_x86
resource
android-x86-arm-20220310-en
submitted
26-05-2022 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Voicemail.apk
Size

5.8MB
MD5

77da191edf9bd56bd550c47d28519848
SHA1

526856561d862131a8866732bcd8c63b70069968
SHA256

32d11dd0c65f101499a7c94eeae319afc43bfd0f730733a3357d294ef94c9a11
SHA512

3719b675353c3bb78dc1aa4cf79ae4da1df192762a422b586545bad6a724db55bbc9a9e5ec3d76253816af97276d967afa7689783d6f2bc0ea9cc51475975406

Score

10^/10

flubot banker discovery evasion infostealer ransomware trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot Payload 2 IoCs

resource	yara_rule
behavioral1/memory/5157-0.dex	family_flubot
behavioral1/memory/5038-0.dex	family_flubot

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.iqiyi.i18n
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.iqiyi.i18n
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.iqiyi.i18n

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.iqiyi.i18n/uig88UggjG/t8kug78sjifqUGj/base.apk.HIgUj9d1.8Ig	5157	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.iqiyi.i18n/uig88UggjG/t8kug78sjifqUGj/base.apk.HIgUj9d1.8Ig --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/com.iqiyi.i18n/uig88UggjG/t8kug78sjifqUGj/oat/x86/base.apk.HIgUj9d1.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.iqiyi.i18n/uig88UggjG/t8kug78sjifqUGj/base.apk.HIgUj9d1.8Ig	5038	com.iqiyi.i18n

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
97	icanhazip.com
98	icanhazip.com

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.iqiyi.i18n

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.iqiyi.i18n

com.iqiyi.i18n
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:5038
- /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.iqiyi.i18n/uig88UggjG/t8kug78sjifqUGj/base.apk.HIgUj9d1.8Ig --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/com.iqiyi.i18n/uig88UggjG/t8kug78sjifqUGj/oat/x86/base.apk.HIgUj9d1.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:5157

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.iqiyi.i18n/uig88UggjG/t8kug78sjifqUGj/base.apk.HIgUj9d1.8Ig

Filesize
2.0MB

MD5
c94a8e51f5f020a29e564ebaac030fa1

SHA1
ba8aaa636710a9e6dc422c8bb1309c121530cc0c

SHA256
7762f00fef1ea68540b0ca501e2cfda764a6d4d0f325d3088811bdab9ecca294

SHA512
d2ede4c6cb5916356571379b86ccac1d874813c510c55eb02ab6c049b97884a89926f6452ef2dba1c846f6e73392a7db140e62a9a12891734ad88efbf25fe300

Download Submit
/data/user/0/com.iqiyi.i18n/uig88UggjG/t8kug78sjifqUGj/base.apk.HIgUj9d1.8Ig

Filesize
2.0MB

MD5
c94a8e51f5f020a29e564ebaac030fa1

SHA1
ba8aaa636710a9e6dc422c8bb1309c121530cc0c

SHA256
7762f00fef1ea68540b0ca501e2cfda764a6d4d0f325d3088811bdab9ecca294

SHA512
d2ede4c6cb5916356571379b86ccac1d874813c510c55eb02ab6c049b97884a89926f6452ef2dba1c846f6e73392a7db140e62a9a12891734ad88efbf25fe300

Download Submit