flubot | 093a65f30e9340b2a0e27228fe678426295ff97b934024eda5b8d080a8987d3e

General

Target

093a65f30e9340b2a0e27228fe678426295ff97b934024eda5b8d080a8987d3e.apk
Size

4.0MB
MD5

4807de51d4e79f4f00c72bbe8fda93c2
SHA1

4127a83ca90d142234e00d5b931a43506e190102
SHA256

093a65f30e9340b2a0e27228fe678426295ff97b934024eda5b8d080a8987d3e
SHA512

17b05948361d5aa8233b97c18e36ccfb58bf97986aa118016bc0de3262fdedce0e2543ca40a72ff9832659abc33cd61cfb447d34610bc7a1dc0c89d138b90fb9

Score

10^/10

flubot banker infostealer ransomware suricata trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot Payload 3 IoCs

resource	yara_rule
behavioral1/memory/5044-0.dex	family_flubot
behavioral1/memory/5073-0.dex	family_flubot
behavioral1/memory/5044-1.dex	family_flubot

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
suricata: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses
suricata: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses
suricata

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	slender.business.jacket
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	slender.business.jacket
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	slender.business.jacket

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/slender.business.jacket/app_DynamicOptDex/RbAGHUu.json	5044	slender.business.jacket
/data/user/0/slender.business.jacket/app_DynamicOptDex/RbAGHUu.json	5073	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/slender.business.jacket/app_DynamicOptDex/RbAGHUu.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/slender.business.jacket/app_DynamicOptDex/oat/x86/RbAGHUu.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/slender.business.jacket/app_DynamicOptDex/RbAGHUu.json	5044	slender.business.jacket

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	slender.business.jacket

slender.business.jacket
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data).
PID:5044
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/slender.business.jacket/app_DynamicOptDex/RbAGHUu.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/slender.business.jacket/app_DynamicOptDex/oat/x86/RbAGHUu.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:5073

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/slender.business.jacket/app_DynamicOptDex/RbAGHUu.json

Filesize
1.5MB

MD5
6d6d70c312e57eb5f7cc8fdea7eb014f

SHA1
5a4d80d7242a95252a7d43811b06b2cd1c14420c

SHA256
fcc7a4b426e381576049ce1a6b9dae71c287bc99bf18243eae8100f61f05dd18

SHA512
51f98dc32c77e71d16bc114d25e4e8432325f34301e2687a7b473b22f1aa45ffb30ee5df33b02cfa3a1815ce12e14eeca35455e71bc0ae3088ba6a2b6c2ef5e6

Download Submit
/data/user/0/slender.business.jacket/app_DynamicOptDex/RbAGHUu.json

Filesize
1.5MB

MD5
40bc23344a0f46f04cf0533ae12c86b4

SHA1
4330aa71cc6bce9eac084368d207f1aeeabbec50

SHA256
e89d9804064dfff2a9890e595825a3074f88ffcbfe7c21800a9464d2aa9ab832

SHA512
e2e32639b3080412ee5a4f898c7ed8f422e854bd8e759402d21eb2620333a60170f80e21998dbe3e2ec652a3c7dc1ff8528c52d5df7a95a35046811b752d4f45

Download Submit
/data/user/0/slender.business.jacket/app_DynamicOptDex/RbAGHUu.json

Filesize
1.5MB

MD5
3e7d7af34d3504f26ca435e0cf106313

SHA1
d369bca4ec601a934969bb69909cd04c7ef526a7

SHA256
5502f89b316171cfa3c79aba4b6729c859e84f328a7f6535ec67fb13b2294b50

SHA512
c6728241a5dba91c843771489ddc6b73619307c467089da1d4317b24852f008f62aa72b31ff3b691af68688cf46eea381517a5ef2907e7e67739bf2c7fa45efb

Download Submit
/data/user/0/slender.business.jacket/app_DynamicOptDex/RbAGHUu.json

Filesize
1.5MB

MD5
40bc23344a0f46f04cf0533ae12c86b4

SHA1
4330aa71cc6bce9eac084368d207f1aeeabbec50

SHA256
e89d9804064dfff2a9890e595825a3074f88ffcbfe7c21800a9464d2aa9ab832

SHA512
e2e32639b3080412ee5a4f898c7ed8f422e854bd8e759402d21eb2620333a60170f80e21998dbe3e2ec652a3c7dc1ff8528c52d5df7a95a35046811b752d4f45

Download Submit

Analysis

Sharing