flubot | c22c7b1f473939ebaa1ae8f891065633a767a4ad84b804e1c61faa7d8ad22763

Analysis

max time kernel
381553s
max time network
610s
platform
android_x64
resource
android-x64-arm64-20220823-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20220823-enlocale:en-usos:android-11-x64system
submitted
26-10-2022 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c22c7b1f473939ebaa1ae8f891065633a767a4ad84b804e1c61faa7d8ad22763.apk
Size

3.8MB
MD5

c136b8d59db8d91ec022aa0151028e05
SHA1

9eae5b7351e1cfb35d67a78d441b9c612dce491f
SHA256

c22c7b1f473939ebaa1ae8f891065633a767a4ad84b804e1c61faa7d8ad22763
SHA512

34b0c0947f321ba8b785ed36412bbc7a59c77438962afaf0d67179232e36ab7c1d885c9f83e0384900c0c1723249f29cd8fc7548423ff647a01678d349b08fe3
SSDEEP

98304:tNerged/OIfZCj2e2GVoEnyAXaJMTp/fGCpQDM:t4rgtj2+/p93pQDM

Score

10^/10

flubot banker discovery evasion infostealer trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.iqiyi.i18n/code_cache/secondary-dexes/base.apk.classes1.zip	family_flubot

Makes use of the framework's Accessibility service. 3 IoCs

Processes:

com.iqiyi.i18n

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.iqiyi.i18n
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.iqiyi.i18n
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.iqiyi.i18n

Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.iqiyi.i18n

ioc pid process

/data/user/0/com.iqiyi.i18n/code_cache/secondary-dexes/base.apk.classes1.zip 4536 com.iqiyi.i18n
Requests enabling of the accessibility settings. 1 IoCs

Processes:

com.iqiyi.i18n

description ioc process

Intent action android.settings.ACCESSIBILITY_SETTINGS com.iqiyi.i18n
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.iqiyi.i18n

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.iqiyi.i18n
Removes a system notification. 1 IoCs
evasion

Processes:

com.iqiyi.i18n

description ioc process

Framework service call android.app.INotificationManager.cancelNotificationWithTag com.iqiyi.i18n

ioc	pid	process
/data/user/0/com.iqiyi.i18n/code_cache/secondary-dexes/base.apk.classes1.zip	4536	com.iqiyi.i18n

description	ioc	process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.iqiyi.i18n

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.iqiyi.i18n

description	ioc	process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.iqiyi.i18n

com.iqiyi.i18n
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
PID:4536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.iqiyi.i18n/code_cache/secondary-dexes/MultiDex.lock

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.iqiyi.i18n/code_cache/secondary-dexes/base.apk.classes1.zip

Filesize
2.4MB

MD5
97dda0e8d28f6defb1950d05e650b4b4

SHA1
9883c2bf6cba5d1b46fcba54baf01342f2adb7a1

SHA256
2a7d1f5b88741377488ac0bf0c22b81573803a7729738c3a7dc081fefcb88c7d

SHA512
7b7c75790dc77ac71f3b9bfbfea4bd48cddb03347d6ce33cb1266a3b1af0e9759249c800b57f084353fa6a9ecc41c90149060a0e3cb8136b801cab6743219127

Download Submit
/data/user/0/com.iqiyi.i18n/code_cache/secondary-dexes/tmp-base.apk.classes4598431459789542246.zip

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.iqiyi.i18n/shared_prefs/Voicemail.xml

Filesize
133B

MD5
9c7bc0a610a508f645ebaff67429f7a4

SHA1
71d88e4ab2b2119a764dece124022543d589ad42

SHA256
676ccaab54f14765e03d91e0c8e4729b57e608faedbf6a1cac4105481fa20418

SHA512
40495f26a44cb4c49204272a7b031be063fbe231240bb0b7b32719e2d1b453489dee7c354c80e521e8e3ab4cc15fc9a62d134b36220b8601371085514dc0c729

Download Submit
/data/user/0/com.iqiyi.i18n/shared_prefs/Voicemail.xml

Filesize
197B

MD5
623fa588989db34f504502810b09f90d

SHA1
084e490d4f17129b33b8f9909040a0ad05dcdbf1

SHA256
5950178ef9999d9289d8df5aa13fe2e78b61f05729ac0c421874af1a30ecb839

SHA512
a56c99c39fab724542c1d63c3d11746058c95958288ab8dcf4c63877842dbecac4450f9767edf1634a992e858b0dd9364161c41f896327938772794f9e0e32fa

Download Submit
/data/user/0/com.iqiyi.i18n/shared_prefs/multidex.version.xml

Filesize
307B

MD5
f54e06f41f1e4e37a9a8ecfbdb5dd582

SHA1
eeaa3db7b32c121b32287d41a91bc1c86cad9511

SHA256
1e0946c939419d4a99175b5a06a34cce61e5aa0cbb6c068459ecdb81f983e6d6

SHA512
5570980e492823ed114206319941acb5bcdce73ab6589f75f8d4cfc6e090763dfa4c5c33f7b7e36bfc8538ddbb7af6a9c9ffbc3840d599874eac2c937a187738

Download Submit