flubot | df98a8b9f15f4c70505d7c8e0c74b12ea708c084fbbffd5c38424481ae37976f

Resubmissions

02-11-2022 04:23

221102-ezznpahcd9 10

Analysis

max time kernel
916043s
max time network
161s
platform
android_x64
resource
android-x64-arm64-20220823-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20220823-enlocale:en-usos:android-11-x64system
submitted
02-11-2022 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42331cf55ee2174ac0d137d27633f7ea.apk
Size

5.5MB
MD5

42331cf55ee2174ac0d137d27633f7ea
SHA1

c67ce535777198f1bac3a7b7bd34817255c05e13
SHA256

df98a8b9f15f4c70505d7c8e0c74b12ea708c084fbbffd5c38424481ae37976f
SHA512

ffef78b5f7507cf444f9b1b03f5d655b4c88b6c9d00fa10455179d63003d2cd52b120d5ec81fa031bd920f711f5a3cf42d804da51f418314779de4e508336d32
SSDEEP

98304:f++ca+O+GSgUvtRZb9WFbto/q5qb3S1B3Y70sOyrDrfK/+xyxrUh4:W+cRODULN++S5qbOsOqCmxyNUh4

Score

10^/10

flubot banker evasion infostealer ransomware trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot payload 3 IoCs

Processes:

resource	yara_rule
/data/user/0/com.tencent.mobileqq/jG8seijrgu/8f8IjGUrgjhhrUf/base.apk.geIqgyG1.dUG	family_flubot
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.tencent.mobileqq/jG8seijrgu/8f8IjGUrgjhhrUf/base.apk.geIqgyG1.dUG]	family_flubot
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.tencent.mobileqq/jG8seijrgu/8f8IjGUrgjhhrUf/base.apk.geIqgyG1.dUG]	family_flubot

Makes use of the framework's Accessibility service. 3 IoCs

Processes:

com.tencent.mobileqq

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mobileqq
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.mobileqq
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.mobileqq

Loads dropped Dex/Jar 9 IoCs

Runs executable file dropped to the device during analysis.

Processes:

com.tencent.mobileqq

ioc	pid	process
/data/user/0/com.tencent.mobileqq/jG8seijrgu/8f8IjGUrgjhhrUf/base.apk.geIqgyG1.dUG	4624	com.tencent.mobileqq
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.tencent.mobileqq/jG8seijrgu/8f8IjGUrgjhhrUf/base.apk.geIqgyG1.dUG]	4624	com.tencent.mobileqq
/apex/com.android.art/javalib/core-oj.jar	4624	com.tencent.mobileqq
/apex/com.android.conscrypt/javalib/conscrypt.jar	4624	com.tencent.mobileqq
/apex/com.android.art/javalib/okhttp.jar	4624	com.tencent.mobileqq
/apex/com.android.art/javalib/core-libart.jar	4624	com.tencent.mobileqq
/apex/com.android.art/javalib/core-oj.jar	4624	com.tencent.mobileqq
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.tencent.mobileqq/jG8seijrgu/8f8IjGUrgjhhrUf/base.apk.geIqgyG1.dUG]	4624	com.tencent.mobileqq
/apex/com.android.conscrypt/javalib/conscrypt.jar	4624	com.tencent.mobileqq

Requests enabling of the accessibility settings. 1 IoCs

Processes:

com.tencent.mobileqq

description ioc process

Intent action android.settings.ACCESSIBILITY_SETTINGS com.tencent.mobileqq
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

59 ipinfo.io
64 api64.ipify.org
65 api64.ipify.org
Reads information about phone network operator.
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.tencent.mobileqq

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.tencent.mobileqq
Removes a system notification. 1 IoCs
evasion

Processes:

com.tencent.mobileqq

description ioc process

Framework service call android.app.INotificationManager.cancelNotificationWithTag com.tencent.mobileqq
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.tencent.mobileqq

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.tencent.mobileqq

description	ioc	process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.tencent.mobileqq

flow	ioc
59	ipinfo.io
64	api64.ipify.org
65	api64.ipify.org

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.tencent.mobileqq

description	ioc	process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.tencent.mobileqq

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.mobileqq

com.tencent.mobileqq
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/apex/com.android.art/javalib/core-libart.jar

Filesize
644KB

MD5
479f44584d4c8c9a652e5f6e476045d8

SHA1
e4f8cb84ad8cc560d253b946c48edab08b9792a9

SHA256
55a31a6bb685edcd6dd13905ec0ab746198c0c58ba5a01cbd205a0bf768bd8fe

SHA512
0c206643716a9224c657860d8100b3e15eadb062e64f873e74f7bd8e490f592259a1dadfd03d1621cd77614207dcdc7c97373aa216108609899729bca5002cbb

Download Submit
/apex/com.android.art/javalib/core-oj.jar

Filesize
4.7MB

MD5
17bf082d9e9a6eb8b5d62d82f4af5476

SHA1
a401c7fbd8feea319dbcece5b4b3f6a254e71fb3

SHA256
4df590b764f65c16b51176ff394458d0b3a866ca75a4f912d6f76b7793043c1c

SHA512
f1a2673bf5c478176de0fceec8419434ab0606a14343c3b7fe1e2b181b0a2ff8f00c888ea1dcb8e711c4eb14aa1294919440adc63ce7735a67e93da21a0f7ae7

Download Submit
/apex/com.android.art/javalib/core-oj.jar

Filesize
4.7MB

MD5
17bf082d9e9a6eb8b5d62d82f4af5476

SHA1
a401c7fbd8feea319dbcece5b4b3f6a254e71fb3

SHA256
4df590b764f65c16b51176ff394458d0b3a866ca75a4f912d6f76b7793043c1c

SHA512
f1a2673bf5c478176de0fceec8419434ab0606a14343c3b7fe1e2b181b0a2ff8f00c888ea1dcb8e711c4eb14aa1294919440adc63ce7735a67e93da21a0f7ae7

Download Submit
/apex/com.android.art/javalib/okhttp.jar

Filesize
395KB

MD5
2f737c10c13ddf1f3fe95054827891ca

SHA1
39233441365dbb7da364b4e75912f80e3b3abca5

SHA256
4214986fc39f65f743d77a4df6c79e12b969f173efc88ede281dd9b33c55d0df

SHA512
49907944fbc14692bba4587693cf2f9b1bbc9723b5e48fb641b6fde7f4cfe0f5813d3231d204a774fa3333ce7deb411fa0cbb33382e04bdc70791f4d9de436ba

Download Submit
/apex/com.android.conscrypt/javalib/conscrypt.jar

Filesize
429KB

MD5
ef9180f2d6baa6c7214403ec8f3b7ec5

SHA1
0da13630b0c13810bcea946dd88ec66774fcd502

SHA256
e56c2ca20f560f0c18610d592394f6aeae28a5838d03c7bcbcc5904a56b8e04b

SHA512
aa76abfe5d0d76ce1630d99b0b1ed133e782d30725169c9090529ac93c81251389a68153299013aa7a89af0d0430475d52310b7639ca048cb1cc516fa8ce879a

Download Submit
/apex/com.android.conscrypt/javalib/conscrypt.jar

Filesize
429KB

MD5
ef9180f2d6baa6c7214403ec8f3b7ec5

SHA1
0da13630b0c13810bcea946dd88ec66774fcd502

SHA256
e56c2ca20f560f0c18610d592394f6aeae28a5838d03c7bcbcc5904a56b8e04b

SHA512
aa76abfe5d0d76ce1630d99b0b1ed133e782d30725169c9090529ac93c81251389a68153299013aa7a89af0d0430475d52310b7639ca048cb1cc516fa8ce879a

Download Submit
/data/user/0/com.tencent.mobileqq/jG8seijrgu/8f8IjGUrgjhhrUf/base.apk.geIqgyG1.dUG

Filesize
2.0MB

MD5
ad656fc403c35b6a716e073bcd6d7824

SHA1
eb6b8c513a3abe5906a07d2fd3aed39a0de0cbd6

SHA256
a72640470a5611a7c6864eafe02e2ed8bf589dfb88a7195a66423327c924953e

SHA512
5c1c15c79ffdb4be81e7a7804d3dfa22122f9931ceff8e8a515d981aa8fee3211ad8acf08f02d946e7bb997ef016ddbe3f592ba742cc62712fd39c44725b3568

Download Submit
/data/user/0/com.tencent.mobileqq/jG8seijrgu/8f8IjGUrgjhhrUf/ktfgfg7u.8jHp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.tencent.mobileqq/jG8seijrgu/8f8IjGUrgjhhrUf/tmp-base.apk.geIqgyG7758614885980489056.dUG

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.tencent.mobileqq/shared_prefs/DHL.xml

Filesize
133B

MD5
4306856b36206d5d12e47dbced468407

SHA1
72465a6ac52c2e1aa94680c178633323e274a9a2

SHA256
f24be8fbe572b2f1fd9db240ff2ff5d2413d1d88cefcb4f97bd3dde48ea5eeb1

SHA512
db275fe2d0d512d58acbdc1124d5b422db1dd3f82a923ad239f3cf87ad1a39d71703960e5ca52933f68283e650d136a798573435db19ca994deba63653a94ed0

Download Submit
/data/user/0/com.tencent.mobileqq/shared_prefs/DHL.xml

Filesize
197B

MD5
a3e54cd58f98a7890ce4ed9a343d5652

SHA1
7f33d01b0420802b61fc1fedd1a9f0823603b29b

SHA256
03c5236944c1da5fe02ba90689386818494f754ab51734534e8e081088e9c533

SHA512
dc3db04974a1dfe3a658fb4eb781a246f813f71fc63f18b7cb8ffac08797148ce096503491ab64754b76a7c2ddcdecee7900ab43f34736fa27e62f08dbdc776a

Download Submit
/data/user/0/com.tencent.mobileqq/shared_prefs/DHL.xml

Filesize
240B

MD5
754254cf4b6697d837094c44a130a380

SHA1
a4b17fd5068c3e9fc69358afe65222c3ac3a8e69

SHA256
30abe2bcd5d09e92974506fb289ff3baab0bfc42f4923c177823d6d0ff7e7bf8

SHA512
953094bdc744dffdafc6c007c416f74497493a58232b8cd4cac9275203ae50c1e8cf57e15aed3ed18b5bb1e2263755327b8d8cefc716e8a9ee0276410b842e80

Download Submit
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.tencent.mobileqq/jG8seijrgu/8f8IjGUrgjhhrUf/base.apk.geIqgyG1.dUG]

Filesize
2.0MB

MD5
ad656fc403c35b6a716e073bcd6d7824

SHA1
eb6b8c513a3abe5906a07d2fd3aed39a0de0cbd6

SHA256
a72640470a5611a7c6864eafe02e2ed8bf589dfb88a7195a66423327c924953e

SHA512
5c1c15c79ffdb4be81e7a7804d3dfa22122f9931ceff8e8a515d981aa8fee3211ad8acf08f02d946e7bb997ef016ddbe3f592ba742cc62712fd39c44725b3568

Download Submit
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.tencent.mobileqq/jG8seijrgu/8f8IjGUrgjhhrUf/base.apk.geIqgyG1.dUG]

Filesize
2.0MB

MD5
ad656fc403c35b6a716e073bcd6d7824

SHA1
eb6b8c513a3abe5906a07d2fd3aed39a0de0cbd6

SHA256
a72640470a5611a7c6864eafe02e2ed8bf589dfb88a7195a66423327c924953e

SHA512
5c1c15c79ffdb4be81e7a7804d3dfa22122f9931ceff8e8a515d981aa8fee3211ad8acf08f02d946e7bb997ef016ddbe3f592ba742cc62712fd39c44725b3568

Download Submit