flubot | 1458b4858ea9983227d68c70d2d9dcdf85c89e66aa9fc50879205d97e08fbbd7

Analysis

max time kernel
1544736s
max time network
159s
platform
android_x64
resource
android-x64-20220823-en
resource tags

androidarch:x64arch:x86image:android-x64-20220823-enlocale:en-usos:android-10-x64system
submitted
09-11-2022 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1458b4858ea9983227d68c70d2d9dcdf85c89e66aa9fc50879205d97e08fbbd7.apk
Size

5.5MB
MD5

c090102914f9d558dca69c875428946f
SHA1

4887d7a53823bee74d8610f6ba8d0a6163064c33
SHA256

1458b4858ea9983227d68c70d2d9dcdf85c89e66aa9fc50879205d97e08fbbd7
SHA512

1d47e0dd3c8045944cb3a1cf8595f30fd17229f394f0a526d4a7d0f83bdae57c62869cf801a9aa12e5635feea5d3598985101f2e39fdf8e0cf4c051f8683f59b
SSDEEP

98304:lPXp1mY2iKPrYVisH/NhSQUtOejEgFIMKhUC7Q8MK4ShyxrB:NXTmR/YVisFUtdAgS7TMkhyNB

Score

10^/10

flubot banker infostealer ransomware trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.qq.reader/Uggjgefggg/yj8tIUrIgd8ggtF/base.apk.gytqarF1.ue8	family_flubot

Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.qq.reader

ioc pid process

/data/user/0/com.qq.reader/Uggjgefggg/yj8tIUrIgd8ggtF/base.apk.gytqarF1.ue8 4753 com.qq.reader
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

90 api64.ipify.org
111 icanhazip.com
193 icanhazip.com
194 icanhazip.com
195 ipinfo.io
264 ipinfo.io
265 ipinfo.io
59 api64.ipify.org
Reads information about phone network operator.
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.qq.reader

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.qq.reader

ioc	pid	process
/data/user/0/com.qq.reader/Uggjgefggg/yj8tIUrIgd8ggtF/base.apk.gytqarF1.ue8	4753	com.qq.reader

flow	ioc
90	api64.ipify.org
111	icanhazip.com
193	icanhazip.com
194	icanhazip.com
195	ipinfo.io
264	ipinfo.io
265	ipinfo.io
59	api64.ipify.org

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.qq.reader

com.qq.reader
1⤵
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data).
PID:4753

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.qq.reader/Uggjgefggg/yj8tIUrIgd8ggtF/base.apk.gytqarF1.ue8

Filesize
2.0MB

MD5
f441022e4264c4c77afcce9bc08f8a7c

SHA1
62530755aca4e46db62af5f833e6f724e6b01af8

SHA256
575451955078e1579cd4692a604419cc98801add000ef240439c8caacaf91dc7

SHA512
a9b2c6cd790fa490631da6a97ae6384dbcf9b09302d84f15a033bd4b00bb3be40de25b315bc4b2c3fec0a00fad83ac10ddbcb8194047c61445393f5dd8306209

Download Submit
/data/user/0/com.qq.reader/Uggjgefggg/yj8tIUrIgd8ggtF/tkyiF6gg.jjue

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.qq.reader/Uggjgefggg/yj8tIUrIgd8ggtF/tmp-base.apk.gytqarF3000122093057493999.ue8

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.qq.reader/shared_prefs/Flash Player.xml

Filesize
133B

MD5
7469ee52e41c1ef7a7caddb6b980bc11

SHA1
7b100d2414b54b41e4c69c8562ae9d8ae08b8aa2

SHA256
3b41c8595a4219ed7e392a13e3804d98c9c883afabf4d031b9e6700f2d9b8777

SHA512
e137be5b79d6f00f0380bd228d061b5d3ff69b4b84027ad1f7601bc79f171a10c8e6db21c23d3a0cb7276ba30d5adc9437dea26c7b18db17489bbc6b2aecc879

Download Submit
/data/user/0/com.qq.reader/shared_prefs/Flash Player.xml

Filesize
197B

MD5
e4640c5d2fa7c5e193d86440b7bce06e

SHA1
b4623047ae6c16760c59bfd4aeacd35a4f96929d

SHA256
d776fb0fe2dc29482976940d5bb81b12f4d62337f4c9c13bc94e1ac2d7101966

SHA512
8d925670f647ba722dbec25846bf3348115eda702c2c95169fad434629171dacbebf7809e5470b44c0a5ce0780fdeb2f0ca2d34ef81c27a6eb06b49d7df9e503

Download Submit
/data/user/0/com.qq.reader/shared_prefs/Flash Player.xml

Filesize
240B

MD5
e284e67a0d25c111df77e3a050d3e959

SHA1
e06fd871780d074b6128ada94f3a4bc5cd2fc20d

SHA256
4c6cca2cefa65f5330a402790e96f4fb060a4b2b667916e13a536f3549ebdcb0

SHA512
a4128f29f68670e8671b645a39c380dca2ba4822ed24e1d38c08a5340dd2372de436654fd19986d6e69e734c8f338bd572865646180064f14b7d5d0e2059490f

Download Submit