flubot | 1458b4858ea9983227d68c70d2d9dcdf85c89e66aa9fc50879205d97e08fbbd7

Analysis

max time kernel
1544743s
max time network
164s
platform
android_x64
resource
android-x64-arm64-20220823-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20220823-enlocale:en-usos:android-11-x64system
submitted
09-11-2022 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1458b4858ea9983227d68c70d2d9dcdf85c89e66aa9fc50879205d97e08fbbd7.apk
Size

5.5MB
MD5

c090102914f9d558dca69c875428946f
SHA1

4887d7a53823bee74d8610f6ba8d0a6163064c33
SHA256

1458b4858ea9983227d68c70d2d9dcdf85c89e66aa9fc50879205d97e08fbbd7
SHA512

1d47e0dd3c8045944cb3a1cf8595f30fd17229f394f0a526d4a7d0f83bdae57c62869cf801a9aa12e5635feea5d3598985101f2e39fdf8e0cf4c051f8683f59b
SSDEEP

98304:lPXp1mY2iKPrYVisH/NhSQUtOejEgFIMKhUC7Q8MK4ShyxrB:NXTmR/YVisFUtdAgS7TMkhyNB

Score

10^/10

flubot banker evasion infostealer ransomware trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.qq.reader/Uggjgefggg/yj8tIUrIgd8ggtF/base.apk.gytqarF1.ue8	family_flubot

Makes use of the framework's Accessibility service. 3 IoCs

Processes:

com.qq.reader

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.qq.reader
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.qq.reader
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.qq.reader

Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.qq.reader

ioc pid process

/data/user/0/com.qq.reader/Uggjgefggg/yj8tIUrIgd8ggtF/base.apk.gytqarF1.ue8 4535 com.qq.reader
Requests enabling of the accessibility settings. 1 IoCs

Processes:

com.qq.reader

description ioc process

Intent action android.settings.ACCESSIBILITY_SETTINGS com.qq.reader
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

42 ipinfo.io
43 ipinfo.io
Reads information about phone network operator.
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.qq.reader

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.qq.reader
Removes a system notification. 1 IoCs
evasion

Processes:

com.qq.reader

description ioc process

Framework service call android.app.INotificationManager.cancelNotificationWithTag com.qq.reader
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.qq.reader

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.qq.reader

ioc	pid	process
/data/user/0/com.qq.reader/Uggjgefggg/yj8tIUrIgd8ggtF/base.apk.gytqarF1.ue8	4535	com.qq.reader

description	ioc	process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.qq.reader

flow	ioc
42	ipinfo.io
43	ipinfo.io

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.qq.reader

description	ioc	process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.qq.reader

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.qq.reader

com.qq.reader
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4535

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.qq.reader/Uggjgefggg/yj8tIUrIgd8ggtF/base.apk.gytqarF1.ue8

Filesize
2.0MB

MD5
f441022e4264c4c77afcce9bc08f8a7c

SHA1
62530755aca4e46db62af5f833e6f724e6b01af8

SHA256
575451955078e1579cd4692a604419cc98801add000ef240439c8caacaf91dc7

SHA512
a9b2c6cd790fa490631da6a97ae6384dbcf9b09302d84f15a033bd4b00bb3be40de25b315bc4b2c3fec0a00fad83ac10ddbcb8194047c61445393f5dd8306209

Download Submit
/data/user/0/com.qq.reader/Uggjgefggg/yj8tIUrIgd8ggtF/tkyiF6gg.jjue

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.qq.reader/Uggjgefggg/yj8tIUrIgd8ggtF/tmp-base.apk.gytqarF134639943381831615.ue8

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.qq.reader/shared_prefs/Flash Player.xml

Filesize
133B

MD5
29e2361038d3cb1fd469cd833a3b955e

SHA1
3d7dd373624163324cf5126e279c9ce6ebf8fe29

SHA256
948318889a74a0716b072fd04c08fa354fc432881ad69f0bad14e876dc1d5dc4

SHA512
c3ed0bdfd31aeeafbb0c1fd1ef0a0c196ac686cf996acdc32c36474f2023132ba1906bab22c4d3041271ab7dff529b79a645540d60f8e4d0031b53c8a174bad0

Download Submit
/data/user/0/com.qq.reader/shared_prefs/Flash Player.xml

Filesize
176B

MD5
1ebc3806e98c9a8dffbe698f3e12b525

SHA1
50fcaafe0382da1855dee68908d12988492a0d68

SHA256
955d9d63e3afdfa309f34d2663750ba5e39f0f32cdb1eb1905ce375869213716

SHA512
31a6793f21a7e01b51e0115d0e2948edc5184186288888bc3b22443a3a4dd8aa05cf1c1aca21ba025683cf8238622523007a09b4dd80ead5663b5a0c2fecdcc2

Download Submit
/data/user/0/com.qq.reader/shared_prefs/Flash Player.xml

Filesize
240B

MD5
ccb81c64fb5ba3f427dffc1da033b5c2

SHA1
13d8b74297f1563af26d5c2c55d17d0fd3f797bb

SHA256
68e983d761b27c035bc02d750b34c07b3779966bfaad6e7882987bc1c104040d

SHA512
cb3bbba013aefde57ba200ffd5cd754b97b7110e07011361064921ab8ac79d1bdecdca9880b79f9c6b0c3e8b27e14dede01515011665082df71f6cfb5356b329

Download Submit