flubot | d2c5e4af486a01426f5c98f8ffb13f69f1defece0e07f2c7e4f39d8c2593829b | Triage

Sharing

General

Target

d2c5e4af486a01426f5c98f8ffb13f69f1defece0e07f2c7e4f39d8c2593829b.apk
Size

5.6MB
Sample

230719-sr6nxshg6t
MD5

95fb562c7721bc502223e9a0b9e5b0f6
SHA1

6ed60847eefb78b9a91d8e0433dc5ea3494357f0
SHA256

d2c5e4af486a01426f5c98f8ffb13f69f1defece0e07f2c7e4f39d8c2593829b
SHA512

a59d5e5840378df2610f599f1529835ec0dc9fd9e74fbaae167152d16dc9b0e01a2d46c99d722e7c88f02ff8fbfed4c25caa3e51fd101e28bd940d0ce6117f15
SSDEEP

98304:Q6NZwHRVLnc20uge7A1PVTf4uFwEEp/txdrroaMtiXIFvGxQdyxrk:Q6fwHRBncHudM9VTfRFwEGRiyKGWdyNk

Score

10^/10

flubot android banker discovery evasion infostealer ransomware trojan

Malware Config

Targets

- Target
  
  d2c5e4af486a01426f5c98f8ffb13f69f1defece0e07f2c7e4f39d8c2593829b.apk
- Size
  
  5.6MB
- MD5
  
  95fb562c7721bc502223e9a0b9e5b0f6
- SHA1
  
  6ed60847eefb78b9a91d8e0433dc5ea3494357f0
- SHA256
  
  d2c5e4af486a01426f5c98f8ffb13f69f1defece0e07f2c7e4f39d8c2593829b
- SHA512
  
  a59d5e5840378df2610f599f1529835ec0dc9fd9e74fbaae167152d16dc9b0e01a2d46c99d722e7c88f02ff8fbfed4c25caa3e51fd101e28bd940d0ce6117f15
- SSDEEP
  
  98304:Q6NZwHRVLnc20uge7A1PVTf4uFwEEp/txdrroaMtiXIFvGxQdyxrk:Q6fwHRBncHudM9VTfRFwEGRiyKGWdyNk
Score

10^/10

flubot banker evasion infostealer ransomware trojan discovery
- FluBot
  FluBot is an android banking trojan that uses overlays.
  banker trojan infostealer flubot
- FluBot payload
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Reads information about phone network operator.
- Removes a system notification.
  evasion
- Uses Crypto APIs (Might try to encrypt user data).
  ransomware
behavioral1 behavioral2 behavioral3
- Target
  
  appx/af-appx.min.js
- Size
  
  570KB
- MD5
  
  b6eb04363e88ceb02983493d0d415a76
- SHA1
  
  00faa2d27a8c2cd70f261cb17a53884181d44ee5
- SHA256
  
  60ede3350d57014350598f985e240c65d0fef70ec003546c35debaaa707737fa
- SHA512
  
  da4149950427d6341021a6073216355f28d318801c01d84fedcfd4e011e038ed28a743fbd6eb737bd9a995a5135de157e598be79a704ea0eabf9b835bbcad0f8
- SSDEEP
  
  6144:KZz1+/1/N8ezA6ctPpX92pM1Og12wj11W19yK7RLQjAayjUaC7Tiq/0TkzIF:q6dicmtPj9K7RLQjAayjUaC7T0TkA
Score

1^/10
behavioral4 behavioral5 behavioral6
- Target
  
  appx/af-appx.worker.min.js
- Size
  
  425KB
- MD5
  
  ee95e302665633407abe6a8fddf06d4b
- SHA1
  
  9ef5894a6e2ecee4d20cc53bf3eaf865568e2aff
- SHA256
  
  801783c0a71ff48d9b29a775cd47597ad5bf0a6aa0c15dd4e1023a3eaefef149
- SHA512
  
  b6dd91a847c67c3f8976a9d80beff6f1361a097dd7fabb68eb8853e8a055a66b8404c12e42baf573af6a4f3e85ef79a1918606081a5ef2595667373e8821f358
- SSDEEP
  
  6144:CVdAA/7HtAt9HqZb/q4l56eZkr28dCvOlpaSYRv359ls+N:CVdAEHWt9KN/nl5Sa8dCvqaSYRx9ls+N
Score

1^/10
behavioral7 behavioral8 behavioral9
- Target
  
  appx/es6-promise.min.js
- Size
  
  6KB
- MD5
  
  87386dc55ba8a0148b2b368daa730e3a
- SHA1
  
  721f69e52595a309169781c6fd9f31b5cb971b94
- SHA256
  
  c0e9849f5a195abee01fb0c70da42c232c6cc0ec226f67d54ab31975f2eedf9a
- SHA512
  
  d60c1edf9adba7440bdee328ddb80af8470aaa19b2bd90b03746738eefb066929d0c8a9b824fed7d64f22fc643ea9db27413747425917f635d681490ad098a67
- SSDEEP
  
  96:+0jEIlgBtFX762eQAl25zU2sycRu56+NUXvfRW2CjwqKbq5hizUfUAEvm0r/GzR:+NXt22vdcR1tqKbDAENrGR
Score

1^/10
behavioral10 behavioral11 behavioral12
- Target
  
  appx/index.html
- Size
  
  1KB
- MD5
  
  2b186fa99270394f1ef2a19604832708
- SHA1
  
  b423eb5c7821436d81ddd99b87f4b664a367bc13
- SHA256
  
  a41346e3edd7b683b8eab44f9b7234d5758cd76d05f9956ebd519f92c0a94f0c
- SHA512
  
  1271fedbc6b03c6626761e0b36a903a0ffd36a7ae5cfe67cfa97bf3cbc905e21819fadc1d9a567763d99842af5e02064d6bb2ff9e56032fb894d66b54cbcab2b
Score

1^/10
behavioral13 behavioral14 behavioral15
- Target
  
  appx/security-patch.min.js
- Size
  
  731B
- MD5
  
  9af9636e96667b6e51fd8820ea64bcec
- SHA1
  
  9945a97db54b07812fe8c9384f2381c0cf7a5b59
- SHA256
  
  9c55d51b975b03f274f228d9b6ce303accb0df522b58d6aded2cd5c577e89f79
- SHA512
  
  6273caeb43d33462f42708d3b326fff27dd552dccf129ea71943ee7c5e9a150ca0205498e58c71567148370b5871ebdc9ff33b05645b886e968938648870089b
Score

1^/10
behavioral16 behavioral17 behavioral18
- Target
  
  MOBILEIC@idNoMacau
- Size
  
  12KB
- MD5
  
  38437a4009f05c38b1d4dc62be2e3a67
- SHA1
  
  b1e6a40fe7e597dbe1a12bd08b3960dee2412238
- SHA256
  
  8cfc9a1d8f446f6fb0251bc4705b624722946756215dc7e6d1008c013123015d
- SHA512
  
  3abb012e37066c60367255cb1a302a7d671eb79f59c43a91cfaf26594b0426e6bf512ec7cf528f1c6e1d0d80e1da0bacd52ee9dcf6f3d0cf2d7e2cb65da14208
- SSDEEP
  
  96:t+TngYnQeIqg6jEvx4UhlQ9Ja6NmnaIqg6GrvbV2kDRUugKMb08NAW0r6lQo+MDX:4gYYzQ9J3u0kDRCKN6lQjvOX
Score

1^/10
behavioral19 behavioral20 behavioral21
- Target
  
  MOBILEIC@secret-question
- Size
  
  9KB
- MD5
  
  55bbfd0cfedd4e8356d7016a16c1ae1d
- SHA1
  
  cda6a1318a31e99a7e905ded1f22e3108eff6167
- SHA256
  
  f2cd555da76b2dd6e19467c630172b6cf090367166127cc841e0baadb4e04a30
- SHA512
  
  aacaa4ba39395f75e0071d755a95827eca5c385ff994d94a73e4d742d729fbcdc8e02bbcd94c216e67aae04656c517ffaddeb597be45de657d1b606b3f89d8e5
- SSDEEP
  
  96:zd+DL4y3Z8JyKhj0ZPlG8AnRuQuL+JBwwfwcxHh4RJU618upd2qP:zu4y3Z8JyCGlG8AnRupL+JBFw0Ez
Score

1^/10
behavioral22 behavioral23 behavioral24
- Target
  
  QUICKPAY@card-no-flex
- Size
  
  5KB
- MD5
  
  0f03a81b0a45aa562a7000166255ccbe
- SHA1
  
  a25dc16c49920997964231ae30b347e6ea4fb8a6
- SHA256
  
  add2c7fc3367b8b063b5ade4f258de93b3f16e386abaaedffb9dbf8bae62d294
- SHA512
  
  275caf7f94e61901d55ab05d24fcb4d2d88adc037699c745762539ada489da42cfcd992ff483420b1349410f37c20c471da6274d3f5c78191e1805e64d4583b0
- SSDEEP
  
  96:zVkRITsdxQY2GGSNgiJlG4ReBf6gkUgKJ7ZJuRZMen/SQ:zjszQY2FFAlG4ReBf6gkUgxf
Score

1^/10
behavioral25 behavioral26 behavioral27
- Target
  
  [email protected]
- Size
  
  3KB
- MD5
  
  55acfe384eae522d3d9e0c046ef9bd53
- SHA1
  
  fbcf05fd0ad0569b4afc35c3bd8885b042832b77
- SHA256
  
  62ffd64e012a83d114bd8e15c45808773d66852ce385599a8f8a0fd5d7acc87b
- SHA512
  
  32043682d12cd10e24ea18d9a636b7f03ef688596818b1e2f15b090bdf69251fb2b69136231c418616fa95d3d3d514ae98b529c7a76d3f286828029cc574c0b3
Score

1^/10
behavioral28 behavioral29 behavioral30
- Target
  
  QUICKPAY@pwd-validate-flex
- Size
  
  5KB
- MD5
  
  7abc912426e02eb2071541e7551a8657
- SHA1
  
  40d5ae4e19f2e9ce42378747df402037bfa1c564
- SHA256
  
  619867085287fd43fc03e6fd71bfe1df16c0681ca3f2eca3a0aeafcaaa9df167
- SHA512
  
  c4fc86eb474ce6b12f102aab4c0e0ea0a14ed52a98aa40d8289426e2554d02c09bf78edc9360a88eabd6883be6dfe7f4719499c8215018ab518dd1b70ce88c2a
- SSDEEP
  
  96:zkRpofwnp27tVBWPZDnWgN1W0vY9zD17nzvZJDRRFWqvsPyJVFTdn:AofK87QWnG+rzfxzln
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

flubotbankerevasioninfostealerransomwaretrojan

behavioral2

flubotbankerinfostealerransomwaretrojan

behavioral3

flubotbankerdiscoveryinfostealerransomwaretrojan

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32