flubot | d2c5e4af486a01426f5c98f8ffb13f69f1defece0e07f2c7e4f39d8c2593829b

Analysis

max time kernel
1858334s
max time network
338s
platform
android_x64
resource
android-x64-arm64-20230621-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20230621-enlocale:en-usos:android-11-x64system
submitted
19-07-2023 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2c5e4af486a01426f5c98f8ffb13f69f1defece0e07f2c7e4f39d8c2593829b.apk
Size

5.6MB
MD5

95fb562c7721bc502223e9a0b9e5b0f6
SHA1

6ed60847eefb78b9a91d8e0433dc5ea3494357f0
SHA256

d2c5e4af486a01426f5c98f8ffb13f69f1defece0e07f2c7e4f39d8c2593829b
SHA512

a59d5e5840378df2610f599f1529835ec0dc9fd9e74fbaae167152d16dc9b0e01a2d46c99d722e7c88f02ff8fbfed4c25caa3e51fd101e28bd940d0ce6117f15
SSDEEP

98304:Q6NZwHRVLnc20uge7A1PVTf4uFwEEp/txdrroaMtiXIFvGxQdyxrk:Q6fwHRBncHudM9VTfRFwEGRiyKGWdyNk

Score

10^/10

flubot banker discovery infostealer ransomware trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot payload 1 IoCs

resource	yara_rule
behavioral3/memory/4686-0.dex	family_flubot

Makes use of the framework's Accessibility service. 1 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.reading

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.tencent.reading/Gtfgw8g8UU/HhjIUhGUGG7ej8e/base.apk.UGdkqyf1.I88	4686	com.tencent.reading

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
64	api64.ipify.org
85	icanhazip.com
86	icanhazip.com
87	icanhazip.com
88	ipinfo.io
89	ipinfo.io

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.reading

com.tencent.reading
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data).
PID:4686

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.tencent.reading/Gtfgw8g8UU/HhjIUhGUGG7ej8e/base.apk.UGdkqyf1.I88

Filesize
2.0MB

MD5
ac89082019a67c0d8dfea697649b7d01

SHA1
9cf9568be109a80e10ba82fcfae9067a3803784d

SHA256
8a447c8a6faa42d24be09983197f851b970caf6392a9a02ecda21b0d13810277

SHA512
108834466356a51337ca27cf061df22d140cc00ff9843892d25e14e7d33fb6aad938bb647af0703b2dc8f561f0f748f4bdd74351c58740ffc80a5646fa2e7838

Download Submit
/data/user/0/com.tencent.reading/shared_prefs/DHL.xml

Filesize
133B

MD5
4e4b13fe2972eee36b59e7c679e16d6f

SHA1
13b3df7d8e4714d8d1e4b1a9861a5f03c3b49a58

SHA256
e082f8241ebf2b36c139dd4be10b461fb533f724818927979ed92942d61ada3a

SHA512
7806f43480465d6ea3219f9e7657ab63f52b3897eeb43e81a92ca2e7002c3ddd0803ca602dad71e123e8ff5f8d88a9495698480b40df3610db49fb333774cbe1

Download Submit
/data/user/0/com.tencent.reading/shared_prefs/DHL.xml

Filesize
176B

MD5
f93a46785fe8d45cf35b9f391e15f4f8

SHA1
dd972c4ebee10d5fbcbcc7d8263efdb04af2b48a

SHA256
1f57fa5e2286b745c9f9b6612b73ababc67fa7d9b473b8d2c3a025fc63a82450

SHA512
d23285adc7ae03e46ba5065a7c03bdae0f14528996594244f0c20e9e6c67b95c525694c7ee53a112d9b1ce3a5ef1d0170f88bef9e28ff40567e0b74135c7b0d4

Download Submit