flubot | d0d67aa3f62e8e280b6a55c9523c8d82159deab4fd1693a15b6b478d47279148 | Triage

Sharing

General

Target

df98a8b9f15f4c70505d7c8e0c74b12ea708c084fbbffd5c38424481ae37976f.7z
Size

5.1MB
Sample

231011-l8rg1aab72
MD5

8ec2d10d355839da988d1481c459e5fb
SHA1

63109a05bdaa1b3376a369a150513c47805299e5
SHA256

d0d67aa3f62e8e280b6a55c9523c8d82159deab4fd1693a15b6b478d47279148
SHA512

74de1784f5f9df6857969b1aee9aa867a08246c0f7e044b3b69c86bacb1c7b1e2bb87641ed56a37ff30faa1b20d8f691b15d8936d0ba122b6610efb0d37d95ea
SSDEEP

98304:RCswU6UcgM4OBC9l3yR8ob27TxyyqC6HOFt/Evd84QMkizCCGOA:EswU6U/dNyR8M2pyyqnHOIVZkFrOA

Score

10^/10

flubot android banker discovery evasion infostealer ransomware stealth trojan

Malware Config

Targets

- Target
  
  df98a8b9f15f4c70505d7c8e0c74b12ea708c084fbbffd5c38424481ae37976f
- Size
  
  5.5MB
- MD5
  
  42331cf55ee2174ac0d137d27633f7ea
- SHA1
  
  c67ce535777198f1bac3a7b7bd34817255c05e13
- SHA256
  
  df98a8b9f15f4c70505d7c8e0c74b12ea708c084fbbffd5c38424481ae37976f
- SHA512
  
  ffef78b5f7507cf444f9b1b03f5d655b4c88b6c9d00fa10455179d63003d2cd52b120d5ec81fa031bd920f711f5a3cf42d804da51f418314779de4e508336d32
- SSDEEP
  
  98304:f++ca+O+GSgUvtRZb9WFbto/q5qb3S1B3Y70sOyrDrfK/+xyxrUh4:W+cRODULN++S5qbOsOqCmxyNUh4
Score

10^/10

flubot banker evasion infostealer ransomware stealth trojan discovery
- FluBot
  FluBot is an android banking trojan that uses overlays.
  banker trojan infostealer flubot
- FluBot payload
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
  stealth trojan
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
- Requests enabling of the accessibility settings.
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Removes a system notification.
  evasion
- Uses Crypto APIs (Might try to encrypt user data).
  ransomware
behavioral1 behavioral2 behavioral3
- Target
  
  appx/af-appx.min.js
- Size
  
  570KB
- MD5
  
  b6eb04363e88ceb02983493d0d415a76
- SHA1
  
  00faa2d27a8c2cd70f261cb17a53884181d44ee5
- SHA256
  
  60ede3350d57014350598f985e240c65d0fef70ec003546c35debaaa707737fa
- SHA512
  
  da4149950427d6341021a6073216355f28d318801c01d84fedcfd4e011e038ed28a743fbd6eb737bd9a995a5135de157e598be79a704ea0eabf9b835bbcad0f8
- SSDEEP
  
  6144:KZz1+/1/N8ezA6ctPpX92pM1Og12wj11W19yK7RLQjAayjUaC7Tiq/0TkzIF:q6dicmtPj9K7RLQjAayjUaC7T0TkA
Score

1^/10
behavioral4 behavioral5
- Target
  
  appx/af-appx.worker.min.js
- Size
  
  425KB
- MD5
  
  ee95e302665633407abe6a8fddf06d4b
- SHA1
  
  9ef5894a6e2ecee4d20cc53bf3eaf865568e2aff
- SHA256
  
  801783c0a71ff48d9b29a775cd47597ad5bf0a6aa0c15dd4e1023a3eaefef149
- SHA512
  
  b6dd91a847c67c3f8976a9d80beff6f1361a097dd7fabb68eb8853e8a055a66b8404c12e42baf573af6a4f3e85ef79a1918606081a5ef2595667373e8821f358
- SSDEEP
  
  6144:CVdAA/7HtAt9HqZb/q4l56eZkr28dCvOlpaSYRv359ls+N:CVdAEHWt9KN/nl5Sa8dCvqaSYRx9ls+N
Score

1^/10
behavioral6 behavioral7
- Target
  
  appx/es6-promise.min.js
- Size
  
  6KB
- MD5
  
  87386dc55ba8a0148b2b368daa730e3a
- SHA1
  
  721f69e52595a309169781c6fd9f31b5cb971b94
- SHA256
  
  c0e9849f5a195abee01fb0c70da42c232c6cc0ec226f67d54ab31975f2eedf9a
- SHA512
  
  d60c1edf9adba7440bdee328ddb80af8470aaa19b2bd90b03746738eefb066929d0c8a9b824fed7d64f22fc643ea9db27413747425917f635d681490ad098a67
- SSDEEP
  
  96:+0jEIlgBtFX762eQAl25zU2sycRu56+NUXvfRW2CjwqKbq5hizUfUAEvm0r/GzR:+NXt22vdcR1tqKbDAENrGR
Score

1^/10
behavioral8 behavioral9
- Target
  
  appx/index.html
- Size
  
  1KB
- MD5
  
  2b186fa99270394f1ef2a19604832708
- SHA1
  
  b423eb5c7821436d81ddd99b87f4b664a367bc13
- SHA256
  
  a41346e3edd7b683b8eab44f9b7234d5758cd76d05f9956ebd519f92c0a94f0c
- SHA512
  
  1271fedbc6b03c6626761e0b36a903a0ffd36a7ae5cfe67cfa97bf3cbc905e21819fadc1d9a567763d99842af5e02064d6bb2ff9e56032fb894d66b54cbcab2b
Score

1^/10
behavioral10 behavioral11
- Target
  
  appx/security-patch.min.js
- Size
  
  731B
- MD5
  
  9af9636e96667b6e51fd8820ea64bcec
- SHA1
  
  9945a97db54b07812fe8c9384f2381c0cf7a5b59
- SHA256
  
  9c55d51b975b03f274f228d9b6ce303accb0df522b58d6aded2cd5c577e89f79
- SHA512
  
  6273caeb43d33462f42708d3b326fff27dd552dccf129ea71943ee7c5e9a150ca0205498e58c71567148370b5871ebdc9ff33b05645b886e968938648870089b
Score

1^/10
behavioral12 behavioral13
- Target
  
  appx/web-view.min.js
- Size
  
  8KB
- MD5
  
  ca944d08e0a38016bdc258b631694aea
- SHA1
  
  b2f75052eb0501222d591931bc246f2022aa1326
- SHA256
  
  52736ee32e80eba647f415cda8425eeadf101fa6b9f1c2badb0ef2ad6979a517
- SHA512
  
  dfa0a313e658c323ee81de3b3318644b8c8e82860fbd6d824fd5ea0825d2a87fa5d889f3fd4768e0d500feb8db35194c0eed68e860d021debc7ce12e314df1b4
- SSDEEP
  
  192:KtStPO7ZKgcYfUdwpiEdXFf0KCFCcINAqS2F7olnJAE91gBU1:+yzrsdXd+gcIN3SFlJqa
Score

1^/10
behavioral14 behavioral15
- Target
  
  appx/worker.min.js
- Size
  
  22KB
- MD5
  
  6dee7139b6c43a49741690666defab4e
- SHA1
  
  74399abec36c143500a5a62ebcae6bd1dc1e48d1
- SHA256
  
  4df5efc08311b8b1f52f04822c5ea7a284a86456fcf4f78ffffe6f76227a1f51
- SHA512
  
  180698dee55bab6b7cbfc93cc64d8e1c0217ff3d78fd722e1cb37fc63f9179b87788870131274c0c4adf5e520d7d3710020be90afc2a5d2caad6f345f4eff524
- SSDEEP
  
  192:lwTlxd9C21chawRBFpg+o29aG/h2UhRxut6xgKM//RX+qmFlHSIYzR69Us2k3HSE:LOoFpg2PAUhRxI6mx+qmFxjYzRSLANVS
Score

1^/10
behavioral16 behavioral17
- Target
  
  MOBILEIC@idNoMacau
- Size
  
  12KB
- MD5
  
  38437a4009f05c38b1d4dc62be2e3a67
- SHA1
  
  b1e6a40fe7e597dbe1a12bd08b3960dee2412238
- SHA256
  
  8cfc9a1d8f446f6fb0251bc4705b624722946756215dc7e6d1008c013123015d
- SHA512
  
  3abb012e37066c60367255cb1a302a7d671eb79f59c43a91cfaf26594b0426e6bf512ec7cf528f1c6e1d0d80e1da0bacd52ee9dcf6f3d0cf2d7e2cb65da14208
- SSDEEP
  
  96:t+TngYnQeIqg6jEvx4UhlQ9Ja6NmnaIqg6GrvbV2kDRUugKMb08NAW0r6lQo+MDX:4gYYzQ9J3u0kDRCKN6lQjvOX
Score

1^/10
behavioral18 behavioral19
- Target
  
  MOBILEIC@secret-question
- Size
  
  9KB
- MD5
  
  55bbfd0cfedd4e8356d7016a16c1ae1d
- SHA1
  
  cda6a1318a31e99a7e905ded1f22e3108eff6167
- SHA256
  
  f2cd555da76b2dd6e19467c630172b6cf090367166127cc841e0baadb4e04a30
- SHA512
  
  aacaa4ba39395f75e0071d755a95827eca5c385ff994d94a73e4d742d729fbcdc8e02bbcd94c216e67aae04656c517ffaddeb597be45de657d1b606b3f89d8e5
- SSDEEP
  
  96:zd+DL4y3Z8JyKhj0ZPlG8AnRuQuL+JBwwfwcxHh4RJU618upd2qP:zu4y3Z8JyCGlG8AnRupL+JBFw0Ez
Score

1^/10
behavioral20 behavioral21
- Target
  
  QUICKPAY@card-no-flex
- Size
  
  5KB
- MD5
  
  0f03a81b0a45aa562a7000166255ccbe
- SHA1
  
  a25dc16c49920997964231ae30b347e6ea4fb8a6
- SHA256
  
  add2c7fc3367b8b063b5ade4f258de93b3f16e386abaaedffb9dbf8bae62d294
- SHA512
  
  275caf7f94e61901d55ab05d24fcb4d2d88adc037699c745762539ada489da42cfcd992ff483420b1349410f37c20c471da6274d3f5c78191e1805e64d4583b0
- SSDEEP
  
  96:zVkRITsdxQY2GGSNgiJlG4ReBf6gkUgKJ7ZJuRZMen/SQ:zjszQY2FFAlG4ReBf6gkUgxf
Score

1^/10
behavioral22 behavioral23
- Target
  
  [email protected]
- Size
  
  3KB
- MD5
  
  55acfe384eae522d3d9e0c046ef9bd53
- SHA1
  
  fbcf05fd0ad0569b4afc35c3bd8885b042832b77
- SHA256
  
  62ffd64e012a83d114bd8e15c45808773d66852ce385599a8f8a0fd5d7acc87b
- SHA512
  
  32043682d12cd10e24ea18d9a636b7f03ef688596818b1e2f15b090bdf69251fb2b69136231c418616fa95d3d3d514ae98b529c7a76d3f286828029cc574c0b3
Score

1^/10
behavioral24 behavioral25
- Target
  
  QUICKPAY@pwd-validate-flex
- Size
  
  5KB
- MD5
  
  7abc912426e02eb2071541e7551a8657
- SHA1
  
  40d5ae4e19f2e9ce42378747df402037bfa1c564
- SHA256
  
  619867085287fd43fc03e6fd71bfe1df16c0681ca3f2eca3a0aeafcaaa9df167
- SHA512
  
  c4fc86eb474ce6b12f102aab4c0e0ea0a14ed52a98aa40d8289426e2554d02c09bf78edc9360a88eabd6883be6dfe7f4719499c8215018ab518dd1b70ce88c2a
- SSDEEP
  
  96:zkRpofwnp27tVBWPZDnWgN1W0vY9zD17nzvZJDRRFWqvsPyJVFTdn:AofK87QWnG+rzfxzln
Score

1^/10
behavioral26 behavioral27
- Target
  
  QUICKPAY@recommend-setspwd-flex
- Size
  
  3KB
- MD5
  
  f5bcfc5b47c55815da1b289dc7887791
- SHA1
  
  b768856e9281c4b563f0e7a8719305e2dbaa1cd3
- SHA256
  
  79532d1c255cbb499fb016aed3f7641c64c5181c98ff5fbeb03166305b3006c5
- SHA512
  
  121ce54f4155dfcf1f2376a5052c4c9f8244dd78921301db321f482f4db85561a32a2c1281a4c788a8935c64b64dbcff4250da7babc3ec47f76faecfb124ea19
Score

1^/10
behavioral28 behavioral29
- Target
  
  QUICKPAY@waika-select-country-and-area-flex
- Size
  
  3KB
- MD5
  
  7e94e58b8567cb98fda48343f7e06514
- SHA1
  
  17c15dfefeb91fda28567c160cb107a1bcf255ba
- SHA256
  
  a490ca25320a35b41b3e922d66ef36432dee17adf69688e304a5960486a5877b
- SHA512
  
  9924f29fee22a2f0c8c6d5556825f3a509f901d94eb3a428e12b9b9ca803bb7faaa3b498c08626e33515b234aba2940e3e2eccf152aaaa116df046a851c19700
Score

1^/10
behavioral30 behavioral31
- Target
  
  amc-h5.js
- Size
  
  378B
- MD5
  
  cc09c18ba74a339b86f2fe87cee5599b
- SHA1
  
  96bf5a371ee081cdc431181ffdf654c4d6ddcfb6
- SHA256
  
  031ff0f52ef4ea571fc36ce396a0d18b5395b354fcaed3e037e3e3588c68b23b
- SHA512
  
  fcc9083fffde7c6111374ec7fb7000fef8a66bdcd03f3300fe8fd512014b862591bb72da49b8d825c8a009937d455f40c66e7ca994d8801282b59e2ef0601d01
Score

1^/10
behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

flubotbankerevasioninfostealerransomwarestealthtrojan

behavioral3

flubotbankerdiscoveryevasioninfostealerransomwarestealthtrojan

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32