flubot | 88e8bc678b99ab7dfb6bf9336f322a0c1dc959e09459c6433b9830f9c718a68b | Triage

Sharing

General

Target

88e8bc678b99ab7dfb6bf9336f322a0c1dc959e09459c6433b9830f9c718a68b.bin
Size

4.6MB
Sample

231015-1w2vjaad4w
MD5

98f1b616fb6dda391b672523e1a211b4
SHA1

3c3a6d61263837b84cb56a12bcce6957305d7927
SHA256

88e8bc678b99ab7dfb6bf9336f322a0c1dc959e09459c6433b9830f9c718a68b
SHA512

1be3a1a19d2cdbc002a835f3abba12811bb37a23656ca567085d2ce652a7e2b35ac40e49a1487b05a5a565f6817b157ff905bf10d92ed007d3e23798e07b350c
SSDEEP

98304:YonHYXBsyc4NR9T13zE8HjhR1Iok8Jzijm0DucfuhKLtPG:YiYXXcCRjE8DlIWAjDDuc3Lte

Score

10^/10

flubot android banker evasion infostealer ransomware stealth trojan

Malware Config

Targets

- Target
  
  88e8bc678b99ab7dfb6bf9336f322a0c1dc959e09459c6433b9830f9c718a68b.bin
- Size
  
  4.6MB
- MD5
  
  98f1b616fb6dda391b672523e1a211b4
- SHA1
  
  3c3a6d61263837b84cb56a12bcce6957305d7927
- SHA256
  
  88e8bc678b99ab7dfb6bf9336f322a0c1dc959e09459c6433b9830f9c718a68b
- SHA512
  
  1be3a1a19d2cdbc002a835f3abba12811bb37a23656ca567085d2ce652a7e2b35ac40e49a1487b05a5a565f6817b157ff905bf10d92ed007d3e23798e07b350c
- SSDEEP
  
  98304:YonHYXBsyc4NR9T13zE8HjhR1Iok8Jzijm0DucfuhKLtPG:YiYXXcCRjE8DlIWAjDDuc3Lte
Score

10^/10

flubot banker evasion infostealer ransomware stealth trojan
- FluBot
  FluBot is an android banking trojan that uses overlays.
  banker trojan infostealer flubot
- FluBot payload
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
  stealth trojan
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
- Requests enabling of the accessibility settings.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Removes a system notification.
  evasion
- Uses Crypto APIs (Might try to encrypt user data).
  ransomware
behavioral1 behavioral2 behavioral3
- Target
  
  qqlivejs.js
- Size
  
  4KB
- MD5
  
  c50fcde20d7bcf26992856dd72478488
- SHA1
  
  6b291c6501b170160d4e26922b9c2758b4d15287
- SHA256
  
  0a714b00a6b6c6a7abcdc86035d4f1b122f82be1c71ec484d5d98789d6d78d45
- SHA512
  
  7e0816e867b6bbce118ffb246dd80324ce0f5f235c95332a7bb7291f5cafa42fbd904adab87cfcd8878426cbec9e02add99196f6fd61b81811201b3afb10d6af
- SSDEEP
  
  96:dTESfSyq0+LOk1Ewy9gF7QF3sjwxL0Qp6NZ5p+CyfCMC/nuH0tkQNBcJfMQqw:+2SvowyqFEFcjwqQg/iCyahPYakQXcJN
Score

1^/10
behavioral4 behavioral5
- Target
  
  tcaptcha_webview.html
- Size
  
  2KB
- MD5
  
  91da5d9997c1e6e88bb16013fd2972a4
- SHA1
  
  5678df78fe5f83ce2a0012246aa1bf9f625c5851
- SHA256
  
  15faa9670379fd4c06bff363d2eec13db8ec0c61a0d7e5b59cf6db7b84eda125
- SHA512
  
  f79bb52639cd1f6d889623c8204d9fb3b0d9669a966f48971911b39fe3a1bc95ba8285d24fec9a5e15f4e560471eadbc3eb431403f659e7fcba2f663a0e32cf1
Score

1^/10
behavioral6 behavioral7

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

flubotbankerevasioninfostealerransomwarestealthtrojan

behavioral3

flubotbankerevasioninfostealerransomwarestealthtrojan

behavioral4

behavioral5

behavioral6

behavioral7