Malware Analysis Report

2025-08-06 00:57

Sample ID 241016-2e3wyazerr
Target ec8927344fdc09c66f4b45a5cba929d65b407742d54e532a29d37097d1107c9a.bin
SHA256 ec8927344fdc09c66f4b45a5cba929d65b407742d54e532a29d37097d1107c9a
Tags: discovery persistence collection credential_access impact
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Mobile Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 7/10

SHA256: ec8927344fdc09c66f4b45a5cba929d65b407742d54e532a29d37097d1107c9a

Threat Level: Shows suspicious behavior

The file ec8927344fdc09c66f4b45a5cba929d65b407742d54e532a29d37097d1107c9a.bin shows suspicious behavior (score 7/10). The static analysis flags the three SMS permissions and a service protected by the notification-listener bind permission; the behavioral runs add a clipboard change listener, a broadcast receiver registered at runtime, a network country lookup and reads of /proc/cpuinfo and /proc/meminfo (the last two are common in benign apps and are a weak signal on their own). The signature set differs between runs: the clipboard listener was only observed in behavioral2 and behavioral3, and the runtime-registered receiver only in behavioral1 and behavioral2, so no single detonation shows the full set. The only network destinations recorded across the three runs are DNS to 1.1.1.1, mDNS to 224.0.0.251 and TLS connections to Google hosts (android.apis.google.com, ssl.google-analytics.com and unresolved IPs in Google ranges); no other command-and-control traffic was captured.

Malicious Activity Summary

discovery persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard

Attempts to obfuscate APK file format

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-10-16 22:30

Signatures

Attempts to obfuscate APK file format

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows the app to read and interact with every notification posted on the device once the user enables it under notification access in Settings. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
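As an added example (not the sandbox's own signature logic), the following Python script reproduces the static1 checks above on a decoded AndroidManifest.xml of the kind apktool writes: it lists the dangerous permissions requested, finds services protected by android.permission.BIND_NOTIFICATION_LISTENER_SERVICE and checks that they also carry the NotificationListenerService intent filter, and finds receivers registered for SMS_RECEIVED with their priority. The embedded manifest, its package name com.example.triage and the class names .NotifSvc and .SmsRcv are constructed for illustration and are not taken from this sample.

```python
"""Static triage of a decoded AndroidManifest.xml (apktool output, not the
binary AXML inside the APK). Added example; the sample manifest, package
name and class names below are constructed, not from the analysed sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr):
    """Qualified name for an android:* attribute."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Runtime ("dangerous") permissions worth flagging; the three SMS
# permissions are the ones reported in the static1 analysis.
DANGEROUS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
}
LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
LISTENER_ACTION = "android.service.notification.NotificationListenerService"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def triage_manifest(xml_text):
    """Return the permission and component findings for one manifest."""
    root = ET.fromstring(xml_text)
    findings = {
        "package": root.get("package"),
        "dangerous_permissions": [],
        "notification_listeners": [],
        "sms_receivers": [],
    }
    for up in root.findall("uses-permission"):
        name = up.get(a("name"))
        if name in DANGEROUS:
            findings["dangerous_permissions"].append(name)
    app = root.find("application")
    if app is None:
        return findings
    # A service that declares the bind permission is only a real listener
    # if it also registers for the NotificationListenerService action.
    for svc in app.findall("service"):
        if svc.get(a("permission")) == LISTENER_PERM:
            actions = {x.get(a("name")) for x in svc.iter("action")}
            findings["notification_listeners"].append({
                "name": svc.get(a("name")),
                "has_listener_filter": LISTENER_ACTION in actions,
            })
    # Receivers for SMS_RECEIVED; a high priority lets the app see the
    # message before the default SMS app does.
    for rcv in app.findall("receiver"):
        for filt in rcv.findall("intent-filter"):
            actions = {x.get(a("name")) for x in filt.findall("action")}
            if SMS_RECEIVED in actions:
                prio = filt.get(a("priority"))
                findings["sms_receivers"].append({
                    "name": rcv.get(a("name")),
                    "priority": int(prio) if prio is not None else 0,
                })
    return findings


def is_suspicious(findings):
    """Heuristic: SMS permissions combined with a notification listener or a
    high-priority SMS receiver; either alone also occurs in legitimate apps."""
    sms = [p for p in findings["dangerous_permissions"] if p.endswith("_SMS")]
    listener = any(l["has_listener_filter"] for l in findings["notification_listeners"])
    high_prio = any(r["priority"] >= 999 for r in findings["sms_receivers"])
    return bool(sms) and (listener or high_prio)


# Constructed sample manifest (hypothetical package and class names).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.triage">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Sample">
    <service android:name=".NotifSvc" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
    <receiver android:name=".SmsRcv" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def sample_findings():
    return triage_manifest(SAMPLE_MANIFEST)


if __name__ == "__main__":
    import json
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    result = triage_manifest(text)
    result["suspicious"] = is_suspicious(result)
    print(json.dumps(result, indent=2))
```

Run it with no arguments to see the output for the embedded sample, or pass the path of a decoded manifest (for example the AndroidManifest.xml that `apktool d sample.apk` writes) as the first argument. Binary manifests inside an unpacked APK must be decoded first; ElementTree cannot parse AXML.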

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 22:30

Reported

2024-10-16 22:33

Platform

android-x86-arm-20240910-en

Max time kernel

18s

Max time network

153s

Command Line

com.rhmsoft.codeund9013

Signatures

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call (returns the ISO country code of the current network; the sandbox groups this under MCC lookups) | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.rhmsoft.codeund9013

Network

Country | Destination | Domain | Proto
GB | 142.250.187.206:443 | - | tcp
GB | 142.250.187.206:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 142.250.200.2:443 | - | tcp

Files

/data/data/com.rhmsoft.codeund9013/logs/20241016223045376.log

MD5 6074f4b2009c570d474a27dd0659340e
SHA1 a01053ef034d8736fcde6c243f209088047e3c30
SHA256 7acb83218afddf700779edc9184451fe7c05083df4ece8a25e725eb3fcfccf7b
SHA512 10fc7e4358bfa02d34ed0b74a8d99d5b7f5312c598015672c73ddb56db605d20a212473eb660957d934cc19049f80ee366ff734f4438786a1f90f0fe7256baf9

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-journal

MD5 98778bd14d6759a2db8ae8851ee3cbf0
SHA1 5e7ead1c1d15dae682ef03d7bc37c6fa03ac41d0
SHA256 98a8ab751e6e2b07c3e5a984cf162c6376f2e26704dcbaa23661f7973af57c5f
SHA512 c80a23a0c5f5d9b946d09dbbe2f79ab9b8093c75ae0b001e05e18a880435426c048a8bc54329612eb7eca83c172c7d18e4429c97c6cd9567f182ba3f1cf5a750

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-wal

MD5 a52534cf217b939f9610f7fe72008832
SHA1 a3e051ecf2f5b4cdaee2cb1ed1c3d21178d9c7bb
SHA256 9f2e989eb016f071b82bbddab657e9d2ba9570e0157be7d545b3261a75886796
SHA512 90490b04ea7df7984852a946af99c5ad5c05838b200756f71d8a6865f56b6a9c87e03f306e787aea1a4301322b44d8f5b7f530b51bb46fa1571e070d2e45236e

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-wal

MD5 80bc38e34fc208bd8fd1d73517116755
SHA1 999a66063ff89e6a589bb7984605edd04427770c
SHA256 2187adb74d8900968bc54ec83e0d5f4d8df0685b9b21d31761b85c67341ff2f6
SHA512 85a2ae2a67ef003851c7dc3ae92f7de2c0dc20d2a84b41bd3ecd79f1b7318a0374d03a5763a6b6df37113041d81dfb33094a9b5d95f3c018072e7324f1c0b7a1

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 22:30

Reported

2024-10-16 22:33

Platform

android-x64-20240910-en

Max time kernel

47s

Max time network

153s

Command Line

com.rhmsoft.codeund9013

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call (registers a callback that fires on every primary-clip change; on Android 10 and later only the foreground app or the default IME can read the clip contents) | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call (returns the ISO country code of the current network; the sandbox groups this under MCC lookups) | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.rhmsoft.codeund9013

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 216.58.212.206:443 | - | tcp
GB | 216.58.212.206:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.187.194:443 | - | tcp

Files

/data/data/com.rhmsoft.codeund9013/logs/20241016223042291.log

MD5 6d66511ea6b295ea51c42ae11b7adbba
SHA1 30c142aece2ddc824c51f46c8bbbba63b375e97b
SHA256 2a862d5ee35f35eb42fb666f3b1d255c4d8fb9153e8a33369a1942e53875bdb1
SHA512 532cac8d6282569d39cf52c73a114d1003f8d1f15b64db47d09a774651ca231bc112f694c415d37ffae795e686659f37b0e9f977a6cfe75353cc07811cc11197

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-journal

MD5 2209a5f280d23f876cfe314b84e399cf
SHA1 a2ec5ca626eaefa0e76a2976fdb5853dfef6b2d2
SHA256 4508cbee83c82cf5d2346e04aa625be5c018e38ccbc26c8d42fe28e4dc485677
SHA512 26d9b3a14d3cded2be9c56320f88f1914fe2040e61428c5cf781b9f2cd7c449f053748cb729569a54f8bca541b49538039c615fa03bc4b114d59515ac8328f81

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-wal

MD5 ca108406e4097e9a45b69fb5dde42040
SHA1 61c5f98e67a3aa203ecc76263bca59467bd4b60f
SHA256 9c90a1e2cb2c02a44118a9fd3e9f5bbe594ee3f8994c577fa1b5c64760063880
SHA512 fb538aa52ee791cacf7d69668b173c2432e3f29cf4fea6abb91d386d5406519b398634bbeda278dbfb9c1b67525234e6a15dae8282e59671a85c93404a08f3c7

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-wal

MD5 5a0b7090b09968189b636efae16b3ab3
SHA1 60e2f01ff9513907c7d9bb6d71b91a49930b7969
SHA256 801d76baba4b7ef759b0cc70a061eec414b8b2e64e148938e943edafb581d074
SHA512 4d9d66c07d39a9292f7775c0fe0d04ea5bc1ebf8fe90f17992e7d72e94a6b2dac1f5926287a6edd96b179c8721c29a228c7b98625ff97bbddeb911e0e1089aa7

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-16 22:30

Reported

2024-10-16 22:33

Platform

android-x64-arm64-20240624-en

Max time kernel

111s

Max time network

132s

Command Line

com.rhmsoft.codeund9013

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call (registers a callback that fires on every primary-clip change; on Android 10 and later only the foreground app or the default IME can read the clip contents) | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.rhmsoft.codeund9013

Network

Country | Destination | Domain | Proto
GB | 216.58.212.238:443 | - | tcp
GB | 216.58.212.238:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.228:443 | - | tcp
GB | 142.250.187.228:443 | - | tcp

Files

/data/data/com.rhmsoft.codeund9013/logs/20241016223046427.log

MD5 56a93b8a3611868738ebcc26b0edb28f
SHA1 805823ae2522a998bd06289dd9586a5cd635eafb
SHA256 274a2b3d7f0bc3f6dfc191dd028c96c50b69e48c243d97b40100dfc06d5a1844
SHA512 48ad5037c22356a1f578f49c6ef0c588ad93b6d18238765af49febfd46894d8189d1af8cc725ab18b386f6b35aed7dfbb3bf5461d7b56d5af50153d6934d3f8d

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-journal

MD5 f8aea5fcd4b3f5e48b4e9e6e6c42714f
SHA1 049ef64c140911fab18bfe01d1273984e07663e4
SHA256 032e436896620f25a41a7c21cc19601734e4ec71d486f16085d7b8015a91da53
SHA512 5727d9582bede38cf7f33ff01c7fc55941fee538391dbcd081776d1a52e05dfe1e26e37a9ccf19490cf5a64a3b6f536d07f6abf8b5cb92557195739f64300daa

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-wal

MD5 debf63620112c722a7425f4476299da4
SHA1 a2601b094df2a644deee61bfea56fc85b62e55cc
SHA256 7b1a3955d2ef644e285a425a192f54cd51a86f37523459a5fccfb8f62f50574c
SHA512 a1924baaf129f9b3ed8bfea289df4ccb826228de8c730b37818602e242de499b7aeed7a4945636b43b3bb4b91cca98f789ff054e86162ef367b4f8f92ca7dd0a

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-wal

MD5 ea981857af89ac28e87607b381c9096d
SHA1 72d09e231f185fc36eb3159be75811d41b9f6344
SHA256 f86009fdb51e15c1be34867c30c85048900bf773529bbc3271f1c7a959269b10
SHA512 0627fd713345b45707092064ae7a102ed353d8f5b3f6cc0c4ff03c99a740c92eb0f7d163255671711fb7c0919ca38a30c6783e285f7857777417cdee4af38c3f