Malware Analysis Report

2025-08-06 00:57

Sample ID: 241016-2enf9awgjc
Target: 4b14e12a410f42bbb892ad1583cf670dc3c715d12f056959da19e7f7a3daa636.bin
SHA256: 4b14e12a410f42bbb892ad1583cf670dc3c715d12f056959da19e7f7a3daa636
Tags: discovery persistence collection credential_access impact
Score: 7/10


Analysis Overview

Score: 7/10
SHA256: 4b14e12a410f42bbb892ad1583cf670dc3c715d12f056959da19e7f7a3daa636

Threat Level: Shows suspicious behavior

The file 4b14e12a410f42bbb892ad1583cf670dc3c715d12f056959da19e7f7a3daa636.bin was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard

Attempts to obfuscate APK file format

Declares services with permission to bind to the system

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-10-16 22:29

Signatures

Attempts to obfuscate APK file format

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-16 22:29
Reported: 2024-10-16 22:32
Platform: android-x86-arm-20240910-en
Max time kernel: 17s
Max time network: 144s

Command Line

com.rhmsoft.codeunbniem017y

Signatures

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.rhmsoft.codeunbniem017y

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 172.217.16.238:443 | - | tcp
GB | 172.217.16.238:443 | - | tcp
GB | 216.58.212.238:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp

Files

/data/data/com.rhmsoft.codeunbniem017y/logs/20241016222955740.log

MD5 404b286845232943eebb0f8ee386b0d5
SHA1 b37bb77939d87bc68acf1ec5f10041881ef8b695
SHA256 d353d3035c2d3df2471c056df571e99b6acef34180b268b493487f1a817c524b
SHA512 a5cef197424d2cf4555ce08f44e75d1f78cedf9c8622cc59a04c19005dd7ba4ab36060ebe5256580b7b6db8e30e42a36151546e2c8f53c2714273917bb3130a5

/data/data/com.rhmsoft.codeunbniem017y/no_backup/androidx.work.workdb-journal

MD5 7b04337fc77331409272423e766721bb
SHA1 5a3fa0d0311db83f51e4b1d239072c7f251601c9
SHA256 f095970044b40750ce9ac8e95edeac02791cc022725b8976e2eadd10e432710f
SHA512 7025d0442536bbce6323558aa75b0c52e8fd7b5642f5b27cc8ede47a7995b74f45979cd00fee4577c4fd77b4f0828b511b47694bc2b645b89de9f8d958f31ca9

/data/data/com.rhmsoft.codeunbniem017y/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.rhmsoft.codeunbniem017y/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.rhmsoft.codeunbniem017y/no_backup/androidx.work.workdb-wal

MD5 66f50528d1f42f2ff23961bb5c19b2a1
SHA1 a923c335fc9305f7c01dd5c07e2467275e27068c
SHA256 c2e32d93ae86fdb9ce526746636878fcc091b215e73e0902c687a8776a3b087f
SHA512 f8b6178e4df15778ad074285c0cd2bdaf22f3cf064b25d872ba4b0e65c7a4fbf84f684ff6aacdce6b7e3b4f7659db8358f757379d59d75a8078716e0ef750471

/data/data/com.rhmsoft.codeunbniem017y/no_backup/androidx.work.workdb-wal

MD5 77473ce469129b2130cfcdebba634582
SHA1 9d4d03a7816c64252c74114a93816150999cf984
SHA256 0d0f6d4bee3048851ba24ebee4c1a3c8761a00a2f51287ff6ffb1f7c9737df68
SHA512 dfc2792b99b52311329a0ce5ac6bb82dd9ddcff537fe3486eafa7e1839a2a7f31c6068854bfa89f716658d849526518e686597d124199d7a96bbc01b787eb70b

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-16 22:29
Reported: 2024-10-16 22:32
Platform: android-x64-20240910-en
Max time kernel: 47s
Max time network: 129s

Command Line

com.rhmsoft.codeunbniem017y

Signatures

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.rhmsoft.codeunbniem017y

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.180.14:443 | - | tcp
GB | 142.250.180.14:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.40:443 | ssl.google-analytics.com | tcp
GB | 172.217.169.14:443 | - | tcp
GB | 216.58.212.226:443 | - | tcp
GB | 172.217.169.14:443 | - | tcp

Files

/data/data/com.rhmsoft.codeunbniem017y/logs/20241016222955470.log

MD5 b09054d866f50882bbb48b443b741a5b
SHA1 c9dc65020bd1943b85a87ea1e3495542d8307413
SHA256 6f583f83d983ad9c080cfe6fb4ce1be536e11f9995b46b9ffb70f7ec442a5816
SHA512 ccee402063e0e4443fc714ee1bada8aaddd1447d942daf4b64ed82360b6f73a07e2993ef2abb1689f76fb9f8d71afa91d32cf0058f94daf1cbc5aa7bdb1868cf

/data/data/com.rhmsoft.codeunbniem017y/no_backup/androidx.work.workdb-journal

MD5 251a11718593255ef2563e1de014ac21
SHA1 80f781e57b0ade22599d00d52aab80203ea48ebd
SHA256 f12fedd68a3dee349e8061056b432961c9d36839fe16d6f68de5c70c27574118
SHA512 c91e9afdac73537eb3b11915d387414a3a39e2745beed022cfef434b468f419c971dfbda776146034d3d30c7dc00623b181d7634bd8d2a4d5d50d6be3d532643

/data/data/com.rhmsoft.codeunbniem017y/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.rhmsoft.codeunbniem017y/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.rhmsoft.codeunbniem017y/no_backup/androidx.work.workdb-wal

MD5 242bbfe328245b2597744b75931223a4
SHA1 0ac727eacb1c93a328c26adec9d4b7d8e3630a1d
SHA256 a4cd5d445c9dd126e40b56376067168992ba1c991a41527725064ac865ebc282
SHA512 a1ccb295729cd2815266a87953aa7f37a6140be4d0ef2f21f4e471f536bc7ecad93f694ed6dbccdd9161ed920f75c3d847c662195c857edad54ee46a0289f93f

/data/data/com.rhmsoft.codeunbniem017y/no_backup/androidx.work.workdb-wal

MD5 6be116c3f8caeb80c0990d0e2e1c34e9
SHA1 720023984c40a0452b68f2260d6b46d15f4a76dc
SHA256 2b8c6f487b6181643bb22ef6a0ea325a816ce11aeacc51c3581a6d000c2d7781
SHA512 d4ec3544f5b7087104d124af9df9605b2eafa93e28d67f51b94062771a92cc16f818d7f48ad9f6ce7d30f74227fc85a0ce180b64aaf0b42a7b4723c267cbc1ae

Analysis: behavioral3

Detonation Overview

Submitted: 2024-10-16 22:29
Reported: 2024-10-16 22:32
Platform: android-x64-arm64-20240624-en
Max time kernel: 142s
Max time network: 132s

Command Line

com.rhmsoft.codeunbniem017y

Signatures

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.rhmsoft.codeunbniem017y

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.187.206:443 | - | tcp
GB | 142.250.187.206:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.40:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.228:443 | - | tcp
GB | 142.250.187.228:443 | - | tcp

Files

/data/data/com.rhmsoft.codeunbniem017y/logs/20241016223001146.log

MD5 33a812b1eefd38cd7daf3f8a8cbb746c
SHA1 7432fa16c8347e69e4406c99d1c044aeb25bdf86
SHA256 b802427461b32d08076829a9cc6b40d3462ccd81e06e2b05e7429e9f92ef0525
SHA512 a9f8de33a1b617ea367c592d5208be9d1e3d6746d228e0ea4a59cc24cc24cfba08afdd7d0c88983a4423a6318b71b5420f7401138c553fb3a2f6a23348225114

/data/data/com.rhmsoft.codeunbniem017y/no_backup/androidx.work.workdb-journal

MD5 c080519fa58c98af906549540fac7e45
SHA1 781295755648ee8e800efde4482ce8cfa2e700d3
SHA256 e8f90ead66fd822ccc3444293958407b097654495577c2b53a62d0fe79d2d253
SHA512 f248cf5fd30f22bdac25ab8560efc8b8db352155e26e668e4c43f32a07760d58097d1ffc0ce2b46d89d287d7b16e75bf08b4472c9b73dad2633a2515563c11ec

/data/data/com.rhmsoft.codeunbniem017y/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/com.rhmsoft.codeunbniem017y/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.rhmsoft.codeunbniem017y/no_backup/androidx.work.workdb-wal

MD5 a4e17980748f2dd5ce8ecee7fc7031d7
SHA1 164541fd42240eb8a12e2daf9b0911e373909856
SHA256 806773439e1dbe65bd1c3bf8308cdec2c4804c1b828588d23a445b2b7416019e
SHA512 2b89a0d48a07c3758c22886679083a00c1a1bf9b28600751a3c23fdacc8af04374194ed5552a9ef77f18446151d21145a441d0f117c6cef03b5baae90e4b80a9

/data/data/com.rhmsoft.codeunbniem017y/no_backup/androidx.work.workdb-wal

MD5 124122245390c31f63f0008e4ba969aa
SHA1 7545cf670bcafc0dd0fb24dcdb56086c6d007098
SHA256 8cdcbc1cd2fc703910bb419694f263d2b6bd7d1bf55a768ebf7973ee6d0661d1
SHA512 667855490a750bf7b3cb07ddd13eed5280a15fda4d1a06bbfc4fdebf96b920c4f0f01a5fc20779c26f8400b3f75a617b2cb5e1a0338d51a33e63ce01e90d8648