Malware Analysis Report

2025-08-06 00:57

Sample ID 241016-2faxjswgnb
Target 063e271cf54cef4a7885bd214edb462f68864133d99c73ba1a0e5ecdcc3ea443.bin
SHA256 063e271cf54cef4a7885bd214edb462f68864133d99c73ba1a0e5ecdcc3ea443
Tags
discovery persistence collection credential_access impact
score
7/10

Analysis Overview

score
7/10

SHA256

063e271cf54cef4a7885bd214edb462f68864133d99c73ba1a0e5ecdcc3ea443

Threat Level: Shows suspicious behavior

The file 063e271cf54cef4a7885bd214edb462f68864133d99c73ba1a0e5ecdcc3ea443.bin was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Attempts to obfuscate APK file format

Declares services with permission to bind to the system

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 22:30

Signatures

Attempts to obfuscate APK file format

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 22:30

Reported

2024-10-16 22:33

Platform

android-x86-arm-20240624-en

Max time kernel

22s

Max time network

129s

Command Line

com.rhmsoft.codeund9013

Signatures

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.rhmsoft.codeund9013

Network

Country Destination Domain Proto
GB 142.250.180.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp

Files

/data/data/com.rhmsoft.codeund9013/logs/20241016223109340.log

MD5 0a1b09a4c5c0d998e2229f24444dfabd
SHA1 9e0fbab538e9ae222cb7f4eb5a85c90ed840a18c
SHA256 60f4fc8e790bffc3e9848990cb1be30ce534c442bf3ffcc68cda72be8d812f81
SHA512 0e34916a7a34bc894bc5c5988bcffe6a14157d28184bc99033da606f9b1f05a22f2ca904584353b4c665a2b95123a7e5f1b6d4b415c7a6ccd3826ee692515169

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-journal

MD5 59af8b305d45d7c8e4c2f1bd34611272
SHA1 2eab5ba928d4f4ac54aeb82b8e89ea4e99791f9d
SHA256 a349c5c822956ab3aef0123029b086fd71bc89bfa442bf8674fae81e03de984e
SHA512 7361ee075b684281015b902d5e74fddc0206fbb556d133890e357240684007c13babd76acd3160379e7d1139aa654a9c6f8cf194f2288393e55ff00e548da57b

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-wal

MD5 d68ebe6833640bf7128641d27fd53e27
SHA1 230962866746fb22527a96c9ab8a58f92342417b
SHA256 11153049037740c5b2f3a658b21c235415325032ab9d3710520de70c7da70880
SHA512 482e5e63cc4f0c565bfaa2bf2695a2caa490fa5a15346e03293b5285c913ca1a77f1b098549fda91244700d81795c9d779af092b0a34abf9a94a0785740f23fe

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-wal

MD5 4e567ec62885f6c236765c36b59ac900
SHA1 4e5d2f3fe6ce82425f54bc1a0478697e66009a4d
SHA256 031dd6de14a16f90e9317d2e0e7cab18317dbc0b5f7b5af6e271d88699567f85
SHA512 720b501675fb376c916b4b1fd2931520d5d2036cf66100ce931a17bab0046f31dcec88088fd06233fc1e9f532b5b19c9594c249fea8c58f32d9f1f35201c4c70

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 22:30

Reported

2024-10-16 22:33

Platform

android-x64-20240624-en

Max time kernel

51s

Max time network

156s

Command Line

com.rhmsoft.codeund9013

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.rhmsoft.codeund9013

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.72:443 ssl.google-analytics.com tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
GB 216.58.201.98:443 tcp
GB 172.217.169.46:443 tcp

Files

/data/data/com.rhmsoft.codeund9013/logs/20241016223108421.log

MD5 fae7aed6f94e4d3fadec1ece2abe31af
SHA1 b8c30d1b74b56bc329b2ace18cdf3f2a2c72515f
SHA256 5ca4b68ec55cf48077eff595e200442c9b10562ede8834276e22dbcdeaa3f6fb
SHA512 1d7668b7d9b137a55daa89abf52204f84eded90cd01e28a0e3d9534f29307548f6ae372f8e310de1622be4eca56545673d2b9c89450010a9bf445dc593297a0b

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-journal

MD5 6bdc7e73522dc9b56536db730cc1641b
SHA1 d41d0dec0f3c9f03806e9a9c26e899d705220c9a
SHA256 f56aad27dc68cf7d8155eb6e08cb183270127012fbf79c328f572eeff9d7253d
SHA512 d44742a71e65ad6e4739bbbe0aa7e7c10e7889eb47fad1bbc6cf7eabb5eddfd1134e04b4bb499c1a0c75bad8e9c8e831da621a57bf6c77485122c14c28402782

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-wal

MD5 eaa6e3b19741a0760049f9914916cd4c
SHA1 a77317932d41736df24ac286d6ede1274fcc0eed
SHA256 ccf7449d36d90f6c0fa067b6bd672a400c2e63062af1493e51963b4f1f8a6f48
SHA512 42e0328316bb8f16aee2c960f6a5ae764a1865bceb7e3e4481d77896f18403cc80bd4017bd90204791bc6ea8b18450177986b0e7db6402352d651fe9146e6c29

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-wal

MD5 ee0a730176b2ae1eb2cd10e8c1d37baf
SHA1 c8632f53673e5ea93827730592258ffc9645056f
SHA256 ee8cd4579e106c47f3c91393d3b10ff4bf4ad5e6f90c81e72204281f805ea7f4
SHA512 532d2e7a781d7ff1b550a797864c17c3672789e60c1ab57cc04d4f1e3fc2a8c0ee9a64f14d32bb10ffccddc6844f68936b6a0ec4ae59f77278a41493d131d2d9

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-16 22:30

Reported

2024-10-16 22:33

Platform

android-x64-arm64-20240624-en

Max time kernel

87s

Max time network

132s

Command Line

com.rhmsoft.codeund9013

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.rhmsoft.codeund9013

Network

Country Destination Domain Proto
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp

Files

/data/data/com.rhmsoft.codeund9013/logs/20241016223110660.log

MD5 32b4658f61fa02dad6c209a18e8d90df
SHA1 ffed01e73b77c97502382b121ba4b6619a28a2c4
SHA256 27041f768a80d34b6f0b49e766f5a05ac1cb5fbb56713f13399873ca4044751e
SHA512 a8ceac98553b1b48288ad881a68506657eb9a003f1e90e40728e2795858af304ffc50a2d4f02b027776bd9926144b23f29799c691f126a131af2be3b2b4e294e

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-journal

MD5 f097b3d31d6482d077cfe9a246a9b5d3
SHA1 030866be22a96d390c9ae709de70061e77670bf0
SHA256 b0d6341cf317ae0906c829d6715f81667e94f8710c5de849621f1f03761bb6ae
SHA512 f1e0d3a905978fb61c9629f1befbb5364f50538cae63f7cb28206233eafdcf788ea13c6b3c73bfec781b94894b8451e6f661d6ae6dfc733d9f23d0c4a833066c

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-wal

MD5 61273dee2e5a4d4eada326cb93ce27f8
SHA1 643276a0d443d3d3573cce89ded90fd3f4600ce6
SHA256 ac28b6c7d22d63b24bb88a1fd23546647fbed9abece849aaf9e803551eb88ba6
SHA512 65ea019eabc2ff07a802f59939c88d7b229f4ad134231d874987b6ad5687c11a81dcbc0366ae5177a865e286e07182bcc7650f4d7d5c300ffd0358eb107e59ba

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-wal

MD5 0b7657c131979038e2494c006fae740b
SHA1 d01766038688c1934422618f29db26a44ca7f61e
SHA256 01a96f1d244a30352549f06fad1ef403afee9386139efd19e73d8eb632dbefc6
SHA512 979623da7d8e9fe7812781183556548982b516f131928f1fd1de8051cb369178fad1dccb5512181c687ca68ffaa5bbc99d1e90ac1931d70371ad351440f0cdcb