Malware Analysis Report

2025-08-06 00:57

Sample ID 241016-2fpqpswgqd
Target d042bbd220d0edd3723d18b0cf55dcfbf39a39ec95929809dffad9167e8901e8.bin
SHA256 d042bbd220d0edd3723d18b0cf55dcfbf39a39ec95929809dffad9167e8901e8
Tags
discovery persistence collection credential_access impact
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

d042bbd220d0edd3723d18b0cf55dcfbf39a39ec95929809dffad9167e8901e8

Threat Level: Shows suspicious behavior

The file d042bbd220d0edd3723d18b0cf55dcfbf39a39ec95929809dffad9167e8901e8.bin was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Attempts to obfuscate APK file format

Declares services with permission to bind to the system

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 22:31

Signatures

Attempts to obfuscate APK file format

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 22:31

Reported

2024-10-16 22:34

Platform

android-x86-arm-20240624-en

Max time kernel

21s

Max time network

131s

Command Line

com.rhmsoft.codeund9013

Signatures

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.rhmsoft.codeund9013

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.213.10:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | android.apis.google.com | tcp
GB | 216.58.213.10:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/com.rhmsoft.codeund9013/logs/20241016223153450.log

MD5 475fcd4b7466c768f8c70ae38c5d2775
SHA1 6a90fc7cd87281f0e260385890a403ee601dafa0
SHA256 5b82ea4e963448c6b09cc571d29ef7384631d0420c6545bc2b010c02f6f216b8
SHA512 d41c5c6ad22ab50aed64de67133287a2b06a890298db9c0bfa187dd35c4ab38784fd615a7c78b7c0b2edee202fa8e5d1b84e3d615a42016277a748924028047f

/data/data/com.rhmsoft.codeund9013/logs/20241016223153503.log

MD5 faf3dd102df1c807fa68733cccb4eeff
SHA1 8ae3311d8514668d1ea1623c9225271dde1103b0
SHA256 0844623efacf5f0237f9259c0412bd44de33973a072bd787c4648657b917eb81
SHA512 9063fafb4435ac02d3214c01bad96903bf11c6e31e92c0440cff99c30d526d038ef9faa1a133913b0c8fb2861359a445b9d9f7a0188a6538c21f95969770988c

/data/data/com.rhmsoft.codeund9013/logs/20241016223153491.log

MD5 e92dc383e30ba13e3cb9aaf68dc1011d
SHA1 f8428eb317512836ac84710ce9cb7c0db159e19f
SHA256 ea9abbaca5b9703dd7b624f37fb8c330128164f3f61779a1437ca570910638b4
SHA512 34cec72f58c4a590802fedf9cbf417a53a418654e750472044419bbfb7fed4f9643b701349fb29f2056022e01a06893638a5475a3f59588e4ef92da40ce33e6e

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-journal

MD5 2ea9618a3df843195eae3425f215dad6
SHA1 ea136f5d6616783820db217f7a2747678ad7a3fe
SHA256 3a164527a1d66bf039638174246d5a63512a66712569d3ee8dd5cbf298e5de86
SHA512 f2817cf692f79248bfce5daf04edfc1f73f6cb27ff084a373d12d0e7df1375e7759b44fb769610b7070ddad5ab319f042030b2f0ac0c4714a634a3a45764b8ac

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-wal

MD5 7fa361fca9a48d7746b6badb6a6c41cf
SHA1 af563b88c80a752a37a3765d02faf2bb6c90e195
SHA256 17040c1fbf79ed85f7bf4651e3df20ab9cd94fb87f170c1d7d41d16e471ddc11
SHA512 a7deb0229e329e0c4fbfed4299ab7665ca0c800402ea2028280e0bf976d501ba60af2ac4377a1aebe7cae7fa8e4e6a7a6abd412f4a37b4bbf5261b4774c22111

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-wal

MD5 4c982e3eec83574068d8776f95e17a67
SHA1 63b2321cd5b5051ea0ef89c81f128bec6e3a0924
SHA256 318ce5f21cb4de199e5c4f151ca4d1784ecb80453608e1a93b256f410e84cd80
SHA512 f239a1242412ef79d04203d73f4158f25b09ebc3658769714da5ce70b6a52f3b50fb68505f041eb135ce8e440149792ceb63503ec8d03926a3b8f1a0fb2cf1d7

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 22:31

Reported

2024-10-16 22:34

Platform

android-x64-20240624-en

Max time kernel

50s

Max time network

156s

Command Line

com.rhmsoft.codeund9013

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.rhmsoft.codeund9013

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp

Files

/data/data/com.rhmsoft.codeund9013/logs/20241016223152432.log

MD5 9dda7bbe6928bb2f4ee4bb60e563b62b
SHA1 ec7d2a701804dab82c2069e4ba162dea462f47f4
SHA256 d17f9a6016968c352f88816f092e846992db1a1eb3dc7181664ab36d86a9ce38
SHA512 ae4b892c6377bb35d667e4eb86a3950532cb61e694ae21e6e2637af9c1615d07ee78cb27924d635a7f1155914ffb6f1b2a86b11fdd1ffc19cd50b5a299fb3a01

/data/data/com.rhmsoft.codeund9013/logs/20241016223152435.log

MD5 3a2baa5f1aa2d4c44a40ea89ef62be42
SHA1 27a3892047445580fee10c3783d1ec99ebcc6e63
SHA256 27318aebf06ec6037d0ff858121dcef42ed1a0e81ac325aae4659d06e265b4d7
SHA512 b60b458b96b4ea429e5837c121fc2e9d44bd235150ab57a743a45f9cb755bdd742cc9bb8465c7b8c7113149a2431bab280d56d5f64114c30176c265dac9214e6

/data/data/com.rhmsoft.codeund9013/logs/20241016223152451.log

MD5 7e7ce07c816f5541e7051237722fe980
SHA1 c57a67da9fd8f8852da20d1919518bd5a235b504
SHA256 4aa1c1022e5cd3ef908199cfc33feb760cb712d1085551cea400c45dd8c371f1
SHA512 4a25efd02358f3a5ba582b1b907e8bf379d298ed09a0ec70b25f9fed7260b1cf9352f1c48df221d939279563f9379c18f6f2e57e6924a9ea55367c0a100d59b7

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-journal

MD5 53a559dfdd9908ac7aeb3361d51d2542
SHA1 ef9f2a929b7c937f09c2861e703dd4b21d1b8cb1
SHA256 5e343cff84f5f98698fc9a9ebb93d42d3e54d37cde7ae0476e2ea5a45e0d7781
SHA512 bacf4a51830cfe4a63b079a2a5ce74049150e08f42f936efe31fd439c58f98ce3db5622e416160f28c531454d5849673f084365046574a0b441d3182c1f8eefb

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-wal

MD5 3d2aef880ee27835c4fbc9a187f977a6
SHA1 c9c7895927059629c5a9b6a24338844b5cb6b2e4
SHA256 69c2e7696c13d7446cf7cb4a9224fd6a3e8d457a3347ebacf66157fb119dbb09
SHA512 3cad2b4bac747f264054c3b0e3efd78c3101e6f7deb6276a1303ce968625a9dfa089fed2dc819a6456d26d28cbb5a91166987cb58dfbed76a1c110cd387c9042

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-wal

MD5 ab8e92f15a64952d030dd68938b1f67b
SHA1 50e48f943c502b25440a5fb4bba8005ed7c5de4d
SHA256 f04da7125ec258cebdd2a701299aeffaf03c91794b22f1a028c7b12a8f8872a6
SHA512 ecfd624b745d039f6265db57a7476a075812f5c5935d8c72d6604b3edd88e0f5b8800bc56cc92d1eaf080231ba1200fe9487faf2b84e7cc11f147824ea008f25

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-16 22:31

Reported

2024-10-16 22:34

Platform

android-x64-arm64-20240624-en

Max time kernel

87s

Max time network

132s

Command Line

com.rhmsoft.codeund9013

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.rhmsoft.codeund9013

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp

Files

/data/data/com.rhmsoft.codeund9013/logs/20241016223154221.log

MD5 661f731b6a3ebc7b859b66d740b17362
SHA1 e3eeaa218f3a2928e9ee08969a31b0815fc459a2
SHA256 fb1479f0fe73ad5a2a6cd2a88d053d5ba01edf27f12824aacdf8e0fb467596f9
SHA512 323ccc4249b6ccd818b2927fd72281530bcd190c95bae10c0167cb6fab1eec22f1cdbb165a0132a3f6175898ee409483be97a7a50c97ca349ecf3e2c3c504a0f

/data/data/com.rhmsoft.codeund9013/logs/20241016223154216.log

MD5 88607a4bf5e06258276a18b3b4fe7022
SHA1 ee2945057045cfc4e5fd123c76318f7fd1edf6bd
SHA256 c9ba479263b1cd34d612cf0a907c5adc99247b026e817afb78ff01429692bcb8
SHA512 46c3695e27f7c901671699d922701918b194bc1b821a9d33afaff0c4a8898f2a3b3b3521064a67b8732607827e7d078487269a3cba428dccc9ed00b112cdf4f6

/data/data/com.rhmsoft.codeund9013/logs/20241016223154226.log

MD5 5d20313df71c34ca16f1d7c8146ae559
SHA1 720dcbbe9e0c482649f1ad4e1c155843363599f3
SHA256 2ae13aace9be5f1d62584720019aa843dedcf5a2e51c739deea7872361bfa8c4
SHA512 5ba9d93e74ec5a8857ed5c3b439b09b27da63297409eac05e8b7ed0dd1fbbe9abd3556ae11c9a2661e98589eb55509612da1caa1480adcc99eac403237cebeda

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-journal

MD5 36a5ad18ef13ee76de120306a3ac8bd2
SHA1 4c1d8e729fee0f8f8bb6031e082d74d407a9afb6
SHA256 f8ec780ea34b4ab2c7f302e681d1af152037ad78cf4d44b1179f77d99493dbd9
SHA512 a7c68dcc991bd59222b873e4d5465d52046cf37cb74ad85308676fc3fdabf57a1576a98595cdc3c7f33f9c0d7f6468d0bada973866b297c0a6ef0e8893636c02

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-wal

MD5 7d29e806cd9e7f8d7425f6d164ff70a3
SHA1 c0778004c9803cd7a0ceea5d933201d557cc580c
SHA256 e4e84f20a53f769c8fd9835c251e672f0992d6cf8252ffa5b05a1fefa91b09cc
SHA512 73ecba29e38c58105971ac1b26a0a136ea5ed62751ad5f3711eea3cd859af9bde24dbe59075ef468151e148da5e25c52afd88cbb969925193e4c83167e4e2dd0

/data/data/com.rhmsoft.codeund9013/no_backup/androidx.work.workdb-wal

MD5 c636c9c3773aff15b8ec761047b64fa6
SHA1 c072a762563357bc4ed698d9d0c1b61a7a221e65
SHA256 5f634171da563c7544e6ed2695a8522473e4c42a1eb57288e9130db8139b8a3c
SHA512 cdbf4464c30c0186bcbefb95dc71fa62125c9e3f3b62d84700b0f999ff0227c164634d6df2f7ca8e40af494178269904258d44e46f828b9a3e3ad1547f93a092