MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d2595d5cd34996e4ce0ac0c2b20915e3adee14ce88404d02016ae331a4fec26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Joker


Vendor detections: 3


Intelligence 3 IOCs YARA 6 File information Comments

SHA256 hash: 2d2595d5cd34996e4ce0ac0c2b20915e3adee14ce88404d02016ae331a4fec26
SHA3-384 hash: c4f943f068ed3764fb0f057c5732648e3d1c50366ffbc4e8a38a7aa61867f9897d7c5286767a72ac5e3dfbce87b23866
SHA1 hash: a79deed1180a271ee95f18c07c824a4ae2e99939
MD5 hash: 929032b78fe57a15e1c731b7194f966d
humanhash: fish-six-washington-don
File name:com.scarletclean.mobile_1.0.6.xapk
Download: download sample
Signature Joker
File size:4'584'663 bytes
First seen:2026-06-14 06:45:42 UTC
Last seen:Never
File type: xapk
MIME type:application/zip
ssdeep 49152:+DvMHuaDJ8hnKL+h+rDJs9Rnvq7oBOMAx8p0/lHm8gB4aM3gaQ7:VDenIsx69HmXB6S7
TLSH T13826CF06EA27EE79CCAE53342C7B039073326189F7838357601CD9B4AD8B2ED5795399
TrID 41.5% (.APK) Android Package (27000/1/5)
20.7% (.JAR) Java Archive (13500/1/2)
19.2% (.VYM) VYM Mind Map (12500/1/3)
12.3% (.XPI) Mozilla Firefox browser extension (8000/1/1)
6.1% (.ZIP) ZIP compressed archive (4000/1)
Magika apk
Reporter Anonymous
Tags:joker malware xapk

Intelligence


File Origin
# of uploads :
1
# of downloads :
146
Origin country :
US US
Vendor Threat Intelligence
No detections
Result
Malware family:
n/a
Score:
  7/10
Tags:
android defense_evasion evasion execution persistence
Behaviour
Registers a broadcast receiver at runtime (usually for listening for system events)
Schedules tasks to execute at a specified time
Makes use of the framework's foreground persistence service
Loads dropped Dex/Jar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Android_Accessibility_Service_Abuse
Author:Buga :3
Description:Detects Android malware abusing Accessibility Service for auto-clicking, credential theft, overlay attacks, or device takeover
Reference:https://developer.android.com/reference/android/accessibilityservice/AccessibilityService
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:SUSP_ZIP_Smuggling_Jun01
Author:delivr.to
Description:ZIP archives with data smuggled between last file record and the central directory.
Reference:https://github.com/Octoberfest7/zip_smuggling/
Rule name:telebot_framework
Author:vietdx.mb

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments