MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4338ab77d05aeacd7eac5acbe9eed5568778c8e3e9499562816805b54b4d1a6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AntiDot


Vendor detections: 7


Intelligence 7 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4338ab77d05aeacd7eac5acbe9eed5568778c8e3e9499562816805b54b4d1a6a
SHA3-384 hash: f18d93ba269b5163c95f8e73af3ddbcfebee39ea2b1ed4486e4fd3542c9a944f952edbb2b265413c46a5e6d178eefe94
SHA1 hash: 8493de7dec3d81680aa8681da736c1fe18a72215
MD5 hash: a4ee6d65eca0c3de859ac90f19e85095
humanhash: artist-sink-march-dakota
File name:Ch铆nhph峄_apk
Download: download sample
Signature AntiDot
Create hunting rule
File size:25'096'954 bytes
First seen:2025-12-30 11:35:10 UTC
Last seen:2025-12-30 14:35:28 UTC
File type: apk
MIME type:application/zip
ssdeep 393216:q59Dw2H7e9C8Hs3FNgIuZ9zhL9VmENEDEyIlmLf:FYqkisFitZhHVQLf
TLSH T1A747E105F20C662AD9C6F07DAD8605E2B536BC8A6350C5463537B32DFAB3BD48B653E0
TrID 50.0% (.APK) Android Package (27000/1/5)
23.1% (.VYM) VYM Mind Map (12500/1/3)
19.4% (.SH3D) Sweet Home 3D Design (generic) (10500/1/3)
7.4% (.ZIP) ZIP compressed archive (4000/1)
Magika apk
Reporter zhuzhu0009
Tags:Antidot apk

Intelligence

File Origin
# of uploads :
2
# of downloads :
12
Origin country :
SG SG
Vendor Threat Intelligence
No detections
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
android bankbot base64 crypto evasive fingerprint persistence signed
Link:
https://www.filescan.io/uploads/6953cacb65e07687fdf2e54d/reports/200446a9-03ac-4b6e-9985-6b2eabd9a48c/overview
Result
Link:
https://incinerator.cloud/#/public/report/a4ee6d65eca0c3de859ac90f19e85095/detail
Application Permissions
display system-level alerts (SYSTEM_ALERT_WINDOW)
read external storage contents (READ_EXTERNAL_STORAGE)
read/modify/delete external storage contents (WRITE_EXTERNAL_STORAGE)
Allows an application a broad access to external storage in scoped storage (MANAGE_EXTERNAL_STORAGE)
read phone state and identity (READ_PHONE_STATE)
directly call phone numbers (CALL_PHONE)
take pictures and videos (CAMERA)
read contact data (READ_CONTACTS)
coarse (network-based) location (ACCESS_COARSE_LOCATION)
fine (GPS) location (ACCESS_FINE_LOCATION)
Allows an application to request installing packages. (REQUEST_INSTALL_PACKAGES)
read SMS or MMS (READ_SMS)
retrieve running applications (GET_TASKS)
modify global system settings (WRITE_SETTINGS)
full Internet access (INTERNET)
view Wi-Fi status (ACCESS_WIFI_STATE)
control vibrator (VIBRATE)
view network status (ACCESS_NETWORK_STATE)
reorder applications running (REORDER_TASKS)
prevent phone from sleeping (WAKE_LOCK)
automatically start at boot (RECEIVE_BOOT_COMPLETED)
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/4338ab77d05aeacd7eac5acbe9eed5568778c8e3e9499562816805b54b4d1a6a
Score:
96%
Verdict:
Malware
File Type:
APK
Link:
https://malprob.io/report/4338ab77d05aeacd7eac5acbe9eed5568778c8e3e9499562816805b54b4d1a6a
Gathering data
Threat name:
Android.Infostealer.Anubis
Create hunting rule
Status:
Malicious
First seen:
2025-10-11 19:55:07 UTC
File Type:
Binary (Archive)
Extracted files:
1656
AV detection:
12 of 36 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=im4kw56qllvm27vmllf6t3wvk2dxrshd5fezkyubnac3ks2ndjva._file
Result
Malware family:
antidot
Create hunting rule
Score:
  10/10
Tags:
family:antidot
Link:
https://tria.ge/reports/251230-p4j4xaskcj/
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3d8d1cce-277a-43ba-b070-c5ad218045cc
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/4338ab77d05aeacd7eac5acbe9eed5568778c8e3e9499562816805b54b4d1a6a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments