MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d65a2d570219c01df9e7e175c58bcf1518f03ec4095802c34a80488061b9a29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 4

Intelligence 4 IOCs YARA 25 File information Comments

SHA256 hash:	5d65a2d570219c01df9e7e175c58bcf1518f03ec4095802c34a80488061b9a29
SHA3-384 hash:	93046916c06aa6a27491ae90a27a58ca8cd3384f092bba872d771c810291505938f329d06a48ad2eca885f0e3783daaa
SHA1 hash:	591cf1ddfb87c8586f121619bf615800cbae8e62
MD5 hash:	ce8c236c40c1562c9ad23ccbf1d95a8e
humanhash:	march-idaho-fix-sad
File name:	Telegram.apk
Download:	download sample
File size:	76'657'884 bytes
First seen:	2024-08-09 06:13:17 UTC
Last seen:	Never
File type:	apk
MIME type:	application/zip
ssdeep	1572864:w40oq0wXQlIYseMgGOzsnL5dWnHoulM7xp8tD5sz9EnK:wLoqtUIYseMdYeL5dWnIwMViaz9l
TLSH	T192F723E3F3354C3DC9770672866A6171E9284F51D322B21F7808B72DB9772E28A45BE1
TrID	60.6% (.APK) Android Package (27000/1/5) 30.3% (.JAR) Java Archive (13500/1/2) 8.9% (.ZIP) ZIP compressed archive (4000/1)
Reporter	Anonymous
Tags:	apk

Anonymous

Telegram中文安卓版下载

Intelligence

File Origin

# of uploads :

# of downloads :

307

Origin country :

Vendor Threat Intelligence

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

fingerprint lolbin remote spyware

Link:

https://www.filescan.io/uploads/66b5b3adb1392db6bab183e7/reports/8db34d24-072a-4693-b72f-6de3e400bcb3/overview

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/5d65a2d570219c01df9e7e175c58bcf1518f03ec4095802c34a80488061b9a29

Gathering data

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lvs2fvlqegoadx46pylvywf46fiy6a7mickyalbuvaciqbq3tiuq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

android collection discovery evasion persistence

Link:

https://tria.ge/reports/240809-jsy6sssbld/

Behaviour

Checks CPU information

Registers a broadcast receiver at runtime (usually for listening for system events)

Acquires the wake lock

Queries information about active data network

Checks known Qemu pipes.

Queries account information for other applications stored on the device

Reads the contacts stored on the device.

Reads the content of photos stored on the user's device.

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	apk_flubot_w0 Create hunting rule
Author:	Thomas Barabosch, Telekom Security
Description:	matches on dumped, decrypted V/DEX files of Flubot version > 4.2

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	ELF_Mirai Create hunting rule
Author:	NDA0E
Description:	Detects multiple Mirai variants

Rule name:	enterpriseapps2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Enterprise apps

Rule name:	F01_s1ckrule Create hunting rule
Author:	s1ckb017

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	html_auto_download_b64 Create hunting rule
Author:	Tdawg
Description:	html auto download

Rule name:	ldpreload Create hunting rule
Author:	xorseed
Reference:	https://stuff.rop.io/

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_indirect_function_call_3 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	malware_PlugX_config Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect PlugX in memory
Reference:	internal research

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PlugX Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect PlugX in memory
Reference:	internal research

Rule name:	QbotStuff Create hunting rule
Author:	anonymous

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	setsockopt Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for setsockopt() red flags

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	unixredflags3 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for UNIX red flags

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	yara_template Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

apk 5d65a2d570219c01df9e7e175c58bcf1518f03ec4095802c34a80488061b9a29

(this sample)

Link

https://www.telegram-apk.com/android

Link

https://tg.telegram-zhongwen.com/It7ggKTkRe

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample