MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d44e0009d251ae4983f5bf29f7d8aa9af668df88dba05a17a7a314f6780ceff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6



SHA256 hash: 7d44e0009d251ae4983f5bf29f7d8aa9af668df88dba05a17a7a314f6780ceff
SHA3-384 hash: 7c6d81518df728ffabaae6eb82b3564f67d2ef71aaeffe5fbea9683ed6dba8a8870949b99c575ea1c2e08eefe0044829
SHA1 hash: d0953b36a6e6e09fbd7d93c07921ab2eecaf23b7
MD5 hash: 78336a1c63ba008af99fd984ef8f2775
humanhash: november-south-dakota-oscar
File name: Telegram_12.6.5_APKPure.apk
File size: 50'159'716 bytes
First seen: 2026-05-24 07:03:32 UTC
Last seen: Never
File type: apk
MIME type: application/zip
ssdeep: 786432:9gbPI+gXH1HYKCSxzQTDvrjQlCNwibgQIaYLc9wlMZd7Km7HLegrEvMKdN3kA32Z:GbVgl/YvElYwWItg9gMZ8m7iWEriIfdC
TLSH: T142B712E7F3315C3DD9770532966D6071EA284F24D622A30F2409B63EB9B33D68A857E1
TrID: 60.6% (.APK) Android Package (27000/1/5)
30.3% (.JAR) Java Archive (13500/1/2)
8.9% (.ZIP) ZIP compressed archive (4000/1)
Magika: apk
Reporter: EricParker
Tags: apk FakeTelegram signed spyware

Code Signing Certificate

Organisation: Android Developer
Issuer: Android Developer
Algorithm: sha256WithRSAEncryption
Valid from: 2019-12-02T14:18:53Z
Valid to: 2047-04-19T14:18:53Z
Serial number: 55b323d1
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: a08d7dc323ddf71ef3201944397e0d3cce7d40847263e11f328b68bbe19229ab
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform
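The thumbprint above is the pivot: the same self-signed "Android Developer" certificate signs five samples on MalwareBazaar, so any APK whose signer matches it can be blocked without knowing the family. As an added example (not part of the MalwareBazaar page or of ReversingLabs' tooling), the standard-library Python script below pulls the signer certificate out of an APK's v1 (JAR) signature, walks the PKCS#7 SignedData in META-INF/*.RSA with a minimal DER parser, and hashes the certificate. It assumes the listed thumbprint is SHA-256 over the certificate's DER encoding (the value keytool prints as the SHA256 fingerprint); the `synthetic_apk` / `DUMMY_CERT` fixture is constructed so the script runs offline and is not a real signature.

```python
"""Extract an APK's v1 signer certificate and compute its SHA-256 thumbprint.

Standard library only. Definite-length DER is handled; indefinite-length BER
(seen in some older signing tools) is rejected rather than mis-parsed.
"""
import hashlib
import io
import zipfile

SEQUENCE, SET, CONTEXT_0 = 0x30, 0x31, 0xA0

# Thumbprint from this MalwareBazaar entry, used here as a blocklist.
KNOWN_BAD_THUMBPRINTS = {
    "a08d7dc323ddf71ef3201944397e0d3cce7d40847263e11f328b68bbe19229ab",
}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def der_read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos:]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    length = buf[pos + 1]
    pos += 2
    if length == 0x80:
        raise ValueError("indefinite-length BER not supported")
    if length & 0x80:                       # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length

def der_children(buf, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vstart, vend = der_read_tlv(buf, pos)
        yield tag, pos, vstart, vend
        pos = vend

def first_with_tag(children, tag):
    for child in children:
        if child[0] == tag:
            return child
    raise ValueError("expected tag 0x%02x not found" % tag)

def certificates_from_pkcs7(blob):
    """Return the DER bytes of every certificate carried in a PKCS#7 SignedData."""
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    tag, vstart, vend = der_read_tlv(blob, 0)
    if tag != SEQUENCE:
        raise ValueError("not a ContentInfo SEQUENCE")
    explicit = first_with_tag(der_children(blob, vstart, vend), CONTEXT_0)
    signed_data = first_with_tag(der_children(blob, explicit[2], explicit[3]), SEQUENCE)
    # SignedData ::= SEQUENCE { version, digestAlgorithms SET, encapContentInfo SEQUENCE,
    #                           certificates [0] IMPLICIT SET OF Certificate OPTIONAL, ... }
    certs = first_with_tag(der_children(blob, signed_data[2], signed_data[3]), CONTEXT_0)
    return [bytes(blob[tlv_start:vend])
            for tag, tlv_start, _, vend in der_children(blob, certs[2], certs[3])
            if tag == SEQUENCE]

def apk_signer_thumbprints(apk_bytes):
    """SHA-256 thumbprints of every signer certificate in the APK's v1 signature.
    v2/v3 signatures live in the APK Signing Block and are not parsed here."""
    thumbs = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".EC")):
                thumbs.extend(sha256_hex(c) for c in certificates_from_pkcs7(zf.read(name)))
    return thumbs

def check_apk(apk_bytes, blocklist=KNOWN_BAD_THUMBPRINTS):
    """Map each signer thumbprint to True if it is on the blocklist."""
    return {t: t in blocklist for t in apk_signer_thumbprints(apk_bytes)}

# --- constructed fixture (not a real signature) so the script runs offline ---
def der(tag, payload):
    """Encode one DER TLV."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload

# Stand-in for an X.509 Certificate SEQUENCE, long enough to exercise long-form lengths.
DUMMY_CERT = der(SEQUENCE, der(0x02, b"\x02") + der(0x04, b"constructed, not a real certificate " * 6))

def synthetic_apk(cert_der):
    """In-memory zip whose META-INF/CERT.RSA wraps cert_der in a minimal SignedData."""
    oid_signed_data = der(0x06, bytes.fromhex("2a864886f70d010702"))  # 1.2.840.113549.1.7.2
    oid_data = der(0x06, bytes.fromhex("2a864886f70d010701"))         # 1.2.840.113549.1.7.1
    signed_data = der(SEQUENCE,
                      der(0x02, b"\x01")            # version
                      + der(SET, b"")               # digestAlgorithms (empty)
                      + der(SEQUENCE, oid_data)     # encapContentInfo
                      + der(CONTEXT_0, cert_der)    # certificates [0] IMPLICIT
                      + der(SET, b""))              # signerInfos (empty)
    pkcs7 = der(SEQUENCE, oid_signed_data + der(CONTEXT_0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/CERT.RSA", pkcs7)
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else synthetic_apk(DUMMY_CERT)
    for thumb, bad in check_apk(data).items():
        print(thumb, "BLOCKLISTED" if bad else "not on blocklist")
```

Run it against a downloaded sample with `python3 <script.py> Telegram_12.6.5_APKPure.apk` (the script filename is your choice); without arguments it checks the constructed fixture. For a quick check without scripting, `keytool -printcert -jarfile <apk>` or `apksigner verify --print-certs <apk>` print the same SHA-256 fingerprint. An APK signed only with the v2/v3 scheme has no META-INF/*.RSA entry; its certificate sits in the APK Signing Block, which this parser does not read, so an empty result is "no v1 signature", not "unsigned".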


EricParker:
Distributed on APKPure as the "official" Telegram; sends all conversations to a Hong Kong-based IP.

Intelligence


File Origin
# of uploads: 1
# of downloads: 394
Origin country: TH
Vendor Threat Intelligence
No detections
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: base64 crypto evasive fingerprint persistence signed
Result
Application Permissions
coarse (network-based) location (ACCESS_COARSE_LOCATION)
fine (GPS) location (ACCESS_FINE_LOCATION)
access any geographic locations (ACCESS_MEDIA_LOCATION)
directly call phone numbers (CALL_PHONE)
read phone state and identity (READ_PHONE_STATE)
send SMS messages (SEND_SMS)
record audio (RECORD_AUDIO)
read external storage contents (READ_EXTERNAL_STORAGE)
list accounts (GET_ACCOUNTS)
read contact data (READ_CONTACTS)
write contact data (WRITE_CONTACTS)
manage the accounts list (MANAGE_ACCOUNTS)
read the user's personal profile data (READ_PROFILE)
act as an account authenticator (AUTHENTICATE_ACCOUNTS)
display system-level alerts (SYSTEM_ALERT_WINDOW)
take pictures and videos (CAMERA)
request installing packages (REQUEST_INSTALL_PACKAGES)
modify global system settings (WRITE_SETTINGS)
read/modify/delete external storage contents (WRITE_EXTERNAL_STORAGE)
access location in background (ACCESS_BACKGROUND_LOCATION)
full Internet access (INTERNET)
change your audio settings (MODIFY_AUDIO_SETTINGS)
view network status (ACCESS_NETWORK_STATE)
view Wi-Fi status (ACCESS_WIFI_STATE)
prevent phone from sleeping (WAKE_LOCK)
write sync settings (WRITE_SYNC_SETTINGS)
read sync settings (READ_SYNC_SETTINGS)
control vibrator (VIBRATE)
automatically start at boot (RECEIVE_BOOT_COMPLETED)
allow use of fingerprint (USE_FINGERPRINT)
create Bluetooth connections (BLUETOOTH)
show app notification (READ_APP_BADGE)
C2DM permissions (RECEIVE)
Verdict: Malicious
File Type: apk
First seen: 2026-05-25T07:19:00Z UTC
Last seen: 2026-05-26T04:17:00Z UTC
Hits: ~100
Result
Malware family: n/a
Score: 7/10
Tags: android defense_evasion discovery
Behaviour
Checks CPU information
Acquires the wake lock
Queries information about active data network
Checks known Qemu pipes
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



commented on 2026-05-24 10:06:04 UTC

C2: https://38.190.225.166