MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bba9bc21a322ea0e1737c5fa64057d12f133a3ebed6007ffed979b3d6099f6aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GoldDigger


Vendor detections: 8



SHA256 hash: bba9bc21a322ea0e1737c5fa64057d12f133a3ebed6007ffed979b3d6099f6aa
SHA3-384 hash: 763aa2069170bc4e30f2532851fe1b8400de54ce60762c6b322d5e5c2a6c18a775031529e97d30fefe19046383f0ad03
SHA1 hash: 24289aa2d6b5e5735a85a0a0c5670d11b9c0196d
MD5 hash: 9f64f76bb0b20c3be949922bc1ae290d
humanhash: vegan-bakerloo-zulu-lima
File name: pln_mobile.apk
Signature: GoldDigger
File size: 13'750'997 bytes
First seen: 2026-06-30 15:25:27 UTC
Last seen: Never
File type: apk
MIME type: application/zip
ssdeep: 196608:E7uoUT3zcKTkYzjZ3D1Rii+rfP1XTzsgC0LlIqYtAZofUUpbIDU+nxXIuyb:E7wbwKTkMRs+gjHHKbI5nxXc
TLSH: T136D62247F794AC6AC0FB93320675122A96174D624B839AC36E45363C5EB3AD49F0DFC8
TrID: 36.4% (.APK) Android Package (27000/1/5)
      18.2% (.JAR) Java Archive (13500/1/2)
      14.8% (.CATROBAT) Pocket Code/Catroid Catrobat Project (11000/1/2)
      14.1% (.SH3D) Sweet Home 3D Design (generic) (10500/1/3)
      10.8% (.XPI) Mozilla Firefox browser extension (8000/1/1)
Magika: jar
Reporter: BastianHein
Tags: apk GoldDigger signed

Code Signing Certificate

Organisation: Th
Issuer: Th
Algorithm: sha256WithRSAEncryption
Valid from: 2024-11-03T00:09:34Z
Valid to: 2025-11-03T00:09:34Z
Serial number: 33be15e824837db8
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: 27025d716dc24d8c8ba526abae2e4426c64f03c2ecf892cc33272618a471f87d
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 89
Origin country: CL
Vendor Threat Intelligence
No detections
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: bankingtrojan base64 crypto evasive expand fingerprint invalid-signature lolbin persistence signed
Result
Application Permissions
record audio (RECORD_AUDIO)
read/modify/delete external storage contents (WRITE_EXTERNAL_STORAGE)
read external storage contents (READ_EXTERNAL_STORAGE)
display system-level alerts (SYSTEM_ALERT_WINDOW)
modify global system settings (WRITE_SETTINGS)
read SMS or MMS (READ_SMS)
receive SMS (RECEIVE_SMS)
send SMS messages (SEND_SMS)
directly call phone numbers (CALL_PHONE)
coarse (network-based) location (ACCESS_COARSE_LOCATION)
fine (GPS) location (ACCESS_FINE_LOCATION)
access location in background (ACCESS_BACKGROUND_LOCATION)
take pictures and videos (CAMERA)
read contact data (READ_CONTACTS)
write contact data (WRITE_CONTACTS)
act as an account authenticator (AUTHENTICATE_ACCOUNTS)
list accounts (GET_ACCOUNTS)
mount and unmount file systems (MOUNT_UNMOUNT_FILESYSTEMS)
broad access to external storage under scoped storage (MANAGE_EXTERNAL_STORAGE)
read phone state and identity (READ_PHONE_STATE)
control vibrator (VIBRATE)
read sync statistics (READ_SYNC_STATS)
read sync settings (READ_SYNC_SETTINGS)
prevent phone from sleeping (WAKE_LOCK)
automatically start at boot (RECEIVE_BOOT_COMPLETED)
view network status (ACCESS_NETWORK_STATE)
view Wi-Fi status (ACCESS_WIFI_STATE)
set wallpaper (SET_WALLPAPER)
full Internet access (INTERNET)
reorder applications running (REORDER_TASKS)
write sync settings (WRITE_SYNC_SETTINGS)
modify battery statistics (BATTERY_STATS)
Verdict: Malicious
File type: apk
First seen: 2026-06-30T09:20:00Z UTC
Last seen: 2026-06-30T09:38:00Z UTC
Hits: ~10
Threat name: Linux.Trojan.SpyBanker
Status: Malicious
First seen: 2026-06-30 14:12:01 UTC
File type: Binary (Archive)
Extracted files: 1070
AV detection: 18 of 36 (50.00%)
Threat level: 5/5
Result
Malware family: golddigger
Score: 10/10
Tags: family:golddigger banker infostealer trojan
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD command that can be abused by a threat actor (can create FP)
Rule name: telebot_framework
Author: vietdx.mb

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments