MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2bccfc8b3bdf2da5fb5c22055a9c4859256be7904933e9e0b92fa31fd0420d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GodFather


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c2bccfc8b3bdf2da5fb5c22055a9c4859256be7904933e9e0b92fa31fd0420d3
SHA3-384 hash: 481cf447f25a55a2183d4866909410825d4da00dfffbaa8d018a614467d3bc38d55cf795f260d05311949c6f15ec3446
SHA1 hash: f471dba14c16afb89272c6d6134118f14789d074
MD5 hash: c822246c2c42623e8f71243b5c0f3fd5
humanhash: hotel-quebec-don-hamper
File name:Muzik indir.apk
Download: download sample
Signature GodFather
Create hunting rule
File size:4'857'276 bytes
First seen:2025-02-26 16:16:29 UTC
Last seen:Never
File type: apk
MIME type:application/zip
ssdeep 98304:Y0RR6Ce30gUUhPo+ZhK4ReCP48OPguXnkv9U9P41vVlZtWqM:HaCekgUUhA6NJwFw9lZty
TLSH T18D261283FB45D96ED5F3833A4A7A166A55124C168783C3939A5C733C2EBB9C04E85ECC
TrID 49.0% (.APK) Android Package (27000/1/5)
24.5% (.JAR) Java Archive (13500/1/2)
19.0% (.SH3D) Sweet Home 3D Design (generic) (10500/1/3)
7.2% (.ZIP) ZIP compressed archive (4000/1)
Magika apk
Reporter BastianHein
Tags:apk GodFather signed

Code Signing Certificate

Organisation:marbleizing
Issuer:marbleizing
Algorithm:sha1WithRSAEncryption
Valid from:2024-06-13T16:34:14Z
Valid to:2025-06-13T16:34:14Z
Serial number: 29362c9f
Thumbprint Algorithm:SHA256
Thumbprint: 7b6666c6dee91323c35f4786d258fc8f672908ca0f3be26a4e79c19accab575f
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
231
Origin country :
CL CL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Android.BankBot.GodFather.3.6887.7603.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
android evasive lolbin remote signed spyagent
Link:
https://www.filescan.io/uploads/67bf3e8654484fd3e32b07ca/reports/d55a4c80-151f-475d-8d58-d8574341574e/overview
Result
Link:
https://incinerator.cloud/#/public/report/c822246c2c42623e8f71243b5c0f3fd5/detail
Application Permissions
Allows an application to request installing packages. (REQUEST_INSTALL_PACKAGES)
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/c2bccfc8b3bdf2da5fb5c22055a9c4859256be7904933e9e0b92fa31fd0420d3
Score:
70%
Verdict:
Susipicious
File Type:
APK
Link:
https://malprob.io/report/c2bccfc8b3bdf2da5fb5c22055a9c4859256be7904933e9e0b92fa31fd0420d3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c2bccfc8b3bdf2da5fb5c22055a9c4859256be7904933e9e0b92fa31fd0420d3/
Threat name:
Android.Infostealer.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-01-01 10:55:00 UTC
File Type:
Binary (Archive)
Extracted files:
892
AV detection:
9 of 37 (24.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yk6m7sftxxznux5vyiqflkoeqwjfnptzasjt5hqlsl5dd7ieedjq._file
Result
Malware family:
godfather
Create hunting rule
Score:
  10/10
Tags:
family:godfather android collection credential_access defense_evasion evasion impact persistence
Link:
https://tria.ge/reports/250226-trytrawj13/
Behaviour
Uses Crypto APIs (Might try to encrypt user data)
Malware Config
C2 Extraction:
https://t.me/paperokomozase
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ddd592d5-0eaf-4aa4-bddb-2aa1d9c7f6b9
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c2bccfc8b3bdf2da5fb5c22055a9c4859256be7904933e9e0b92fa31fd0420d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Suspicious_Latam_MSI_and_ZIP_Files
Create hunting rule
Author:eremit4, P4nd3m1cb0y
Description:Detects suspicious .msi and .zip files used in Latam banking trojan campaigns.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments