MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5ab0adaedf391a395387df33b0bf6854f1ccc9c5da937915ea86b5eec6e6103. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AndroRAT


Vendor detections: 9



SHA256 hash: c5ab0adaedf391a395387df33b0bf6854f1ccc9c5da937915ea86b5eec6e6103
SHA3-384 hash: a1e42262445e82119a3f1a129c2b7099411fe8021ee333d285f7ef5f97e9b1b65bc511fd65d8e12b06c0deff216a4253
SHA1 hash: 3db0f3cb7565a183f8601f5515315ce8e36823d5
MD5 hash: 54a7d8d8f6ee586e266f369b0a8a8dee
humanhash: montana-hydrogen-fruit-cat
File name: evil.apk
Signature: AndroRAT
File size: 2'332'330 bytes
First seen: 2025-12-29 23:36:30 UTC
Last seen: Never
File type: apk
MIME type: application/zip
ssdeep: 49152:CY9l8FXNHt0RIoeXVQ/lTiiLl8qLmRk4kNtwHDAdgvY9Wh:t9l8F9aeoeXVElTiiJjgaMAV9Wh
TLSH: T19FB5F042BBC4AC1FCCB3D4324BB5877B11455D8A868AD313CA60B65C5DB7EC09E86EC9
TrID: 49.0% (.APK) Android Package (27000/1/5)
24.5% (.JAR) Java Archive (13500/1/2)
19.0% (.SH3D) Sweet Home 3D Design (generic) (10500/1/3)
7.2% (.ZIP) ZIP compressed archive (4000/1)
Magika: apk
Reporter: BastianHein
Tags: androrat apk signed

Code Signing Certificate

Organisation: Android Debug
Issuer: Android Debug
Algorithm: sha256WithRSAEncryption
Valid from: 2016-10-23T20:10:05Z
Valid to: 2044-03-10T20:10:05Z
Serial number: 056c1a15
Intelligence: 62 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 1e08a903aef9c3a721510b64ec764d01d3d094eb954161b62544ea8f187b5953
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 65
Origin country: CL
Vendor Threat Intelligence
No detections
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: android base64 evasive fingerprint persistence signed spyagent
Result
Application Permissions
take pictures and videos (CAMERA)
read external storage contents (READ_EXTERNAL_STORAGE)
read/modify/delete external storage contents (WRITE_EXTERNAL_STORAGE)
read SMS or MMS (READ_SMS)
fine (GPS) location (ACCESS_FINE_LOCATION)
coarse (network-based) location (ACCESS_COARSE_LOCATION)
record audio (RECORD_AUDIO)
display system-level alerts (SYSTEM_ALERT_WINDOW)
read phone state and identity (READ_PHONE_STATE)
view network status (ACCESS_NETWORK_STATE)
full Internet access (INTERNET)
view Wi-Fi status (ACCESS_WIFI_STATE)
automatically start at boot (RECEIVE_BOOT_COMPLETED)
prevent phone from sleeping (WAKE_LOCK)
control vibrator (VIBRATE)
Verdict: Malicious
File Type: apk
First seen: 2025-12-29T20:38:00Z UTC
Last seen: 2025-12-29T22:04:00Z UTC
Hits: ~10
Threat name: Android.Trojan.SpyAgent
Status: Malicious
First seen: 2025-12-29 23:37:23 UTC
File Type: Binary (Archive)
Extracted files: 710
AV detection: 10 of 23 (43.48%)
Threat level: 5/5
Result
Malware family: androrat
Score: 10/10
Tags: family:androrat android discovery evasion execution persistence stealth trojan
Behaviour
Schedules tasks to execute at a specified time
Queries information about active data network
Removes its main activity from the application launcher
Malware Config
C2 Extraction: 192.169.x.x:8000
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
