MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de5f128ee8537d5bcb1da064cac431b078711c1f23ffc194b3d99af6ad4fd1e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de5f128ee8537d5bcb1da064cac431b078711c1f23ffc194b3d99af6ad4fd1e2
SHA3-384 hash: 69cadc6b2a07bc01ceeb75f0fbcf3fe93bb586550d495ba56fca02c89eecfb9a134447796e58aeb0887ddae56f668112
SHA1 hash: 024b0ef5847b1e64bb73d37292ff6f280dab04e1
MD5 hash: c648dec75136ea17e4a2e07cc72bbc9d
humanhash: magnesium-nitrogen-march-sweet
File name:wdsj_01485.apk
Download: download sample
File size:19'757'234 bytes
First seen:2026-03-30 04:01:00 UTC
Last seen:Never
File type: apk
MIME type:application/zip
ssdeep 196608:MXHbYMuAZImBudGs7zU/7YLbpz8TabVZT79heHjfBdNVyCk3Xv62jmOowdbb2mNk:zFIR/c17DSj5db9k3Xv6AvPtUnh
TLSH T12A17CF14D74E643AEACBF03CEA47059260123C5C5661C89931BBB20EF7B77E267273A5
TrID 72.4% (.SH3D) Sweet Home 3D Design (generic) (10500/1/3)
27.5% (.ZIP) ZIP compressed archive (4000/1)
Magika apk
Reporter Ling
Tags:apk SAgnt Trojan:AndroidOS/SAgnt!MSR


Avatar
CNGaoLing
This sample has been reviewed by Microsoft researchers and determined to be malware. (Trojan:AndroidOS/SAgnt!MSR)

Intelligence

File Origin
# of uploads :
1
# of downloads :
143
Origin country :
US US
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.FileRepMalware.41139211.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
android expand generisk invalid-signature lolbin signed spymax
Link:
https://www.filescan.io/uploads/69c9f597e2df9aa488bd5766/reports/073b1897-66ce-4dd7-b3fb-8e2ce57513fa/overview
Result
Link:
https://incinerator.cloud/#/public/report/c648dec75136ea17e4a2e07cc72bbc9d/detail
Application Permissions
edit SMS or MMS (WRITE_SMS)
receive SMS (RECEIVE_SMS)
write contact data (WRITE_CONTACTS)
send SMS messages (SEND_SMS)
read SMS or MMS (READ_SMS)
read contact data (READ_CONTACTS)
list accounts (GET_ACCOUNTS)
take pictures and videos (CAMERA)
record audio (RECORD_AUDIO)
coarse (network-based) location (ACCESS_COARSE_LOCATION)
fine (GPS) location (ACCESS_FINE_LOCATION)
directly call phone numbers (CALL_PHONE)
read/modify/delete external storage contents (WRITE_EXTERNAL_STORAGE)
read external storage contents (READ_EXTERNAL_STORAGE)
Allows an application a broad access to external storage in scoped storage (MANAGE_EXTERNAL_STORAGE)
view network status (ACCESS_NETWORK_STATE)
set wallpaper (SET_WALLPAPER)
automatically start at boot (RECEIVE_BOOT_COMPLETED)
full Internet access (INTERNET)
view Wi-Fi status (ACCESS_WIFI_STATE)
prevent phone from sleeping (WAKE_LOCK)
update component usage statistics (PACKAGE_USAGE_STATS)
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/de5f128ee8537d5bcb1da064cac431b078711c1f23ffc194b3d99af6ad4fd1e2
Verdict:
Malicious
File Type:
apk
First seen:
2026-03-29T16:23:00Z UTC
Last seen:
2026-03-30T05:27:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Banker.AndroidOS.Agent.ws
Link:
https://opentip.kaspersky.com/de5f128ee8537d5bcb1da064cac431b078711c1f23ffc194b3d99af6ad4fd1e2/results?tab=lookup
Score:
98%
Verdict:
Malware
File Type:
APK
Link:
https://malprob.io/report/de5f128ee8537d5bcb1da064cac431b078711c1f23ffc194b3d99af6ad4fd1e2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de5f128ee8537d5bcb1da064cac431b078711c1f23ffc194b3d99af6ad4fd1e2/
Threat name:
Android.Trojan.SAgnt
Create hunting rule
Status:
Malicious
First seen:
2026-03-30 03:42:17 UTC
File Type:
Binary (Archive)
Extracted files:
688
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3zprfdxikn6vxsy5ubsmvrbrwb4hcha7ep74dfft3gnpnlkp2hra._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/260330-elfnnaet8s/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.30
Link:
https://yomi.yoroi.company/submissions/de5f128ee8537d5bcb1da064cac431b078711c1f23ffc194b3d99af6ad4fd1e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_all_IPv6_variants
Create hunting rule
Author:Bierchermuesli
Description:Generic IPv6 catcher
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

apk de5f128ee8537d5bcb1da064cac431b078711c1f23ffc194b3d99af6ad4fd1e2

(this sample)

  
Delivery method
Distributed via web download

Comments