MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df384f9aaa8c3a194e2225d9f3b577d9bbda92f390ad15f3f812c3770909f9e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df384f9aaa8c3a194e2225d9f3b577d9bbda92f390ad15f3f812c3770909f9e8
SHA3-384 hash: b47b6980d01d361cb927044281342ab24fe23c667cb9066fb3fc284ba7ba919a66974d226e192f07c78ede0ff9af0328
SHA1 hash: 82eaa443b81b89f5e8c046e269134c06931906b5
MD5 hash: 73e8bbe12f47bebc4d052bee8f929092
humanhash: earth-leopard-tennessee-freddie
File name:com.youyu-1.apk
Download: download sample
File size:2'649'555 bytes
First seen:2026-03-16 17:23:49 UTC
Last seen:Never
File type: apk
MIME type:application/zip
ssdeep 49152:NlhLKWCEhU8b7Rqjz5dF53YsWN5+EbR6aSFzIRMXn1WwYarNtG+omjHdHewLI:NjWWFhUSRoF53Ysz/aS6RMX1WwYarFjk
TLSH T145C53363F97A2864DCEB76B014811A84212AD3BF69A1C459009FD744AC0DED0FF66E7F
TrID 60.6% (.APK) Android Package (27000/1/5)
30.3% (.JAR) Java Archive (13500/1/2)
8.9% (.ZIP) ZIP compressed archive (4000/1)
Magika apk
Reporter juroots
Tags:apk signed

Code Signing Certificate

Organisation:zuoyuluntan wy
Issuer:zuoyuluntan wy
Algorithm:sha256WithRSAEncryption
Valid from:2026-03-15T10:40:09Z
Valid to:2039-11-04T10:40:09Z
Serial number: 63dd0d3c
Thumbprint Algorithm:SHA256
Thumbprint: 834a392625047f4ce723e3f4bc4753d6f8d0dc06608a0af2fce03fb24a7cf1bf
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
210
Origin country :
CZ CZ
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.PUA.Tool.Obfuscator.TrashCode.1.3030.4447.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 crypto evasive fingerprint signed
Link:
https://www.filescan.io/uploads/69b83ce02000fc76c3e2fea5/reports/55f08da5-b267-42d2-a14c-bc0aa78e805f/overview
Result
Link:
https://incinerator.cloud/#/public/report/73e8bbe12f47bebc4d052bee8f929092/detail
Application Permissions
display system-level alerts (SYSTEM_ALERT_WINDOW)
mount and unmount file systems (MOUNT_UNMOUNT_FILESYSTEMS)
read/modify/delete external storage contents (WRITE_EXTERNAL_STORAGE)
Allows an application to request installing packages. (REQUEST_INSTALL_PACKAGES)
fine (GPS) location (ACCESS_FINE_LOCATION)
coarse (network-based) location (ACCESS_COARSE_LOCATION)
retrieve running applications (GET_TASKS)
read external storage contents (READ_EXTERNAL_STORAGE)
read phone state and identity (READ_PHONE_STATE)
Allows an application a broad access to external storage in scoped storage (MANAGE_EXTERNAL_STORAGE)
record audio (RECORD_AUDIO)
take pictures and videos (CAMERA)
access any geographic locations (ACCESS_MEDIA_LOCATION)
full Internet access (INTERNET)
view network status (ACCESS_NETWORK_STATE)
prevent phone from sleeping (WAKE_LOCK)
view Wi-Fi status (ACCESS_WIFI_STATE)
control vibrator (VIBRATE)
change your audio settings (MODIFY_AUDIO_SETTINGS)
change your UI settings (CHANGE_CONFIGURATION)
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/df384f9aaa8c3a194e2225d9f3b577d9bbda92f390ad15f3f812c3770909f9e8
Verdict:
Unknown
File Type:
apk
Link:
https://opentip.kaspersky.com/df384f9aaa8c3a194e2225d9f3b577d9bbda92f390ad15f3f812c3770909f9e8/results?tab=lookup
Score:
66%
Verdict:
Susipicious
File Type:
APK
Link:
https://malprob.io/report/df384f9aaa8c3a194e2225d9f3b577d9bbda92f390ad15f3f812c3770909f9e8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/df384f9aaa8c3a194e2225d9f3b577d9bbda92f390ad15f3f812c3770909f9e8/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=344e7gvkrq5bstrcexm7hnlx3g55vextscwrl47yclbxocij7hua._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
android collection credential_access discovery impact
Link:
https://tria.ge/reports/260316-vy1scsds8j/
Behaviour
Checks CPU information
Checks memory information
Uses Crypto APIs (Might try to encrypt user data)
Queries information about active data network
Obtains sensitive information copied to the device clipboard
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:apk_flubot_w0
Create hunting rule
Author:Thomas Barabosch, Telekom Security
Description:matches on dumped, decrypted V/DEX files of Flubot version > 4.2
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:strrat_jar_v1
Create hunting rule
Author:RandomMalware
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

apk df384f9aaa8c3a194e2225d9f3b577d9bbda92f390ad15f3f812c3770909f9e8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3797430/
  
Delivery method
Distributed via web download

Comments