MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f90a9fb4813d7ed9cb40727922307fbe926610903a8e9d14267a0a0aa26f9029. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f90a9fb4813d7ed9cb40727922307fbe926610903a8e9d14267a0a0aa26f9029
SHA3-384 hash: 9580383b3d5956a39f0a5e4cde99343bb2dbcf465bfafc6ceb44909e31317e457b29d1fc4e10dd6db333f2db19aced4e
SHA1 hash: 41066bf90788203bd3f5441020c35fc1cb00495f
MD5 hash: ee22a79526a9539b9264a3ca1546b88c
humanhash: seventeen-georgia-floor-cola
File name:HelloCS2.12安卓9去云手机限制版.apk
Download: download sample
File size:21'381'359 bytes
First seen:2025-12-01 20:33:55 UTC
Last seen:Never
File type: apk
MIME type:application/java-archive
ssdeep 393216:eqump09N4rHqa8GlZ1DOUnrqvAQ8Iq1Kb0eWB4xI1WrGDQUOtHldNGoH2I3Bdg69:XumpIurHx8s9FqL8b2RWfpDHvoV3BF
TLSH T103273359BA9CE10AF853E571C230DB13E18501257A88FA4B6F78C55C5EEFD82A347E8C
TrID 32.7% (.APK) Android Package (27000/1/5)
26.0% (.OXT) OpenOffice Extension (21500/1/3)
16.3% (.JAR) Java Archive (13500/1/2)
12.7% (.SH3D) Sweet Home 3D Design (generic) (10500/1/3)
7.2% (.USDZ) Universal Scene Description Zipped AR format (generic) (6000/1/1)
Magika apk
Reporter juroots
Tags:apk signed

Code Signing Certificate

Organisation:Android
Issuer:Android
Algorithm:sha1WithRSAEncryption
Valid from:2008-02-29T01:33:46Z
Valid to:2035-07-17T01:33:46Z
Serial number: 936eacbe07f201df
Intelligence: 1706 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
35
Origin country :
IL IL
Vendor Threat Intelligence
No detections
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
android base64 crypto evasive fingerprint loki lolbin persistence signed spyagent tracker
Link:
https://www.filescan.io/uploads/692dfbefff0653ea33452187/reports/645f6672-3ccc-4ecd-9179-250661349c37/overview
Result
Link:
https://incinerator.cloud/#/public/report/ee22a79526a9539b9264a3ca1546b88c/detail
Application Permissions
mount and unmount file systems (MOUNT_UNMOUNT_FILESYSTEMS)
read/modify/delete external storage contents (WRITE_EXTERNAL_STORAGE)
read phone state and identity (READ_PHONE_STATE)
intercept outgoing calls (PROCESS_OUTGOING_CALLS)
display system-level alerts (SYSTEM_ALERT_WINDOW)
read SMS or MMS (READ_SMS)
send SMS messages (SEND_SMS)
directly call phone numbers (CALL_PHONE)
retrieve running applications (GET_TASKS)
modify global system settings (WRITE_SETTINGS)
read external storage contents (READ_EXTERNAL_STORAGE)
coarse (network-based) location (ACCESS_COARSE_LOCATION)
fine (GPS) location (ACCESS_FINE_LOCATION)
mock location sources for testing (ACCESS_MOCK_LOCATION)
record audio (RECORD_AUDIO)
Allows an application to request installing packages. (REQUEST_INSTALL_PACKAGES)
list accounts (GET_ACCOUNTS)
read user-defined dictionary (READ_USER_DICTIONARY)
read contact data (READ_CONTACTS)
write contact data (WRITE_CONTACTS)
automatically start at boot (RECEIVE_BOOT_COMPLETED)
control vibrator (VIBRATE)
prevent phone from sleeping (WAKE_LOCK)
allow Wi-Fi Multicast reception (CHANGE_WIFI_MULTICAST_STATE)
kill background processes (KILL_BACKGROUND_PROCESSES)
full Internet access (INTERNET)
view network status (ACCESS_NETWORK_STATE)
view Wi-Fi status (ACCESS_WIFI_STATE)
change Wi-Fi status (CHANGE_WIFI_STATE)
access extra location provider commands (ACCESS_LOCATION_EXTRA_COMMANDS)
create Bluetooth connections (BLUETOOTH)
bluetooth administration (BLUETOOTH_ADMIN)
send sticky broadcast (BROADCAST_STICKY)
change network connectivity (CHANGE_NETWORK_STATE)
read/write to resources owned by diag (DIAGNOSTIC)
update component usage statistics (PACKAGE_USAGE_STATS)
modify secure system settings (WRITE_SECURE_SETTINGS)
access the cache file system (ACCESS_CACHE_FILESYSTEM)
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/f90a9fb4813d7ed9cb40727922307fbe926610903a8e9d14267a0a0aa26f9029
Verdict:
Adware
File Type:
apk
First seen:
2025-10-03T12:26:00Z UTC
Last seen:
2025-12-01T14:20:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/f90a9fb4813d7ed9cb40727922307fbe926610903a8e9d14267a0a0aa26f9029/results?tab=lookup
Score:
99%
Verdict:
Malware
File Type:
APK
Link:
https://malprob.io/report/f90a9fb4813d7ed9cb40727922307fbe926610903a8e9d14267a0a0aa26f9029
Gathering data
Threat name:
Android.PUA.Presenoker
Create hunting rule
Status:
Malicious
First seen:
2025-10-03 18:28:29 UTC
File Type:
Binary (Archive)
Extracted files:
1464
AV detection:
14 of 35 (40.00%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7efj7nebhv7nts2aoj4semd7x2jgmeeqhkhj2fbgpifavitpsauq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
android collection credential_access defense_evasion discovery evasion impact persistence
Link:
https://tria.ge/reports/251201-zdasnavrdn/
Behaviour
Checks CPU information
Checks memory information
Registers a broadcast receiver at runtime (usually for listening for system events)
Listens for changes in the sensor environment (might be used to detect emulation)
Queries information about active data network
Queries information about the current Wi-Fi connection
Loads dropped Dex/Jar
Obtains sensitive information copied to the device clipboard
Queries information about running processes on the device
Requests cell location
Checks if the Android device is rooted.
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/754de3fd-669c-4628-9b4b-850c66815d6a
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/f90a9fb4813d7ed9cb40727922307fbe926610903a8e9d14267a0a0aa26f9029

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:strrat_jar_v1
Create hunting rule
Author:RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

apk f90a9fb4813d7ed9cb40727922307fbe926610903a8e9d14267a0a0aa26f9029

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3722922/
  
Delivery method
Distributed via web download

Comments