File name:

d33a46dbd1a5520f29e9a5cb00fd2468.apk

Full analysis: https://app.any.run/tasks/9b8121be-fc89-49ee-83ae-7516b42496be
Verdict: Malicious activity
Threats:

BTMOB RAT is a remote access Trojan (RAT) designed to give attackers full control over infected devices. It targets Windows and Android endpoints. Its modular structure allows operators to tailor capabilities, making it suitable for espionage, credential theft, financial fraud, and establishing long-term footholds in corporate networks.

Malware Trends Tracker     >>>
Analysis date: June 19, 2025, 14:00:38
OS: Android 14
Tags:
btmob
rat
evasion
websocket
Indicators:
MIME: application/vnd.android.package-archive
File info: Android package (APK), with classes.dex
MD5:

D33A46DBD1A5520F29E9A5CB00FD2468

SHA1:

93756DC6497F628989F08CA445174D75903F4CB9

SHA256:

720720CC5B1B894D55B97E16374D0F68EAA25CF9E26C4BA4C9E7CBABD413EF81

SSDEEP:

98304:eE5Ve94wga9xoU6J1yyswiQRf8ZyVlCayP2d+D2cw/Z0gHwJWvVs6spEGf8LBXPs:/ghg6PEIWPmdBFtrMJVJ7cWKBQyM0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Checks whether the screen is currently on

      • app_process64 (PID: 2267)

    • BTMOB has been detected

      • app_process64 (PID: 2267)

  • SUSPICIOUS

    • Retrieves installed applications on device

      • app_process64 (PID: 2267)

    • Accesses system-level resources

      • app_process64 (PID: 2267)

    • Acquires a wake lock to keep the device awake

      • app_process64 (PID: 2267)

    • Creates a WakeLock to manage power state

      • app_process64 (PID: 2267)

    • Uses encryption API functions

      • app_process64 (PID: 2267)

    • Abuses foreground service for persistence

      • app_process64 (PID: 2267)

    • Collects data about the device's environment (JVM version)

      • app_process64 (PID: 2267)

    • Retrieves a list of running services

      • app_process64 (PID: 2267)

    • Accesses external device storage files

      • app_process64 (PID: 2267)

    • Establishing a connection

      • app_process64 (PID: 2267)

    • Updates data in the storage of application settings (SharedPreferences)

      • app_process64 (PID: 2267)

    • Prevents its uninstallation by user

      • app_process64 (PID: 2267)

    • Starts a service

      • app_process64 (PID: 2267)

    • Checks exemption from battery optimization

      • app_process64 (PID: 2267)

    • Requests access to accessibility settings

      • app_process64 (PID: 2267)

    • Launches a new activity

      • app_process64 (PID: 2267)

    • Overlays content on other applications

      • app_process64 (PID: 2267)

    • Intercepts events for accessibility services

      • app_process64 (PID: 2267)

    • Checks if the device's lock screen is showing

      • app_process64 (PID: 2267)

    • Checks for external IP

      • netd (PID: 339)
      • app_process64 (PID: 2267)

    • Connects to the server without a host name

      • app_process64 (PID: 2267)

  • INFO

    • Stores data using SQLite database

      • app_process64 (PID: 2267)

    • Dynamically inspects or modifies classes, methods, and fields at runtime

      • app_process64 (PID: 2267)

    • Listens for changes in sensors

      • app_process64 (PID: 2267)

    • Retrieves data from storage of application settings (SharedPreferences)

      • app_process64 (PID: 2267)

    • Dynamically registers broadcast event listeners

      • app_process64 (PID: 2267)

    • Retrieves the value of a global system setting

      • app_process64 (PID: 2267)

    • Detects device power status

      • app_process64 (PID: 2267)

    • Verifies whether the device is connected to the internet

      • app_process64 (PID: 2267)

    • Retrieves the value of a secure system setting

      • app_process64 (PID: 2267)

    • Gets file name without full path

      • app_process64 (PID: 2267)

    • Attempting to connect via WebSocket

      • app_process64 (PID: 2267)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
131
Monitored processes
7
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #BTMOB app_process64 app_process64 app_process64 no specs app_process64 netd app_process64 no specs app_process64 no specs

Process information

PID
CMD
Path
Indicators
Parent process
339/system/bin/netd/system/bin/netd
init
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
2267wolg.eslup.tsacdaorb /system/bin/app_process64
app_process64
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
2306com.android.webview:webview_service /system/bin/app_process64
app_process64
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
2319webview_zygote /system/bin/app_process64app_process64
User:
webview_zygote
Integrity Level:
UNKNOWN
Exit code:
0
2361com.android.webview:webview_apk /system/bin/app_process64
app_process64
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
2490com.android.systemui.accessibility.accessibilitymenu /system/bin/app_process64app_process64
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
2552com.android.settings /system/bin/app_process64app_process64
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
346
Text files
52
Unknown types
3

Dropped files

PID
Process
Filename
Type
2267app_process64/data/data/wolg.eslup.tsacdaorb/no_backup/androidx.work.workdb-journalbinary
MD5:
SHA256:
2267app_process64/data/data/wolg.eslup.tsacdaorb/shared_prefs/wolg.eslup.tsacdaorb.xmlxml
MD5:
SHA256:
2267app_process64/data/data/wolg.eslup.tsacdaorb/no_backup/androidx.work.workdb-walbinary
MD5:
SHA256:
2267app_process64/data/data/wolg.eslup.tsacdaorb/app_webview/last-exit-infobinary
MD5:
SHA256:
2267app_process64/data/data/wolg.eslup.tsacdaorb/shared_prefs/WebViewChromiumPrefs.xmlxml
MD5:
SHA256:
2267app_process64/data/data/wolg.eslup.tsacdaorb/cache/WebView/Default/HTTP Cache/Code Cache/wasm/indexbinary
MD5:
SHA256:
2267app_process64/data/data/wolg.eslup.tsacdaorb/cache/WebView/Default/HTTP Cache/Code Cache/js/indexbinary
MD5:
SHA256:
2267app_process64/data/data/wolg.eslup.tsacdaorb/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index-dir/temp-indexbinary
MD5:
SHA256:
2267app_process64/data/data/wolg.eslup.tsacdaorb/cache/WebView/Default/HTTP Cache/Code Cache/js/index-dir/temp-indexbinary
MD5:
SHA256:
2267app_process64/data/data/wolg.eslup.tsacdaorb/app_webview/Default/Web Data-journalbinary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
59
TCP/UDP connections
68
DNS requests
34
Threats
57

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
142.250.184.227:80
http://connectivitycheck.gstatic.com/generate_204
unknown
whitelisted
2267
app_process64
HEAD
200
144.172.93.125:80
http://144.172.93.125/yaarsa/private/yarsap_80541.php
unknown
unknown
2267
app_process64
POST
200
144.172.93.125:80
http://144.172.93.125/yaarsa/private/yarsap_80541.php
unknown
unknown
2267
app_process64
GET
200
34.240.185.29:80
http://checkip.amazonaws.com/
unknown
whitelisted
2267
app_process64
GET
101
144.172.93.125:8080
http://144.172.93.125:8080/
unknown
unknown
2267
app_process64
GET
101
144.172.93.125:8080
http://144.172.93.125:8080/
unknown
unknown
2267
app_process64
GET
34.240.185.29:80
http://checkip.amazonaws.com/
unknown
whitelisted
2267
app_process64
HEAD
200
144.172.93.125:80
http://144.172.93.125/yaarsa/private/yarsap_80541.php
unknown
unknown
2267
app_process64
POST
200
144.172.93.125:80
http://144.172.93.125/yaarsa/private/yarsap_80541.php
unknown
unknown
2267
app_process64
GET
200
34.240.185.29:80
http://checkip.amazonaws.com/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
451
mdnsd
224.0.0.251:5353
unknown
216.239.35.0:123
time.android.com
whitelisted
142.250.184.227:80
connectivitycheck.gstatic.com
GOOGLE
US
whitelisted
216.58.206.68:443
www.google.com
GOOGLE
US
whitelisted
74.125.133.81:443
staging-remoteprovisioning.sandbox.googleapis.com
GOOGLE
US
whitelisted
2361
app_process64
142.250.185.99:443
update.googleapis.com
GOOGLE
US
whitelisted
2361
app_process64
142.250.185.238:443
dl.google.com
GOOGLE
US
whitelisted
2361
app_process64
34.104.35.123:443
edgedl.me.gvt1.com
GOOGLE
US
whitelisted
2306
app_process64
142.250.186.99:443
clientservices.googleapis.com
GOOGLE
US
whitelisted
2267
app_process64
144.172.93.125:80
QUICKPACKET
US
unknown

DNS requests

Domain
IP
Reputation
connectivitycheck.gstatic.com
  • 142.250.184.227
whitelisted
www.google.com
  • 216.58.206.68
  • 142.250.186.100
whitelisted
time.android.com
  • 216.239.35.0
  • 216.239.35.12
  • 216.239.35.4
  • 216.239.35.8
whitelisted
google.com
  • 142.250.185.174
whitelisted
staging-remoteprovisioning.sandbox.googleapis.com
  • 74.125.133.81
whitelisted
update.googleapis.com
  • 142.250.185.99
whitelisted
dl.google.com
  • 142.250.185.238
whitelisted
edgedl.me.gvt1.com
  • 34.104.35.123
whitelisted
clientservices.googleapis.com
  • 142.250.186.99
whitelisted
checkip.amazonaws.com
  • 34.240.185.29
  • 54.155.155.35
  • 54.171.252.5
  • 34.251.92.207
  • 34.251.69.2
  • 52.50.88.233
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO Android Device Connectivity Check
2267
app_process64
Device Retrieving External IP Address Detected
ET INFO External IP Check (checkip .amazonaws .com)
339
netd
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (checkip .amazonaws .com)
2267
app_process64
Not Suspicious Traffic
INFO [ANY.RUN] Websocket Upgrade Request
2267
app_process64
Not Suspicious Traffic
INFO [ANY.RUN] Websocket Upgrade Request
2267
app_process64
Device Retrieving External IP Address Detected
SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
2267
app_process64
Device Retrieving External IP Address Detected
ET INFO External IP Check (checkip .amazonaws .com)
2267
app_process64
Device Retrieving External IP Address Detected
SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
2267
app_process64
Device Retrieving External IP Address Detected
ET INFO External IP Check (checkip .amazonaws .com)
2267
app_process64
Device Retrieving External IP Address Detected
SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
d33a46dbd1a5520f29e9a5cb00fd2468.apk