File name: ely-loader-3.7_free.apk

Full analysis: https://app.any.run/tasks/fe03f257-f0a6-4f7d-8816-3bee8f47853f
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: February 17, 2026, 18:34:19
OS: Android 14
Tags: tanglebot, rat
Indicators:
MIME: application/vnd.android.package-archive
File info: Android package (APK), with AndroidManifest.xml
MD5: FEFE7E7705155272A454C4F8436879D5
SHA1: 7027EAB211DF2E8F145EC1D9F51F9A32E3D6743E
SHA256: C7FACE33B86E78258D8CBFF670AB7F91059FA71B69E92D7EE52CA980628F1776
SSDEEP: 98304:u5Xa1sJ63JDhaACSYNCEdcvBo/yy+lfwb0t4gtk1wh++fyUe/js/F+fed8bR5/Y3:9DZ4mC7WHb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • TANGLEBOT has been detected
      • app_process64 (PID: 4005)
    • Executes system commands or scripts
      • app_process64 (PID: 4005)
  • SUSPICIOUS
    • Accesses external device storage files
      • app_process64 (PID: 4005)
    • Uses encryption API functions
      • app_process64 (PID: 4005)
    • Accesses system-level resources
      • app_process64 (PID: 4005)
  • INFO
    • Dynamically inspects or modifies classes, methods, and fields at runtime
      • app_process64 (PID: 4005)
    • Loads a native library into the application
      • app_process64 (PID: 4005)
    • Gets the display metrics associated with the device's screen
      • app_process64 (PID: 4005)
    • Gets file name without full path
      • app_process64 (PID: 4005)
    • Dynamically loads a class in Java
      • app_process64 (PID: 4005)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No malware configuration.

TRiD

.jar | Java Archive (78.3)
.zip | ZIP compressed archive (21.6)

EXIF

ZIP

ZipRequiredVersion: -
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:08:30 16:20:26
ZipCRC: 0x2e4bfc7f
ZipCompressedSize: 1607
ZipUncompressedSize: 5304
ZipFileName: AndroidManifest.xml
No data.
All screenshots are available in the full report
Total processes: 135
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start; app_process64 (#TANGLEBOT, no specs); app_process64 (no specs) ×5 (graph rendered in the full report)

Process information

PID | CMD | Path | Parent process
4005 | com.facebook.lite | /system/bin/app_process64 | app_process64
    User: root; Integrity Level: UNKNOWN; Exit code: 0
4028 | com.android.traceur | /system/bin/app_process64 | app_process64
    User: u0_a54; Integrity Level: UNKNOWN; Exit code: 512
4040 | com.facebook.lite | /system/bin/app_process64 | app_process64
    User: u0_a108; Integrity Level: UNKNOWN; Exit code: 65280
4041 | com.facebook.lite | /system/bin/app_process64 | app_process64
    User: u0_a108; Integrity Level: UNKNOWN; Exit code: 65280
4117 | com.facebook.lite | /system/bin/app_process64 | app_process64
    User: u0_a108; Integrity Level: UNKNOWN; Exit code: 65280
4123 | com.facebook.lite | /system/bin/app_process64 | app_process64
    User: u0_a108; Integrity Level: UNKNOWN; Exit code: 65280
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 14
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
(MD5 and SHA256 fields are empty in the report)
4005 | app_process64 | /data/data/com.facebook.lite/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫. | binary
4005 | app_process64 | /data/data/com.facebook.lite/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫ | compressed
4040 | app_process64 | /data/data/com.facebook.lite/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫ | compressed
4041 | app_process64 | /data/data/com.facebook.lite/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫ | compressed
4005 | app_process64 | /data/data/com.facebook.lite/cache/oat_primary/arm64/base.4005.tmp | binary
4117 | app_process64 | /data/data/com.facebook.lite/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫ | compressed
4123 | app_process64 | /data/data/com.facebook.lite/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫ | compressed
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 8
DNS requests: 4
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(- = field empty in the report)
1921 | app_process64 | GET | 204 | 142.251.141.100:443 | https://www.google.com/generate_204 | unknown | - | - | whitelisted
- | - | GET | 204 | 142.251.141.100:80 | http://www.google.com/gen_204 | unknown | - | - | whitelisted
1921 | app_process64 | GET | 204 | 142.251.140.163:80 | http://connectivitycheck.gstatic.com/generate_204 | unknown | - | - | whitelisted
2931 | app_process64 | POST | 200 | 64.233.184.81:443 | https://staging-remoteprovisioning.sandbox.googleapis.com/v1:fetchEekChain | unknown | binary | 778 b | whitelisted
2931 | app_process64 | POST | 200 | 64.233.184.81:443 | https://staging-remoteprovisioning.sandbox.googleapis.com/v1:signCertificates?challenge=AAABnGzh88UBILStY-LTFEmX5TaqrCLZ0tACkq0=&request_id=7d2e0c49-6528-454a-93d1-66d21e3607c0 | unknown | binary | 11.8 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(- = field empty in the report)
- | - | 142.251.141.100:80 | www.google.com | GOOGLE | US | whitelisted
452 | mdnsd | 224.0.0.251:5353 | - | - | - | whitelisted
- | - | 142.251.140.163:80 | connectivitycheck.gstatic.com | GOOGLE | US | whitelisted
- | - | 142.251.141.100:443 | www.google.com | GOOGLE | US | whitelisted
580 | app_process64 | 216.239.35.8:123 | time.android.com | GOOGLE | US | whitelisted
1921 | app_process64 | 142.251.141.100:443 | www.google.com | GOOGLE | US | whitelisted
1921 | app_process64 | 142.251.140.163:80 | connectivitycheck.gstatic.com | GOOGLE | US | whitelisted
2931 | app_process64 | 64.233.184.81:443 | staging-remoteprovisioning.sandbox.googleapis.com | GOOGLE | US | whitelisted

DNS requests

Domain | IP | Reputation
www.google.com | 142.251.141.100 | whitelisted
connectivitycheck.gstatic.com | 142.251.140.163 | whitelisted
time.android.com | 216.239.35.8, 216.239.35.4, 216.239.35.0, 216.239.35.12 | whitelisted
staging-remoteprovisioning.sandbox.googleapis.com | 64.233.184.81 | whitelisted

Threats

PID | Process | Class | Message
1921 | app_process64 | Misc activity | ET INFO Android Device Connectivity Check
No debug info