URL:

xmanager.com

Full analysis: https://app.any.run/tasks/f609df27-9186-4fb9-91b9-0717619b212e
Verdict: Malicious activity
Analysis date: April 29, 2025, 13:38:26
OS: Android 14
Tags:
telegram
Indicators:
MD5:

6DA2114BFEF3315798E8D6CD9230275E

SHA1:

E6D59CD538C184C5AEA3D720D91230A40FBB4EA9

SHA256:

E9F27D474F853AC45E07A4DA564AB9C79948AB7F9818C587D31C4D4F6A0CF70E

SSDEEP:

3:fiZI:aZI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • app_process64 (PID: 2209)

  • INFO

    • Attempting to use instant messaging service

      • app_process64 (PID: 2209)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
127
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start app_process64 app_process64 no specs app_process32 app_process32 no specs app_process32

Process information

PID
CMD
Path
Indicators
Parent process
2209org.chromium.webview_shell /system/bin/app_process64
app_process64
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
2210com.android.settings /system/bin/app_process64app_process64
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
2257zygote /system/bin/app_process32
app_process32
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
2259webview_zygote /system/bin/app_process32app_process32
User:
webview_zygote
Integrity Level:
UNKNOWN
Exit code:
0
2311zygote /system/bin/app_process32
app_process32
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
72
DNS requests
28
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
142.250.185.131:80
http://connectivitycheck.gstatic.com/generate_204
unknown
whitelisted
2209
app_process64
GET
530
104.21.65.82:80
http://xmanager.com/
unknown
unknown
2209
app_process64
GET
301
185.230.63.107:80
http://xmanagerapp.com/
unknown
unknown
2209
app_process64
GET
530
104.21.65.82:80
http://xmanager.com/favicon.ico
unknown
unknown
2209
app_process64
GET
200
104.21.65.82:80
http://xmanager.com/cdn-cgi/styles/main.css
unknown
unknown
2209
app_process64
GET
301
149.154.167.99:80
http://t.me/xManagerSupport/403172
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
445
mdnsd
224.0.0.251:5353
unknown
142.250.185.228:443
www.google.com
GOOGLE
US
whitelisted
142.250.185.131:80
connectivitycheck.gstatic.com
GOOGLE
US
whitelisted
216.239.35.4:123
time.android.com
whitelisted
64.233.184.81:443
staging-remoteprovisioning.sandbox.googleapis.com
GOOGLE
US
whitelisted
2257
app_process32
142.250.185.99:443
clientservices.googleapis.com
GOOGLE
US
whitelisted
2311
app_process32
142.250.185.131:443
connectivitycheck.gstatic.com
GOOGLE
US
whitelisted
2209
app_process64
104.21.65.82:80
xmanager.com
CLOUDFLARENET
unknown
2311
app_process32
142.250.185.78:443
dl.google.com
GOOGLE
US
whitelisted
579
app_process64
216.239.35.12:123
time.android.com
whitelisted

DNS requests

Domain
IP
Reputation
www.google.com
  • 142.250.185.228
whitelisted
connectivitycheck.gstatic.com
  • 142.250.185.131
whitelisted
time.android.com
  • 216.239.35.4
  • 216.239.35.12
  • 216.239.35.8
  • 216.239.35.0
whitelisted
staging-remoteprovisioning.sandbox.googleapis.com
  • 64.233.184.81
whitelisted
google.com
  • 142.250.186.46
whitelisted
clientservices.googleapis.com
  • 142.250.185.99
whitelisted
update.googleapis.com
  • 142.250.185.131
whitelisted
xmanager.com
  • 104.21.65.82
  • 172.67.189.105
unknown
dl.google.com
  • 142.250.185.78
whitelisted
performance.radar.cloudflare.com
  • 104.18.31.78
  • 104.18.30.78
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO Android Device Connectivity Check
2209
app_process64
Misc activity
ET INFO Observed Telegram Domain (t .me in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
xmanager.com