File name:	venmo.apk
Full analysis:	https://app.any.run/tasks/983f0753-8180-481b-a8a9-974e1c58480c
Verdict:	Malicious activity
Threats:	BTMOB RAT is a remote access Trojan (RAT) designed to give attackers full control over infected devices. It targets Windows and Android endpoints. Its modular structure allows operators to tailor capabilities, making it suitable for espionage, credential theft, financial fraud, and establishing long-term footholds in corporate networks. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	April 11, 2025, 20:34:47
OS:	Android 14
Tags:	btmob rat
Indicators:
MIME:	application/vnd.android.package-archive
File info:	Android package (APK), with AndroidManifest.xml
MD5:	54615D15083BFAF108F07B545B20120D
SHA1:	05FB8C0D5E52F33FCAD37D9F06C4F7F6531703B8
SHA256:	F4E0C62BCE2AD484F42039F23614746032FD88F1319C88E7FA86789DA3F271A0
SSDEEP:	393216:6AsE32vMVabPD7KVXx4yWrudRfhgD/VkJwXJz:jJoMsbPD7KdiyWivfhgDAwB

ZipRequiredVersion:	-
ZipBitFlag:	0x0808
ZipCompression:	Deflated
ZipModifyDate:	1981:01:01 01:01:00
ZipCRC:	0xa0a50a88
ZipCompressedSize:	2886
ZipUncompressedSize:	10288
ZipFileName:	AndroidManifest.xml

PID	CMD	Path	Indicators	Parent process
2269	ssecca.egdirb.tfihs.load	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2301	zygote	/system/bin/app_process32		app_process32
User: root Integrity Level: UNKNOWN Exit code: 0
2315	webview_zygote	/system/bin/app_process32	—	app_process32
User: webview_zygote Integrity Level: UNKNOWN Exit code: 0
2351	zygote	/system/bin/app_process32		app_process32
User: root Integrity Level: UNKNOWN Exit code: 0
2505	/apex/com.android.art/bin/artd	/apex/com.android.art/bin/artd	—	init
User: artd Integrity Level: UNKNOWN Exit code: 0
2508	/apex/com.android.art/bin/dex2oat32 --zip-fd=6 --zip-location=/data/app/~~PUf4fmcIyoktnABrjM3pvA==/yxalag.kcats.hsem-Rughu0w-XQIGysUDpxVBPg==/base.apk --oat-fd=7 --oat-location=/data/app/~~PUf4fmcIyoktnABrjM3pvA==/yxalag.kcats.hsem-Rughu0w-XQIGysUDpxVBPg==/oat/arm64/base.odex --output-vdex-fd=8 --swap-fd=9 --class-loader-context-fds=10 --class-loader-context=PCL[]{PCL[/system/framework/org.apache.http.legacy.jar]} --classpath-dir=/data/app/~~PUf4fmcIyoktnABrjM3pvA==/yxalag.kcats.hsem-Rughu0w-XQIGysUDpxVBPg== --instruction-set=arm64 --instruction-set-features=default --instruction-set-variant=cortex-a53 --compiler-filter=verify --compilation-reason=install --compact-dex-level=none --max-image-block-size=524288 --resolve-startup-const-strings=true --generate-mini-debug-info --runtime-arg -Xtarget-sdk-version:32 --runtime-arg -Xhidden-api-policy:enabled --runtime-arg -Xms64m --runtime-arg -Xmx512m --comments=app-version-name:67.95.78,app-version-code:679578,art-version:340090000	/apex/com.android.art/bin/dex2oat32	—	artd
User: artd Integrity Level: UNKNOWN Exit code: 0
2519	yxalag.kcats.hsem	/system/bin/app_process64		app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2565	ping -c 1 -w 15	/system/bin/ping	—	app_process64
User: u0_a109 Integrity Level: UNKNOWN Exit code: 512
2570	ping -c 1 -w 15	/system/bin/ping	—	app_process64
User: u0_a109 Integrity Level: UNKNOWN Exit code: 512

PID	Process	Filename		Type
2269	app_process64	/data/data/ssecca.egdirb.tfihs.load/shared_prefs/WebViewChromiumPrefs.xml		xml
		MD5:—	SHA256:—
2269	app_process64	/data/data/ssecca.egdirb.tfihs.load/app_webview/Default/Local Storage/leveldb/MANIFEST-000001		binary
		MD5:—	SHA256:—
2269	app_process64	/data/data/ssecca.egdirb.tfihs.load/cache/WebView/Default/HTTP Cache/Code Cache/webui_js/index		binary
		MD5:—	SHA256:—
2269	app_process64	/data/data/ssecca.egdirb.tfihs.load/cache/WebView/Default/HTTP Cache/Code Cache/js/index		binary
		MD5:—	SHA256:—
2269	app_process64	/data/data/ssecca.egdirb.tfihs.load/app_webview/Default/Local Storage/leveldb/000001.dbtmp		text
		MD5:—	SHA256:—
2269	app_process64	/data/data/ssecca.egdirb.tfihs.load/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index		binary
		MD5:—	SHA256:—
2269	app_process64	/data/data/ssecca.egdirb.tfihs.load/app_webview/Default/Local Storage/leveldb/CURRENT		text
		MD5:—	SHA256:—
2269	app_process64	/data/data/ssecca.egdirb.tfihs.load/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index-dir/temp-index		binary
		MD5:—	SHA256:—
2269	app_process64	/data/data/ssecca.egdirb.tfihs.load/cache/WebView/Default/HTTP Cache/Code Cache/js/index-dir/temp-index		binary
		MD5:—	SHA256:—
2269	app_process64	/data/data/ssecca.egdirb.tfihs.load/cache/WebView/Default/HTTP Cache/Code Cache/webui_js/index-dir/temp-index		binary
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	142.250.184.228:80	http://www.google.com/gen_204	unknown	—	—	whitelisted
—	—	GET	204	142.250.74.195:80	http://connectivitycheck.gstatic.com/generate_204	unknown	—	—	whitelisted
—	—	GET	204	142.250.184.228:443	https://www.google.com/generate_204	unknown	—	—	unknown
—	—	GET	204	142.250.74.195:80	http://connectivitycheck.gstatic.com/generate_204	unknown	—	—	whitelisted
2519	app_process64	HEAD	200	79.133.57.141:80	http://79.133.57.141/yaarsa/private/yarsap_80541.php	unknown	—	—	malicious
2519	app_process64	POST	200	79.133.57.141:80	http://79.133.57.141/yaarsa/private/yarsap_80541.php	unknown	—	—	malicious
2519	app_process64	POST	200	79.133.57.141:80	http://79.133.57.141/yaarsa/private/yarsap_80541.php	unknown	—	—	malicious
2519	app_process64	HEAD	200	79.133.57.141:80	http://79.133.57.141/yaarsa/private/yarsap_80541.php	unknown	—	—	malicious
—	—	GET	200	142.250.185.195:443	https://clientservices.googleapis.com/chrome-variations/seed?osname=android_webview&milestone=113	unknown	compressed	23.0 Kb	whitelisted
—	—	POST	200	108.177.96.81:443	https://staging-remoteprovisioning.sandbox.googleapis.com/v1:fetchEekChain	unknown	binary	699 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
443	mdnsd	224.0.0.251:5353	—	—	—	unknown
—	—	142.250.74.195:80	connectivitycheck.gstatic.com	GOOGLE	US	whitelisted
—	—	142.250.184.228:443	www.google.com	GOOGLE	US	whitelisted
—	—	142.250.184.228:80	www.google.com	GOOGLE	US	whitelisted
—	—	216.239.35.0:123	time.android.com	—	—	whitelisted
—	—	108.177.96.81:443	staging-remoteprovisioning.sandbox.googleapis.com	GOOGLE	US	whitelisted
568	app_process64	216.239.35.4:123	time.android.com	—	—	whitelisted
568	app_process64	216.239.35.12:123	time.android.com	—	—	whitelisted
2351	app_process32	142.250.185.227:443	update.googleapis.com	GOOGLE	US	whitelisted
2301	app_process32	142.250.185.195:443	clientservices.googleapis.com	GOOGLE	US	whitelisted

Domain	IP	Reputation
connectivitycheck.gstatic.com	142.250.74.195	whitelisted
www.google.com	142.250.184.228	whitelisted
google.com	216.58.212.174	whitelisted
time.android.com	216.239.35.0 216.239.35.4 216.239.35.12 216.239.35.8	whitelisted
staging-remoteprovisioning.sandbox.googleapis.com	108.177.96.81	whitelisted
update.googleapis.com	142.250.185.227	whitelisted
clientservices.googleapis.com	142.250.185.195	whitelisted
dl.google.com	142.250.184.238	whitelisted

PID	Process	Class	Message
—	—	Misc activity	ET INFO Android Device Connectivity Check
—	—	Misc activity	ET INFO Android Device Connectivity Check

.jar	\|	Java Archive (78.3)
.zip	\|	ZIP compressed archive (21.6)

General Info

venmo.apk

54615D15083BFAF108F07B545B20120D

05FB8C0D5E52F33FCAD37D9F06C4F7F6531703B8

F4E0C62BCE2AD484F42039F23614746032FD88F1319C88E7FA86789DA3F271A0

393216:6AsE32vMVabPD7KVXx4yWrudRfhgD/VkJwXJz:jJoMsbPD7KdiyWivfhgDAwB

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Initiates background APK installation

Checks whether the screen is currently on

Executes system commands or scripts

BTMOB has been detected

SUSPICIOUS

Retrieves a list of running services

Creates a WakeLock to manage power state

Abuses foreground service for persistence

Acquires a wake lock to keep the device awake

Updates data in the storage of application settings (SharedPreferences)

Accesses system-level resources

Uses encryption API functions

Connects to the server without a host name

Establishing a connection

Accesses external device storage files

Triggers notification to user

INFO

Dynamically registers broadcast event listeners

Retrieves data from storage of application settings (SharedPreferences)

Retrieves the value of a secure system setting

Listens for changes in sensors

Detects device power status

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings