Malicious
Kaspersky tier-1 detection of Mamont dropper combined with direct-IP C2 contact pattern and obfuscation indicates malicious Android trojan.
83c1243cdabe409e0b…5ec508d500
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The sample triggered our direct-IP C2 heuristic, which flags contact to external IPs without DNS resolution as a strong malware indicator because it bypasses reputation systems. Kaspersky, a tier-1 engine, named the family as Trojan-Dropper.AndroidOS.Mamont, and two tier-2 engines (SymantecMobileInsight, K7GW) independently flagged malicious classifications. While tier-1 consensus is not strong (only 1 engine), the combination of a named tier-1 family detection, the direct-IP C2 pattern, obfuscation tags, and multi-tier agreement creates a coherent malicious profile. No sandbox execution verdict contradicts this, and no malicious host contact was found in our cache — but the absence of sandbox data does not negate the detection pattern.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
Kaspersky (tier-1) detected HEUR:Trojan-Dropper.AndroidOS.Mamont.ae — named dropper family
MalwareTips.Synth.DirectIpC2 heuristic fired: 16 external IPs contacted, zero domains — direct-IP C2 is strong malware indicator
SymantecMobileInsight (tier-2) flagged AdLibrary:Generisk; K7GW (tier-2) flagged Trojan — multi-engine agreement on malicious classification
Obfuscated Android APK with reflection + embedded ELF; unsigned; no benign sandbox verdict or malicious host contact in our cache
Medium prevalence (96 submitters) and 37-day age rule out rare-new false-positive scenario; tier-1 consensus absent but tier-1 + tier-2 + heuristic convergence is strong
- No malicious sandbox execution verdict recorded
- No malicious dropped children detected
- No contacted hosts matched our malicious URL cache
- Medium prevalence (96 submitters) suggests known sample, not zero-day
- Tier-1 engine (Kaspersky) detected Trojan-Dropper.AndroidOS.Mamont family
- Direct-IP C2 contact pattern: 16 external IPs, zero domains — evasion technique
- Obfuscated code with reflection and embedded ELF binary
- Unsigned Android APK with no publisher verification
- Multi-tier engine agreement (tier-1 + tier-2) on malicious classification
- Dropper family typically used to stage secondary payloads
Block and quarantine this file. Do not install on any device. If encountered in a download or email, report it to your security team and the source platform. Verify any streaming app downloads through official app stores only.
adlibrary corroborated by 2 sources
- VT (75 engines): adlibrary
- MT AI Engine: Mamont
YARA + heuristic rules that fired
One or more medium-severity heuristic rules matched. Not definitive, but the patterns match known malware behaviour.
Sample contacted 16 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence: 142.251.151.119 · 173.194.194.94 · 104.21.64.137
4 detections across 75 engines
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name: onstream-tv-1.1.1.apk
- Size: 15.64 MB
- MIME type: (unknown)
- Detected type: Android
- SHA-256: 83c1243cdabe409e0b398f29b89f737d919b4084520cccfd1e19fc5ec508d500
- MD5: 4d5eb17c74d9dd2c7f095fd1dcb7a28d
- SHA-1: 64d123f62b3d593cf605643799e729ee721e2991
- First seen (VT): 5/13/2026, 1:37:54 AM
- Last analysis (VT): 6/15/2026, 4:24:41 PM
- First scan (MalwareTips): 6/18/2026, 5:39:50 PM
- Last scan (MalwareTips): 6/18/2026, 5:39:50 PM