Safe
Android APK with no malicious detections across 17 tier-1 engines; direct-IP contact is benign for Google infrastructure.
9be0d408ff7054b7ad…74292fa557

The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
This Android APK received comprehensive scanning (67 of 76 engines reporting) with zero malicious or suspicious detections. All 17 tier-1 engines (Kaspersky, Microsoft, BitDefender, ESET-NOD32, Avira, Fortinet, Emsisoft, F-Secure, Ikarus, GData, DrWeb, Avast, AVG) reported it clean. The only alert is a heuristic rule flagging direct-IP C2 contact, but analysis of the contacted IPs reveals they belong to Google and Cloudflare — infrastructure that legitimate Android apps contact routinely for services like Firebase and Play Services. Behaviour analysis shows only ambient techniques (application-layer protocol, encrypted channel) with no offensive MITRE techniques. The file is rare and old (3 submissions since March 2022, no recent activity), with no external intelligence corroboration, no dropped children, and no malicious host contacts.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
- 17/17 tier-1 engines reporting clean (Kaspersky, Microsoft, BitDefender, ESET-NOD32, Avira, Fortinet, Emsisoft, F-Secure, Ikarus, GData, DrWeb, Avast, AVG all undetected)
- Contacted IPs (173.194.194.94, 173.194.193.113, 142.251.183.95, 172.67.151.52) are Google and Cloudflare infrastructure — typical for Android apps
- Behaviour: ambientCount=2, offensiveCount=0, no malicious sandbox verdicts, no dropped children, no malicious host contacts
- Prevalence: rare_old (3 submissions since 2022-03-28); no recent feedback or community annotations
- Triggered heuristic 'MalwareTips.Synth.DirectIpC2' (medium) is the sole alert, but the pattern is benign for Android apps contacting Google services
- All 17 tier-1 antivirus engines report clean
- Zero malicious or suspicious detections across 67 reporting engines
- Contacted IPs belong to Google and Cloudflare — legitimate infrastructure
- Only ambient MITRE techniques; zero offensive techniques
- No malicious sandbox verdicts, dropped children, or malicious host contacts
This file is safe to use. The heuristic alert on direct-IP contact is a false positive in the context of Android apps contacting Google infrastructure. No further action is needed.
YARA + heuristic rules that fired
One or more medium-severity heuristic rules matched. Not definitive, but the patterns match known malware behaviour.
Sample contacted 5 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence: 173.194.194.94 · 173.194.193.113 · 172.67.151.52
0 detections across 76 engines
How often this file shows up in the wild
Rarely uploaded, but has been around for a while. Often niche legitimate software or old internal tooling; not a strong malware signal on its own.
Forensic fingerprint
- File name: nqpaoxc4m.dll
- Size: 12.4 KB
- MIME type: (unknown)
- Detected type: Android
- SHA-256: 9be0d408ff7054b7ad161912d8e05c3f507a94c8020a7c17eda14f74292fa557
- MD5: c31072e649b7c7e078f995b78d4bb1c0
- SHA-1: 015bcb88f69330a01040a82cd549052d39f5ec30
- First seen (VT): 3/28/2022, 8:06:02 AM
- Last analysis (VT): 12/11/2025, 1:21:04 PM
- First scan (MalwareTips): 7/2/2026, 7:12:29 PM
- Last scan (MalwareTips): 7/2/2026, 7:12:29 PM
Reviews & malware reports (0)