Malicious
Android APK flagged as Wacatac banking trojan; direct-IP C2 contact and obfuscation patterns confirm malicious intent.
fb35a0e4d50de98115…9c09b44884The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
This Android APK carries a single but high-confidence detection from Microsoft (tier-1) naming Wacatac, a documented banking trojan family targeting Android devices. The triggered heuristic 'DirectIpC2' flags direct-IP contact without DNS resolution, a known evasion technique to bypass reputation-based blocklists. File tags (obfuscated, detect-debug-environment, checks-gps, telephony, reflection) are consistent with Android malware anti-analysis and credential-harvesting patterns. Although only 1 of 67 engines flagged it and no sandbox verdicts confirmed malicious runtime behaviour, the combination of named-family detection, C2 evasion pattern, and obfuscation indicators converges on malicious intent. The medium prevalence (11 submitters, 2 days old) suggests a targeted or emerging sample rather than widespread commodity malware.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
Microsoft (tier-1) flagged 'Trojan:Script/Wacatac.B!ml' — named Android banking trojan family
triggeredHeuristics: DirectIpC2 fired — 18 external IPs contacted, zero domains (C2 evasion pattern)
File tags: obfuscated, detect-debug-environment, checks-gps, telephony, reflection — Android malware evasion indicators
Behaviour: T1071 (C2), T1406 (telephony), T1426 (system info), T1513 (clipboard) — ambient but consistent with banking trojan profile
Medium prevalence (11 submitters, 2 days old) — not rare-new, but limited distribution suggests targeted or emerging sample
- No malicious sandbox verdicts recorded
- No malicious dropped children detected
- No contacted hosts in our malicious cache
- 16 tier-1 engines reported clean
- Named banking trojan family (Wacatac) detected by tier-1 engine
- Direct-IP C2 communication (18 IPs, zero domains) — evasion pattern
- Obfuscation and anti-debug checks present
- Telephony and clipboard access capabilities (credential theft)
- Unsigned APK with no publisher history
- Medium prevalence suggests targeted or emerging sample
Block and quarantine this APK immediately. Do not install on any device. If encountered in the wild, report the source to your mobile security provider and consider notifying the app store or distribution channel.
Wacatac corroborated by 1 source
- MT AI EngineWacatac
Files this sample writes at runtime
This file drops 1 child at runtime. None are currently flagged malicious in our cache.
- 7205d464eb08fe5d93b0…b5367fNever scannednever seen before
YARA + heuristic rules that fired
One or more medium-severity heuristic rules matched. Not definitive, but the patterns match known malware behaviour.
Sample contacted 18 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence142.251.151.119 · 172.67.151.52 · 173.194.194.94
1 detection across 75 engines
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name
- app-10.1.5.apk
- Size
- 58.92 MB
- MIME type
- (unknown)
- Detected type
- Android
- SHA-256
- fb35a0e4d50de9811527178cbaba1b0444e2f1f56fd1fae779a80e9c09b44884
- MD5
- 60b98ce776e57737118b255491cda6e5
- SHA-1
- 003e34848483c99aa7ddec67e6441df1adc75949
- First seen (VT)
- 6/9/2026, 4:30:58 PM
- Last analysis (VT)
- 6/9/2026, 4:30:58 PM
- First scan (MalwareTips)
- 6/11/2026, 9:25:32 AM
- Last scan (MalwareTips)
- 6/11/2026, 9:25:32 AM
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.