Malware Analysis Report

2025-01-19 05:29

Sample ID 210730-6jgqmjgpse
Target 79624_Video_Oynatıcı.apk
SHA256 f9a4dd42e1694b390c2c6e02b25c7cbf57947ab28aeea1f67ed54bc09de422d7
Tags
hydra banker infostealer obfuscation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f9a4dd42e1694b390c2c6e02b25c7cbf57947ab28aeea1f67ed54bc09de422d7

Threat Level: Known bad

The file 79624_Video_Oynatıcı.apk was found to be: Known bad.

Malicious Activity Summary

hydra banker infostealer obfuscation trojan

Hydra

Requests dangerous framework permissions

Requests enabling of the accessibility settings.

Loads dropped Dex/Jar

Uses reflection

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2021-07-30 12:28

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
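The six permissions above are the whole of the static verdict, so a triage script that turns a manifest's permission list into capabilities and flags the SMS-plus-contacts pairing is the check an analyst wants before any detonation. The example below is added here and is not part of the sandbox or of the sample; the capability groupings, the heuristics in assess_permissions, and the constructed aapt output are this example's own assumptions. It parses the `uses-permission:` lines that `aapt dump permissions` prints, in both the quoted and the older unquoted form.

```python
"""Permission triage for an Android APK (added example, not sandbox code).

The six permissions in STATIC1_PERMISSIONS are the ones this report lists.
The capability groupings and the banker/infostealer heuristics are analyst
assumptions, not part of the sandbox's signature logic.
"""
import re

# Analyst heuristic (assumption): which capability each dangerous permission buys.
CAPABILITIES = {
    "android.permission.RECEIVE_SMS": "sms-intercept",
    "android.permission.READ_SMS": "sms-intercept",
    "android.permission.SEND_SMS": "sms-send",
    "android.permission.READ_CONTACTS": "contact-harvest",
    "android.permission.CALL_PHONE": "call-control",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
}

# Permissions flagged in the static1 section of this report.
STATIC1_PERMISSIONS = [
    "android.permission.RECEIVE_SMS",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.CALL_PHONE",
]

# Matches `uses-permission: name='X'` (current aapt) and `uses-permission: X` (older aapt);
# trailing attributes such as maxSdkVersion are ignored.
_AAPT_PERM = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)'?.*$", re.M)


def permissions_from_aapt(dump):
    """Extract uses-permission names from `aapt dump permissions <apk>` output."""
    return _AAPT_PERM.findall(dump)


def assess_permissions(requested):
    """Map requested permissions to capabilities and flag banker-like combinations.

    Returns (capabilities, findings): the sorted capability tags, and the
    human-readable reasons an analyst should look closer.
    """
    caps = sorted({CAPABILITIES[p] for p in requested if p in CAPABILITIES})
    have = set(caps)
    findings = []
    if "sms-intercept" in have:
        findings.append("reads incoming SMS: one-time passcodes can be intercepted")
    if {"sms-intercept", "contact-harvest"} <= have:
        findings.append("SMS access plus contacts: classic banker/infostealer pairing")
    if {"sms-send", "contact-harvest"} <= have:
        findings.append("can send SMS to harvested contacts: smishing spread")
    if "call-control" in have:
        findings.append("CALL_PHONE: can place calls or dial USSD codes without a dialer prompt")
    return caps, findings


# Constructed aapt output for the sample's package name (not real tool output).
SAMPLE_AAPT_DUMP = "package: com.axvfqumr.gzlamtk\n" + "".join(
    f"uses-permission: name='{p}'\n" for p in STATIC1_PERMISSIONS
)

if __name__ == "__main__":
    caps, findings = assess_permissions(permissions_from_aapt(SAMPLE_AAPT_DUMP))
    print("capabilities:", ", ".join(caps))
    for finding in findings:
        print(" -", finding)
```

Run it against real output with `aapt dump permissions 79624_Video_Oynatıcı.apk | python3 triage.py`-style piping after swapping SAMPLE_AAPT_DUMP for stdin; the point is that the permission set alone already describes an OTP-stealing, contact-harvesting capability, before any dex is dropped.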

Analysis: behavioral1

Detonation Overview

Submitted

2021-07-30 12:28

Reported

2021-07-30 12:29

Platform

android-x86-arm

Max time kernel

4150542s

Command Line

com.axvfqumr.gzlamtk

Signatures

Hydra

banker trojan infostealer hydra

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.axvfqumr.gzlamtk/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A
N/A | /data/user/0/com.axvfqumr.gzlamtk/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Uses reflection

obfuscation
Description | Indicator | Process | Target
Accesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE | N/A | N/A | N/A

Processes

com.axvfqumr.gzlamtk

com.axvfqumr.gzlamtk

/system/bin/dex2oat

Network

N/A

Files

/data/user/0/com.axvfqumr.gzlamtk/code_cache/secondary-dexes/MultiDex.lock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.axvfqumr.gzlamtk/code_cache/secondary-dexes/tmp-base.apk.classes4309444463039259700.zip

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.axvfqumr.gzlamtk/code_cache/secondary-dexes/base.apk.classes1.zip.x86.flock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.axvfqumr.gzlamtk/code_cache/secondary-dexes/oat/x86/base.apk.classes1.vdex

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.axvfqumr.gzlamtk/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.axvfqumr.gzlamtk/shared_prefs/multidex.version.xml

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.axvfqumr.gzlamtk/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 009d5aa9ade8b7626144887eb356749a
SHA1 0c90de0b01b9ed510e7bb9141f805c2be0958b4e
SHA256 e77620c9f4e3057cd9726edfd9a8d54059826b4a11d38ba0d9cb37caf250a030
SHA512 2b8a9654345df31714e89017d3832c152a1abdcd8a0729a5762405d31960ac7ff81e188481600c78081690cb082c967423c6a1e6d8dbb81773ac5c07e0a23db6

/data/user/0/com.axvfqumr.gzlamtk/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.axvfqumr.gzlamtk/shared_prefs/pref_name_setting.xml

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.axvfqumr.gzlamtk/shared_prefs/prefs30.xml

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.axvfqumr.gzlamtk/shared_prefs/pref_name_setting.xml

MD5 e134c9eefab6287f907cde730b6b022a
SHA1 30dff918cd01a5d2f4bdb23240b61d221a0792c8
SHA256 8932159554fa8f4e4950aff48653e82df933f0c8beb357811002c731736a39b0
SHA512 3eaac85c3e96301adc298cdb727d777205c0b3a2ea6e99ffbe27d130c788c5e9e44fe3e1a407236867bf71d709d6e45b83ad70c1fa4a14646889397f1ff51473

/data/user/0/com.axvfqumr.gzlamtk/shared_prefs/pref_name_setting.xml

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
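Two things in the file list above are easy to misread. Most rows carry MD5 d41d8cd98f00b204e9800998ecf8427e and SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, which are the digests of a zero-byte file: the sandbox hashed those files at creation, before content was written, so they are not usable indicators. The only dropped code with content is base.apk.classes1.zip (MD5 009d5aa9ade8b7626144887eb356749a), and the directory layout (code_cache/secondary-dexes, MultiDex.lock, multidex.version.xml, a tmp-base.apk.classes…zip temp file) is the one the stock support-library MultiDex extractor produces, except that the stock library numbers extracted secondary dexes from classes2 upward, so a classes1.zip there points to a custom loader. The dex2oat process and the oat/x86 odex/vdex files show the dropped zip was compiled and loaded. The script below is an added example, not sandbox code; its rows are copied from this section, and the MultiDex numbering rule and the dex2oat inference are analyst assumptions stated in the comments.

```python
"""Triage the Files list of an Android sandbox run (added example, not sandbox code).

Filters out rows the sandbox hashed as zero-byte files and annotates the drop
directory layout. Sample rows are copied from the behavioral1 Files section.
"""
import hashlib
import re

# Digests of empty input, computed rather than hard-coded so they cannot be mistyped.
EMPTY_DIGESTS = {hashlib.new(alg, b"").hexdigest() for alg in ("md5", "sha1", "sha256")}

# Stock MultiDex extracts secondary dexes to code_cache/secondary-dexes/<apk>.classesN.zip
# and numbers them from 2 upward, because classes.dex is loaded by the system
# (assumption based on the support-library MultiDexExtractor source).
MULTIDEX_RE = re.compile(r"/code_cache/secondary-dexes/(?P<apk>[^/]+)\.classes(?P<n>\d+)\.zip$")

# (path, md5, sha256) rows copied from this report's behavioral1 Files section.
BEHAVIORAL1_FILES = [
    ("/data/user/0/com.axvfqumr.gzlamtk/code_cache/secondary-dexes/MultiDex.lock",
     "d41d8cd98f00b204e9800998ecf8427e", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    ("/data/user/0/com.axvfqumr.gzlamtk/code_cache/secondary-dexes/tmp-base.apk.classes4309444463039259700.zip",
     "d41d8cd98f00b204e9800998ecf8427e", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    ("/data/user/0/com.axvfqumr.gzlamtk/code_cache/secondary-dexes/base.apk.classes1.zip",
     "009d5aa9ade8b7626144887eb356749a", "e77620c9f4e3057cd9726edfd9a8d54059826b4a11d38ba0d9cb37caf250a030"),
    ("/data/user/0/com.axvfqumr.gzlamtk/code_cache/secondary-dexes/base.apk.classes1.zip",
     "d41d8cd98f00b204e9800998ecf8427e", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    ("/data/user/0/com.axvfqumr.gzlamtk/shared_prefs/pref_name_setting.xml",
     "e134c9eefab6287f907cde730b6b022a", "8932159554fa8f4e4950aff48653e82df933f0c8beb357811002c731736a39b0"),
    ("/data/user/0/com.axvfqumr.gzlamtk/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex",
     "d41d8cd98f00b204e9800998ecf8427e", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
]


def triage_files(rows):
    """Return (iocs, notes).

    iocs:  unique (path, hash) rows whose content was actually captured.
    notes: layout observations about the drop directory, at most one per path.
    """
    iocs, notes, seen_ioc, seen_note = [], [], set(), set()
    for path, md5, sha256 in rows:
        match = MULTIDEX_RE.search(path)
        if match and int(match.group("n")) < 2 and path not in seen_note:
            seen_note.add(path)
            notes.append(f"{path}: MultiDex-style drop path, but the stock library numbers "
                         f"extracted dexes from classes2 upward; classes{match.group('n')} "
                         "points to a custom loader")
        if "/secondary-dexes/oat/" in path and path not in seen_note:
            seen_note.add(path)
            # dex2oat only writes here after loading the dex (assumption: ART behaviour).
            notes.append(f"{path}: dex2oat output, so the dropped code was compiled and loaded")
        if md5 in EMPTY_DIGESTS or sha256 in EMPTY_DIGESTS:
            continue  # hashed as a zero-byte file: no content to pivot on
        if (path, sha256) not in seen_ioc:
            seen_ioc.add((path, sha256))
            iocs.append({"path": path, "md5": md5, "sha256": sha256})
    return iocs, notes


if __name__ == "__main__":
    iocs, notes = triage_files(BEHAVIORAL1_FILES)
    for ioc in iocs:
        print("IOC", ioc["sha256"], ioc["path"])
    for note in notes:
        print("NOTE", note)
```

Of the eleven rows in this section only two survive the empty-digest filter: the classes1.zip payload and one written pref_name_setting.xml. Those are the hashes worth submitting elsewhere; the rest would only produce false matches against every other empty file.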

Analysis: behavioral2

Detonation Overview

Submitted

2021-07-30 12:28

Reported

2021-07-30 12:29

Platform

android-x64-arm64

Max time kernel

4150543s

Max time network

75s

Command Line

com.axvfqumr.gzlamtk

Signatures

Hydra

banker trojan infostealer hydra

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.axvfqumr.gzlamtk/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A

Uses reflection

obfuscation
Description | Indicator | Process | Target
Accesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE | N/A | N/A | N/A
Accesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A
Accesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A

Processes

com.axvfqumr.gzlamtk

Network

Country | Destination | Domain | Proto
N/A | 1.1.1.1:853 | | tcp
N/A | 224.0.0.251:5353 | | udp
N/A | 1.1.1.1:853 | | tcp
N/A | 216.58.213.6:80 | ad.doubleclick.net | tcp
N/A | 216.239.35.12:123 | time.android.com | udp
N/A | 142.250.178.10:443 | | udp
N/A | 142.250.178.10:443 | | udp
N/A | 172.217.169.14:443 | | udp
N/A | 216.58.212.200:443 | | tcp
N/A | 185.199.109.133:443 | | tcp
N/A | 1.1.1.1:853 | | tcp
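Most of the network rows above are emulator background traffic rather than sample activity: 1.1.1.1:853 is Android Private DNS over TLS, 224.0.0.251:5353 is mDNS, and time.android.com:123 is NTP. What is left is a handful of unresolved TLS destinations and 185.199.109.133, which sits in the GitHub Pages range 185.199.108.0/22. The script below sorts such a table into noise, review, and pivot buckets; it is an added example, not sandbox output, the rows are copied from this section with the all-N/A Country column dropped, and the classification rules (including treating the GitHub Pages range as a pivot) are analyst assumptions.

```python
"""Sort a sandbox network table into noise, review and pivot buckets (added example).

Rows are copied from the behavioral2 Network section of this report. The rules are
analyst assumptions, not sandbox logic: Android emulators reach 1.1.1.1:853 (Private
DNS over TLS), 224.0.0.251:5353 (mDNS) and time.android.com:123 (NTP) on their own,
and 185.199.108.0/22 is the GitHub Pages range.
"""
import ipaddress

# (destination, resolved domain or "", protocol) as listed in behavioral2.
BEHAVIORAL2_NETWORK = [
    ("1.1.1.1:853", "", "tcp"),
    ("224.0.0.251:5353", "", "udp"),
    ("1.1.1.1:853", "", "tcp"),
    ("216.58.213.6:80", "ad.doubleclick.net", "tcp"),
    ("216.239.35.12:123", "time.android.com", "udp"),
    ("142.250.178.10:443", "", "udp"),
    ("142.250.178.10:443", "", "udp"),
    ("172.217.169.14:443", "", "udp"),
    ("216.58.212.200:443", "", "tcp"),
    ("185.199.109.133:443", "", "tcp"),
    ("1.1.1.1:853", "", "tcp"),
]

# Hosting ranges worth a pivot when a lure app contacts them (assumption: analyst list).
HOSTING_RANGES = {ipaddress.ip_network("185.199.108.0/22"): "GitHub Pages"}


def classify(dest, domain, proto):
    """Return (bucket, reason) for one row; bucket is noise, review or pivot."""
    ip_text, port_text = dest.rsplit(":", 1)
    ip, port = ipaddress.ip_address(ip_text), int(port_text)
    if ip.is_multicast or ip.is_link_local:
        return "noise", "local discovery traffic"
    if port == 853 and proto == "tcp":
        return "noise", "DNS over TLS (Android Private DNS)"
    if port == 123 and proto == "udp":
        return "noise", "NTP time sync"
    for net, label in HOSTING_RANGES.items():
        if ip in net:
            return "pivot", f"{label}: recover the fetched path from the pcap"
    if domain:
        return "review", f"resolved to {domain}; confirm it belongs to an SDK the app bundles"
    if port == 443 and proto == "udp":
        return "review", "QUIC to an unresolved host; resolve via passive DNS before judging"
    return "review", "unresolved TLS destination; inspect SNI and certificate in the pcap"


def triage_network(rows):
    """Deduplicate rows by destination and group them into buckets."""
    buckets = {"noise": {}, "review": {}, "pivot": {}}
    for dest, domain, proto in rows:
        bucket, reason = classify(dest, domain, proto)
        buckets[bucket].setdefault(dest, reason)
    return buckets


if __name__ == "__main__":
    for bucket, items in triage_network(BEHAVIORAL2_NETWORK).items():
        for dest, reason in items.items():
            print(f"{bucket:6} {dest:22} {reason}")
```

Eleven rows reduce to one pivot and four destinations to review. Resolve the bare IPs before drawing conclusions: the sandbox gives no domain for them, and an unresolved 443 endpoint on its own is not evidence of command and control.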

Files

/data/user/0/com.axvfqumr.gzlamtk/code_cache/secondary-dexes/MultiDex.lock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.axvfqumr.gzlamtk/code_cache/secondary-dexes/tmp-base.apk.classes3919991389376536625.zip

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.axvfqumr.gzlamtk/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.axvfqumr.gzlamtk/shared_prefs/multidex.version.xml

MD5 c80a83073af8ed1cff7165995a9ef6b1
SHA1 29b6f4295563eaf5553a64c0ea3027dd9ed56465
SHA256 a66165d4e9c133df3de3bade1d0b41de77e843c6fcf7773aa98f637445248986
SHA512 89544979f7c637ca59ea83cfb02a8e487bf051accbfe751c1e020d96e3c4ec2caec662cb64ad053da943d35e0543c60a9eed67dd03e35ae9ffa91fe2a7db13af

/data/user/0/com.axvfqumr.gzlamtk/shared_prefs/pref_name_setting.xml

MD5 deda1c53df33b7365afe0d188bcc1c2f
SHA1 6baa212c18ae696f553c4e0032621adb1fcf9250
SHA256 0bd9a4b0f794a3bb7669def1c02688744616b2ec94d0361f6b00b7f9bbf40f09
SHA512 42ff46797176f2033450f6421cdf52d1b724d7618117dac617892704fd62067b8d6b83d05a5656dfa17438c5fa2fe802e3df9a0db5aa7a7f372091c96b5f6774

/data/user/0/com.axvfqumr.gzlamtk/shared_prefs/prefs30.xml

MD5 1c6b6a6a91f2ccf7ac553f9a439ad69e
SHA1 270b45bc1c3255f95fecf8bfa85f7dbfc8fb5748
SHA256 a7958ee3107cac53056bac67328f317cf9e3aaf4533e1072f0c4f0334ebbffa6
SHA512 8a61fcab1bc82977f72af693d4a749ad41df81a9a9c6eaafee0f4ffd36a34f069a259c6b20046a8bce58a6eab526df122cb82e8d093be73cf5ff9d41e489bf8e

/data/user/0/com.axvfqumr.gzlamtk/shared_prefs/pref_name_setting.xml

MD5 3560a7887ed7c02ebd2e0b82eb518ae6
SHA1 a9decc3b7eb8ecf628a8aa58774ae4760f074063
SHA256 173f32031ff90c297504ba4be5c3dae314494b4e55707335d9b40b5b8032fea2
SHA512 79cc913dc94ca21f7c00c757894d121f8fd128edeb845981fd859e0d508c6dab04d59f7b2c9e174303dd9cb2d48a2e1f1c4a528ce02a2f0bf5920b09e92d36c4

Analysis: behavioral3

Detonation Overview

Submitted

2021-07-30 12:28

Reported

2021-07-30 12:29

Platform

android-x64

Max time kernel

4150542s

Max time network

33s

Command Line

com.axvfqumr.gzlamtk

Signatures

Hydra

banker trojan infostealer hydra

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.axvfqumr.gzlamtk/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Uses reflection

obfuscation
Description | Indicator | Process | Target
Accesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE | N/A | N/A | N/A
Accesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A
Accesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A

Processes

com.axvfqumr.gzlamtk

Network

Country | Destination | Domain | Proto
N/A | 1.1.1.1:853 | | tcp
N/A | 1.1.1.1:853 | | tcp
N/A | 185.199.108.133:443 | | tcp
N/A | 216.239.35.0:123 | time.android.com | udp
N/A | 216.239.35.0:123 | time.android.com | udp

Files

/data/user/0/com.axvfqumr.gzlamtk/code_cache/secondary-dexes/MultiDex.lock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.axvfqumr.gzlamtk/code_cache/secondary-dexes/tmp-base.apk.classes7847346767771763537.zip

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.axvfqumr.gzlamtk/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.axvfqumr.gzlamtk/shared_prefs/multidex.version.xml

MD5 4ee5e60e1991b7b04fcedfdb7cb64180
SHA1 1d55589dd838bc1d006bcc5739e25cc83231f490
SHA256 4e389d65f02eb10efc16d51422da6d0b1894432637a761856e9ff3442345d1ad
SHA512 9d882b64047c701d21625c765c6955b92ef8d4b75e8f769db4234df9b5fa87f64c519a42f2c6617cee7b0f8f3ad60d7dde2ced8747b8296dd972bedc9261373c

/data/user/0/com.axvfqumr.gzlamtk/shared_prefs/pref_name_setting.xml

MD5 08554bc0b13487a6aa8d393e5a1fc72d
SHA1 106d798dfac362565a754b7c06ebede4c8175597
SHA256 660bbafce88754884a4c44d7e7544e549654b4e71375d6c83dc66315b414739b
SHA512 5e31cede6a15606b40a67f9e4139df5df7d72ec1fd32cb2963c474b625a7d1b0f2abeb95929bc210918303a61266a22088d7884c4847535ee8359c6128ef4863

/data/user/0/com.axvfqumr.gzlamtk/shared_prefs/prefs30.xml

MD5 12d6ab1d27552f5788e1667ec0eb1360
SHA1 f0c1a775a55b7bb45fe65579b526cf4360c0c4d6
SHA256 52e178aa40fd1c71b3a4e8fdfb73fba744ac754430d94697f4d2aaa6823c0d18
SHA512 87eb0dba3f5fbb8801a5b8a07849c8634698d64333f77d548f4596221d2f3d7cba7288ebb0fe0b7f9357add2636b07c6e9cd24aa887dd6cce6d22a1b7e2d3d32

/data/user/0/com.axvfqumr.gzlamtk/shared_prefs/pref_name_setting.xml

MD5 fc5d0a9143a48d8b100d4629e3fbccfb
SHA1 1083211f009133ae6909ed7a88bc06c7ef0dafc1
SHA256 86988ccc9a4ce2743a85fe217f1ed5478a75aa7cf3c56a067b0d14964abb8ada
SHA512 05d598558e4bafa965d729bbe2137868371934b0d6184cb926db527d9b767741776b00fab0d3f675f088465eef18084f9d9e14f1ca03fc891d594f96df5159f7

/data/user/0/com.axvfqumr.gzlamtk/shared_prefs/pref_name_setting.xml

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.axvfqumr.gzlamtk/shared_prefs/pref_name_setting.xml

MD5 5f854fd1a111d406e531922b4789972e
SHA1 fbcf6ffdbb19a420c7b07b8ee20d2445430c3c95
SHA256 dfa8a55940d35e88c0b4400fea4b69594cc193b8b20c93afdbb870bb7cc4c747
SHA512 99e414e5a3d7cd7821c0886438c2fe4865b86fd5cf83f4a38c36032fbdb3251de01e0380d308b490913caf688aadb7b4b4dd3cc8d4807018e83d64904e36e230