Malware Analysis Report

2025-01-19 05:29

Sample ID: 210809-tb1z8wxxm2
Target: 87362_Video_Oynatıcı.apk
SHA256: d0e3ea241c345f8988d9f0b9064c1ac1cce7bb2390b28021ee925097372a8308
Tags: hydra banker infostealer obfuscation trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: d0e3ea241c345f8988d9f0b9064c1ac1cce7bb2390b28021ee925097372a8308
Threat Level: Known bad

The file 87362_Video_Oynatıcı.apk was found to be: Known bad.

Malicious Activity Summary

Tags: hydra banker infostealer obfuscation trojan

Signatures triggered:
Hydra
Requests dangerous framework permissions
Requests enabling of the accessibility settings
Loads dropped Dex/Jar
Uses reflection

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2021-08-09 12:26

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2021-08-09 12:26
Reported: 2021-08-09 12:27
Platform: android-x86-arm
Max time kernel: 719421s

Command Line

com.glvygfsf.qnnlsls

Signatures

Hydra

banker trojan infostealer hydra

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.glvygfsf.qnnlsls/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A
N/A | /data/user/0/com.glvygfsf.qnnlsls/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Uses reflection

obfuscation

Description | Indicator | Process | Target
Accesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE | N/A | N/A | N/A

Processes

com.glvygfsf.qnnlsls

com.glvygfsf.qnnlsls

/system/bin/dex2oat

Network

N/A

Files

/data/user/0/com.glvygfsf.qnnlsls/code_cache/secondary-dexes/MultiDex.lock (empty at capture)
/data/user/0/com.glvygfsf.qnnlsls/code_cache/secondary-dexes/tmp-base.apk.classes7639912305192254497.zip (empty at capture)
/data/user/0/com.glvygfsf.qnnlsls/code_cache/secondary-dexes/base.apk.classes1.zip.x86.flock (empty at capture)
/data/user/0/com.glvygfsf.qnnlsls/code_cache/secondary-dexes/oat/x86/base.apk.classes1.vdex (empty at capture)
/data/user/0/com.glvygfsf.qnnlsls/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex (empty at capture)
/data/user/0/com.glvygfsf.qnnlsls/shared_prefs/multidex.version.xml
/data/user/0/com.glvygfsf.qnnlsls/code_cache/secondary-dexes/base.apk.classes1.zip (two entries with differing hashes)
/data/user/0/com.glvygfsf.qnnlsls/shared_prefs/pref_name_setting.xml (three entries with differing hashes, one empty at capture)
/data/user/0/com.glvygfsf.qnnlsls/shared_prefs/prefs30.xml

Analysis: behavioral2

Detonation Overview

Submitted: 2021-08-09 12:26
Reported: 2021-08-09 12:27
Platform: android-x64-arm64
Max time kernel: 719407s
Max time network: 46s

Command Line

com.glvygfsf.qnnlsls

Signatures

Hydra

banker trojan infostealer hydra

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.glvygfsf.qnnlsls/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A

Uses reflection

obfuscation

Description | Indicator | Process | Target
Accesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE | N/A | N/A | N/A
Accesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A
Accesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A

Processes

com.glvygfsf.qnnlsls

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
N/A | 1.1.1.1:853 | N/A | tcp
N/A | 216.239.35.8:123 | time.android.com | udp
N/A | 1.1.1.1:853 | N/A | tcp
N/A | 172.217.16.228:443 | N/A | udp
N/A | 142.251.36.6:80 | ad.doubleclick.net | tcp
N/A | 142.250.187.206:443 | N/A | udp
N/A | 185.199.108.133:443 | N/A | tcp

Files

/data/user/0/com.glvygfsf.qnnlsls/code_cache/secondary-dexes/MultiDex.lock (empty at capture)
/data/user/0/com.glvygfsf.qnnlsls/code_cache/secondary-dexes/tmp-base.apk.classes1813085655365805824.zip (empty at capture)
/data/user/0/com.glvygfsf.qnnlsls/code_cache/secondary-dexes/base.apk.classes1.zip (empty at capture)
/data/user/0/com.glvygfsf.qnnlsls/shared_prefs/multidex.version.xml
/data/user/0/com.glvygfsf.qnnlsls/shared_prefs/pref_name_setting.xml (two entries with differing hashes)
/data/user/0/com.glvygfsf.qnnlsls/shared_prefs/prefs30.xml

Analysis: behavioral3

Detonation Overview

Submitted: 2021-08-09 12:26
Reported: 2021-08-09 12:27
Platform: android-x64
Max time kernel: 719409s
Max time network: 40s

Command Line

com.glvygfsf.qnnlsls

Signatures

Hydra

banker trojan infostealer hydra

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.glvygfsf.qnnlsls/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A

Uses reflection

obfuscation

Description | Indicator | Process | Target
Accesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE | N/A | N/A | N/A
Accesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A
Accesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A

Processes

com.glvygfsf.qnnlsls

Network

Country | Destination | Domain | Proto
N/A | 1.1.1.1:853 | N/A | tcp
N/A | 216.239.35.8:123 | time.android.com | udp
N/A | 1.1.1.1:853 | N/A | tcp
N/A | 185.199.111.133:443 | N/A | tcp

Files

/data/user/0/com.glvygfsf.qnnlsls/code_cache/secondary-dexes/MultiDex.lock (empty at capture)
/data/user/0/com.glvygfsf.qnnlsls/code_cache/secondary-dexes/tmp-base.apk.classes4034024073546850103.zip (empty at capture)
/data/user/0/com.glvygfsf.qnnlsls/code_cache/secondary-dexes/base.apk.classes1.zip
/data/user/0/com.glvygfsf.qnnlsls/shared_prefs/multidex.version.xml
/data/user/0/com.glvygfsf.qnnlsls/shared_prefs/pref_name_setting.xml (two entries with differing hashes)
/data/user/0/com.glvygfsf.qnnlsls/shared_prefs/prefs30.xml