hydra | 5ce41f4ecbfa8fa2855689ec3cfc1015ccf17f00ad28fa3bd26b4b8c86c56ad9 | Triage

Analysis

max time kernel
965278s
max time network
123s
platform
android_x64
resource
android-x64-arm64
submitted
12/08/2021, 08:42 UTC

Sharing

Report Analysis Logs

General

Target

38157_Video_Oynatıcı.apk
Size

3.0MB
MD5

6ebeb85ffe32db161606a7c53722b890
SHA1

dc93b4458efebbc4a15a330840f0c92359e4de95
SHA256

5ce41f4ecbfa8fa2855689ec3cfc1015ccf17f00ad28fa3bd26b4b8c86c56ad9
SHA512

6c89168da5662aef9e5753f802e16791668c1820971304b349f5560e829dfec272f13eb3726a4d0c0f339579b4ca006f1d4acc904513c71da69a0a4ecf7c2c69

Score

10^/10

hydra banker infostealer obfuscation trojan

Malware Config

Extracted

Family

hydra

C2

http://miguelgonzales123.xyz

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.bllgeqgp.qbyoikh/code_cache/secondary-dexes/base.apk.classes1.zip	4173	com.bllgeqgp.qbyoikh

Uses reflection 3 IoCs

description	pid	Process
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	4173	com.bllgeqgp.qbyoikh
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4173	com.bllgeqgp.qbyoikh
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4173	com.bllgeqgp.qbyoikh

com.bllgeqgp.qbyoikh
1⤵
- Loads dropped Dex/Jar
- Uses reflection
PID:4173

Network

GET

http://ad.doubleclick.net/ddm/activity/src=2542116;type=ytmusic;cat=youtu00c;ord=1;num=5946167711072;dc_muid=FE3F14EF316A00B107DFE15EF2807C5F;dc_lat=0

Remote address:

172.217.168.198:80

Request

GET /ddm/activity/src=2542116;type=ytmusic;cat=youtu00c;ord=1;num=5946167711072;dc_muid=FE3F14EF316A00B107DFE15EF2807C5F;dc_lat=0 HTTP/1.1
User-Agent: GoogleTagManager/4.00 (Linux; U; Android 11; en-us; sdk_gphone_x86_64_arm64 Build/RSR1.201211.001.A1)
Host: ad.doubleclick.net
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 302 Found

P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Timing-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
Date: Thu, 12 Aug 2021 08:42:16 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Location: https://adservice.google.com/ddm/fls/z/src=2542116;type=ytmusic;cat=youtu00c;ord=1;num=5946167711072;dc_muid=*;dc_lat=0
Content-Type: text/html; charset=ISO-8859-1
X-Content-Type-Options: nosniff
Server: cafe
Content-Length: 0
X-XSS-Protection: 0

1.1.1.1:853

tls

804 B
3.4kB
11
8
1.1.1.1:853

tls

7.1kB
17.7kB
63
38
172.217.168.198:80

http://ad.doubleclick.net/ddm/activity/src=2542116;type=ytmusic;cat=youtu00c;ord=1;num=5946167711072;dc_muid=FE3F14EF316A00B107DFE15EF2807C5F;dc_lat=0

http

650 B
871 B
6
4

HTTP Request

GET http://ad.doubleclick.net/ddm/activity/src=2542116;type=ytmusic;cat=youtu00c;ord=1;num=5946167711072;dc_muid=FE3F14EF316A00B107DFE15EF2807C5F;dc_lat=0

HTTP Response

302
172.217.16.232:443

ssl.google-analytics.com

tls

1.3kB
5.7kB
8
6
185.199.109.133:443

gist.githubusercontent.com

tls

1.4kB
5.6kB
8
7
1.1.1.1:853

tls

882 B
4.0kB
11
11
1.1.1.1:853

tls

1.2kB
1.1kB
10
10

224.0.0.251:5353

8.8kB
46
142.250.178.4:443

https

3.0kB
6.9kB
5
5
172.217.17.78:443

https

6.3kB
13.1kB
11
14

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads