Analysis
max time kernel: 965278s
max time network: 123s
platform: android_x64
resource: android-x64-arm64
submitted: 12/08/2021, 08:42 UTC

Static task: static1
Behavioral task: behavioral1
Sample: 38157_Video_Oynatıcı.apk
Resource: android-x64-arm64
0 signatures
0 seconds
General
Target: 38157_Video_Oynatıcı.apk
Size: 3.0MB
MD5: 6ebeb85ffe32db161606a7c53722b890
SHA1: dc93b4458efebbc4a15a330840f0c92359e4de95
SHA256: 5ce41f4ecbfa8fa2855689ec3cfc1015ccf17f00ad28fa3bd26b4b8c86c56ad9
SHA512: 6c89168da5662aef9e5753f802e16791668c1820971304b349f5560e829dfec272f13eb3726a4d0c0f339579b4ca006f1d4acc904513c71da69a0a4ecf7c2c69
Score: 10/10
Malware Config
Extracted
Family: hydra
C2: http://miguelgonzales123.xyz
Signatures

Hydra
Android banker and info stealer.

Loads dropped Dex/Jar (1 IoC)
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/com.bllgeqgp.qbyoikh/code_cache/secondary-dexes/base.apk.classes1.zip | 4173 | com.bllgeqgp.qbyoikh

Uses reflection (3 IoCs)
description | pid | Process
Accesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE | 4173 | com.bllgeqgp.qbyoikh
Accesses field javax.security.auth.x500.X500Principal.thisX500Name | 4173 | com.bllgeqgp.qbyoikh
Accesses field javax.security.auth.x500.X500Principal.thisX500Name | 4173 | com.bllgeqgp.qbyoikh
Network

GET http://ad.doubleclick.net/ddm/activity/src=2542116;type=ytmusic;cat=youtu00c;ord=1;num=5946167711072;dc_muid=FE3F14EF316A00B107DFE15EF2807C5F;dc_lat=0
Remote address: 172.217.168.198:80

Request
GET /ddm/activity/src=2542116;type=ytmusic;cat=youtu00c;ord=1;num=5946167711072;dc_muid=FE3F14EF316A00B107DFE15EF2807C5F;dc_lat=0 HTTP/1.1
User-Agent: GoogleTagManager/4.00 (Linux; U; Android 11; en-us; sdk_gphone_x86_64_arm64 Build/RSR1.201211.001.A1)
Host: ad.doubleclick.net
Connection: Keep-Alive
Accept-Encoding: gzip

Response
HTTP/1.1 302 Found
Timing-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
Date: Thu, 12 Aug 2021 08:42:16 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Location: https://adservice.google.com/ddm/fls/z/src=2542116;type=ytmusic;cat=youtu00c;ord=1;num=5946167711072;dc_muid=*;dc_lat=0
Content-Type: text/html; charset=ISO-8859-1
X-Content-Type-Options: nosniff
Server: cafe
Content-Length: 0
X-XSS-Protection: 0
Flows
804 B | 3.4kB | 11 | 8
7.1kB | 17.7kB | 63 | 38
172.217.168.198:80 | http://ad.doubleclick.net/ddm/activity/src=2542116;type=ytmusic;cat=youtu00c;ord=1;num=5946167711072;dc_muid=FE3F14EF316A00B107DFE15EF2807C5F;dc_lat=0 | http | 650 B | 871 B | 6 | 4
  HTTP Request: GET http://ad.doubleclick.net/ddm/activity/src=2542116;type=ytmusic;cat=youtu00c;ord=1;num=5946167711072;dc_muid=FE3F14EF316A00B107DFE15EF2807C5F;dc_lat=0
  HTTP Response: 302
1.3kB | 5.7kB | 8 | 6
1.4kB | 5.6kB | 8 | 7
882 B | 4.0kB | 11 | 11
1.2kB | 1.1kB | 10 | 10