Malware Analysis Report

2025-01-19 05:27

Sample ID 210904-12sh2seed3
Target 98173_Video_Oynatıcı.apk
SHA256 6253cac300eabed08691f1dd70f93ce86513ce98d2a577007efa0cb3a2560aa5
Tags
hydra banker infostealer obfuscation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6253cac300eabed08691f1dd70f93ce86513ce98d2a577007efa0cb3a2560aa5

Threat Level: Known bad

The file 98173_Video_Oynatıcı.apk was found to be: Known bad.

Malicious Activity Summary

hydra banker infostealer obfuscation trojan

Hydra

Requests dangerous framework permissions

Loads dropped Dex/Jar

Reads name of network operator

Uses reflection

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2021-09-04 22:09

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-04 22:09

Reported

2021-09-04 22:11

Platform

android-x64

Max time kernel

3000896s

Max time network

156s

Command Line

com.dhmqdmkq.ibjtwkn

Signatures

Hydra

banker trojan infostealer hydra

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.dhmqdmkq.ibjtwkn/code_cache/secondary-dexes/base.apk.classes1.zip N/A N/A

Reads name of network operator

Description Indicator Process Target
Framework API call android.telephony.TelephonyManager.getNetworkOperatorName N/A N/A

Uses reflection

obfuscation
Description Indicator Process Target
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE N/A N/A N/A
Acesses field javax.security.auth.x500.X500Principal.thisX500Name N/A N/A N/A
Acesses field javax.security.auth.x500.X500Principal.thisX500Name N/A N/A N/A

Processes

com.dhmqdmkq.ibjtwkn

Network

Country Destination Domain Proto
US 1.1.1.1:853 tcp
US 1.1.1.1:853 tcp
US 208.95.112.1:80 ip-api.com tcp
US 185.199.110.133:443 tcp
US 216.239.35.12:123 time.android.com udp
SE 178.132.78.156:80 kerrihuffman1237.online tcp
SE 178.132.78.156:80 kerrihuffman1237.online tcp
SE 178.132.78.156:80 kerrihuffman1237.online tcp
SE 178.132.78.156:80 kerrihuffman1237.online tcp
SE 178.132.78.156:80 kerrihuffman1237.online tcp
SE 178.132.78.156:80 kerrihuffman1237.online tcp
SE 178.132.78.156:80 kerrihuffman1237.online tcp
SE 178.132.78.156:80 kerrihuffman1237.online tcp
SE 178.132.78.156:80 kerrihuffman1237.online tcp
SE 178.132.78.156:80 kerrihuffman1237.online tcp
SE 178.132.78.156:80 kerrihuffman1237.online tcp
SE 178.132.78.156:80 kerrihuffman1237.online tcp
SE 178.132.78.156:80 kerrihuffman1237.online tcp
SE 178.132.78.156:80 kerrihuffman1237.online tcp
SE 178.132.78.156:80 kerrihuffman1237.online tcp

Files

/data/user/0/com.dhmqdmkq.ibjtwkn/code_cache/secondary-dexes/MultiDex.lock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.dhmqdmkq.ibjtwkn/code_cache/secondary-dexes/tmp-base.apk.classes241187091308527696.zip

MD5 6971ffe821832058875dfb93c16c1850
SHA1 352bb340ba440467fc20b5910c582c556fd441d5
SHA256 d6f5a82a061d8c3ea36d6ef4e630a40e411dba64a9add7f5b14d5cb5af0df3e0
SHA512 bb1296d358d2ba9c47ec2a0c9abc46b4dc1bfe2cf42de03922838d6d2eceebae642ef6fecc4fbc05c584f11348647960d9aef2302443c62b0158b024a5ee489a

/data/user/0/com.dhmqdmkq.ibjtwkn/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 3d0f6518a0fd4d068283d6822177d144
SHA1 0b7122cf891bf804f161aa40dca2e44bc044bedd
SHA256 c558cd6e6c71cbe0c7082bca2617da1d49f1e3323345b729cf33a8072995de09
SHA512 2ec557cca2873125f4969ec716bd23090150fc6aef344f430519edbf1eef96f959180f5148771ad6f1f747c193316fc25413f915473571ee8bb2d9de8b67ef9c

/data/user/0/com.dhmqdmkq.ibjtwkn/shared_prefs/multidex.version.xml

MD5 ebf3f70940476de7ceef49694e7dd6a8
SHA1 791019ac98dcf1087027838b1be08261f9f9a5af
SHA256 484dd43bc6adba19f683ea88611836437a64dbdbe050ff9c35d90166757fc364
SHA512 c5cecf6e5877f6b5f7a19305f9429ed2ccabe379575c0f510ff786df10034cae3c00f43c40cc91d05c7288e570e3d4e4ecde1388b53adf3a4ce3fbb390479d5e

/data/user/0/com.dhmqdmkq.ibjtwkn/shared_prefs/pref_name_setting.xml

MD5 ffadbbb359172fe72de9bfceac381aee
SHA1 a2e79713802e2f63d7655f2451fdbea0e3ebb2c3
SHA256 6cb0f7fe03270464925825177c5721e8c0efbd08a24e98ba8f96f895554f7e71
SHA512 bc47d184ab653c180e93bd468b032879122a3165fc788f2bd14d2aa10c1e3b1cac14305b2ed5bd4f10f9e75ea2c09f4c44832d0e06ec6cb0726ac3770d14cd16

/data/user/0/com.dhmqdmkq.ibjtwkn/shared_prefs/prefs30.xml

MD5 12d6ab1d27552f5788e1667ec0eb1360
SHA1 f0c1a775a55b7bb45fe65579b526cf4360c0c4d6
SHA256 52e178aa40fd1c71b3a4e8fdfb73fba744ac754430d94697f4d2aaa6823c0d18
SHA512 87eb0dba3f5fbb8801a5b8a07849c8634698d64333f77d548f4596221d2f3d7cba7288ebb0fe0b7f9357add2636b07c6e9cd24aa887dd6cce6d22a1b7e2d3d32

/data/user/0/com.dhmqdmkq.ibjtwkn/shared_prefs/pref_name_setting.xml

MD5 8423827f1cd383f71cf4ad816a7a0d5b
SHA1 a48e9eb8d06f03d51cf3f579e79b280ee99fd319
SHA256 3061ad18c96750b60a16c201fd44450f3c104be2a1c50fdc7bbeb648ea455953
SHA512 7f36f9ea84f9736b8a6e31ad9bbfc4e54bdbd149c690b076c9fffef4c5c863ef3a189f367051fb60cf588ffc1c4d5552212969947994e928cb89e3363a1a2267

/data/user/0/com.dhmqdmkq.ibjtwkn/shared_prefs/prefs30.xml

MD5 e019bcf7d0a40cf2c2683ad78aceaa46
SHA1 5efe2f7866e4ef6ee10d1162a9abee52896f0063
SHA256 81870b3cb6496af6490dc493a0df888e99364eaa7127b60560850020d29476bd
SHA512 a07e93bcb0750c08d08ee98aaca8729954c69390c4a6dcfeee4f0428e059914994f393723c9fac4d0da89afbf25cfc8e6691fed738ef20b655d97ccdf2976dd6

/data/user/0/com.dhmqdmkq.ibjtwkn/shared_prefs/prefs30.xml

MD5 48d52a59268f60a0d2fa9839ac2d9cda
SHA1 c312ced945a128b8a22be6d0177f3b82dfefd265
SHA256 f8494898a3bd94e4c9477aad03692250fcc321ac9f9136bb27a27f9652e07425
SHA512 5faf6a6a57cdb8a156c774e46002782a9a2c5c9d32cf581f1c138f282ddc065120c08c1144d2277fb950cdf4473ae4ead23e7afdd2fd634688144cbf59be7f2b

/data/user/0/com.dhmqdmkq.ibjtwkn/shared_prefs/1222122121.xml

MD5 c28fc2966426ac4c63611d586af79930
SHA1 c77b20b082268e67f454eac4d536a903d1001544
SHA256 abbc2492c2f66f9ee33c6f918cce44d12ca5f02ccc1219c25c5d37b3802b0017
SHA512 a259e504f93233fdce545621a8593afa9ffd48c90abd3e0d589d44ec9a5d4409aa65230114a9a5ad983f447a450fc94f69a2775fabb14e78ed656bd734c11635

/data/user/0/com.dhmqdmkq.ibjtwkn/shared_prefs/pref_name_setting.xml

MD5 02c2f1cf26917cfaeec1fed3d1350157
SHA1 1db859b0d24d3014604b77d850e1f95bf7346523
SHA256 8775b77679de28b7df7c8717fb5515701fd04b428b9a292ad8d1cf46d9bcacf6
SHA512 4b2ba8c1cf9cf16473fd83f5adf5a344edec6aaadc37be533df6801450ef6ce223252e6371bca7b78812965fbfa2ed710f7a25592c18d4a5b7eb861c71649042