hydra | f5ebbc1b6bdf423b74ec36c8674c4a1b9b4da15603607df21608a99915aa8658 | Triage

Analysis

max time kernel
3108315s
max time network
99s
platform
android_x86
resource
android-x86-arm
submitted
02-02-2022 07:07

Sharing

Report Analysis Logs

General

Target

bawag-psk.apk
Size

5.2MB
MD5

c6797facaa0c79a3186387ee65219866
SHA1

6576ea2be110d383b2ca04722dda635814bc565e
SHA256

f5ebbc1b6bdf423b74ec36c8674c4a1b9b4da15603607df21608a99915aa8658
SHA512

3a4beb10587392889385f5965866b7d123e5823664bfc6b146c9f2331e38ed59901057cb9134e13e7f4a427d757acd4cacb8671f0ad5fe616028af2e3e04d887

Score

10^/10

hydra banker infostealer trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.pepmqjty.kdwmpwq/ukkgTeieyf/gu6tyyIgTupiGwU/base.apk.dfd8pji1.gha	5188	/system/bin/dex2oat
/data/user/0/com.pepmqjty.kdwmpwq/ukkgTeieyf/gu6tyyIgTupiGwU/base.apk.dfd8pji1.gha	5041	com.pepmqjty.kdwmpwq

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
62	ip-api.com

Reads information about phone network operator.

com.pepmqjty.kdwmpwq
1⤵
- Loads dropped Dex/Jar
PID:5041
- com.pepmqjty.kdwmpwq
  2⤵
  PID:5188
- /system/bin/dex2oat
  2⤵
  - Loads dropped Dex/Jar
  PID:5188
- com.pepmqjty.kdwmpwq
  2⤵
  PID:5425
- toolbox
  2⤵
  PID:5425
- com.pepmqjty.kdwmpwq
  2⤵
  PID:5479
- /system/bin/sh
  2⤵
  PID:5479
- /system/bin/ndk_translation_program_runner_binfmt_misc
  2⤵
  PID:5479
- com.pepmqjty.kdwmpwq
  2⤵
  PID:5670
- /system/bin/sh
  2⤵
  PID:5670
- /system/bin/ndk_translation_program_runner_binfmt_misc
  2⤵
  PID:5670
- - /system/bin/ndk_translation_program_runner_binfmt_misc
    3⤵
    PID:5743

/system/bin/ndk_translation_program_runner_binfmt_misc
1⤵
PID:5755

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads