hydra | 64d0257352222162db7125f27e4ef16958c515326adab554d50698a1685e46ef | Triage

Analysis

max time kernel
1171968s
max time network
134s
platform
android_x86
resource
android-x86-arm
submitted
01-03-2022 14:18

Sharing

Report Analysis Logs

General

Target

psk.apk
Size

7.1MB
MD5

975f5eff0e960994608742678ca70208
SHA1

e311d4f346b363665c462658889ddfb73c4dd8da
SHA256

64d0257352222162db7125f27e4ef16958c515326adab554d50698a1685e46ef
SHA512

7a2fbbb412504f431d6fdbd1f3390ab725eb7cd5ae37afaccf604d0d329ab6cecba45c90d48ef722a680026eac13356987ba4fdf85845c2cb689f0fce8119622

Score

10^/10

hydra banker infostealer trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.otdvrvmj.hqlhtve/ThgGhuajff/8g6IHGhjgU8fygI/base.apk.Gkjhp8h1.GIf	5181	/system/bin/dex2oat
/data/user/0/com.otdvrvmj.hqlhtve/ThgGhuajff/8g6IHGhjgU8fygI/base.apk.Gkjhp8h1.GIf	5118	com.otdvrvmj.hqlhtve

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
73	ip-api.com

Reads information about phone network operator.

com.otdvrvmj.hqlhtve
1⤵
- Loads dropped Dex/Jar
PID:5118
- com.otdvrvmj.hqlhtve
  2⤵
  PID:5181
- /system/bin/dex2oat
  2⤵
  - Loads dropped Dex/Jar
  PID:5181
- com.otdvrvmj.hqlhtve
  2⤵
  PID:5464
- toolbox
  2⤵
  PID:5464
- com.otdvrvmj.hqlhtve
  2⤵
  PID:5549
- /system/bin/sh
  2⤵
  PID:5549
- /system/bin/ndk_translation_program_runner_binfmt_misc
  2⤵
  PID:5549
- com.otdvrvmj.hqlhtve
  2⤵
  PID:5602
- /system/bin/sh
  2⤵
  PID:5602
- /system/bin/ndk_translation_program_runner_binfmt_misc
  2⤵
  PID:5602
- - /system/bin/ndk_translation_program_runner_binfmt_misc
    3⤵
    PID:5628

/system/bin/ndk_translation_program_runner_binfmt_misc
1⤵
PID:5638

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads