Overview

overview

10

Static

static

7

E74C08FD6A...96.apk

android-9-x86

10

E74C08FD6A...96.apk

android-10-x64

10

E74C08FD6A...96.apk

android-11-x64

10

Analysis

  • max time kernel
    74953s
  • max time network
    137s
  • platform
    android_x86
  • resource
    android-x86-arm-20220823-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20220823-enlocale:en-usos:android-9-x86system
  • submitted
    21-03-2023 14:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    E74C08FD6AD250FA63E028CE7801ECA99A460562107CC40727B0FBCA80182196.apk

  • Size

    3.4MB

  • MD5

    b61470b9b40cc8a08b3244ae70a187f2

  • SHA1

    fb5458ab4445ca6fbc77a2197585e4f8a5af0e32

  • SHA256

    e74c08fd6ad250fa63e028ce7801eca99a460562107cc40727b0fbca80182196

  • SHA512

    678b66b4f17f8371a876579ad7e5741c2f0b673f668463a9b714d773231493fb39aaf7dd48eacf848e6483813fc557787dfa350e801605f05662e03a8da6d9f7

  • SSDEEP

    98304:2ejRZZYQi4+v4UakNXRoZq8mrw/JhjH4Ta:XnizLakoX3JyG

Score
10/10
hydrabankerinfostealertrojan

Malware Config

Extracted

Family

hydra

C2

http://saygosesgoforesosne.net

Signatures

  • Hydra

    Android banker and info stealer.

    bankertrojaninfostealerhydra
  • Hydra payload 2 IoCs
  • Makes use of the framework's Accessibility service. 2 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Reads information about phone network operator.

Processes

  • com.flee.rail
    1⤵
    • Makes use of the framework's Accessibility service.
    • Loads dropped Dex/Jar
    PID:4074
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.flee.rail/app_DynamicOptDex/XfOkior.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.flee.rail/app_DynamicOptDex/oat/x86/XfOkior.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4125

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.flee.rail/app_DynamicOptDex/XfOkior.json
    Filesize

    1.3MB

    MD5

    032e1a1b4b49c11d3eb7c3104a05f55d

    SHA1

    fd43fa9f1a8e00e63f147a9337691114b31334c4

    SHA256

    ec43b47a030fd2865e4a8f2524ee28c994b0e7095ce0274c9c79b39ff1b876ad

    SHA512

    f9eedd13eb7578eaa68e6aee4ee45c0d49163dadcf371a1279e1bce1562cb02383a10ba3e5dd6dc1257aeb86d1a42aff0f8ab01da652f4433798ec637093e1ee

    Download Submit
  • /data/user/0/com.flee.rail/app_DynamicOptDex/XfOkior.json
    Filesize

    3.6MB

    MD5

    1ac9b8b312fb9e32ef83d0e75993a85f

    SHA1

    0f8efe3668c3ffef97492f705047f03028888a10

    SHA256

    46f3cba22930221ff53e23f3988a24eedee3e20fefbf1966f2c2a4b97124aad9

    SHA512

    c990304ffa84e41800106e3114ffe7f9baf5c3d27676d7e442a0bac7a7bcdbd027e5361983b314539fede8cf1452aae38aacec1d9047f52d70fae484e5f96ad3

    Download Submit
  • /data/user/0/com.flee.rail/app_DynamicOptDex/XfOkior.json
    Filesize

    3.6MB

    MD5

    7d66063b17e478007eaf7d8e13305e05

    SHA1

    bb0360fe73fa8aa8be409114e7d84fbfb09e6d99

    SHA256

    a7df9f982dbad9adce236859a1ae6c79206b27ebbd8e8730f09e9461dd595757

    SHA512

    11adefd47732d652f535aa8f58d3a2cb13586b56dc21d4ff2c686d93a6d7bf9344c8c7b89535a3eb78506c2f86676c1f7cf79b6f8083caa410b383384e43a3ae

    Download Submit
  • /data/user/0/com.flee.rail/app_DynamicOptDex/XfOkior.json.x86.flock
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • /data/user/0/com.flee.rail/app_DynamicOptDex/oat/XfOkior.json.cur.prof
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • /data/user/0/com.flee.rail/app_DynamicOptDex/oat/x86/XfOkior.odex
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • /data/user/0/com.flee.rail/app_DynamicOptDex/oat/x86/XfOkior.vdex
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • /data/user/0/com.flee.rail/shared_prefs/pref_name_setting.xml
    Filesize

    131B

    MD5

    6086ea8ca5c01d5f51ba153a7a76d400

    SHA1

    51bd08c54ecc0312ac475ea3a4a071a9176f1614

    SHA256

    8081021356f68abee5bbc0c67a6ff9574a610a462c234dd6b88c3f44ef4c22a8

    SHA512

    b1320495bbea212a81ef10e6cab3c49ea1e88622c028eff4578b6d08d0005effcd5801fb64328e1d180dabc3e01adc7e7d08adaf3fd91ae62a75e18e27734bbe

    Download Submit