hydra | e74c08fd6ad250fa63e028ce7801eca99a460562107cc40727b0fbca80182196

Analysis

max time kernel
78548s
max time network
132s
platform
android_x64
resource
android-x64-arm64-20220823-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20220823-enlocale:en-usos:android-11-x64system
submitted
21/03/2023, 14:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

E74C08FD6AD250FA63E028CE7801ECA99A460562107CC40727B0FBCA80182196.apk
Size

3.4MB
MD5

b61470b9b40cc8a08b3244ae70a187f2
SHA1

fb5458ab4445ca6fbc77a2197585e4f8a5af0e32
SHA256

e74c08fd6ad250fa63e028ce7801eca99a460562107cc40727b0fbca80182196
SHA512

678b66b4f17f8371a876579ad7e5741c2f0b673f668463a9b714d773231493fb39aaf7dd48eacf848e6483813fc557787dfa350e801605f05662e03a8da6d9f7
SSDEEP

98304:2ejRZZYQi4+v4UakNXRoZq8mrw/JhjH4Ta:XnizLakoX3JyG

Score

10^/10

hydra banker infostealer trojan

Malware Config

Extracted

Family

hydra

http://saygosesgoforesosne.net

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 1 IoCs

resource	yara_rule
behavioral3/memory/4534-0.dex	family_hydra

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.flee.rail
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.flee.rail

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.flee.rail/app_DynamicOptDex/XfOkior.json	4534	com.flee.rail

Requests enabling of the accessibility settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.flee.rail

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
67	ip-api.com

Reads information about phone network operator.

com.flee.rail
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
PID:4534

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.flee.rail/app_DynamicOptDex/XfOkior.json

Filesize
1.3MB

MD5
032e1a1b4b49c11d3eb7c3104a05f55d

SHA1
fd43fa9f1a8e00e63f147a9337691114b31334c4

SHA256
ec43b47a030fd2865e4a8f2524ee28c994b0e7095ce0274c9c79b39ff1b876ad

SHA512
f9eedd13eb7578eaa68e6aee4ee45c0d49163dadcf371a1279e1bce1562cb02383a10ba3e5dd6dc1257aeb86d1a42aff0f8ab01da652f4433798ec637093e1ee

Download Submit
/data/user/0/com.flee.rail/app_DynamicOptDex/XfOkior.json

Filesize
3.6MB

MD5
7d66063b17e478007eaf7d8e13305e05

SHA1
bb0360fe73fa8aa8be409114e7d84fbfb09e6d99

SHA256
a7df9f982dbad9adce236859a1ae6c79206b27ebbd8e8730f09e9461dd595757

SHA512
11adefd47732d652f535aa8f58d3a2cb13586b56dc21d4ff2c686d93a6d7bf9344c8c7b89535a3eb78506c2f86676c1f7cf79b6f8083caa410b383384e43a3ae

Download Submit
/data/user/0/com.flee.rail/shared_prefs/pref_name_setting.xml

Filesize
131B

MD5
8c9aa9899e23c0e2a7b612be315a5ccd

SHA1
40ea686a7085abe22fbc3664358d85c35d2b9ca6

SHA256
ac9992024a33e42eb08b667fc83ffab3cd21c656647c7374d8286aac930316a1

SHA512
b8f9fbb8cd68e86e3724d9a773578d07710c0baa89f179e211fb27067b98f5bc964128fcaa00734e176bd5187277c3ade04c5fc00d633bbed7eb52a6a9def970

Download Submit