Overview

overview

10

Static

static

7

E74C08FD6A...96.apk

android-9-x86

10

E74C08FD6A...96.apk

android-10-x64

10

E74C08FD6A...96.apk

android-11-x64

10

Analysis

  • max time kernel
    78548s
  • max time network
    132s
  • platform
    android_x64
  • resource
    android-x64-arm64-20220823-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20220823-enlocale:en-usos:android-11-x64system
  • submitted
    21-03-2023 14:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    E74C08FD6AD250FA63E028CE7801ECA99A460562107CC40727B0FBCA80182196.apk

  • Size

    3.4MB

  • MD5

    b61470b9b40cc8a08b3244ae70a187f2

  • SHA1

    fb5458ab4445ca6fbc77a2197585e4f8a5af0e32

  • SHA256

    e74c08fd6ad250fa63e028ce7801eca99a460562107cc40727b0fbca80182196

  • SHA512

    678b66b4f17f8371a876579ad7e5741c2f0b673f668463a9b714d773231493fb39aaf7dd48eacf848e6483813fc557787dfa350e801605f05662e03a8da6d9f7

  • SSDEEP

    98304:2ejRZZYQi4+v4UakNXRoZq8mrw/JhjH4Ta:XnizLakoX3JyG

Score
10/10
hydrabankerinfostealertrojan

Malware Config

Extracted

Family

hydra

C2

http://saygosesgoforesosne.net

Signatures

  • Hydra

    Android banker and info stealer.

    bankertrojaninfostealerhydra
  • Hydra payload 1 IoCs
  • Makes use of the framework's Accessibility service. 2 IoCs
  • Loads dropped Dex/Jar 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Requests enabling of the accessibility settings. 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Reads information about phone network operator.

Processes

  • com.flee.rail
    1⤵
    • Makes use of the framework's Accessibility service.
    • Loads dropped Dex/Jar
    • Requests enabling of the accessibility settings.
    PID:4534

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.flee.rail/app_DynamicOptDex/XfOkior.json
    Filesize

    1.3MB

    MD5

    032e1a1b4b49c11d3eb7c3104a05f55d

    SHA1

    fd43fa9f1a8e00e63f147a9337691114b31334c4

    SHA256

    ec43b47a030fd2865e4a8f2524ee28c994b0e7095ce0274c9c79b39ff1b876ad

    SHA512

    f9eedd13eb7578eaa68e6aee4ee45c0d49163dadcf371a1279e1bce1562cb02383a10ba3e5dd6dc1257aeb86d1a42aff0f8ab01da652f4433798ec637093e1ee

    Download Submit
  • /data/user/0/com.flee.rail/app_DynamicOptDex/XfOkior.json
    Filesize

    3.6MB

    MD5

    7d66063b17e478007eaf7d8e13305e05

    SHA1

    bb0360fe73fa8aa8be409114e7d84fbfb09e6d99

    SHA256

    a7df9f982dbad9adce236859a1ae6c79206b27ebbd8e8730f09e9461dd595757

    SHA512

    11adefd47732d652f535aa8f58d3a2cb13586b56dc21d4ff2c686d93a6d7bf9344c8c7b89535a3eb78506c2f86676c1f7cf79b6f8083caa410b383384e43a3ae

    Download Submit
  • /data/user/0/com.flee.rail/app_DynamicOptDex/oat/XfOkior.json.cur.prof
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • /data/user/0/com.flee.rail/shared_prefs/pref_name_setting.xml
    Filesize

    131B

    MD5

    8c9aa9899e23c0e2a7b612be315a5ccd

    SHA1

    40ea686a7085abe22fbc3664358d85c35d2b9ca6

    SHA256

    ac9992024a33e42eb08b667fc83ffab3cd21c656647c7374d8286aac930316a1

    SHA512

    b8f9fbb8cd68e86e3724d9a773578d07710c0baa89f179e211fb27067b98f5bc964128fcaa00734e176bd5187277c3ade04c5fc00d633bbed7eb52a6a9def970

    Download Submit