Overview

overview

10

Static

static

7

play.apk

android-9-x86

10

play.apk

android-10-x64

10

play.apk

android-11-x64

10

Analysis

  • max time kernel
    844015s
  • max time network
    308s
  • platform
    android_x86
  • resource
    android-x86-arm-20220823-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20220823-enlocale:en-usos:android-9-x86system
  • submitted
    30-03-2023 11:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    play.apk

  • Size

    3.3MB

  • MD5

    495c6f125cdf7000744754939c317dd1

  • SHA1

    67f4772359774348a4571f4f2f5889bdd20eb428

  • SHA256

    17a4c3bf778a3c82506e420151c64978f5bea83bb49947bc2d907bf530ac34e9

  • SHA512

    ecb246d14f46d6e45d89dfe4a9116befbede05d6b623442967e0a6e1f8a51124dbd70c4a0ae07f3f3fdf722a17f39e722690437738e5d635697021c7223c99ef

  • SSDEEP

    98304:/xePnBfIvlnIKjeemBoBqbrPtR6gEElDVn8rMaLWEEADBLxS4H:J0BQyAsKKrPtR6pElpn8waLWEbO4H

Score
10/10
hydrabankerinfostealertrojan

Malware Config

Extracted

Family

hydra

C2

http://fermankaygoscone.com

Signatures

  • Hydra

    Android banker and info stealer.

    bankertrojaninfostealerhydra
  • Hydra payload 2 IoCs
  • Makes use of the framework's Accessibility service. 2 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Reads information about phone network operator.

Processes

  • com.dance.vintage
    1⤵
    • Makes use of the framework's Accessibility service.
    • Loads dropped Dex/Jar
    PID:4089
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.dance.vintage/app_DynamicOptDex/rKk.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.dance.vintage/app_DynamicOptDex/oat/x86/rKk.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.dance.vintage/app_DynamicOptDex/rKk.json
    Filesize

    1.6MB

    MD5

    6939b1e327dfc7fb12a2525048e79629

    SHA1

    9cade1a973fb9d03e9e60725ce729cac6190a5cc

    SHA256

    9268521108da189b2c4056512e79c2c5aca6164f23fac07843aab4480d3893b9

    SHA512

    9e41163f8006a1adea403f06b0cbae0ff67e3d07397487285b57854b7d05f17b12945ec3a9c4af2e6694a7c8a326fe055d54ee13334dbd8b63dc228d04d96398

    Download Submit

  • /data/user/0/com.dance.vintage/app_DynamicOptDex/rKk.json
    Filesize

    4.4MB

    MD5

    ccef967106d54932d358afd3ac8ac5d6

    SHA1

    eac1a32b62955e4efe1e6666576d69dc06008e88

    SHA256

    f85811ae77b9675e35cc54ecc63442c741adf4a9d34659d7c374e7900b7d3307

    SHA512

    bfcb239b058e2d375233dbfcc02caa0db1b6cca8647eb43c702f5aa35f7b7862109447d3bb9d261baf0c7940a2f97c7ba6bda89db29382c9845b3aaed52d9087

    Download Submit

  • /data/user/0/com.dance.vintage/app_DynamicOptDex/rKk.json
    Filesize

    4.4MB

    MD5

    93157c4f705712e8b6004b094c808424

    SHA1

    5a31ad317dd28216f71d0caeab8ac1f70c491905

    SHA256

    4794d5481c97abba38e89a265dadbc9625ab004c53ea0c412b51e4b75f0e5dee

    SHA512

    18c8fac3ceaaccaa821c0710a10e84da0b30d011e3ebb2eaa92fca586221a241cb23305d3032b334b104dde4c7fcd7db3c4c7fe2acb85926c158cba95d557907

    Download Submit