hydra | 56b42b7ce829306afb00ddca01bed06ed486f77f9b9337724a43e79247c4eb81

Analysis

max time kernel
1189771s
max time network
314s
platform
android_x64
resource
android-x64-arm64-20220823-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20220823-enlocale:en-usos:android-11-x64system
submitted
03-04-2023 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56b42b7ce829306afb00ddca01bed06ed486f77f9b9337724a43e79247c4eb81.apk
Size

3.1MB
MD5

aba560b5c5c356f5b9075c7c31024672
SHA1

bc5db278ac3446e78e6afeab50f2566572fca076
SHA256

56b42b7ce829306afb00ddca01bed06ed486f77f9b9337724a43e79247c4eb81
SHA512

96d46381eccf6d6551a8227507a3c5a7ddf06be02d346f9a6570909a0c3cdd85978c8233d666e8568d52578b9aad7a031fbaad6be8505bc237d13f9f6d76a9c3
SSDEEP

98304:Y2fKuZOxKQcJLtQt7jXW1RMhQJ2gyWZX2R:RfKvXZFjXKSi2BWZmR

Score

10^/10

hydra banker evasion infostealer trojan

Malware Config

Extracted

Family

hydra

http://haylozkalyozbasdes.net

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 1 IoCs

resource	yara_rule
behavioral3/memory/4408-0.dex	family_hydra

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.evil.immune
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.evil.immune
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.evil.immune

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.evil.immune/app_DynamicOptDex/eSQnLgO.json	4408	com.evil.immune

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
48	ip-api.com

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.evil.immune

com.evil.immune
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.evil.immune/app_DynamicOptDex/eSQnLgO.json

Filesize
1.6MB

MD5
a3e207a449266647fea8dda47751bfed

SHA1
d6410f0161755fd7eb83ad2cd176718b697c4882

SHA256
db5636d57c57792cab4d283a4b5497d7d442f5ac526ccbeb7e045e59c95d6902

SHA512
58b0acae12fa041bf92deffb2f7763c6ffb5236da9b7ae0ae8c537aa2f76caffb45d89a9530a483311b3fa88ac7b619d8af8dea967b5c7432e0329392465b7b2

Download Submit
/data/user/0/com.evil.immune/app_DynamicOptDex/eSQnLgO.json

Filesize
4.4MB

MD5
8b4066d81234e0bf98540e07505dba4e

SHA1
fbdeba72428c31e30f0ce6324643a3e2a7ed638f

SHA256
a33572f3ce39f672e8bb6ee84f626b427f6784bcd7e0b3c13d9bcc70cfe1f3ff

SHA512
ca6a31b3943a01f07d0f267fb531a61286150a754527616987bc70b9597cd020787c59a45146ec89861528b7d8febb82fdafed0670aab70a9b26e78345a8542e

Download Submit