hydra | b6b59a54d67199717390a8f67751019b65be5aa791c2a605a564c897e21fe90e

Analysis

max time kernel
3518890s
max time network
145s
platform
android_x64
resource
android-x64-arm64-20230621-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20230621-enlocale:en-usos:android-11-x64system
submitted
07-08-2023 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6b59a54d67199717390a8f67751019b65be5aa791c2a605a564c897e21fe90e.apk
Size

1.2MB
MD5

cf050524e311430413cf6e4f5bf4fd80
SHA1

bfdd6b22fd8c0a418212e4d1fc4c3009c55d070f
SHA256

b6b59a54d67199717390a8f67751019b65be5aa791c2a605a564c897e21fe90e
SHA512

bbe5b0f0c572205f59071a53532a24b50d236b14aca7c0a8e76b75cfa2f1ded6764e376ed1138651bf6b9cf3d6e89399d6848084cc8135c9db3a37ca8bdd082e
SSDEEP

24576:ykkkrRUhjjjiXC5p4RsRbfPJkxq5vKVMHzlnhJV3YY/DNXl:BRAjOCPRb3JkivKVIlnhJV3Fl

Score

10^/10

hydra banker infostealer trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.excite.vacuum/app_DynamicOptDex/yuUS.json	family_hydra

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.excite.vacuum

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.excite.vacuum
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.excite.vacuum

Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.excite.vacuum

ioc pid process

/data/user/0/com.excite.vacuum/app_DynamicOptDex/yuUS.json 4333 com.excite.vacuum
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

163 ip-api.com
Reads information about phone network operator.

ioc	pid	process
/data/user/0/com.excite.vacuum/app_DynamicOptDex/yuUS.json	4333	com.excite.vacuum

flow	ioc
163	ip-api.com

com.excite.vacuum
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
PID:4333

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.excite.vacuum/app_DynamicOptDex/oat/yuUS.json.cur.prof
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.excite.vacuum/app_DynamicOptDex/yuUS.json
Filesize
239KB

MD5
6db6360030535dbe7a25ec31f8d52e63

SHA1
7ca25dc4af543a29741dc609bb3486237be705e2

SHA256
bafd568eec04acdc89bb01ec6dd1dba0ca484487caa4b4f6c6aa80307d2483d0

SHA512
e5762d9f170d14b9391ef9881a13a402eba50de18e296e5010fd1b98634ba6944ea1066b5d4fbc2ef5499a067945cb2188962ebed1b600dea5e1deea909c133f

Download Submit
/data/user/0/com.excite.vacuum/app_DynamicOptDex/yuUS.json
Filesize
574KB

MD5
291a7fd599d7c94b8fb85a58b2326c79

SHA1
76c8563b0aab60d1333a836b4e7168bc243479b2

SHA256
18be2e790a556f4bd49aad5abcb389fde7eeb2d6ebbd523f3a42b33c4adfe29f

SHA512
c93464a8fd4104205ed94004520954ad706c8125463782d4e34a34d95146b4501b292a62a5df06c8e07d92de70914693c9c6747a3d52368bcacd34c301d215bb

Download Submit
/data/user/0/com.excite.vacuum/shared_prefs/pref_name_setting.xml
Filesize
131B

MD5
ff265a24ded510a8b46eeed41072a953

SHA1
7e3309d420d2d63511634c29942d5f2ac42a74c1

SHA256
183692e06996cd4e412a2b808bb088a25503776e37ea0a52e2280c071201a497

SHA512
48edfd3052193daac62288c7f7dbfbc1ab65e2136243eb603d0f723295ebbcc257cd382866164e1a2706eed7e970ecbb9d2d4709c9144f3542c34ecd53f42ee8

Download Submit