hydra | a5ca7aaf8b5324b1414760517bef1517527f952cd1c2fac907c2f83d2e3e4bec

Analysis

max time kernel
3518895s
max time network
158s
platform
android_x64
resource
android-x64-arm64-20230621-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20230621-enlocale:en-usos:android-11-x64system
submitted
07-08-2023 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5ca7aaf8b5324b1414760517bef1517527f952cd1c2fac907c2f83d2e3e4bec.apk
Size

2.4MB
MD5

1b5f1dfe3bb361d3b49bbe6c257d15b7
SHA1

bb2fc3f5a9d83f57170e58e47d77406088ddca45
SHA256

a5ca7aaf8b5324b1414760517bef1517527f952cd1c2fac907c2f83d2e3e4bec
SHA512

59192b55fb440ccc2d53245b0eaebb5340712d26166ff258a584971ded7c5618d0653f6ac5b78467a8ef5f988397828b4cdcfc8c022e9d16939857c04b4e022b
SSDEEP

49152:A5fbH5QSQpB4QczFiziv6WmEcJ0S8o7jEho/TK5OW4N:A5fr63RczwzTnjDgWW5aN

Score

10^/10

hydra banker infostealer trojan

Malware Config

Extracted

Family

hydra

http://flocomonuncomunters.net

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 1 IoCs

resource	yara_rule
behavioral3/memory/4527-0.dex	family_hydra

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.quiz.public
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.quiz.public

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.quiz.public/app_DynamicOptDex/SFTi.json	4527	com.quiz.public

Requests enabling of the accessibility settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.quiz.public

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
62	ip-api.com

Reads information about phone network operator.

com.quiz.public
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
PID:4527

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.quiz.public/app_DynamicOptDex/SFTi.json

Filesize
1.3MB

MD5
eb6455b79b9d97da49636f52f4115409

SHA1
d192c93bf516cd75a1d4926e13c0fb1b64f87ac3

SHA256
336d1293dd2e21ea145f437ca387a5c8d2ead20bb6c789335eec2bd161d4de62

SHA512
e470c2409b2357e870dfa243075188b3886e7b38096c123146932c1c45b9cd6a1f6390060a9515b928bf74748d3525b4e414e62a210bbea2273195970b31ae3a

Download Submit
/data/user/0/com.quiz.public/app_DynamicOptDex/SFTi.json

Filesize
3.6MB

MD5
1495b9ac312e2adad198b70e4b993969

SHA1
968fb1cf9bbdd52658f4a136f90ee6fe6c92d448

SHA256
fa172aba9fac5e75af6b90703fcbbf08074ff96aa9b1613d534a73bf1de36ad9

SHA512
645e9d664f36c486a80e3176e0ab1b8eaf77c74a10ac7c0e568bf79cb91d2c6a48f7a8edf2443e3dcec58873b8cabe6a83ad14ca84df8b350286a9e183f66ce4

Download Submit
/data/user/0/com.quiz.public/shared_prefs/pref_name_setting.xml

Filesize
131B

MD5
d04118693bcfa411545e8648fb30d629

SHA1
0ad8f78158d5357312c7abf6aa810414936a6470

SHA256
2738bcff6bae1e34affe960cd4b11fb29c57f51bed1fa42ae3946db48176c565

SHA512
db9cbe51bf0479897ce9adb49889895505dc0b3cb0e945f068ff28957c259a72f33353610f83fc4d11f747764d6c27216da43c6c0ffe8a71d296f8973d2c6a7d

Download Submit