hydra | a8528d464310f8269d0940a490b05576cb0cab77efe4e83ee45e9894d1f10656

Analysis

max time kernel
4067060s
max time network
158s
platform
android_x64
resource
android-x64-arm64-20230831-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20230831-enlocale:en-usos:android-11-x64system
submitted
02-10-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8528d464310f8269d0940a490b05576cb0cab77efe4e83ee45e9894d1f10656.apk
Size

3.4MB
MD5

b532c2f074b1b02bb3dd32dfcdb213cc
SHA1

6e3ab01f4b61acb298d222b39550a3e13d94e47f
SHA256

a8528d464310f8269d0940a490b05576cb0cab77efe4e83ee45e9894d1f10656
SHA512

aeb1603a37fb2e05b1a2fd713982f49ded2a4f9ca6d49aded099c58f73f6413cb226211b91ff894fbb42833c92fa065184b42a0c8165b1f8adade168e52a3825
SSDEEP

98304:xnyhun2hLmRDhLZmz7CsLhPLA+Xs2ou6V2j8:Fn2BSZcrL5LD82bQ

Score

10^/10

hydra banker infostealer trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 2 IoCs

resource	yara_rule
behavioral3/memory/4322-0.dex	family_hydra1
behavioral3/memory/4322-0.dex	family_hydra2

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.slow.what
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.slow.what

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.slow.what/app_DynamicOptDex/ZBsbJ.json	4322	com.slow.what

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
68	ip-api.com

Reads information about phone network operator.

com.slow.what
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
PID:4322

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.slow.what/app_DynamicOptDex/ZBsbJ.json

Filesize
1.9MB

MD5
7d7b807b469bcdd03444eea742b845b6

SHA1
4c552de814fc255b809e63c55a6a569c5db29874

SHA256
9d395af2917c557e038faaa5f0c824e649cbdba2b1d712d137348d40e61d7f67

SHA512
e4f7f26da763b4e2e5b9bf181afca262ce1884852652decbbfb6c8c87aca08c902afea3f2341a8617fbc34df0b3a8891367a61e36dcfe47fe782e3bb56bed76a

Download Submit
/data/user/0/com.slow.what/app_DynamicOptDex/ZBsbJ.json

Filesize
1.9MB

MD5
ea0212cf5bd0b1688a687daf4f0a55aa

SHA1
19d07f1ea637b1fd38f26ebfa9ddc3de651c580a

SHA256
45a3903e21ef933e1f559211c330f2736cbb385d4d0864476f731deb8f1f7f05

SHA512
0c5462f288350d28ce50387c401f2cf4d4050ed4b10876153a131c608e3f70c892c6d2b6cb1e59838f492f66d5c0650cabb180797e2e3cf58e1c7110b7bf424c

Download Submit
/data/user/0/com.slow.what/app_DynamicOptDex/ZBsbJ.json

Filesize
5.0MB

MD5
089a53915168ce1f768c275ec5770b09

SHA1
1618578dbf0e24cd7443553465883bbd0852da6c

SHA256
d27a4c00f3f6ce345b2dd01b14df4d198b5dc4430bf6619d852888212d21e389

SHA512
8b350be4fd6c347610358b9213f8c394f6cbb8491cad52375f7e701f9aa139298077512dc500e0177a1c6752b51ae5c776f356fbf6f15aeb4c9c64b669062198

Download Submit