hydra | 8b321553f1a269ee4b68a02162ba2d14c71a92907b6001ff3db0fe5bae6b3430

Analysis

max time kernel
4126691s
max time network
153s
platform
android_x86
resource
android-x86-arm-20230831-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20230831-enlocale:en-usos:android-9-x86system
submitted
03-10-2023 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hydra.apk
Size

2.8MB
MD5

d1a68785559ae6b0049a2bd1798277a1
SHA1

8ea0706e77e57810ff1bc9073f3701772f032557
SHA256

8b321553f1a269ee4b68a02162ba2d14c71a92907b6001ff3db0fe5bae6b3430
SHA512

b4c676c19dedf7b582598bc8bc9d3bf260b3847564d7da755cf9e694abdf2ad3555da526b7ff847dcbddf75b9d1183924a29078d181b313fcec18c8b5349637a
SSDEEP

49152:Ucz4N3omNn0M+CGN3SPXLD8S/obeUQGkfC1T3Eb0KizuNAGq6BXk2M:LrmR0vCSC/robeZGkfk0xA1XX

Score

10^/10

hydra banker infostealer trojan

Malware Config

Extracted

Family

hydra

http://lalabanda.com

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 2 IoCs

resource	yara_rule
behavioral1/memory/4137-0.dex	family_hydra1
behavioral1/memory/4137-0.dex	family_hydra2

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.wife.dizzy
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.wife.dizzy

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.wife.dizzy/app_DynamicOptDex/KCFj.json	4137	com.wife.dizzy

Requests enabling of the accessibility settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.wife.dizzy

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Reads information about phone network operator.

com.wife.dizzy
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
PID:4137

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.wife.dizzy/app_DynamicOptDex/KCFj.json

Filesize
1.3MB

MD5
f84f5fda1df953a8fbe24c17bacdf3ae

SHA1
044b7ca9f5988e175bea21312e81043aa17c9027

SHA256
e31d73a78d821a4ee86e55c77432c3c52ef01a8cb7be18fda83faf50772f7ffa

SHA512
0fb2a6900c79f673df5089ead0bfbbff7582cd17c0094cff3c90cfab2e2f64eb3b1d0ceebb70f6df113b7a68ae13e837477a3e9512efa33530901ccff52bbfd7

Download Submit
/data/data/com.wife.dizzy/app_DynamicOptDex/KCFj.json

Filesize
1.3MB

MD5
9b4f8f8895a6e4ccfb5a1b2e0279c3f6

SHA1
6ec87b70d5fcc55f9e9fcd8cb9407d721f7a6068

SHA256
fd87c4f7c8ece0448dab67a0b689c4a417a153081059750295fbed29a1422b03

SHA512
e9049874ccb34af36b6a6837771867532ed0d73b02117de2d3f9908ed96f9c118ff0922702b6b3bd55dba90bac4e335aa7f5769c5c21ac49582a0c5551b5b408

Download Submit
/data/data/com.wife.dizzy/app_DynamicOptDex/oat/KCFj.json.cur.prof

Filesize
1KB

MD5
7116efacd108593b7eec1a8bb345ed9c

SHA1
61f9e7d3d50aee0b684edfe1ab5bfb7f1bde3dd9

SHA256
77732660463bd49cc2cd3d94db39b71f0e4f321447d3a651ec8ddaa3d6773607

SHA512
023f91523225a065ef54932209e10b2dc6a4b8e39413e6f52d7bf5febb88d359486b5677357ed77a212ae26925d4a4492747f0ac87ad380016829fbe667e0b79

Download Submit
/data/user/0/com.wife.dizzy/app_DynamicOptDex/KCFj.json

Filesize
3.6MB

MD5
7135f1564d788d4f037d1fce183fb480

SHA1
d0b34f23799c14770a8b5fc1f1a1d81697bb6f53

SHA256
df7bbead42e925c5b6b349c89c5fa85b8dbd113317acf05fed32243b4827f6b3

SHA512
d4ad950737096138a221850f58180962b5a29e81b4b6866f041f2ca7d3b0d03a2262ce7e081eb71c72d28c057e760521bb986136729be506b934f44ec04ebea2

Download Submit