hydra | a8d120589c953cfb08c0b5d20482e0c21e5afc30b9b3635144de3fb019c19c66

Analysis

max time kernel
519627s
max time network
133s
platform
android_x64
resource
android-x64-20230831-en
resource tags

androidarch:x64arch:x86image:android-x64-20230831-enlocale:en-usos:android-10-x64system
submitted
11-10-2023 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8d120589c953cfb08c0b5d20482e0c21e5afc30b9b3635144de3fb019c19c66.apk
Size

2.1MB
MD5

9c5ff70c77af1a4e0d85d9f1ad4413fb
SHA1

a63125f958524cf3a5bd4715074dd87b61b0c9dc
SHA256

a8d120589c953cfb08c0b5d20482e0c21e5afc30b9b3635144de3fb019c19c66
SHA512

ec6b6057a96f002ab6bd2d65caac27ad73e10b191b6d4ace29043770a2df61108685f08e5618458bd50c3387658cbe6d69adb2afffde53acf006ea82176a31d1
SSDEEP

49152:4bcOkWKBs6BJPZwxitfcbE1Nyvk4wW50lbNmQqM8DWi1B4O:4bc1u6XPlN18+N9nuD

Score

10^/10

hydra banker infostealer trojan

Malware Config

Extracted

Family

hydra

http://ikincikahromesdod.net

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 2 IoCs

Processes:

resource	yara_rule
/data/user/0/com.payment.whale/app_DynamicOptDex/anyOSUp.json	family_hydra1
/data/user/0/com.payment.whale/app_DynamicOptDex/anyOSUp.json	family_hydra2

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.payment.whale

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.payment.whale
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.payment.whale

Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.payment.whale

ioc pid process

/data/user/0/com.payment.whale/app_DynamicOptDex/anyOSUp.json 5038 com.payment.whale
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 ip-api.com
15 ip-api.com
Reads information about phone network operator.

ioc	pid	process
/data/user/0/com.payment.whale/app_DynamicOptDex/anyOSUp.json	5038	com.payment.whale

flow	ioc
14	ip-api.com
15	ip-api.com

com.payment.whale
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
PID:5038

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.payment.whale/app_DynamicOptDex/anyOSUp.json
Filesize
1.3MB

MD5
c7c1db6983e11cf4d40c7ead5dd2edf7

SHA1
dbd1168f748b624629990c0121a0f56b2fcf5c36

SHA256
6e5d9094e58f675dcb474a4b5db19db8e6f55b8b74c5a0eadcb839839c9f3ac1

SHA512
75b34d9da722897bef1108553bedae2bc60f81e653e5bb306f060ea32a05cf8c2dc54bce444ef4b9e373fd67932d6a5f61312d853bf70d10fff044556e367d3a

Download Submit
/data/data/com.payment.whale/app_DynamicOptDex/anyOSUp.json
Filesize
1.3MB

MD5
1a6ec1793372ff4f292482d59f699650

SHA1
04fc6bb65db8bf55751172dfda47c27765ae2f90

SHA256
b2e9333f4549c67a68ca20593d4396a574afa3ac7aecbba943af57e48def0887

SHA512
8c273c92d67d7a8d53a7ca313f139f9fe2d7b39b8b9315da62f30ee31dde86447a7eb38c6a3c9a09f17574cca9b70ba9e20c2d2ae27a03c44b31bae3a99fb8f7

Download Submit
/data/data/com.payment.whale/app_DynamicOptDex/oat/anyOSUp.json.cur.prof
Filesize
1KB

MD5
742c6e4cb1f6d965c55d7b7c0bf0f8b8

SHA1
c4369cfec7a474a2394f1690adc7b8ee7f99c4c3

SHA256
47885e39e70ada47e5556574bb14e5091524d4ada7403e5a1f62a4b2606bdf84

SHA512
bb2d8eef4067febd3df8be0dbadd9e57fabb66664b407f820141121981525ac87e15bd0c8623df06ad03bfac5509fa48f5486a2cc3a9c846efc2aff86c5dde68

Download Submit
/data/user/0/com.payment.whale/app_DynamicOptDex/anyOSUp.json
Filesize
3.6MB

MD5
96b1a5462bede312113ea1aa86407aa1

SHA1
0e038706aa39226e130552e80dacb1976fc60da5

SHA256
96b187cbda3239fd0e0a691c69578cd1ba59fdd976afab49e689341a159b4608

SHA512
c3242d13108dbb23c52d56a156ed5d9297b1f24ebd1becdcf4a5d13dc69554cd666a79c4fcb87f73d444a4d02d00e95782360da2509101db05d898c3b2059ce6

Download Submit