Analysis

  • max time kernel
    1091962s
  • max time network
    161s
  • platform
    android_x64
  • resource
    android-x64-arm64-20230831-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20230831-en, locale:en-us, os:android-11-x64, system
  • submitted
    13-10-2023 04:44

General

  • Target

    b59d43079747f8f280d0f2080cbee060e9fb7d3e0ccdd2882f6f5ffcac350efc.apk

  • Size

    3.2MB

  • MD5

    28e8e9410267495b26dac4e384d7d738

  • SHA1

    35e4c10b45c3354a32cd8e57bf1884e06a42988b

  • SHA256

    b59d43079747f8f280d0f2080cbee060e9fb7d3e0ccdd2882f6f5ffcac350efc

  • SHA512

    073140a03ee40e9589a40c0c9fff205c60e9aef333989ddda01aa43bf1e6cb708e756a00edc8ccd2b6fb9d247d17f0763c1603ff4b46226d0cf4c45e583a4c99

  • SSDEEP

    98304:WeBihQKs25/JKqFA3jA0VQMULcIyEJmdzFTUFqdtCryR:XZkKqF6A0VQ7JyEJGzmqvCGR

Malware Config

Extracted

Family

hydra

C2

http://polkamoturnos.com

Signatures

  • Hydra

    Android banker and info stealer.

  • Hydra payload 2 IoCs
  • Makes use of the framework's Accessibility service. 2 IoCs
  • Loads dropped Dex/Jar 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Requests enabling of the accessibility settings. 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Reads information about phone network operator.

Processes

  • com.virus.medal
    1⤵
    • Makes use of the framework's Accessibility service.
    • Loads dropped Dex/Jar
    • Requests enabling of the accessibility settings.
    PID:4526

Network

MITRE ATT&CK Matrix

Downloads

  • /data/user/0/com.virus.medal/app_DynamicOptDex/rFaq.json

    Filesize

    1.3MB

    MD5

    0a2754a0222186176cc7093cd5ca13da

    SHA1

    325223f01d6ce06092a87b44dc4a5ce32fe09226

    SHA256

    e58e8fad7b8904f7e950ee3b0577a93fd0bc25c5a7974d823dd9a468ed057120

    SHA512

    0467e4389e67283c4389e5b04b35a2c29910b27a41b3c97bdc463614b71d809d3bfdf2259b2c6bdb5cbf6ff61b3e86e5435847a2db60d9c7af12384071c82800

  • /data/user/0/com.virus.medal/app_DynamicOptDex/rFaq.json

    Filesize

    1.3MB

    MD5

    6f8d0c43ba928b1362a744b37322c4ed

    SHA1

    8ce9cff444a2a394939c71c0f2d98743a57a104e

    SHA256

    f6a4e0a1eaee870d7224f7d9455dd4775d3ef6a65eb63d0b4261c3bc785e4329

    SHA512

    c64ceefaab1af30716bebc4ed00a8b3af69d7f9f0d3e83f224565d1ed1737b153eb9b088171799bdafe7735bba186fd53ff11669c45c9297639b3e7a90990523

  • /data/user/0/com.virus.medal/app_DynamicOptDex/rFaq.json

    Filesize

    3.6MB

    MD5

    117cdf3d73499a5cda6d1f361b37712f

    SHA1

    c45bd1aaae9da1bc6e064eb83a95e99196f827ed

    SHA256

    a65a79a43f77cb8ce44d674b0285012f059c41501825f881e8ddc53f4d47268a

    SHA512

    572549870c72fad3cd88f08dd9602ba265213ec11119a4d5e1c86da2e3c6dc1b66fc893496f5a936356e380016c52cdb0d1f7eb5933e8793a98450aa587d37ec
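The "Loads dropped Dex/Jar" signature together with the three differently hashed writes to app_DynamicOptDex/rFaq.json is the pattern to hunt for on a suspect device: code staged under a harmless-looking extension, rewritten during the run, then handed to a class loader. The script below is an added triage example (not part of the sandbox report and not the analysis platform's own code). It walks a directory pulled from a device, classifies each file by its magic bytes rather than its extension, flags loadable code hiding behind a non-code extension or living in the DynamicOptDex directory this sample uses, and matches SHA-256 digests against the IoCs listed above. The assumption that the rFaq.json files are DEX or JAR containers is an inference from the signature, not something the report shows byte by byte; the sample files in demo() are constructed for the example.

```python
import hashlib
import os
import tempfile

# SHA-256 indicators copied from the report above: the submitted APK and the
# three files written to app_DynamicOptDex/rFaq.json during the run.
REPORTED_SHA256 = {
    "b59d43079747f8f280d0f2080cbee060e9fb7d3e0ccdd2882f6f5ffcac350efc": "submitted Hydra APK",
    "e58e8fad7b8904f7e950ee3b0577a93fd0bc25c5a7974d823dd9a468ed057120": "rFaq.json (1.3MB)",
    "f6a4e0a1eaee870d7224f7d9455dd4775d3ef6a65eb63d0b4261c3bc785e4329": "rFaq.json (1.3MB)",
    "a65a79a43f77cb8ce44d674b0285012f059c41501825f881e8ddc53f4d47268a": "rFaq.json (3.6MB)",
}

# Magic bytes of the containers an Android class loader (DexClassLoader,
# PathClassLoader) or System.load() will accept, whatever the file is named.
MAGIC = [
    (b"dex\n", "dex"),          # dex\n035\0, dex\n037\0, ... (raw DEX)
    (b"dey\n", "odex"),         # optimised DEX
    (b"PK\x03\x04", "zip"),     # jar / apk / zip wrapping classes.dex
    (b"\x7fELF", "elf"),        # native library
]

# Extensions under which those containers are expected; anything else is suspicious.
CODE_EXTENSIONS = {".dex", ".odex", ".jar", ".apk", ".zip", ".so"}

# Directory name this sample stages its payload in (from the report's paths).
SUSPICIOUS_DIRS = {"app_DynamicOptDex"}


def classify(head: bytes) -> str:
    """Return the container type for the first bytes of a file, or 'unknown'."""
    for magic, name in MAGIC:
        if head.startswith(magic):
            return name
    return "unknown"


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_file(path: str) -> dict:
    """Classify one file and collect findings worth a second look."""
    with open(path, "rb") as f:
        head = f.read(8)
    kind = classify(head)
    digest = sha256_of(path)
    ext = os.path.splitext(path)[1].lower()
    findings = []
    if digest in REPORTED_SHA256:
        findings.append("known-ioc:" + REPORTED_SHA256[digest])
    if kind != "unknown" and ext not in CODE_EXTENSIONS:
        findings.append("disguised-" + kind)          # code hiding behind .json etc.
    if any(part in SUSPICIOUS_DIRS for part in path.split(os.sep)):
        findings.append("staging-dir")                # app_DynamicOptDex as in the report
    return {"path": path, "sha256": digest, "kind": kind, "findings": findings}


def scan_tree(root: str) -> list:
    """Scan every regular file under root (e.g. a pulled /data/user/0/<pkg>)."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            results.append(scan_file(os.path.join(dirpath, name)))
    return results


def demo() -> dict:
    """Build a constructed app-data tree and return findings keyed by file name."""
    root = tempfile.mkdtemp(prefix="hydra-triage-")
    staged = os.path.join(root, "app_DynamicOptDex")
    os.makedirs(staged)
    # Constructed stand-in for the dropped payload: a DEX header behind a .json name.
    with open(os.path.join(staged, "rFaq.json"), "wb") as f:
        f.write(b"dex\n035\x00" + b"\x00" * 64)
    # Constructed benign file: real JSON text under the app's normal files dir.
    files_dir = os.path.join(root, "files")
    os.makedirs(files_dir)
    with open(os.path.join(files_dir, "settings.json"), "wb") as f:
        f.write(b'{"theme": "dark"}')
    return {os.path.basename(r["path"]): r for r in scan_tree(root)}


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:16} {r['kind']:8} {r['findings']}")
```

Run it against a directory pulled with adb from a device where the package was installed; any file reported as disguised-dex or disguised-zip outside the APK itself should be hashed and submitted for analysis, and a digest hit against REPORTED_SHA256 ties the device directly to this campaign. The three different hashes for the same path in the report are the reason to carve every version of the file you can find (backups, snapshots) rather than only the current one.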