hydra | 817dd433f3854717f8923d0b91daa9616bf22872cf4f30f5278f63fc310a9693

Analysis

max time kernel
808881s
max time network
157s
platform
android_x64
resource
android-x64-arm64-20230831-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20230831-enlocale:en-usos:android-11-x64system
submitted
14-10-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

817dd433f3854717f8923d0b91daa9616bf22872cf4f30f5278f63fc310a9693.apk
Size

3.1MB
MD5

590f836626e83e163b57e9aaba3550f6
SHA1

c9c1a7ede7fd212ae42dd55314cefcb75d0d2da3
SHA256

817dd433f3854717f8923d0b91daa9616bf22872cf4f30f5278f63fc310a9693
SHA512

9e770d2483f0f3fe1c0c4f7544b89d77437f86fbffe4188c1399499c24dfd27348696abd9edc9803c399d76a6f77d641dd892b7c625f6f2f56844197f73ff365
SSDEEP

98304:g4tzA6xu3CtC+YiS7CdgF30Ky8mhQZfr5P:g4txxu3ACaS7Cc30KyWF

Score

10^/10

hydra banker infostealer trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 2 IoCs

resource	yara_rule
behavioral3/memory/4662-0.dex	family_hydra1
behavioral3/memory/4662-0.dex	family_hydra2

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.motor.hobby
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.motor.hobby

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.motor.hobby/app_DynamicOptDex/Hed.json	4662	com.motor.hobby

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
48	ip-api.com

Reads information about phone network operator.

com.motor.hobby
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
PID:4662

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.motor.hobby/app_DynamicOptDex/Hed.json

Filesize
1.9MB

MD5
fbdce6eaf430f1d1ca19ce9780de2ead

SHA1
2f6d27bfad0e7bc68fd6060f297a017e2fba1991

SHA256
0bb6c29c47280a79f2bc8aa1af9a3bf28a6288a8cba579baed23bfa6a4b38ee5

SHA512
0c85a7c19b2168df5f37781e07c9835553fd20a6f94d0a44b3a7c0319f2da7cdae1570ba3e904b9fd57e4ca8639f333cd9ec706466855ae1202b99d232993c15

Download Submit
/data/user/0/com.motor.hobby/app_DynamicOptDex/Hed.json

Filesize
1.9MB

MD5
ac1cc071f5c9c80e172247523155b185

SHA1
48d92e47974304f4d37372bc94dfb3332b2661d7

SHA256
5be3a339a1beea789e0c783fb5d3281fc1d4a3313f3c2e61b8983a925ca430ff

SHA512
fe196025fccab621166a7107bb735a9956aec44670ef1636a453af75268ddaab46b315c251107819df4d8377c06c4e2377dc2df0d1fd7722f7bf0cfd44c2de89

Download Submit
/data/user/0/com.motor.hobby/app_DynamicOptDex/Hed.json

Filesize
5.0MB

MD5
5c031c79dbe11082ece199a62aa471b7

SHA1
1a7e2d5b8b524c0fd1082fcb564ef2e6095c8ccc

SHA256
60e34f9cbd66cce374fcecbc92e209f6593c4b109795bb0ad48b37756d5fd3ee

SHA512
dd2fb0bdfcf10f9a40544ff59cb8b13824ee8b791e6b040047bf069ecc39af292f025146764a2e7b5c18fa8858aafbfff2ea6b4b096c904a216f6a6412605681

Download Submit