hydra | cf95fc04703d711dcdc8916535dc0a058966fcfa4ac758dc36699ae469bd90bb

Analysis

max time kernel
2796427s
max time network
163s
platform
android_x64
resource
android-x64-20231023.1-en
resource tags

androidarch:x64arch:x86image:android-x64-20231023.1-enlocale:en-usos:android-10-x64system
submitted
06-11-2023 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf95fc04703d711dcdc8916535dc0a058966fcfa4ac758dc36699ae469bd90bb.apk
Size

3.1MB
MD5

67aa789ed858a78f6ca1f7cb6f6411d7
SHA1

f67e857fdbada5c1dd929dfb552dc39eb82acd07
SHA256

cf95fc04703d711dcdc8916535dc0a058966fcfa4ac758dc36699ae469bd90bb
SHA512

54844aa9ebc73fdfe5b1bad25604da23d6edab24225c53a2e6bee1f9122594bc24baf82d2c285e3745c8f79e0abd7d24bb79748c19cfecb881a3ff67974bf6e9
SSDEEP

98304:WBeghwapHRr2Kf9utMb+sph0qtJpoBMI5l+bKXWM4R1:WBeRaLZFutMbJe4Ytl+2N4R1

Score

10^/10

hydra banker infostealer trojan

Malware Config

Extracted

Family

hydra

http://aykomediki.net

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 2 IoCs

Processes:

resource	yara_rule
/data/user/0/com.bulk.glue/app_DynamicOptDex/tI.json	family_hydra1
/data/user/0/com.bulk.glue/app_DynamicOptDex/tI.json	family_hydra2

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.bulk.glue

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.bulk.glue
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.bulk.glue

Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.bulk.glue

ioc pid process

/data/user/0/com.bulk.glue/app_DynamicOptDex/tI.json 5124 com.bulk.glue
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ip-api.com
71 ip-api.com
97 ip-api.com
Reads information about phone network operator.

ioc	pid	process
/data/user/0/com.bulk.glue/app_DynamicOptDex/tI.json	5124	com.bulk.glue

flow	ioc
15	ip-api.com
71	ip-api.com
97	ip-api.com

com.bulk.glue
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
PID:5124

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.bulk.glue/app_DynamicOptDex/oat/tI.json.cur.prof

Filesize
1KB

MD5
41a1941cad4d6bd67b3629b3aa3c0c63

SHA1
200b0ff7ee7becb1c1cace6119ce13b61c8f247f

SHA256
3ad7b2c614bb1ac3deaf9d6b87756e650fce6625fe03be2a38b14f5761065fe2

SHA512
5b0b22a74ea27aa6a87ff251defefeb24522302d1148c03b150f6a6a2dc1ed8b4ebfe76e498ab299f32795e33649b0f63920e647936e75c24e044c515cfd234e

Download Submit
/data/data/com.bulk.glue/app_DynamicOptDex/tI.json

Filesize
1.6MB

MD5
c0329676cccbbf125e09f01cfeaf9a8d

SHA1
3b5f4128551c3a86d0b66195ef7436dc2f3bc3b6

SHA256
12f215e2baa08da6de73ad16d5b7ff211b6b3cffbacfe16e27bcdbbc98991013

SHA512
e3563f00dc243e5d4f3a8308e4f3f1664ba0fb426f9b49aee89f50fdeca7287bc123aa7731dc40d361611a0903523fb91b5c9c806bd8fac0a3ef7cd4f7b450bc

Download Submit
/data/data/com.bulk.glue/app_DynamicOptDex/tI.json

Filesize
1.6MB

MD5
1ed8e655c29eabe5db0fee02dea33b7b

SHA1
dc2c8cffb373072c347fc6d9931dd9563cbe299c

SHA256
d89b6c62097f5fea0371b0a17cecdc307bbb6ddd7ac8cd443fe66a759166b882

SHA512
c14a759deea27f209188d8be113c4505772b7e8b36891059111888498cf6e3118b37b9198dd0ed529b7758d1bef2bb8a973e12a319f1918049471fb94d1482d2

Download Submit
/data/user/0/com.bulk.glue/app_DynamicOptDex/tI.json

Filesize
4.4MB

MD5
a4fd8805700bc5c9b41a892171b94c74

SHA1
f956690ac8025296df4e43a55205c159f9049ec6

SHA256
30c02a29fe3af4b305397e538ab66240d8a1c14eaf71f1633adb376647e521f0

SHA512
b1553d87b8b408a7355aa7e675e2b0ce6ce59d8ac454f5c685f6309d17a9cb8206b6a6a407b409c5bd3b47b7a5299de63d8580f2f27ea8928e4babb4c71e90fc

Download Submit