hydra | b0d137f1f9ad7588c6bdd0bdd94652b1ecbf4d30354025eee036d96f223b1273

Analysis

max time kernel
3228088s
max time network
147s
platform
android_x64
resource
android-x64-arm64-20231023-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231023-enlocale:en-usos:android-11-x64system
submitted
11-11-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0d137f1f9ad7588c6bdd0bdd94652b1ecbf4d30354025eee036d96f223b1273.apk
Size

2.8MB
MD5

0d95b3fedb55bdb90276467169c28cb4
SHA1

31079fc2813413577b6065da0185afb27e9b4755
SHA256

b0d137f1f9ad7588c6bdd0bdd94652b1ecbf4d30354025eee036d96f223b1273
SHA512

a6c864bebd041cfca6fabd62dfe5f289d66b92ba5e28c7ee9ad01c3b2f6ed1debafe9c78739302be3c0bea2c51a668a97e3effc9e622ba267aff8d9127721f68
SSDEEP

49152:QmyJGiuVhbtuUykHhRPAikjLY6TsoogbpP/BAfrC2Baw3PDsmgtf5mVqrKT4mDS6:QmyJGiuV2Uyk0i4Y6TsiBAfDBa/mgGVv

Score

10^/10

hydra banker infostealer trojan

Malware Config

Extracted

Family

hydra

http://fioklksisisakkkkas.com

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 2 IoCs

resource	yara_rule
behavioral3/memory/4505-0.dex	family_hydra1
behavioral3/memory/4505-0.dex	family_hydra2

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.sense.balance
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.sense.balance

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.sense.balance/app_DynamicOptDex/ytxftkF.json	4505	com.sense.balance

Requests enabling of the accessibility settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.sense.balance

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com

Reads information about phone network operator.

com.sense.balance
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
PID:4505

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.sense.balance/app_DynamicOptDex/oat/ytxftkF.json.cur.prof

Filesize
1KB

MD5
fa306547abcae595d405d50212ea0ad8

SHA1
1604aef545136f6a7ae1dffe6e5cba8db6bd7a6a

SHA256
0ace89916f340de1279c406c94150e77603d63f81732979ef817ace693e8fae0

SHA512
5a0920bc6e191149e5953e7d1a98d1c82f2772095637d09431395a1e70ab113432abac5817739d92d711858eb944c431bd84ed0901ee914296e9b2c3a149757d

Download Submit
/data/data/com.sense.balance/app_DynamicOptDex/ytxftkF.json

Filesize
1.6MB

MD5
8fbce57b625bfba74035f27ccdc4cc10

SHA1
532bf8ca44ab9f1dd11c25cc9522e40cb0b77c91

SHA256
fb68688f80986cc596e8f30b4e046734d5e1b747acdc62623b17e6eed23feb3c

SHA512
a488eb1a7b66c66a71d43ea62bb18f04207d0e05cc83cf03640470104f095a9fd5dcac5b51d43786c7c69bcd704081bac47c1fe086dcd0bf4b7b2e41f5a9c676

Download Submit
/data/data/com.sense.balance/app_DynamicOptDex/ytxftkF.json

Filesize
1.6MB

MD5
9dd8b97df15c93ff0f759bf27ecbb303

SHA1
b9026dcf4b68627f32e5d81a1b9ab03b5f0d022e

SHA256
bdbcad82ff25fe5612739fc553a38530605ce512d3532fe0d457c4bf27fc9c2c

SHA512
03d1c6167e792db18ef5889faf8a66cd8c50d68bb2a3ffc47da1f48775b0a8e91312b932e1b2523202226405f45374f68e50a9bb8d7ec9c9793a5789abb191ed

Download Submit
/data/user/0/com.sense.balance/app_DynamicOptDex/ytxftkF.json

Filesize
4.4MB

MD5
c04b17dd6fb25e27c60cc93483ba68b2

SHA1
79ba39f3beb798bdce2644c4a5f89cb1bbcd99b8

SHA256
817120a36e2e255a7c51da023dfb565dbeb9e64dcc5edcccb40e01c177923b4a

SHA512
2c5c3ac6681dddf08ee551c4e146f1b7827ea22791b8ac24777293325108722fb99ad882bb3f9a8e01619168aa7419a189839a84da56427c247dea63dfc86fbd

Download Submit