hydra | 527d81766a0d37a117b7d38938ee88adea64ba99e44cd47f534d2fef1360a90b

Analysis

max time kernel
3314489s
max time network
158s
platform
android_x64
resource
android-x64-arm64-20231023-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231023-enlocale:en-usos:android-11-x64system
submitted
12-11-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

527d81766a0d37a117b7d38938ee88adea64ba99e44cd47f534d2fef1360a90b.apk
Size

2.9MB
MD5

37184e75d764b25208619ac89960103d
SHA1

4dfdd81923c82bdd7182b8d4377968e655e976d2
SHA256

527d81766a0d37a117b7d38938ee88adea64ba99e44cd47f534d2fef1360a90b
SHA512

9d304b3adda32a5fd51e0522e8605d360f3ac5b5be93934ed5ea4374ad91411e41d6674ed1d10c13f7ef4941c623df229a595bef569e3da821cae90e193c45fe
SSDEEP

49152:6iU00JGitbPPuJzkHxR2M+bnd3mjitA28GxT/TgTORLJ5hj1s/z1Q/QXo:yJGitqJzk94ntm2TXxIORLsb1Q/T

Score

10^/10

hydra banker infostealer trojan

Malware Config

Extracted

Family

hydra

http://cioroapapoldoapolawe.org

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 2 IoCs

resource	yara_rule
behavioral3/memory/4600-0.dex	family_hydra1
behavioral3/memory/4600-0.dex	family_hydra2

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.vicious.depth
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.vicious.depth

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.vicious.depth/app_DynamicOptDex/ORIj.json	4600	com.vicious.depth

Requests enabling of the accessibility settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.vicious.depth

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ip-api.com

Reads information about phone network operator.

com.vicious.depth
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
PID:4600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.vicious.depth/app_DynamicOptDex/ORIj.json

Filesize
1.6MB

MD5
20ebec3a6c0d83497989fdc844a7b266

SHA1
8b810af9756caef62efd48ca2be6ff6ef9062caf

SHA256
497321a931c799fcc61094307665e7f9fcb26324b5240bb5e99b7a6a7e30c68b

SHA512
78f4311f422fb66ba89efd3f157bf3e6faaa5d2e2bb6d1d1a6aa2007c5aec82b8682c557b0010033cba8863aa79823d41f29fc2cd3cc33cf92bdc44719431f71

Download Submit
/data/data/com.vicious.depth/app_DynamicOptDex/ORIj.json

Filesize
1.6MB

MD5
c104d679805c0473fd154195e7ba80cf

SHA1
763e3ac1f15713438dd9c608f6f94f29a3472607

SHA256
00ad423ab487c8a4e7309c798c4a7a5b20648fcbcc0bd3f1ba2d8f777e1048db

SHA512
d813af0471a6fb110e049db041a693895791f5d4969a0faf9185fe64cc3685eceabffcc913cba434afbe8cbfa848abd54d81caf2a867ad6468e3ad723e1e14c0

Download Submit
/data/user/0/com.vicious.depth/app_DynamicOptDex/ORIj.json

Filesize
4.4MB

MD5
93732af40fb03e352577e250a3500f8a

SHA1
08e3c3aab7524d770cbcdf597d043796c4578316

SHA256
8cd199f412b8bcfcd9dc4d8957e5d74d31348f43b3363729aa1402ba18d1d227

SHA512
55efaec342acb6a409e6fff8b15663e39ba8f366bf1aababa2ccf7b757f29c1fa9ee6ed36680a599d52d868090698c2f424c969a9da4a88c97c78b5e2329f990

Download Submit