hydra | 3fc91b032c9fdbd7eef055f5596e7c6f45b163019ab86af102e44df31966ec44

Analysis

max time kernel
402324s
max time network
153s
platform
android_x64
resource
android-x64-20231023.1-en
resource tags

androidarch:x64arch:x86image:android-x64-20231023.1-enlocale:en-usos:android-10-x64system
submitted
28-11-2023 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fc91b032c9fdbd7eef055f5596e7c6f45b163019ab86af102e44df31966ec44.apk
Size

3.0MB
MD5

8658787a0d5a6b7dbee0ae22dd193d4d
SHA1

231660f83f1c32cc08d4b1d4bf7eb03a4a18beee
SHA256

3fc91b032c9fdbd7eef055f5596e7c6f45b163019ab86af102e44df31966ec44
SHA512

5512e9894c2d8a767ad1fd2a41e5104388da7f81fecaabcb001f6aa3c31a96ea043a0b0b7aa929ce7facbe455a982a6ce574f7f5d18630454a38cf265d9e469d
SSDEEP

49152:EDfvHtz/p0qosFuZ+FkDG8Z4KLvlj5bl3/y3cSTkGVTSmJOQlyBILAkklymKZs:qfv7/w6kqWr3KM6kGxDyBfkeyW

Score

10^/10

hydra banker infostealer trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 2 IoCs

resource	yara_rule
behavioral2/memory/5106-0.dex	family_hydra1
behavioral2/memory/5106-0.dex	family_hydra2

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.boss.butter
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.boss.butter

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.boss.butter/app_DynamicOptDex/BhUjK.json	5106	com.boss.butter

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com
68	ip-api.com
100	ip-api.com

Reads information about phone network operator.

com.boss.butter
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
PID:5106

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.boss.butter/app_DynamicOptDex/BhUjK.json

Filesize
1.9MB

MD5
1caf4e80f11a70398164a82f95ad0dd8

SHA1
52ede92d9986ae45241b2f9c1cdab6cc6aa07857

SHA256
3890cdcc44a8b2916ad382dd48dfd190589e068af774078d9b62f95158e84083

SHA512
4cff8a09bc8c3e182686d6c86d00399667f4ff5ca3e0b8939b5a7f7f5f41bf27b29893711946a0e5a47d36559b69baac43f7e8acf315488b3617b0df9d56443a

Download Submit
/data/data/com.boss.butter/app_DynamicOptDex/BhUjK.json

Filesize
1.9MB

MD5
92456f247ee56926a8f031744087d699

SHA1
4946e57d4829709d10afd71daae709e43ebe209b

SHA256
01f60860114d740fe37b5cf5160a757105f74126a7a1582f99d73a2364fb5355

SHA512
03238877bf358f4f1a632bc218759a8332a7423b298c8b05eaa207e0bc270644a54f31ccb945e2eeef4fa69ffe949ea6d1fbd25952f83376ce25a18480d9b9dc

Download Submit
/data/data/com.boss.butter/app_DynamicOptDex/oat/BhUjK.json.cur.prof

Filesize
1KB

MD5
5ae7dfbc6963a1becb9fe09580fe0d6e

SHA1
3ffb285736918e3dd6f9b32d2ff4bd71d1379319

SHA256
fab436d047d329adc6eb07d54572ba1729ecef5ec97ff5a04b028ad51e7875d2

SHA512
3b90cb8f74ca50b014bacd31fe77493b0572ecd308e88e79200eedeb33032ce7fb01261035dd2e9a435ae8758dc98b5150a6b91b8e653a76da1704921771e2ee

Download Submit
/data/user/0/com.boss.butter/app_DynamicOptDex/BhUjK.json

Filesize
5.0MB

MD5
b849cbba8d099d24e879fe4d691030cc

SHA1
5aa3dabe43e791c1262e72960fd155fc36b452e0

SHA256
21b562f2ccb7099612361fe26ad15434d4877daf00d266b307cba53d9d13e2fc

SHA512
e896509d54833c674a777487e4a3b8ee7a828054c7bfdd03c31cbd015ed55f8418eeeaedff2c6c71829f92ac5035dacccba3978673201dc3bdf263441ca24ff4

Download Submit