hydra | 75f9f66bcbfb732b3720f9b56a5b56a3a671ff4386b0b7dc8195124b0db206c0

Analysis

max time kernel
2320691s
max time network
149s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
20-12-2023 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75f9f66bcbfb732b3720f9b56a5b56a3a671ff4386b0b7dc8195124b0db206c0.apk
Size

3.2MB
MD5

abcef2353f293e694fe3073b53528441
SHA1

0ecf181ad163bf5dc4e316ac61b3d2453ade356c
SHA256

75f9f66bcbfb732b3720f9b56a5b56a3a671ff4386b0b7dc8195124b0db206c0
SHA512

253a63c8c677826085727ef6d73b01142503424c3f952515bd9e6bfe0b4900e9c1b08faeb98f3790042255994ff9d57f274066315981711c0f32e1936bf3a608
SSDEEP

98304:Vz2v/oOd4+e/h8WBJbiBUUPBnzvU0C/MHpCNnvB:koJ+e/h8WfmBxVRqMJC/

Score

10^/10

hydra banker infostealer trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 2 IoCs

resource	yara_rule
behavioral3/memory/4596-0.dex	family_hydra1
behavioral3/memory/4596-0.dex	family_hydra2

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.knee.grit
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.knee.grit

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.knee.grit/app_DynamicOptDex/Cb.json	4596	com.knee.grit

Requests enabling of the accessibility settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.knee.grit

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ip-api.com

Reads information about phone network operator.

com.knee.grit
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.knee.grit/app_DynamicOptDex/Cb.json

Filesize
1.9MB

MD5
fb546b96e7982734b8c2fcd30400e7ab

SHA1
bc506453e267ae32c2941bfddecc845140b019d9

SHA256
385151bb68cbdd60ea8c33c112a7cd38add4d8a16aefca8ab5567527725c753e

SHA512
5646c3f0a8730cb1951cff3f5a5afd545211c7058f89e4c4935171996c7581a6b61ae7cadd9a44d85e12e2f30bcdd8fcaf5d3a229ded045880a0cb0c64e1f7f3

Download Submit
/data/user/0/com.knee.grit/app_DynamicOptDex/Cb.json

Filesize
1.9MB

MD5
bae8c88e3546f04cb826c200cfbd48f1

SHA1
0d6cef6090f93935e6d278bace6fdcc3174fe42e

SHA256
53e39e0a17f463163cbc93268cd47b01a4bb2159412dc0ea11854a9782c5ca13

SHA512
d34930bc57a1822af793471be1f55954c32a05645a4e96bd8d7708731d61f64076f2d3062cf00d7a5e97a14cbb8f86818a22c43da13760568492c2cb2bdc18af

Download Submit
/data/user/0/com.knee.grit/app_DynamicOptDex/Cb.json

Filesize
5.0MB

MD5
d95f1101eeab1f220343e0ed048ef7c0

SHA1
cdc16afc942ad5a8d4b6ceae23edbcfa67ecd01a

SHA256
33da05b58fd65c304b74a640a9851b5f6783ee6a7272e4b60908663c35fea4b7

SHA512
166a8d8e20046d6437da342e01203aa951b68eb1bc4da8d2b7ec6ac1a4a73a4121a49df7e4ebd27bf48a51b5050c36cbb836cce747c50bdeb4ac0254b783497f

Download Submit