hydra | 73fcd12578ff36a3575898e5c2f6bf9bba7cfb40f936d2092c6f81ec7ebe8975

Analysis

max time kernel
2271589s
max time network
155s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
20-12-2023 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73fcd12578ff36a3575898e5c2f6bf9bba7cfb40f936d2092c6f81ec7ebe8975.apk
Size

6.4MB
MD5

168b29ef92c0931eb31531fa049adc58
SHA1

02813110ec1d35371b69613b4226246c4745aa95
SHA256

73fcd12578ff36a3575898e5c2f6bf9bba7cfb40f936d2092c6f81ec7ebe8975
SHA512

e5f3788607294a31ccf41a6fde470ac08916eccdaca57caeb8cf2acf3e710f011e245bf91422c60fdef1a6a58ba9456f8e47ae0cda8882b57710a8c0259b88ce
SSDEEP

196608:UIOdjjuuxyUmCaK/fK/8K+t8qLpZ/7xceP77J:UIujjuukNKHk8VnH/FP7t

Score

10^/10

hydra banker infostealer trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 1 IoCs

resource	yara_rule
behavioral2/memory/5003-0.dex	family_hydra2

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.dazgytun.vfohonn
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.dazgytun.vfohonn

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.dazgytun.vfohonn/uIU7G8gH8F/HfgU98qGygiuyuI/base.apk.gFg88py1.F8u	5003	com.dazgytun.vfohonn

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Reads information about phone network operator.

com.dazgytun.vfohonn
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
PID:5003

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.dazgytun.vfohonn/uIU7G8gH8F/HfgU98qGygiuyuI/tmp-base.apk.gFg88py4046593695756840564.F8u

Filesize
243KB

MD5
c4d9e658cae7e5119531dcc4a97e131b

SHA1
3991dfb6443535346178e7f2c4e34e643a29131d

SHA256
c05bdd49c8de20b6325cd4a3328e3617e14ba235ff4118b4e9f858c3a67d04c8

SHA512
dc5201597c07b21f3b0668e352fcfbd1615dca41699bd8504841cfd5edb1793f9ed88104bfc368a2fa42656b962b9d5f50085103c6de9173e52f9f9eb4b562e0

Download Submit
/data/user/0/com.dazgytun.vfohonn/uIU7G8gH8F/HfgU98qGygiuyuI/base.apk.gFg88py1.F8u

Filesize
7.4MB

MD5
596ea494f59e8bf2768ce30a98a6ce06

SHA1
bf7ef788bfbf671f23617d5322ad1a7db4a27123

SHA256
13e0b11f7733a44824d0fd56034fcf43e2b73b3709dac4e7dcc97260952f1518

SHA512
565b337eed6f8f476f91f41a94f9fa29042564be70570d81c10fb759b0a16db45db580d01ad642b95b3d686c40a53f27c1e0470f4007ec776ea75542169bac05

Download Submit