Analysis

  • max time kernel
    2271593s
  • max time network
    156s
  • platform
    android_x64
  • resource
    android-x64-arm64-20231215-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20231215-en, locale:en-us, os:android-11-x64, system
  • submitted
    20-12-2023 00:23

General

  • Target

    73fcd12578ff36a3575898e5c2f6bf9bba7cfb40f936d2092c6f81ec7ebe8975.apk

  • Size

    6.4MB

  • MD5

    168b29ef92c0931eb31531fa049adc58

  • SHA1

    02813110ec1d35371b69613b4226246c4745aa95

  • SHA256

    73fcd12578ff36a3575898e5c2f6bf9bba7cfb40f936d2092c6f81ec7ebe8975

  • SHA512

    e5f3788607294a31ccf41a6fde470ac08916eccdaca57caeb8cf2acf3e710f011e245bf91422c60fdef1a6a58ba9456f8e47ae0cda8882b57710a8c0259b88ce

  • SSDEEP

    196608:UIOdjjuuxyUmCaK/fK/8K+t8qLpZ/7xceP77J:UIujjuukNKHk8VnH/FP7t

Malware Config

Signatures

  • Hydra

    Android banker and info stealer.

  • Hydra payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Loads dropped Dex/Jar 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Reads information about phone network operator.

Processes

  • com.dazgytun.vfohonn
    1⤵
    • Makes use of the framework's Accessibility service
    • Loads dropped Dex/Jar
    PID:4614

Network

  • DNS (US)
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    142.250.200.40
  • DNS (US)
    raw.githubusercontent.com
    Remote address:
    1.1.1.1:53
    Request
    raw.githubusercontent.com
    IN A
    Response
    raw.githubusercontent.com
    IN A
    185.199.110.133
    raw.githubusercontent.com
    IN A
    185.199.109.133
    raw.githubusercontent.com
    IN A
    185.199.108.133
    raw.githubusercontent.com
    IN A
    185.199.111.133
  • GET (US)
    https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip
    Remote address:
    185.199.110.133:443
    Request
    GET /dyd1y/tor-files/main/all_tor.zip HTTP/1.1
    Range: bytes=0-
    Authorization: token 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
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 404 Not Found
    Connection: keep-alive
    Content-Length: 14
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    Content-Type: text/plain; charset=utf-8
    X-GitHub-Request-Id: 0B8E:391231:199826D:1AA0D6F:6582EA3B
    Accept-Ranges: bytes
    Date: Wed, 20 Dec 2023 13:21:46 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lon420107-LON
    X-Cache: HIT
    X-Cache-Hits: 0
    X-Timer: S1703078506.045871,VS0,VE1
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 38dadd63b496f3a581e2d497c7ee2a28a66b72cf
    Expires: Wed, 20 Dec 2023 13:26:46 GMT
    Source-Age: 44
  • DNS (US)
    ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • GET (US)
    http://ip-api.com/json
    Remote address:
    208.95.112.1:80
    Request
    GET /json HTTP/1.1
    Authorization: 99f0249c171f2fa0
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ip-api.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Date: Wed, 20 Dec 2023 13:21:55 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 313
    Access-Control-Allow-Origin: *
    X-Ttl: 56
    X-Rl: 43
  • GET (US)
    https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip
    Remote address:
    185.199.110.133:443
    Request
    GET /dyd1y/tor-files/main/all_tor.zip HTTP/1.1
    Range: bytes=0-
    Authorization: token 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
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 404 Not Found
    Connection: keep-alive
    Content-Length: 14
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    Content-Type: text/plain; charset=utf-8
    X-GitHub-Request-Id: 4D80:13C720:1624937:17117EE:6582EA6C
    Accept-Ranges: bytes
    Date: Wed, 20 Dec 2023 13:22:25 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lhr7326-LHR
    X-Cache: HIT
    X-Cache-Hits: 0
    X-Timer: S1703078546.954509,VS0,VE1
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 641e5a3bbb27a71391ec10df75fd92b8a74547db
    Expires: Wed, 20 Dec 2023 13:27:25 GMT
    Source-Age: 37
  • GET (US)
    https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip
    Remote address:
    185.199.110.133:443
    Request
    GET /dyd1y/tor-files/main/all_tor.zip HTTP/1.1
    Range: bytes=0-
    Authorization: token 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
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 404 Not Found
    Connection: keep-alive
    Content-Length: 14
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    Content-Type: text/plain; charset=utf-8
    X-GitHub-Request-Id: 4D80:13C720:1624937:17117EE:6582EA6C
    Accept-Ranges: bytes
    Date: Wed, 20 Dec 2023 13:22:45 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lhr7324-LHR
    X-Cache: HIT
    X-Cache-Hits: 0
    X-Timer: S1703078566.972410,VS0,VE1
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 652c1e9532eadb886cae028c23b4967c18741ee9
    Expires: Wed, 20 Dec 2023 13:27:45 GMT
    Source-Age: 57
  • GET (US)
    https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip
    Remote address:
    185.199.110.133:443
    Request
    GET /dyd1y/tor-files/main/all_tor.zip HTTP/1.1
    Range: bytes=0-
    Authorization: token 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
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 404 Not Found
    Connection: keep-alive
    Content-Length: 14
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    Content-Type: text/plain; charset=utf-8
    X-GitHub-Request-Id: 3948:2BBFA:F40C86:FD7927:6582EAA9
    Accept-Ranges: bytes
    Date: Wed, 20 Dec 2023 13:23:06 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lhr7374-LHR
    X-Cache: HIT
    X-Cache-Hits: 0
    X-Timer: S1703078586.999627,VS0,VE1
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: eb0a4d0f2dc9163660b4066292d23a03c9b667d8
    Expires: Wed, 20 Dec 2023 13:28:06 GMT
    Source-Age: 16
  • GET (US)
    https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip
    Remote address:
    185.199.110.133:443
    Request
    GET /dyd1y/tor-files/main/all_tor.zip HTTP/1.1
    Range: bytes=0-
    Authorization: token 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
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 404 Not Found
    Connection: keep-alive
    Content-Length: 14
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    Content-Type: text/plain; charset=utf-8
    X-GitHub-Request-Id: 3948:2BBFA:F40C86:FD7927:6582EAA9
    Accept-Ranges: bytes
    Date: Wed, 20 Dec 2023 13:23:26 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lhr7346-LHR
    X-Cache: HIT
    X-Cache-Hits: 0
    X-Timer: S1703078606.012935,VS0,VE1
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 37e3135582b41e2eb8518a087a5e0c49c56f1431
    Expires: Wed, 20 Dec 2023 13:28:26 GMT
    Source-Age: 36
  • GET (US)
    https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip
    Remote address:
    185.199.110.133:443
    Request
    GET /dyd1y/tor-files/main/all_tor.zip HTTP/1.1
    Range: bytes=0-
    Authorization: token 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
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 404 Not Found
    Connection: keep-alive
    Content-Length: 14
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    Content-Type: text/plain; charset=utf-8
    X-GitHub-Request-Id: 3948:2BBFA:F40C86:FD7927:6582EAA9
    Accept-Ranges: bytes
    Date: Wed, 20 Dec 2023 13:23:45 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lhr7364-LHR
    X-Cache: HIT
    X-Cache-Hits: 0
    X-Timer: S1703078626.997617,VS0,VE1
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 52e1b8c0036877a210c90fd82cf4445169a6dfa8
    Expires: Wed, 20 Dec 2023 13:28:45 GMT
    Source-Age: 56
  • GET (US)
    https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip
    Remote address:
    185.199.110.133:443
    Request
    GET /dyd1y/tor-files/main/all_tor.zip HTTP/1.1
    Range: bytes=0-
    Authorization: token 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
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 404 Not Found
    Connection: keep-alive
    Content-Length: 14
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    Content-Type: text/plain; charset=utf-8
    X-GitHub-Request-Id: 7BDA:11EED1:1ACE3AD:1BD721F:6582EAF5
    Accept-Ranges: bytes
    Date: Wed, 20 Dec 2023 13:24:06 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lcy-eglc8600022-LCY
    X-Cache: MISS
    X-Cache-Hits: 0
    X-Timer: S1703078646.047731,VS0,VE128
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 181b588c3d5b667af7fa1a9aad108145d10b0af4
    Expires: Wed, 20 Dec 2023 13:29:06 GMT
    Source-Age: 0
  • 216.58.213.14:443
    tls, https
    695 B
    40 B
    1
    1
  • 216.58.213.14:443
    tls, https
    695 B
    40 B
    1
    1
  • 216.58.213.14:443
    android.apis.google.com
    tls
    4.9kB
    8.9kB
    24
    23
  • 142.250.187.234:443
    tls, https
    1.3kB
    40 B
    1
    1
  • 142.250.187.234:443
    tls, https
    530 B
    40 B
    1
    1
  • 142.250.200.40:443
    ssl.google-analytics.com
    tls
    1.3kB
    5.8kB
    8
    7
  • 185.199.110.133:443
    https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip
    tls, http
    1.4kB
    5.8kB
    11
    11

    HTTP Request

    GET https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip

    HTTP Response

    404
  • 208.95.112.1:80
    http://ip-api.com/json
    http
    412 B
    622 B
    4
    3

    HTTP Request

    GET http://ip-api.com/json

    HTTP Response

    200
  • 216.58.201.100:443
    tls, https
    923 B
    40 B
    2
    1
  • 216.58.201.100:443
    www.google.com
    tls
    11.5kB
    10.1kB
    31
    38
  • 185.199.110.133:443
    https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip
    tls, http
    1.4kB
    1.8kB
    10
    9

    HTTP Request

    GET https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip

    HTTP Response

    404
  • 185.199.110.133:443
    https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip
    tls, http
    1.4kB
    1.8kB
    10
    9

    HTTP Request

    GET https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip

    HTTP Response

    404
  • 185.199.110.133:443
    https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip
    tls, http
    1.4kB
    1.8kB
    10
    9

    HTTP Request

    GET https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip

    HTTP Response

    404
  • 185.199.110.133:443
    https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip
    tls, http
    1.4kB
    1.9kB
    11
    10

    HTTP Request

    GET https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip

    HTTP Response

    404
  • 185.199.110.133:443
    https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip
    tls, http
    1.4kB
    1.8kB
    10
    9

    HTTP Request

    GET https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip

    HTTP Response

    404
  • 185.199.110.133:443
    https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip
    tls, http
    1.4kB
    1.9kB
    11
    10

    HTTP Request

    GET https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip

    HTTP Response

    404
  • 224.0.0.251:5353
    3.7kB
    11
  • 142.250.187.234:443
    https
    51 B
    50 B
    1
    1
  • 142.250.187.238:443
    https
    51 B
    50 B
    1
    1
  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
    86 B
    1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    142.250.200.40

  • 1.1.1.1:53
    raw.githubusercontent.com
    dns
    71 B
    135 B
    1
    1

    DNS Request

    raw.githubusercontent.com

    DNS Response

    185.199.110.133
    185.199.109.133
    185.199.108.133
    185.199.111.133

  • 1.1.1.1:53
    ip-api.com
    dns
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

MITRE ATT&CK Enterprise v15

Downloads

  • /data/user/0/com.dazgytun.vfohonn/uIU7G8gH8F/HfgU98qGygiuyuI/base.apk.gFg88py1.F8u

    Filesize

    7.4MB

    MD5

    596ea494f59e8bf2768ce30a98a6ce06

    SHA1

    bf7ef788bfbf671f23617d5322ad1a7db4a27123

    SHA256

    13e0b11f7733a44824d0fd56034fcf43e2b73b3709dac4e7dcc97260952f1518

    SHA512

    565b337eed6f8f476f91f41a94f9fa29042564be70570d81c10fb759b0a16db45db580d01ad642b95b3d686c40a53f27c1e0470f4007ec776ea75542169bac05

  • /data/user/0/com.dazgytun.vfohonn/uIU7G8gH8F/HfgU98qGygiuyuI/tmp-base.apk.gFg88py3526127071834448994.F8u

    Filesize

    1.4MB

    MD5

    6ee5292878de973ee7bccefc99117078

    SHA1

    89ade14f507ecf86203c4c012b401e065a236ca5

    SHA256

    b958a3c16e3874a2bf5718b8f111357f470ad752b4c141d979e8f5f5755a26e1

    SHA512

    3d1ee2ca8bf9213240b2746eaedf41071da21a760e3c122d9c7eba2fbdd21cf1ed98799cb3295bb3ced8705fb46cdb4d7c936fd8575ce0f8dd066adbe120498b
