hydra | 824fd338bc6728c891cde35ab8cb77c268b60ed291d2b465e289133a5f60869f

Analysis

max time kernel
2340197s
max time network
161s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
20-12-2023 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

824fd338bc6728c891cde35ab8cb77c268b60ed291d2b465e289133a5f60869f.apk
Size

7.2MB
MD5

15d7fdda9dd8ad83c24137e8679b3281
SHA1

f0fb7702219964e1867699c45a1d009409cc465f
SHA256

824fd338bc6728c891cde35ab8cb77c268b60ed291d2b465e289133a5f60869f
SHA512

d51f86029710f02ea50e509c411b70f5368561ea0e67c6372dbc67c417526f6907e1cc35cc2f8c62b2940e9d0e66a06b05f314550a0295b9dac873fb41e0c5f5
SSDEEP

196608:UZ82ycSjyviRe37EmD86Rn4Tzc8ihqQXCubLDaADXq:UZATjyp3tDLn43c8iyKLDc

Score

10^/10

hydra banker infostealer trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 2 IoCs

resource	yara_rule
behavioral2/files/fstream-2.dat	family_hydra1
behavioral2/files/fstream-2.dat	family_hydra2

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.trend.debate
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.trend.debate

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.trend.debate/app_DynamicOptDex/LJb.json	4984	com.trend.debate
/data/user/0/com.trend.debate/app_DynamicOptDex/LJb.json	4984	com.trend.debate

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Reads information about phone network operator.

com.trend.debate
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.trend.debate/app_DynamicOptDex/LJb.json

Filesize
5.2MB

MD5
0408c31db302046b1e22ae4af4c0a82d

SHA1
791766862acc0bd9a994748d644ceb5566421874

SHA256
ecb5db9fbaeec2408a3be88262d153c9ece6e60724eb0930ef1ac29ddc8263b0

SHA512
0895342a30e8f54e2f0e9368336826e07503b051f3dbbe7f7e8a02f27c73299b2442e0392880944b44e4628c69d0ade702f4f79faf256c8396bc35c216677b22

Download Submit
/data/data/com.trend.debate/app_DynamicOptDex/LJb.json

Filesize
5.2MB

MD5
958a4b570d9adcafbb8c202d0f725d17

SHA1
2e1619f14dd6c901bf1e4fe4f3b5f361e64a84d9

SHA256
b4f06c4b9c4a3c8a4f7501337dfd96804152dc74335750689979b3a1f7f5a704

SHA512
cbfa42ad0757ffa9921e854b86aec9fa6b7d1d4ac970e58742cb1cca16b18a5fba1f51a1fcdb90202d0dc89872b112ca5572347741c99b3aa5903c8f891f97f1

Download Submit
/data/data/com.trend.debate/app_DynamicOptDex/oat/LJb.json.cur.prof

Filesize
540B

MD5
66e5fbccd59815ccefe38d3b5386c1b7

SHA1
450d96a2dac68164ad062f8655687ee4536e96f2

SHA256
9f1e38a941992679b9a644e6145380c4ee28884dc6a1d18489ab9cef360e599b

SHA512
7f0e3ccf5090448f1a5e1d36e2c3e4247fa3631d6b8a430b372c81a8eddbcf1b31c654b306d5b6c95da32bfa8cd9bddff6f4fc1757f2b30503a56f0a8e7e7ea6

Download Submit