hydra | 824fd338bc6728c891cde35ab8cb77c268b60ed291d2b465e289133a5f60869f

Analysis

max time kernel
2340379s
max time network
163s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
20/12/2023, 04:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

824fd338bc6728c891cde35ab8cb77c268b60ed291d2b465e289133a5f60869f.apk
Size

7.2MB
MD5

15d7fdda9dd8ad83c24137e8679b3281
SHA1

f0fb7702219964e1867699c45a1d009409cc465f
SHA256

824fd338bc6728c891cde35ab8cb77c268b60ed291d2b465e289133a5f60869f
SHA512

d51f86029710f02ea50e509c411b70f5368561ea0e67c6372dbc67c417526f6907e1cc35cc2f8c62b2940e9d0e66a06b05f314550a0295b9dac873fb41e0c5f5
SSDEEP

196608:UZ82ycSjyviRe37EmD86Rn4Tzc8ihqQXCubLDaADXq:UZATjyp3tDLn43c8iyKLDc

Score

10^/10

hydra banker infostealer trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 2 IoCs

resource	yara_rule
behavioral3/files/fstream-2.dat	family_hydra1
behavioral3/files/fstream-2.dat	family_hydra2

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.trend.debate
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.trend.debate

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.trend.debate/app_DynamicOptDex/LJb.json	4571	com.trend.debate
/data/user/0/com.trend.debate/app_DynamicOptDex/LJb.json	4571	com.trend.debate

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ip-api.com

Reads information about phone network operator.

com.trend.debate
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
PID:4571

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.trend.debate/app_DynamicOptDex/LJb.json

Filesize
5.2MB

MD5
0408c31db302046b1e22ae4af4c0a82d

SHA1
791766862acc0bd9a994748d644ceb5566421874

SHA256
ecb5db9fbaeec2408a3be88262d153c9ece6e60724eb0930ef1ac29ddc8263b0

SHA512
0895342a30e8f54e2f0e9368336826e07503b051f3dbbe7f7e8a02f27c73299b2442e0392880944b44e4628c69d0ade702f4f79faf256c8396bc35c216677b22

Download Submit
/data/user/0/com.trend.debate/app_DynamicOptDex/LJb.json

Filesize
5.2MB

MD5
958a4b570d9adcafbb8c202d0f725d17

SHA1
2e1619f14dd6c901bf1e4fe4f3b5f361e64a84d9

SHA256
b4f06c4b9c4a3c8a4f7501337dfd96804152dc74335750689979b3a1f7f5a704

SHA512
cbfa42ad0757ffa9921e854b86aec9fa6b7d1d4ac970e58742cb1cca16b18a5fba1f51a1fcdb90202d0dc89872b112ca5572347741c99b3aa5903c8f891f97f1

Download Submit