hydra | 83380ae57698d2b13e0773969c68e2ea32d02ff1955be0f865cfaace62cf1917

Analysis

max time kernel
2350577s
max time network
153s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
20-12-2023 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83380ae57698d2b13e0773969c68e2ea32d02ff1955be0f865cfaace62cf1917.apk
Size

6.9MB
MD5

09c03c318ab6a1b5f201f81480de022f
SHA1

01b01d29b8b62e8152438740f8956c8a0ab730a4
SHA256

83380ae57698d2b13e0773969c68e2ea32d02ff1955be0f865cfaace62cf1917
SHA512

52ae7f63a3b91fc681f77aad31e2cde23c916394c77c354c0913ec32415847887dad8e16069a6d1036aa3c678e23922cef2d76ef6feb10b70458af6534827ce9
SSDEEP

196608:GM6ePkMV3JKPaCalpxnz2A55eHKMeW2aNyeyrMhGyNL:GM5Pp5KSCaNnz9aK8G2L

Score

10^/10

hydra banker infostealer trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 1 IoCs

resource	yara_rule
behavioral2/memory/4983-0.dex	family_hydra2

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.rhwnanvo.prupgwg
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.rhwnanvo.prupgwg

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.rhwnanvo.prupgwg/yyitdFkqjU/Tojg7gIyjfFf7ke/base.apk.w8jqGoI1.gu8	4983	com.rhwnanvo.prupgwg

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Reads information about phone network operator.

com.rhwnanvo.prupgwg
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
PID:4983

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.rhwnanvo.prupgwg/yyitdFkqjU/Tojg7gIyjfFf7ke/tmp-base.apk.w8jqGoI3591272316912337273.gu8

Filesize
1.8MB

MD5
38645f9fb85938ddda82989512d96aa8

SHA1
eae7b23f8af9d6af893c38a0740b41f2ef645ac5

SHA256
f238163d21eaae3c175caf7be6643c47d29a2dbd9020d4ea9d0641afab0ccbca

SHA512
68917337484ad4418791eb0679b7500a3fd0b5d45be0fc0d33abaac91a533ec8533d94dc3a6dbda4c36983c891c9ac5a95e84c27e97a318e2bbd38e42ea4d813

Download Submit
/data/user/0/com.rhwnanvo.prupgwg/yyitdFkqjU/Tojg7gIyjfFf7ke/base.apk.w8jqGoI1.gu8

Filesize
7.4MB

MD5
cc32b7410f7250c0f9afeed4a489a427

SHA1
811455f73cc9aa0c4a1cbafc94d936001297a623

SHA256
8c59a4d341dd808acb09ec04793a6b37b0e516e9c19bc592df67d159829a9eab

SHA512
0f9e2498f656485f87d074379080c7146b2cae87d8bd313d18a279557a2234e6e63e5d2ff8019d52f186dbb15fb3405da0aa6e39d26954c7bcd091bac5d1f3b8

Download Submit