hydra | 83380ae57698d2b13e0773969c68e2ea32d02ff1955be0f865cfaace62cf1917

Analysis

max time kernel
2350575s
max time network
159s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
20-12-2023 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83380ae57698d2b13e0773969c68e2ea32d02ff1955be0f865cfaace62cf1917.apk
Size

6.9MB
MD5

09c03c318ab6a1b5f201f81480de022f
SHA1

01b01d29b8b62e8152438740f8956c8a0ab730a4
SHA256

83380ae57698d2b13e0773969c68e2ea32d02ff1955be0f865cfaace62cf1917
SHA512

52ae7f63a3b91fc681f77aad31e2cde23c916394c77c354c0913ec32415847887dad8e16069a6d1036aa3c678e23922cef2d76ef6feb10b70458af6534827ce9
SSDEEP

196608:GM6ePkMV3JKPaCalpxnz2A55eHKMeW2aNyeyrMhGyNL:GM5Pp5KSCaNnz9aK8G2L

Score

10^/10

hydra banker infostealer trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 1 IoCs

resource	yara_rule
behavioral3/memory/4588-0.dex	family_hydra2

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.rhwnanvo.prupgwg
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.rhwnanvo.prupgwg

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.rhwnanvo.prupgwg/yyitdFkqjU/Tojg7gIyjfFf7ke/base.apk.w8jqGoI1.gu8	4588	com.rhwnanvo.prupgwg

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ip-api.com

Reads information about phone network operator.

com.rhwnanvo.prupgwg
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.rhwnanvo.prupgwg/yyitdFkqjU/Tojg7gIyjfFf7ke/base.apk.w8jqGoI1.gu8

Filesize
7.4MB

MD5
cc32b7410f7250c0f9afeed4a489a427

SHA1
811455f73cc9aa0c4a1cbafc94d936001297a623

SHA256
8c59a4d341dd808acb09ec04793a6b37b0e516e9c19bc592df67d159829a9eab

SHA512
0f9e2498f656485f87d074379080c7146b2cae87d8bd313d18a279557a2234e6e63e5d2ff8019d52f186dbb15fb3405da0aa6e39d26954c7bcd091bac5d1f3b8

Download Submit
/data/user/0/com.rhwnanvo.prupgwg/yyitdFkqjU/Tojg7gIyjfFf7ke/tmp-base.apk.w8jqGoI3882912557799955294.gu8

Filesize
1.1MB

MD5
bb84117d3111b5fb5b48b2bf2931398a

SHA1
10f43669768083cd7454fa97403753676438c795

SHA256
77d076fe3e9304c82e0148d4660eae2f0dcb4eaf6e75fbe441b8f01bbd820130

SHA512
f6fdda7d7989e34aa1084484367548fd6cd4d96b96ca7f0b71587d801e093bb841a977b5a7b2cb11acd76fb8b7ad3e1a2ef76150cfa72c2a33378eeb34f99515

Download Submit