hydra | 8b9158ba3138949586cca3973a975745302f6d7e285299cb6b38c53a7c353f2c

Analysis

max time kernel
2372923s
max time network
159s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
20-12-2023 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b9158ba3138949586cca3973a975745302f6d7e285299cb6b38c53a7c353f2c.apk
Size

3.3MB
MD5

0359ed6cf8b99cd8b7f41512755661de
SHA1

cbb56158e4cd662b51b58f61f6efcb2dac4fb7a5
SHA256

8b9158ba3138949586cca3973a975745302f6d7e285299cb6b38c53a7c353f2c
SHA512

e09085e2f5b083c5c3edee06e022105ad96f3c7b8842205e5690c9e7b98ba85dcdc66cf4d72a2863c72c1794e2a5ae7eefde9c97d52f271e92ec9d3c1af48fe0
SSDEEP

98304:TRCDv8/eakNx0Zq4MQEOLMGbcjeB5UY7neMKSR:dM8mRxDLQIEJnLR

Score

10^/10

hydra banker infostealer trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 2 IoCs

resource	yara_rule
behavioral3/memory/4588-0.dex	family_hydra1
behavioral3/memory/4588-0.dex	family_hydra2

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.churn.crystal
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.churn.crystal

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.churn.crystal/app_DynamicOptDex/FBG.json	4588	com.churn.crystal

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ip-api.com

Reads information about phone network operator.

com.churn.crystal
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.churn.crystal/app_DynamicOptDex/FBG.json

Filesize
1.9MB

MD5
d85f6b50c4674f22b783f2380d873445

SHA1
017efe11b15f7293b8ba7e48b2065864018c7be3

SHA256
809ee8d099b57fb69cc170d1c16b24ca0df67aeeff0e8846824a95bb000ebf63

SHA512
f41614f1e67b3dff8c9b95cfc61e490568e4132f2377902f2aaa204b4cc061e104688e6615bd3a1475fd629527207f746d5985ce70096c0d32f35ffe856b3b3a

Download Submit
/data/user/0/com.churn.crystal/app_DynamicOptDex/FBG.json

Filesize
1.9MB

MD5
7b4e954d8bb0be2fd843eaee2ddfb775

SHA1
4c87212a47c5a6e7b7136fed5a9ebe33858c2209

SHA256
9fc0b364741be0893cd66043f49c0ca0c7af608b0b7f417905adff4a73510f77

SHA512
0ee91ee0f6b4c1100e140e659d3d0ce38ed5048864dd0d25ba7d30278a2fc120b766c1fbaee36f30f8a5101fa32f08f15d39583300487a4c1dd13144aa8d80ec

Download Submit
/data/user/0/com.churn.crystal/app_DynamicOptDex/FBG.json

Filesize
5.0MB

MD5
0143e9febfc6d0ff7d33bfc457c46384

SHA1
8dc57856294c219551d9806f40f8048e04e630fe

SHA256
a03aa26bbe25cf37773ed9378745a675a775c1a27c1c9c13f4eecab4117d8678

SHA512
631112637bcaf70c765efe3697bd1f13dc00647829d1a6f80facce0a32054c0e83eeb5fc06b73e04f983f72effac24e6b921909f550f90e5391f995a7f47279a

Download Submit