hydra | 8de309b3b12ec3f0115d8522179c825d77f111a56aa268f7eacb68afaa4d33c3

Analysis

max time kernel
2382319s
max time network
148s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
20-12-2023 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8de309b3b12ec3f0115d8522179c825d77f111a56aa268f7eacb68afaa4d33c3.apk
Size

3.0MB
MD5

43cd96c840d9f2c91ff47948ad7e734b
SHA1

3001104f5014c576a840fdf6f3734a44a2361404
SHA256

8de309b3b12ec3f0115d8522179c825d77f111a56aa268f7eacb68afaa4d33c3
SHA512

a4b6e533e9314728ef47aa7e448d0f890d24521b42c6bcfd6a57b6f3074a37016fca55eed8db4b40e1afb04b7fd8fd6b55bf04ae646db3b12ae134d4483cf20d
SSDEEP

49152:SEsaNpGD0I8RlP2Oe/SOVjdxTtWNWon/cQrS8Y9vpLMP3E:fsaNpGwJu7VjdxT0N8GS8Y9vpLMM

Score

10^/10

hydra banker infostealer trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 2 IoCs

resource	yara_rule
behavioral3/memory/4511-0.dex	family_hydra1
behavioral3/memory/4511-0.dex	family_hydra2

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.garbage.appear
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.garbage.appear

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.garbage.appear/app_DynamicOptDex/smFZWxD.json	4511	com.garbage.appear

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ip-api.com

Reads information about phone network operator.

com.garbage.appear
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
PID:4511

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.garbage.appear/app_DynamicOptDex/smFZWxD.json

Filesize
1.9MB

MD5
ac0ee887726e1047ac7374a5f8ffd4fc

SHA1
12b93d0b2f0fa0f53cc399ce45779c7090e2edc9

SHA256
1eafc72a4da52b387a3a51f86cf9021d81cac16ffbeb5dad4625f928832c2744

SHA512
fdc8e03bdc6f9513b4c755e4982e7cc2a13310c38795c05a47770544ced949a4d2427c796417ac8e559b23586ffa4e60bf6f862f7e90a758a25b4afedda5bf85

Download Submit
/data/user/0/com.garbage.appear/app_DynamicOptDex/smFZWxD.json

Filesize
5.0MB

MD5
854e9bae18bb376e651ad2c0a624ab06

SHA1
5851daca98f585c4a74c56346cf1e333e53539dd

SHA256
2ec148b30c11fe04333d61e1b1381a6da153ff5f93746346dd14365c6ef66355

SHA512
84efa443f8baa267da47215e2008b1f4655d72a505e10f36d47ea36eeb82da43d313953fff6d319c1cb665079615464fd7319fa3a4c031f52600395ece522b42

Download Submit