Analysis
-
max time kernel
2491906s -
max time network
163s -
platform
android_x64 -
resource
android-x64-20231215-en -
resource tags
androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system -
submitted
20-12-2023 10:56
Static task
static1
Behavioral task
behavioral1
Sample
a6d27ba039ac9cb0d5a6a3cffca2002feb9ecb8cfed54ce5c0a768064084d43d.apk
Behavioral task
behavioral2
Sample
a6d27ba039ac9cb0d5a6a3cffca2002feb9ecb8cfed54ce5c0a768064084d43d.apk
Resource
android-x64-20231215-en
Behavioral task
behavioral3
Sample
a6d27ba039ac9cb0d5a6a3cffca2002feb9ecb8cfed54ce5c0a768064084d43d.apk
Resource
android-x64-arm64-20231215-en
General
-
Target
a6d27ba039ac9cb0d5a6a3cffca2002feb9ecb8cfed54ce5c0a768064084d43d.apk
-
Size
6.2MB
-
MD5
e5445cda1bf1f82fc1fd4edb1317c41f
-
SHA1
8b3d7122a94bb1694e1d3e33cbbd056e4350598b
-
SHA256
a6d27ba039ac9cb0d5a6a3cffca2002feb9ecb8cfed54ce5c0a768064084d43d
-
SHA512
84dcd079ac022faf2707c2cdb48bc656320307e0d03d58748de78a7fa73bfe8c071a491bdc4401e7b8d31e60024cae43c947307ffdc64d7c54e4f185076fe0bc
-
SSDEEP
196608:m8+atol4aXiwsyOKu/EywCJ8Uvqjn1AzA3dU6Ecsk:m8+ayeNwsL3Nw7UvqjKQU69sk
Malware Config
Signatures
-
Hydra
Android banker and info stealer.
-
Hydra payload 1 IoCs
resource yara_rule behavioral2/memory/4913-0.dex family_hydra2 -
Makes use of the framework's Accessibility service 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.ombththz.ufqsuqx Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.ombththz.ufqsuqx -
Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.ombththz.ufqsuqx/tyfkjfUjju/HjIgfhjyqutIhjf/base.apk.gjGyTF81.88g 4913 com.ombththz.ufqsuqx -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 11 ip-api.com -
Reads information about phone network operator.
Processes
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/com.ombththz.ufqsuqx/tyfkjfUjju/HjIgfhjyqutIhjf/tmp-base.apk.gjGyTF85880433976209060901.88g
Filesize1.1MB
MD54789222bb84f50f7c1297eaa69e702ca
SHA179744725c471c0f3e57fdfce8f5a12800761d14d
SHA2565abfdd117ef2b14ad9abd57405150c18d93312bb46e0151cb6a5187744e95de0
SHA5123a96ad8eea480d33a2139db7b8fc6ae381dc3819891a9c7fddd72f9b44b5e9be8cf69ef446a56782824915d6ed79e1c25c6ba47086f55c7d4b2a366db16c1535
-
Filesize
7.4MB
MD551e100964dbe5ee426745201f1f8b705
SHA1936ce15dcb75bff6409e79dccfa5137691982159
SHA256e2e6b1095041c1cdb89ed390e884de77f4c8aa8f2d820ecf1ccdd1faba2da427
SHA51263c9e95a2e3923134177aa36e87deceb652d3ae5bd8bea1a4db57f5ecbba53fc9ded9f263e18e37bef57c6b47430adfd04aa7933fc523f29a6556121e0cd42e7