hydra | a7f6a3bdcc8049e70ee08fa5e67966e83f6624b0231024dc20eeaad948307681

Analysis

max time kernel
2511616s
max time network
149s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
20-12-2023 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7f6a3bdcc8049e70ee08fa5e67966e83f6624b0231024dc20eeaad948307681.apk
Size

6.1MB
MD5

f0db0430dc99ea4ec1099d7511f1677d
SHA1

49f57f37ae162de72603b0aecc0b5979133819d2
SHA256

a7f6a3bdcc8049e70ee08fa5e67966e83f6624b0231024dc20eeaad948307681
SHA512

54c00ed3d0444a15b732e7427a1aa675803140e8ee4b183f311c075e2395e04d52bef5648d107e1ccf0002fe2d2e8990a118c3cf0a446a21ce13a0009821c41c
SSDEEP

196608:FH44nzjyoKMtr4rIaRCZEApuQJOj2OkE0TFc:x3nPptrWR6EAkinTFc

Score

10^/10

hydra banker infostealer trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 1 IoCs

resource	yara_rule
behavioral3/memory/4473-0.dex	family_hydra2

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.vdycsthh.rrdlvkz
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.vdycsthh.rrdlvkz

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.vdycsthh.rrdlvkz/9fgk8aGGgI/yyIfIo78IHgjayi/base.apk.TdaTIjy1.kGy	4473	com.vdycsthh.rrdlvkz

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
32	ip-api.com

Reads information about phone network operator.

com.vdycsthh.rrdlvkz
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
PID:4473

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.vdycsthh.rrdlvkz/9fgk8aGGgI/yyIfIo78IHgjayi/base.apk.TdaTIjy1.kGy

Filesize
7.4MB

MD5
8993b5c4987c3f37a701d78401eb1312

SHA1
94cf44aaca2a787d8836d3b7df2b62ae765c048d

SHA256
a7097b0ecbbe52f77688f9d61e3ff203c95f191b5e8ea026454cc9af4db73418

SHA512
901a826f9dc421adcb9486a427770075762d950a819b0a5b29032e0d407723a4e4fb279d25e369575de844ed97edb8361244a36929f92ac4eaf13e61675df129

Download Submit
/data/user/0/com.vdycsthh.rrdlvkz/9fgk8aGGgI/yyIfIo78IHgjayi/tmp-base.apk.TdaTIjy4744658668795815246.kGy

Filesize
2.8MB

MD5
cb820bd454d0b28d9be8dfce0d5e66c5

SHA1
5f3ea281dbb8255fbdcf37e1953b8df3786d3fd6

SHA256
2937e0b34fd10c107ce8e2bff3496645ae5dd634e548598d61d7059182635602

SHA512
d3489908dca9f9d4b5d134de4af2f1c8a16355d1f679a59151b054e26061591a72f56d40cad1153ba23a7cc9f10eeade47e13a952c68f248a8abbcbf169ffdb1

Download Submit