hydra | ab2e9fd467a198b293b276abc08d1a1c6a5e9679d5a89d1b45e31eb64b59238a

Analysis

max time kernel
2525189s
max time network
149s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
20-12-2023 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab2e9fd467a198b293b276abc08d1a1c6a5e9679d5a89d1b45e31eb64b59238a.apk
Size

3.4MB
MD5

71e293f29e636112e0a00ebac8cf3eb8
SHA1

c78b484b536d03a71f37c573f1ce5290507ce330
SHA256

ab2e9fd467a198b293b276abc08d1a1c6a5e9679d5a89d1b45e31eb64b59238a
SHA512

ee4fa7cbd8f27cd77265f3282850fb5bfa93086034fb94569f2274f1acd93333f4e9a6ed4ea4e2302c429b4a2ed6cd83f404793e9d18fa4f3864fef5209620f9
SSDEEP

98304:WkOK6nCcmZ79ZpkLSGKI0QXTPAvZAmGXVkqHpI:WDxvmJ9bkuGX07CB2OpI

Score

10^/10

hydra banker infostealer trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 2 IoCs

resource	yara_rule
behavioral3/memory/4630-0.dex	family_hydra1
behavioral3/memory/4630-0.dex	family_hydra2

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.belt.space
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.belt.space

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.belt.space/app_DynamicOptDex/ZZ.json	4630	com.belt.space

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	ip-api.com

Reads information about phone network operator.

com.belt.space
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
PID:4630

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.belt.space/app_DynamicOptDex/ZZ.json

Filesize
1.9MB

MD5
91b36ba79dd46f62d557a69e1a4a1458

SHA1
2f40011a40c48c8fa6be9281f49414fc77b1bff8

SHA256
6e23c7bf2c0caef429ce4a83c9f6842fc29c50754aa5b238a162bb5637fdb6f7

SHA512
fe4400016647e1aca4a1037e5b333ce0a32ceb6d14427cb11b3357e888e5f282130bd9bb8ee6aef447082c1319a0b6cce4bbdf849076655a86844d1c7a1ba4a3

Download Submit
/data/user/0/com.belt.space/app_DynamicOptDex/ZZ.json

Filesize
5.0MB

MD5
412826ee6d6fab98a5471008a2cd1118

SHA1
17ae43b5a9128d4df9c140833bf696c42bf04ccb

SHA256
26fdc35c4216c1b7a810ac2e341630cca4b5faa92561df7c42ccb6ea408a8d7f

SHA512
8f2c5b00a730a114384f7250d2a728283909da3849bdc6f2a222891a318db520fa414ff03135afb07bf3ef44aa5af8d5efb716f1a74cf4221a5c89321d963678

Download Submit