Analysis
-
max time kernel
149s -
max time network
132s -
platform
android_x86 -
resource
android-x86-arm-20231215-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system -
submitted
22-01-2024 04:36
Static task
static1
Behavioral task
behavioral1
Sample
6ebeb85ffe32db161606a7c53722b890.apk
Resource
android-x86-arm-20231215-en
Behavioral task
behavioral2
Sample
6ebeb85ffe32db161606a7c53722b890.apk
Resource
android-x64-20231215-en
Behavioral task
behavioral3
Sample
6ebeb85ffe32db161606a7c53722b890.apk
Resource
android-x64-arm64-20231215-en
General
-
Target
6ebeb85ffe32db161606a7c53722b890.apk
-
Size
3.0MB
-
MD5
6ebeb85ffe32db161606a7c53722b890
-
SHA1
dc93b4458efebbc4a15a330840f0c92359e4de95
-
SHA256
5ce41f4ecbfa8fa2855689ec3cfc1015ccf17f00ad28fa3bd26b4b8c86c56ad9
-
SHA512
6c89168da5662aef9e5753f802e16791668c1820971304b349f5560e829dfec272f13eb3726a4d0c0f339579b4ca006f1d4acc904513c71da69a0a4ecf7c2c69
-
SSDEEP
49152:92UEyQygv2WCra6iKmRxdehYOE82PNSKpekboCtEQeiem9b5oZ9kw6PZzjC:92Qgv2WSa6ir8sSb6oCN5d7Pc
Malware Config
Signatures
-
Hydra
Android banker and info stealer.
-
Makes use of the framework's Accessibility service 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.bllgeqgp.qbyoikh Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.bllgeqgp.qbyoikh -
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.bllgeqgp.qbyoikh/code_cache/secondary-dexes/base.apk.classes1.zip 4294 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bllgeqgp.qbyoikh/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.bllgeqgp.qbyoikh/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/com.bllgeqgp.qbyoikh/code_cache/secondary-dexes/base.apk.classes1.zip 4265 com.bllgeqgp.qbyoikh -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 ip-api.com -
Reads information about phone network operator.
Processes
-
com.bllgeqgp.qbyoikh1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
PID:4265 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bllgeqgp.qbyoikh/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.bllgeqgp.qbyoikh/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4294
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/com.bllgeqgp.qbyoikh/code_cache/secondary-dexes/tmp-base.apk.classes5499267511848226158.zip
Filesize378KB
MD580ccafc1f828a3fe8d9307a30c7a9756
SHA153e9082aa74d71b59f353345d7855239db39c094
SHA25620fa911e7822db256785a610d273d057a15c68244948de63d181f657d4aee335
SHA512dd26b5af1642a871420f924ae53040b440d7cee693b7539feef6b2ddad4f48c5c17b995c5a7b2a053ca4ed4a755b12e865bfe959957fe5285b8c81ba1e3d164e
-
Filesize
902KB
MD5c6e4e50a0836907b8b835ecb4c625afe
SHA1db6ab5956d76ac93220caae4e6f2027388ff0f4e
SHA2560a727212bbda63bf47d700cf121712e76da1a7815236c75036f2bb6eb7132eb9
SHA512db4ef195acc872adbada9d01df8e47a25a0762f9ebb13e479e09e06a5de73d39c2a217b7c3ca477195506dfdea7ec2e4a5194a300280e7dcc05dac9794c1e7d8
-
Filesize
902KB
MD517b7abdbdb0fec8364a877ac363163ef
SHA17f441912fa0c46de58a1dc8de4689c72704cbead
SHA2567ee911539603a426a9c80a73c176e4bb4cf483a92b89c044e36c67bb83805f29
SHA51284faaae771288b17e93c2aabac17493e0f5229b00e5634b9ae2468b06553a3f44ef071db9996162f469182be93d094b862eb57ce7e4d01be7e8e14ed416ebd2d