
Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    android_x64
  • resource
    android-x64-arm64-20231215-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20231215-en, locale:en-us, os:android-11-x64, system
  • submitted
    05/02/2024, 11:47 UTC

General

  • Target

    91e93a3b47bd97744abbce5dc98330ca.apk

  • Size

    3.3MB

  • MD5

    91e93a3b47bd97744abbce5dc98330ca

  • SHA1

    d6aac3de005d3af50a8780f1c0b3a0e5f42b672a

  • SHA256

    a89c50af8a2a4d8061031f966d5b4237b0c7e52851a30a115e76df0e7dc917d5

  • SHA512

    dfa0718aa4eb54c07aad488b1b911214d66caf5ac60666fbd4941f8f83c45832097987aed4cada6bed4e4a4005ea8aed74bf09441fc116d5ebb2113bc3e55a3b

  • SSDEEP

    98304:wwskdTAKH/apxtB9OwDcMbW4ys/ojSiNqnAuzb+kSf:wwVx/aDtHex6lnAMlS

Malware Config

Signatures

  • Hydra

    Android banker and info stealer.

  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Loads dropped Dex/Jar 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Reads information about phone network operator.

Processes

  • com.ryzrsjmu.umppsnu
    1⤵
    • Makes use of the framework's Accessibility service
    • Loads dropped Dex/Jar
    PID:4627

Network

  • US
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.178.14
  • US
    DNS
    gist.githubusercontent.com
    Remote address:
    1.1.1.1:53
    Request
    gist.githubusercontent.com
    IN A
    Response
    gist.githubusercontent.com
    IN A
    185.199.111.133
    gist.githubusercontent.com
    IN A
    185.199.109.133
    gist.githubusercontent.com
    IN A
    185.199.108.133
    gist.githubusercontent.com
    IN A
    185.199.110.133
  • US
    GET
    https://gist.githubusercontent.com/raheemsterling444/ab254eca6a406ca073747b7b40e0c5fd/raw/helloworld.json
    Remote address:
    185.199.111.133:443
    Request
    GET /raheemsterling444/ab254eca6a406ca073747b7b40e0c5fd/raw/helloworld.json HTTP/1.1
    Authorization: 99f0249c171f2fa0
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: gist.githubusercontent.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 404 Not Found
    Connection: keep-alive
    Content-Length: 14
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    Content-Type: text/plain; charset=utf-8
    X-GitHub-Request-Id: 41DA:3E141D:530F13B:5676E43:65C0CAC9
    Accept-Ranges: bytes
    Date: Mon, 05 Feb 2024 11:47:26 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lhr7343-LHR
    X-Cache: MISS
    X-Cache-Hits: 0
    X-Timer: S1707133646.371901,VS0,VE132
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 0fcecc39fe6bfec3dc413118014c3b54ed099512
    Expires: Mon, 05 Feb 2024 11:52:26 GMT
    Source-Age: 0
  • US
    DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    142.250.200.40
  • US
    DNS
    ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • US
    GET
    http://ip-api.com/json
    Remote address:
    208.95.112.1:80
    Request
    GET /json HTTP/1.1
    Authorization: 99f0249c171f2fa0
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ip-api.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Date: Mon, 05 Feb 2024 11:47:36 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 313
    Access-Control-Allow-Origin: *
    X-Ttl: 57
    X-Rl: 43
  • 142.250.178.14:443
    tls, https
    1.5kB
    40 B
    1
    1
  • 142.250.178.14:443
    android.apis.google.com
    tls
    4.8kB
    8.1kB
    21
    19
  • 185.199.111.133:443
    https://gist.githubusercontent.com/raheemsterling444/ab254eca6a406ca073747b7b40e0c5fd/raw/helloworld.json
    tls, http
    1.5kB
    5.8kB
    12
    12

    HTTP Request

    GET https://gist.githubusercontent.com/raheemsterling444/ab254eca6a406ca073747b7b40e0c5fd/raw/helloworld.json

    HTTP Response

    404
  • 142.250.200.40:443
    ssl.google-analytics.com
    tls
    1.3kB
    5.9kB
    8
    9
  • 208.95.112.1:80
    http://ip-api.com/json
    http
    412 B
    622 B
    4
    3

    HTTP Request

    GET http://ip-api.com/json

    HTTP Response

    200
  • 142.250.187.196:443
    tls, https
    922 B
    40 B
    2
    1
  • 142.250.187.196:443
    www.google.com
    tls
    11.4kB
    12.6kB
    32
    37
  • 224.0.0.251:5353
    3.7kB
    11
  • 216.58.204.74:443
    https
    51 B
    50 B
    1
    1
  • 142.250.200.14:443
    https
    51 B
    50 B
    1
    1
  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.178.14

  • 1.1.1.1:53
    gist.githubusercontent.com
    dns
    72 B
    136 B
    1
    1

    DNS Request

    gist.githubusercontent.com

    DNS Response

    185.199.111.133
    185.199.109.133
    185.199.108.133
    185.199.110.133

  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
    86 B
    1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    142.250.200.40

  • 1.1.1.1:53
    ip-api.com
    dns
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

MITRE ATT&CK Matrix


Downloads

  • /data/user/0/com.ryzrsjmu.umppsnu/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    902KB

    MD5

    f39c9cd89641b4f65d267bfbfaf30b9f

    SHA1

    81c5a75624a54f321cb6cb104f50b69f96f6cc92

    SHA256

    dc2aa758b72917de84a28e0d534c6e22953f3175e47e3fae14ad555cbc22e56a

    SHA512

    f9928f76f1eb9df75f28f32c156908c576edd84fb5ed0e9c607c9fdd169db507ddb08935a4a3ed34e1d011908eb620a2c234535b29a87cd39b23ad519f8be9c9

  • /data/user/0/com.ryzrsjmu.umppsnu/code_cache/secondary-dexes/tmp-base.apk.classes6139371591515794866.zip

    Filesize

    378KB

    MD5

    d6b7a9ba3172ee634cffffedcbabb071

    SHA1

    8971ad4ca5af436c4ce4b1e857f509dbf72a668d

    SHA256

    6356ec826febe313021bff4586739462c346eac9d034c5f983c93e1da7fa811d

    SHA512

    0419efb856713a3a0abcf19ae12139419a9ee537c141837e0019028e1b36233ef5e0485d395f28c0b4b94206d9f427b19be303a98877df257f31dde5703e20e4
