Malware Analysis Report

2024-10-19 12:04

Sample ID 240730-1xrqys1flk
Target d1bffe037087229a3ee86d4ab6a5f9e8f9de9c97b062055dcc09e95a0a63d7a7.bin
SHA256 d1bffe037087229a3ee86d4ab6a5f9e8f9de9c97b062055dcc09e95a0a63d7a7
Tags: hydra banker collection credential_access discovery evasion infostealer persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: d1bffe037087229a3ee86d4ab6a5f9e8f9de9c97b062055dcc09e95a0a63d7a7

Threat Level: Known bad

The file d1bffe037087229a3ee86d4ab6a5f9e8f9de9c97b062055dcc09e95a0a63d7a7.bin was found to be: Known bad.

Malicious Activity Summary

hydra banker collection credential_access discovery evasion infostealer persistence trojan

Hydra

Hydra payload

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Looks up external IP address via web service

Queries the mobile country code (MCC)

Reads information about phone network operator

Declares services with permission to bind to the system

Requests dangerous framework permissions

Queries information about active data network

Declares broadcast receivers with permission to handle system events

Registers a broadcast receiver at runtime (usually for listening for system events)

Analysis: static1

Detonation Overview

Reported: 2024-07-30 22:02

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-30 22:02
Reported: 2024-07-30 22:09
Platform: android-x64-20240624-en
Max time kernel: 179s
Max time network: 137s

Command Line

peace.close.visit

Signatures

Hydra

Tags: banker trojan infostealer hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Tags: evasion

Description | Indicator | Process | Target
N/A | /data/user/0/peace.close.visit/app_DynamicOptDex/coiC.json | N/A | N/A
N/A | /data/user/0/peace.close.visit/app_DynamicOptDex/coiC.json | N/A | N/A

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Queries information about active data network

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

peace.close.visit

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 1.1.1.1:53 | gist.githubusercontent.com | udp
US | 185.199.111.133:443 | gist.githubusercontent.com | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp

Files

/data/data/peace.close.visit/app_DynamicOptDex/coiC.json

MD5 74ff72f8e4bcb5900c2a77b23de3ac08
SHA1 1831e0eb53a220944e34887750e80ef15f712fbd
SHA256 a4264e05a0e7d5706f172e4e147ba67554746afe777ccbba42f704c568ee57e4
SHA512 1df2abd8bf4592973c1ec684f1abf346fb58fdf5fb1cb74034bf8917474c6eb763d52615f6c76a8aa0230d43012744c4370513e5be2b07b50296d0f22c0a2422

/data/data/peace.close.visit/app_DynamicOptDex/coiC.json

MD5 7495823ba52181d27f45f06d201af7a5
SHA1 5289daca409d49f3b2978fd74797f595eef34021
SHA256 ed5ab4f6f745d018831406077343ce16f52a15f171e69d6c33392e207b10620c
SHA512 f8c06ffda50f7c4b3dda241818808cad082f4ec77b985dad483a78d56630bd1dcdee45412a4069bac3d2434707bcb243e9998c2fb558c46af226310a9a8cbc33

/data/data/peace.close.visit/app_DynamicOptDex/oat/coiC.json.cur.prof

MD5 3a2bf16ab01f351598dd1d2aafed1e75
SHA1 b02aea3e066d1c7a441bfb30b4120549f003c406
SHA256 d7e7eb747379b7d1eb6f4aa156584b4bbd9bddc9a379e907e1ffa271e2fffd9c
SHA512 e9f6fdf4b2462b35bcdda5f1954bf683b6f03cc73cb291c30916c8ba956ec76f769041214840182aaba63a3404685b7d8e944e046fd85db9113e67b86522b7fe

Analysis: behavioral3

Detonation Overview

Submitted: 2024-07-30 22:02
Reported: 2024-07-30 22:10
Platform: android-x64-arm64-20240624-en
Max time kernel: 179s
Max time network: 136s

Command Line

peace.close.visit

Signatures

Hydra

Tags: banker trojan infostealer hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Tags: evasion

Description | Indicator | Process | Target
N/A | /data/user/0/peace.close.visit/app_DynamicOptDex/coiC.json | N/A | N/A
N/A | /data/user/0/peace.close.visit/app_DynamicOptDex/coiC.json | N/A | N/A

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Queries information about active data network

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

Tags: discovery

Processes

peace.close.visit

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.179.238:443 | | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 1.1.1.1:53 | gist.githubusercontent.com | udp
US | 185.199.110.133:443 | gist.githubusercontent.com | tcp
GB | 142.250.187.196:443 | | tcp
GB | 142.250.187.196:443 | | tcp

Files

/data/user/0/peace.close.visit/app_DynamicOptDex/coiC.json

MD5 74ff72f8e4bcb5900c2a77b23de3ac08
SHA1 1831e0eb53a220944e34887750e80ef15f712fbd
SHA256 a4264e05a0e7d5706f172e4e147ba67554746afe777ccbba42f704c568ee57e4
SHA512 1df2abd8bf4592973c1ec684f1abf346fb58fdf5fb1cb74034bf8917474c6eb763d52615f6c76a8aa0230d43012744c4370513e5be2b07b50296d0f22c0a2422

/data/user/0/peace.close.visit/app_DynamicOptDex/coiC.json

MD5 7495823ba52181d27f45f06d201af7a5
SHA1 5289daca409d49f3b2978fd74797f595eef34021
SHA256 ed5ab4f6f745d018831406077343ce16f52a15f171e69d6c33392e207b10620c
SHA512 f8c06ffda50f7c4b3dda241818808cad082f4ec77b985dad483a78d56630bd1dcdee45412a4069bac3d2434707bcb243e9998c2fb558c46af226310a9a8cbc33

/data/user/0/peace.close.visit/app_DynamicOptDex/oat/coiC.json.cur.prof

MD5 84e9c2ec91d9e82e3bbb589018af220e
SHA1 cff9e09c2f3a067afb40c2afc3670f520b7fcdef
SHA256 917fdca1828d10e85c4c5aaeacdc0c260b66646537e8dd8c79c56b71c509b323
SHA512 e8abf05f7716f85fc7c795a2e602efe810d0c1528658e34dd2fad8a7a2d682c26c0d657447df8d6033f1d8b315302fbc152d7550b856b9ee0c825d0614e4466b

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-30 22:02
Reported: 2024-07-30 22:13
Platform: android-x86-arm-20240624-en
Max time kernel: 179s
Max time network: 133s

Command Line

peace.close.visit

Signatures

Hydra

Tags: banker trojan infostealer hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Tags: evasion

Description | Indicator | Process | Target
N/A | /data/user/0/peace.close.visit/app_DynamicOptDex/coiC.json | N/A | N/A
N/A | /data/user/0/peace.close.visit/app_DynamicOptDex/coiC.json | N/A | N/A
N/A | /data/user/0/peace.close.visit/app_DynamicOptDex/coiC.json | N/A | N/A

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Queries information about active data network

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

peace.close.visit

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/peace.close.visit/app_DynamicOptDex/coiC.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/peace.close.visit/app_DynamicOptDex/oat/x86/coiC.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.213.10:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 1.1.1.1:53 | gist.githubusercontent.com | udp
US | 185.199.109.133:443 | gist.githubusercontent.com | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.46:443 | android.apis.google.com | tcp
GB | 216.58.213.10:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/peace.close.visit/app_DynamicOptDex/coiC.json

MD5 74ff72f8e4bcb5900c2a77b23de3ac08
SHA1 1831e0eb53a220944e34887750e80ef15f712fbd
SHA256 a4264e05a0e7d5706f172e4e147ba67554746afe777ccbba42f704c568ee57e4
SHA512 1df2abd8bf4592973c1ec684f1abf346fb58fdf5fb1cb74034bf8917474c6eb763d52615f6c76a8aa0230d43012744c4370513e5be2b07b50296d0f22c0a2422

/data/data/peace.close.visit/app_DynamicOptDex/coiC.json

MD5 7495823ba52181d27f45f06d201af7a5
SHA1 5289daca409d49f3b2978fd74797f595eef34021
SHA256 ed5ab4f6f745d018831406077343ce16f52a15f171e69d6c33392e207b10620c
SHA512 f8c06ffda50f7c4b3dda241818808cad082f4ec77b985dad483a78d56630bd1dcdee45412a4069bac3d2434707bcb243e9998c2fb558c46af226310a9a8cbc33

/data/user/0/peace.close.visit/app_DynamicOptDex/coiC.json

MD5 052f1acfae80a88950f31597f4a9bef3
SHA1 a2fe90ec0b675b87c45d7d1976946c7384002861
SHA256 b0ffe7f488447cec35909b8f70756f8fd2c69b012e1251e9ce848a280c8b84e1
SHA512 042364ff97da1950b80d4b395b826c945cb7e5299be1764059411547a193d989a1aae66edbe10d339a8a7821ab8f50c61d560257b2ce5194dceaf12559ac6158

/data/data/peace.close.visit/app_DynamicOptDex/oat/coiC.json.cur.prof

MD5 2857e33c32289395d1882c5626f23c92
SHA1 0437eae6e243c844f2219df6a491f10bbf7e677f
SHA256 fde36dcdb878f5de2a8d11e53359cb42db0a84e5ca16a5a4f5e4f1b88de43ffb
SHA512 67f1ab0936b15abeb94966a463b0af3ef6e58e1a186d64479cd724f1259f6644e064e9e317fe14a5f0a552efa7ee4fba941e7e34031a0428797122976a0cfc5a

/data/data/peace.close.visit/app_DynamicOptDex/oat/coiC.json.cur.prof

MD5 33b3a8ea4ccd4dc380f9863245e1eee7
SHA1 47eb1b4594bb3a30b20cc648288f2ab1ae7b3c1d
SHA256 d21a7fde1e3d92e324abb739f550fc004a7a320405fe302fb23bc94ef2c53d16
SHA512 10ea0ef3f5e3322f673578137f901e217c14ea39e7ea644a2ec28344f095fd71667303cf0ec0ca60f96e881d033ba76be57ff10d769ff3c460b963ed78ba9a52