Analysis

  • max time kernel
    49s
  • max time network
    58s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240624-en
  • resource tags

    android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system
  • submitted
    08-08-2024 18:26

General

  • Target

    VIRUSS.apk

  • Size

    3.9MB

  • MD5

    390fd73da69bf2ab9c6482e1021b5fcc

  • SHA1

    97d64248009a2c7ff2b14329177af40b99365096

  • SHA256

    806d430ab6c6d78d26061a2d837e8236a45994acd43d6e623495391dd8bc0df8

  • SHA512

    34fb32899bf78512c4d05538963eed2b2a6a742211bf0a3ff2c8faf946f543499de8e14b457fe00953ebde69d73f286ee2a44c7f0187f7ef89cc53e006347e97

  • SSDEEP

    98304:9xQVlf5YcCWEjgQxJNEKVPl+1SPuCHienhIg15bd6gNxEMHszD0X9:DQVxG9RBV93rCafkIsz+9

Malware Config

Extracted

Family

hydra

C2

http://91.215.85.182

Signatures

  • Hydra

    Android banker and info stealer.

  • Hydra payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs an executable file dropped onto the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs

Processes

  • com.sujctyjtq.vkvcjdzky
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    PID:4339

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/com.sujctyjtq.vkvcjdzky/app_app_dex/voqoopl.ngw

    Filesize

    2.7MB

    MD5

    d460095c25bb466cb85387e94340e035

    SHA1

    bdfbfda33a19cff130dc03be76d1c8e0adfaadb4

    SHA256

    05645a44ba4aa8c9b7124ad91c44f3bb355fde79a26b8dbdd7e4bc3e6e04cd13

    SHA512

    a9b70fc2410a015dc93273f087457b479a7e7d5bd5d62dcf8a5df5ffc3c40a54e73bc4bf3725bdb5f0a23b4a73a51f35f9159b848a96e0602227142e45ecd3d8

  • /data/user/0/com.sujctyjtq.vkvcjdzky/files/nicgiv.rfu

    Filesize

    22B

    MD5

    76cdb2bad9582d23c1f6f4d868218d6c

    SHA1

    b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

    SHA256

    8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

    SHA512

    5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f