Malware Analysis Report

2024-10-19 12:01

Sample ID 241012-1x2wxsxhjr
Target f814b6716eaecf680e3f905c7670a96954774606d5be1c2d3fc051636f65e04d.bin
SHA256 f814b6716eaecf680e3f905c7670a96954774606d5be1c2d3fc051636f65e04d
Tags: hydra banker collection credential_access discovery evasion infostealer persistence trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: f814b6716eaecf680e3f905c7670a96954774606d5be1c2d3fc051636f65e04d

Threat Level: Known bad

The file f814b6716eaecf680e3f905c7670a96954774606d5be1c2d3fc051636f65e04d.bin was found to be: Known bad.

Malicious Activity Summary

Tags: hydra banker collection credential_access discovery evasion infostealer persistence trojan

Hydra

Hydra payload

Makes use of the framework's Accessibility service

Reads the contacts stored on the device.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator.

Looks up external IP address via web service

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Attempts to obfuscate APK file format

Declares services with permission to bind to the system

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Analysis: static1

Detonation Overview

Reported: 2024-10-12 22:02

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-12 22:02

Reported: 2024-10-12 22:05

Platform: android-x86-arm-20240910-en

Max time kernel: 149s

Max time network: 155s

Command Line

com.wrvtxgtyw.smummwdba

Signatures

Hydra

Tags: banker trojan infostealer hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Tags: evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.wrvtxgtyw.smummwdba/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.wrvtxgtyw.smummwdba/app_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker discovery

Reads the contacts stored on the device.

Tags: collection

Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

Tags: evasion

Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.wrvtxgtyw.smummwdba

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
GB | 216.58.213.10:443 | | tcp
US | 1.1.1.1:53 | taniyemezdoledked21.com | udp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
GB | 142.250.200.2:443 | | tcp

Files

/data/data/com.wrvtxgtyw.smummwdba/cache/classes.zip

MD5 4890922ecde189d6686c1e3c50fa37e0
SHA1 4364f994f0f90e68e4450a01be0ac1b4fe9fd306
SHA256 5ae390c8de96ab86e363dd250c55223e92760bb5f6fd54b1d3b1fdb1ce17ff88
SHA512 21fba657e721c8283141d111e66ea7941105e29cc5042f93135b90c0c3849df617ec6a71e6ec025fcef89a8b4849ebc0a2faf666c0a53fe97f8d10fa2affcf3c

/data/data/com.wrvtxgtyw.smummwdba/cache/classes.dex

MD5 0ea51d3dc91a966d6c9a2e311ad47e9b
SHA1 f9ac13d2acdd6073ad94bfcc5d34095f30f200f2
SHA256 83619b12444677c6ea30ae0dea665b56f982139d2c53c1397f149e09e2b15dbc
SHA512 8f069b2785cfeb76878782c719969d9b19350360f1095886195906487a3e7c7d6abe946c8ff773b727af367c33849fdd07b28eacd90573680c9417d662185cc9

/data/data/com.wrvtxgtyw.smummwdba/app_dex/classes.dex

MD5 bc2ffcc90c77b5e669be3051afa3ad98
SHA1 cd451b97de257c43ee7ca3b78a3d3ef62003baf2
SHA256 ebea12e284a0209754ac3ad54db9f97296e1d8fc84d4f56ea1230e31520d9cc8
SHA512 00a27ef1399b7efd333cca7fcd17b2eb49f67b8adb0bebba54c4ecf9164a619258bd417579a4f7a86fc7d74f6881d1324a9a68fc28cbc5380a31a1a618d6df59

/data/data/com.wrvtxgtyw.smummwdba/app_apk/payload.apk

MD5 3baeaa766ea7f31a9147208efd957c75
SHA1 c701de3d0e55425394ccbf8e0967639e86f3c54e
SHA256 75e162dc291e15d13b0f3202a66e0c88ff2db09ec02922ee64818dbddcb78d6d
SHA512 9f3ccb1fc9a177524ba2d39f809be4851af385073463893bd4a8664308253fc0da2b9ab330c85675dbe9ce0c44b631a0d1ec7800491687c7b2540504b351295f

/data/data/com.wrvtxgtyw.smummwdba/cache/ysmxkT7LLpJMxKuMLBdf8J558FGRRUSqFTnCdI5B.zip

MD5 3fecb8a5828fe074f90663f62ede7d4a
SHA1 558ec382bd9d406388a3216eeee8fc08a12f8387
SHA256 4f7f7f720436488ffe88e7d455327c0ccf7bf61dab7f8c18b5c58af7981da3f5
SHA512 3946067e28483687a98c4a329869ffc336be01a51f79f6e04ea85fe13d8d37a0a9df4fd037229a2e97b344ba5b3752978797bda527850f5f6e667847ffc52c40

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-12 22:02

Reported: 2024-10-12 22:05

Platform: android-x64-20240624-en

Max time kernel: 148s

Max time network: 160s

Command Line

com.wrvtxgtyw.smummwdba

Signatures

Hydra

Tags: banker trojan infostealer hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Tags: evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.wrvtxgtyw.smummwdba/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.wrvtxgtyw.smummwdba/app_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker discovery

Reads the contacts stored on the device.

Tags: collection

Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

Tags: evasion

Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.wrvtxgtyw.smummwdba

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | taniyemezdoledked21.com | udp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp

Files

/data/data/com.wrvtxgtyw.smummwdba/cache/classes.zip

MD5 4890922ecde189d6686c1e3c50fa37e0
SHA1 4364f994f0f90e68e4450a01be0ac1b4fe9fd306
SHA256 5ae390c8de96ab86e363dd250c55223e92760bb5f6fd54b1d3b1fdb1ce17ff88
SHA512 21fba657e721c8283141d111e66ea7941105e29cc5042f93135b90c0c3849df617ec6a71e6ec025fcef89a8b4849ebc0a2faf666c0a53fe97f8d10fa2affcf3c

/data/data/com.wrvtxgtyw.smummwdba/cache/classes.dex

MD5 0ea51d3dc91a966d6c9a2e311ad47e9b
SHA1 f9ac13d2acdd6073ad94bfcc5d34095f30f200f2
SHA256 83619b12444677c6ea30ae0dea665b56f982139d2c53c1397f149e09e2b15dbc
SHA512 8f069b2785cfeb76878782c719969d9b19350360f1095886195906487a3e7c7d6abe946c8ff773b727af367c33849fdd07b28eacd90573680c9417d662185cc9

/data/data/com.wrvtxgtyw.smummwdba/app_dex/classes.dex

MD5 bc2ffcc90c77b5e669be3051afa3ad98
SHA1 cd451b97de257c43ee7ca3b78a3d3ef62003baf2
SHA256 ebea12e284a0209754ac3ad54db9f97296e1d8fc84d4f56ea1230e31520d9cc8
SHA512 00a27ef1399b7efd333cca7fcd17b2eb49f67b8adb0bebba54c4ecf9164a619258bd417579a4f7a86fc7d74f6881d1324a9a68fc28cbc5380a31a1a618d6df59

/data/data/com.wrvtxgtyw.smummwdba/app_apk/payload.apk

MD5 3baeaa766ea7f31a9147208efd957c75
SHA1 c701de3d0e55425394ccbf8e0967639e86f3c54e
SHA256 75e162dc291e15d13b0f3202a66e0c88ff2db09ec02922ee64818dbddcb78d6d
SHA512 9f3ccb1fc9a177524ba2d39f809be4851af385073463893bd4a8664308253fc0da2b9ab330c85675dbe9ce0c44b631a0d1ec7800491687c7b2540504b351295f

/data/data/com.wrvtxgtyw.smummwdba/cache/ysmxkT7LLpJMxKuMLBdf8J558FGRRUSqFTnCdI5B.zip

MD5 0becc8f86fefc1f07d4527a3fa82813b
SHA1 076bb5553fe81702c28651a7e9729ca8c60be9b3
SHA256 acd2251ad8b6b4c5956112e794e0c79af67ffe405455e8c0954358374c771e2b
SHA512 fcf3828c685615e5233b34b4be3adfa68c8b3a3200b7ebdfbe349df3adae695b1c2e6ae8b0a7576f33d0d58bbd300bfbc3778e5ca950eca7bf801819c2924721

Analysis: behavioral3

Detonation Overview

Submitted: 2024-10-12 22:02

Reported: 2024-10-12 22:05

Platform: android-x64-arm64-20240910-en

Max time kernel: 148s

Max time network: 162s

Command Line

com.wrvtxgtyw.smummwdba

Signatures

Hydra

Tags: banker trojan infostealer hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Tags: evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.wrvtxgtyw.smummwdba/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.wrvtxgtyw.smummwdba/app_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker discovery

Reads the contacts stored on the device.

Tags: collection

Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

Tags: evasion

Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

Tags: discovery

Processes

com.wrvtxgtyw.smummwdba

Network

Country | Destination | Domain | Proto
US | 216.239.36.223:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 142.250.187.206:443 | www.youtube.com | tcp
GB | 172.217.169.46:443 | www.youtube.com | tcp
US | 1.1.1.1:53 | taniyemezdoledked21.com | udp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
GB | 142.250.187.225:443 | | tcp
GB | 142.250.179.225:443 | | tcp
US | 216.239.32.223:443 | | tcp
US | 216.239.32.223:443 | | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp

Files

/data/data/com.wrvtxgtyw.smummwdba/cache/classes.zip

MD5 4890922ecde189d6686c1e3c50fa37e0
SHA1 4364f994f0f90e68e4450a01be0ac1b4fe9fd306
SHA256 5ae390c8de96ab86e363dd250c55223e92760bb5f6fd54b1d3b1fdb1ce17ff88
SHA512 21fba657e721c8283141d111e66ea7941105e29cc5042f93135b90c0c3849df617ec6a71e6ec025fcef89a8b4849ebc0a2faf666c0a53fe97f8d10fa2affcf3c

/data/data/com.wrvtxgtyw.smummwdba/cache/classes.dex

MD5 0ea51d3dc91a966d6c9a2e311ad47e9b
SHA1 f9ac13d2acdd6073ad94bfcc5d34095f30f200f2
SHA256 83619b12444677c6ea30ae0dea665b56f982139d2c53c1397f149e09e2b15dbc
SHA512 8f069b2785cfeb76878782c719969d9b19350360f1095886195906487a3e7c7d6abe946c8ff773b727af367c33849fdd07b28eacd90573680c9417d662185cc9

/data/data/com.wrvtxgtyw.smummwdba/app_dex/classes.dex

MD5 bc2ffcc90c77b5e669be3051afa3ad98
SHA1 cd451b97de257c43ee7ca3b78a3d3ef62003baf2
SHA256 ebea12e284a0209754ac3ad54db9f97296e1d8fc84d4f56ea1230e31520d9cc8
SHA512 00a27ef1399b7efd333cca7fcd17b2eb49f67b8adb0bebba54c4ecf9164a619258bd417579a4f7a86fc7d74f6881d1324a9a68fc28cbc5380a31a1a618d6df59

/data/data/com.wrvtxgtyw.smummwdba/app_apk/payload.apk

MD5 3baeaa766ea7f31a9147208efd957c75
SHA1 c701de3d0e55425394ccbf8e0967639e86f3c54e
SHA256 75e162dc291e15d13b0f3202a66e0c88ff2db09ec02922ee64818dbddcb78d6d
SHA512 9f3ccb1fc9a177524ba2d39f809be4851af385073463893bd4a8664308253fc0da2b9ab330c85675dbe9ce0c44b631a0d1ec7800491687c7b2540504b351295f

/data/data/com.wrvtxgtyw.smummwdba/cache/ysmxkT7LLpJMxKuMLBdf8J558FGRRUSqFTnCdI5B.zip

MD5 e2dba3a80be5fc266acee23a86c30a30
SHA1 83dc2ca0e9f6524893294baabf427ffe20fd94a8
SHA256 bbc3e4df7858c9243c62a3dff4f8b1bdd302e2a8d641f44da9cb008ebd85ccff
SHA512 e962abf4894095a2ac45a7262d47b9e85026e79e33d7be81737cb41723032b8fcc2dd665fa7ee0661a1708f777f46f9971d0d5dcdd6caab2fa9edf933dfb9d7f