Overview

overview

10

Static

static

6

3cbb781b86...cd.apk

android-9-x86

10

3cbb781b86...cd.apk

android-10-x64

10

3cbb781b86...cd.apk

android-11-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    145s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    19-10-2024 22:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3cbb781b869982c73980cea6e96aa18f9d1f4aaee96ced38291c2481adb44ccd.apk

  • Size

    5.0MB

  • MD5

    b5f231d6028f434a98ca31b81d4ee6b5

  • SHA1

    b23cf7c3c7a04973a428f8ec6a052fc62143888b

  • SHA256

    3cbb781b869982c73980cea6e96aa18f9d1f4aaee96ced38291c2481adb44ccd

  • SHA512

    668aa7274ba674e612317f69dae427df881d4c9c140996e8d7f89e7c3efb66ccd133748f9b4558c15a1c0ebe093fde91d107e013baa2a405f6d0f4af03339dae

  • SSDEEP

    98304:k/Ix+SSeBexGm/KaOTgWRluKG+pkG0kjW+GTrWeNS:hx+SCxGmiVluKxbW+GGMS

Score
10/10
hydrabankercollectioncredential_accessdiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

hydra

C2

http://darisamu.com

DES_key

Signatures

  • Hydra

    Android banker and info stealer.

    bankertrojaninfostealerhydra
  • Hydra payload 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence

Processes

  • com.dktizxcuq.gqvxiovlz
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4413
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.dktizxcuq.gqvxiovlz/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.dktizxcuq.gqvxiovlz/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4437

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.dktizxcuq.gqvxiovlz/app_dex/classes.dex
    Filesize

    2.7MB

    MD5

    b842340384fdaba5fc4fa449a067ae74

    SHA1

    2e907af7ce9a9d5a53e94d4896986a6f67c6547e

    SHA256

    c248c6c6d448acf41f5add78f60331f2da35d99da16a91e7823e987ac96ae021

    SHA512

    06240971af8c1278afbe34422fc0a9661e8cdc8702de085852b5334d0fb0ee06f73c3e13d629ca710c4a9b1ba294904a0cc0b247647254c18e879fb83c4040b2

    Download Submit

  • /data/data/com.dktizxcuq.gqvxiovlz/cache/classes.dex
    Filesize

    1.3MB

    MD5

    4a1f765647cb43bcef0142791ae65e13

    SHA1

    b271d78bb961b80851feec8a5859fa006e825cff

    SHA256

    f68ff420181d0d21da343020d1de80dff5c286774350b9eba4f657acd0129da0

    SHA512

    6bfe262e2a4e629f815cfba67fbac0344b553f5d9530def46f46153e4e296e79cef11a6084549b3575de1da38cd33ba09e65eca7b5c616eeb66df01da6080966

    Download Submit

  • /data/data/com.dktizxcuq.gqvxiovlz/cache/classes.zip
    Filesize

    1.3MB

    MD5

    99abf5f2e169ff57c596463df750e084

    SHA1

    c60e39f9c1cd16dbd678c0c95f6a12e3e01f2fc4

    SHA256

    314263c5eaba7a258673867e37b279d13edbf5bda17a5d69c144d8ccd2f8f9cf

    SHA512

    deeec669f7547abf123fdd3d5b57a2d0bf810abd761ac0d9ce1c6538dc546dec3f69cdf7c23c66e28910c2e5550faad3e866efd19ac224c725a49ac6a4aa8483

    Download Submit

  • /data/user/0/com.dktizxcuq.gqvxiovlz/app_dex/classes.dex
    Filesize

    2.7MB

    MD5

    cab6e2fa0e216b4c38794d7ff015b7f1

    SHA1

    c895a0f91116bb2520b349c5393ab5aa21206197

    SHA256

    da7fd3378229f063887cc33b91ee8c6f6ee2ad8b1f27b3a8a46f579e90bcb382

    SHA512

    c94c79d2ccb51ec8270c750c6d619767ca1c4500c219f292bb94566bedfda86f8e89568587f85a166499785698bc711f2259d52ccb24a40492ad8a7ff3fa6922

    Download Submit