Overview

overview

10

Static

static

6

cf61fabe36...fb.apk

android-9-x86

10

cf61fabe36...fb.apk

android-10-x64

10

cf61fabe36...fb.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    21-10-2024 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cf61fabe36b8e414e9a68e45527e59f479febbb5a5063c5615b0ee7e264cf9fb.apk

  • Size

    4.4MB

  • MD5

    08c28b133e548fb3635ab74076e565a5

  • SHA1

    f04f1e62ae4bf2af4d976d25946abe1e242740ce

  • SHA256

    cf61fabe36b8e414e9a68e45527e59f479febbb5a5063c5615b0ee7e264cf9fb

  • SHA512

    6419d3a571a60fd19452e0420b00da0d309add7f46c9fe0a865dbfd654e9c0cc0c2db1d300a1b38f84b69ce5efd4621ad073ccd16f79fbceab49382c7f76099f

  • SSDEEP

    98304:veaIDq984A4UaWIgJ4Bltvf3TENVZVwMa2gECLj060LeJuPvgNaQtyMT35u4snJt:FIGzA4OIgJ4BltnwbZLa2VCLOLeJungm

Score
10/10
hydrabankercollectioncredential_accessdiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

hydra

C2

http://haluksamu.com

DES_key

Signatures

  • Hydra

    Android banker and info stealer.

    bankertrojaninfostealerhydra
  • Hydra payload 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence

Processes

  • com.xqdslasfp.dhfldpzsi
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4396
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.xqdslasfp.dhfldpzsi/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.xqdslasfp.dhfldpzsi/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4423

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.xqdslasfp.dhfldpzsi/app_dex/classes.dex
    Filesize

    2.7MB

    MD5

    d5e3a97540633d2500dd849b9e4f5166

    SHA1

    bb82f98ec463a77f1b355464fd3f14038c355d49

    SHA256

    7305fddee36ce521c99c1bed73c4c951e5f18b2a1629441f865d6c94effa8786

    SHA512

    7244fcfd47b737e9b3bb926c552cdd4fdc5432f1f4b4554f0937cfabbdec671043c674bf5735a4bb72b67e9505e11b553257261a0813359436e73dbe191f4717

    Download Submit

  • /data/data/com.xqdslasfp.dhfldpzsi/cache/classes.dex
    Filesize

    1.3MB

    MD5

    f6961af86b8e684183b14d7449065e24

    SHA1

    f91ecdbd68493762b3e970ab5c01886a2f331f4c

    SHA256

    12a5d10fcd276aa0eba7788ee20e8a58ffb0f903d52d17e31b4d3edb32a43d17

    SHA512

    347f96d105670b93ba59447ca832f229ba4cf7d2a098892e5444d792634d501a97d6314a413f787edc8bac36bf19521ef5096be952355bb9de2c8c222cba6f23

    Download Submit

  • /data/data/com.xqdslasfp.dhfldpzsi/cache/classes.zip
    Filesize

    1.3MB

    MD5

    3cf9313c5ed85ddfc36b44517a768bea

    SHA1

    c27c6843b565fe1c2a3179ecac83647f3fd1f1ba

    SHA256

    491988d6d5149aaed121d89b4ec6feddbc090c26c42b8e35e9582ef5dfa8d068

    SHA512

    585e110e408e196a6fe8e65f1d9a752db21620ea1b0f362426e9696d6cd6afb6b516f0e958fa4b51741cfa01faf05fb4749c9489dbfad21c1e386da8db1be27b

    Download Submit

  • /data/user/0/com.xqdslasfp.dhfldpzsi/app_dex/classes.dex
    Filesize

    2.7MB

    MD5

    601dd5a8c8b10c9deafaac5513053a02

    SHA1

    0d9c4ecb6351228a10bb5378ea03b1ab9c50c02a

    SHA256

    0fae2f0726878dc53e1ca72ce73d97fb65bfa89dc87969739a79f193bbbadb5d

    SHA512

    d01459fbaa0628b20a8287ffe593966d8e1635be06dd9510029282ef2382b294e054287ee2c439570208e0563d5f42b6cb69e1615a3db2b46d0911b33f200766

    Download Submit