General

  • Target

    ae2c9f1bf54bdb91f637e97ab55ebdb351db90bfe8a1dd562d306fd8f2b64829.bin [MConverter.eu].apk

  • Size

    4.2MB

  • Sample

    241104-r1411s1elg

  • MD5

    756ba52ca12d1b164d2e7c61132a572e

  • SHA1

    0fb696d51f76345fdc14878ed275d2fae82d8883

  • SHA256

    ae2c9f1bf54bdb91f637e97ab55ebdb351db90bfe8a1dd562d306fd8f2b64829

  • SHA512

    0188371806960da89d96606358817a5e03b4360b1906a309de501517ad0f73fc1b63381c4c50ecd6cfcaeccbbd65f92c6af4eb2f0fbb39e9a84308050e7ca162

  • SSDEEP

    98304:vJXolE4qHSm50lf4BRvOHGq+IDTNIZjKD+tIvxR3W:q8Sq6f4BRvOHbCjnIvxg

Malware Config

Extracted

Family

hydra

C2

http://seferasofirezdoles.xyz

Targets

    • Hydra

      Android banker and info stealer.

    • Hydra family

    • Hydra payload

    • Removes its main activity from the application launcher

    • Loads dropped Dex/Jar

      Runs an executable file dropped onto the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Reads the contacts stored on the device.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent its removal.

    • Queries information about active data network

    • Queries the mobile country code (MCC)

    • Reads information about phone network operator.

    • Requests accessing notifications (often used to intercept notifications before users become aware).

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Requests modifying system settings.

MITRE ATT&CK Mobile v15

Tasks