hydra | d41725d0d60a7586443234c6dd447f154cac159f455e37dea7dbd0e07da23c69

Analysis

max time kernel
149s
max time network
156s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
10-11-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d41725d0d60a7586443234c6dd447f154cac159f455e37dea7dbd0e07da23c69.apk
Size

1.4MB
MD5

658d3b933f26ef854e62691a95c6a3b7
SHA1

ec0ec609cc057e663acb7c73858f26da7bc6d516
SHA256

d41725d0d60a7586443234c6dd447f154cac159f455e37dea7dbd0e07da23c69
SHA512

6e0e0d413ea80c23673aa82218bab78d4056e39d9cbccd0a608cc3f6c80f51ee36f67349cbc3e1ec3f9d34e221260b7c198d92d6d3e6a6bcc7b6508fb30d8ad5
SSDEEP

24576:5BgVnPhZcFqSyKkOo3258BBjDg6jJOLX6ZB9CHUI+CfLUYf0RqzmSwlq9LJA7cBS:7gVn3kqS8P3ZHng6ErxHvF0RqzmSwlSY

Score

10^/10

hydra banker collection credential_access discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

hydra

http://154.216.17.4

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra
Hydra family
hydra

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.legend.pull
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.legend.pull

Reads the contacts stored on the device. 1 TTPs 1 IoCs

collection

Contact List

T1636.003

description	ioc	Process
URI accessed for read	content://com.android.contacts/contacts	com.legend.pull

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
31	ip-api.com

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.legend.pull

Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.legend.pull

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.legend.pull

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.legend.pull

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

com.legend.pull
1⤵
- Makes use of the framework's Accessibility service
- Reads the contacts stored on the device.
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Queries the mobile country code (MCC)
PID:4480