Overview

overview

10

Static

static

6

3bd89198a4...82.apk

android-9-x86

10

3bd89198a4...82.apk

android-10-x64

10

3bd89198a4...82.apk

android-11-x64

10

Analysis

  • max time kernel
    28s
  • max time network
    144s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    15-11-2024 22:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3bd89198a415abc6de842e82a422a3819dc26ed84e570c98910dc6705efba682.apk

  • Size

    2.9MB

  • MD5

    fb1d3d89bfa11dfd4017f28fca3a26e3

  • SHA1

    a17278137e64b9b376a52d8ef9f42c2990364a7c

  • SHA256

    3bd89198a415abc6de842e82a422a3819dc26ed84e570c98910dc6705efba682

  • SHA512

    b0b5a02f5381ab4ea2d0f2fe8997b05c41fc97a11fa585f41f78ab01cc790140365998bb3571c2ab3d62c187abb910b8a8f46dbba3a75f52bb94baee5359704b

  • SSDEEP

    49152:Ey7JQ6guM1JGiurriuDxkHd1jdMfgwcILqp5+fL7NCOmOLVfSmQ40LDeqVOpN2:37JQ6gf1JGiuBDxkvizdIMBCYLxQ40/f

Score
10/10
hydrabankercollectioncredential_accessdiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

hydra

C2

http://cioroapapoldoapolawe.org

Signatures

  • Hydra

    Android banker and info stealer.

    bankertrojaninfostealerhydra
  • Hydra family
    hydra
  • Hydra payload 4 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 25 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Requests enabling of the accessibility settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence

Processes

  • com.test.despair
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Requests enabling of the accessibility settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4240
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.test.despair/app_DynamicOptDex/XM.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.test.despair/app_DynamicOptDex/oat/x86/XM.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4269

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.test.despair/app_DynamicOptDex/XM.json
    Filesize

    1.6MB

    MD5

    2be958ccef8fb2a7082075fe10c76c20

    SHA1

    0c12a61d32d4f9b5ea996b08dc790875683d3e37

    SHA256

    fe589a7ed53d6f0befefda2bc439409789ebd8b67d7208d6eb8cb433955bd870

    SHA512

    9f211e1affd37dcbdba59d6da7b5745207c230aca099cce12cc288a8585eb9fa1c80e2d98cf3da6330ac33747c7c35dc4f5fda96f95af9a156a95c3b885e47cc

    Download Submit

  • /data/data/com.test.despair/app_DynamicOptDex/XM.json
    Filesize

    1.6MB

    MD5

    f94417b1a5c34abcfca9edb4bb7cf2d2

    SHA1

    6abf11e0e8771bd1cdaa2c90f2adab7817e391a3

    SHA256

    05335a6c6ddb8289adac9661d9f5848fb737de1231cc4f6ce32f0d39fbca408c

    SHA512

    3c094a0aacf62d85fee2bac8c25eb933f334c60e4f16ff86ffb7cb42399b62a8c0cb358d60b6209b5902495db58474a16501c995e9ee73c594cce759484b789c

    Download Submit

  • /data/data/com.test.despair/app_DynamicOptDex/oat/XM.json.cur.prof
    Filesize

    622B

    MD5

    47a6bd1955191ddd379cb76c162b523f

    SHA1

    ac403b4bf5960f4131a3664f9b11abd574954294

    SHA256

    ff97c3561d81b899f81d5ab923039b35d4414e4bc1dd117b924ca23d6b0d4081

    SHA512

    beb73796bd93a2f2ab5c23c44a34c3b5b2343dd3c2684c326a9de6d79b956988360df9444c1e9f6930e2d6dd1642eee1db5197622d5da4f82a504c43f6f95383

    Download Submit

  • /data/user/0/com.test.despair/app_DynamicOptDex/XM.json
    Filesize

    4.4MB

    MD5

    7d17fd87df8e20433d20e8c729c8ae26

    SHA1

    4829160f31f4d6110a2330cf80efbbe977d0fe3d

    SHA256

    500d8d67ea02955fab9fe4b0cdbbcb31e5f8059e10744d419f611d9dae0de190

    SHA512

    e67a5da7fba2a07949fbe54235191cf671182b480cf0425dbfc8e62a29e9b76929e6d443faf3d2e3eb69ca1f50314d7bdbebdc02fae30d390157a4d091c194e4

    Download Submit

  • /data/user/0/com.test.despair/app_DynamicOptDex/XM.json
    Filesize

    4.4MB

    MD5

    d3d49b07b35aaf5daf2c9ee5624604f7

    SHA1

    8aeecfc8e17dfb725de8eae50ec6f8fe2d9b32e6

    SHA256

    2bdb4588932674b78f9ccf5d4540cc04a71524dc7061f4ff5a37e11097ee0e76

    SHA512

    99bd23a52249f35b38c18aad5b9f4f9a3b924c4d66bbdc00409831943917b77910d253b6447a054ff89b901b719cd3c561f72ac16e3c4cc970ef872acf08cb89

    Download Submit