Overview

overview

10

Static

static

6

Play_Store.apk

android-13-x64

10

Resubmissions

27-11-2024 14:27

241127-rshstaxkbv 10

27-11-2024 14:25

241127-rrrz4atlbr 10

27-11-2024 14:24

241127-rqptcaxjdt 10

27-11-2024 14:07

241127-rfaaxasqgk 10

31-12-2023 17:07

231231-vmy5dsbbar 1

Analysis

  • max time kernel
    599s
  • max time network
    608s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240624-fr
  • resource tags

    androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-frlocale:fr-fros:android-13-x64system
  • submitted
    27-11-2024 14:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Play_Store.apk

  • Size

    4.2MB

  • MD5

    6966dead3e5307bee1ba7a5ead34a63c

  • SHA1

    49117815e82f8e8f5ee979e2db0924ebbb5699b8

  • SHA256

    7e7ee5b11fe1ca56f0f8416638964bec68b9ef90b25426f06d1330222b1dcf3d

  • SHA512

    693b02d938d2b5bdf7b6085ad87a5eaa3c2134528739a1aab127bc533f4bda3659ef56e7a5261d5d2517b8586ecb3f52668f56ce2d55e8b7d8fbd1ab5c0a8daa

  • SSDEEP

    98304:E0VWaHzRXEjLWQo+KuHQPyYYGsMvCuSjgxekJbeBVv:E0VWkzRUfMJkYyYYN+CpKekwVv

Score
10/10
hydrabankercollectioncredential_accessdiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

hydra

C2

http://boynezborisalez.net

Signatures

  • Hydra

    Android banker and info stealer.

    bankertrojaninfostealerhydra
  • Hydra family
    hydra
  • Hydra payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery

Processes

  • com.bhizakhmr.ryectjpkr
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    PID:4256

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.bhizakhmr.ryectjpkr/app_app_dex/uhhdcjq.wgs
    Filesize

    2.7MB

    MD5

    9b3f4defbb592ded624d45a4d67fc9b6

    SHA1

    48ed59bd09f3ee857fd0acac8e34e491b655ce94

    SHA256

    ce596473e7e4946863c571563eae0d2f0ca8339584d1d8b4b07c59c7fb4681cf

    SHA512

    7cd3086606b595f58495b933351ae77f24aa8c32f1a29f11fa08a2d5b7e43ec3bf25a21b7c22f70e5e0ee3bcbd25eba93c40273186680e6bc8c8b59c17f73fdd

    Download Submit

  • /data/user/0/com.bhizakhmr.ryectjpkr/files/mgjtgw.feq
    Filesize

    22B

    MD5

    76cdb2bad9582d23c1f6f4d868218d6c

    SHA1

    b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

    SHA256

    8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

    SHA512

    5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

    Download Submit