Overview

overview

10

Static

static

6

Play_Store.apk

android-10-x64

10

Play_Store.apk

android-11-x64

10

Resubmissions

27-11-2024 14:27

241127-rshstaxkbv 10

27-11-2024 14:25

241127-rrrz4atlbr 10

27-11-2024 14:24

241127-rqptcaxjdt 10

27-11-2024 14:07

241127-rfaaxasqgk 10

31-12-2023 17:07

231231-vmy5dsbbar 1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Play_Store.apk

  • Size

    4.2MB

  • Sample

    241127-rshstaxkbv

  • MD5

    6966dead3e5307bee1ba7a5ead34a63c

  • SHA1

    49117815e82f8e8f5ee979e2db0924ebbb5699b8

  • SHA256

    7e7ee5b11fe1ca56f0f8416638964bec68b9ef90b25426f06d1330222b1dcf3d

  • SHA512

    693b02d938d2b5bdf7b6085ad87a5eaa3c2134528739a1aab127bc533f4bda3659ef56e7a5261d5d2517b8586ecb3f52668f56ce2d55e8b7d8fbd1ab5c0a8daa

  • SSDEEP

    98304:E0VWaHzRXEjLWQo+KuHQPyYYGsMvCuSjgxekJbeBVv:E0VWkzRUfMJkYyYYN+CpKekwVv

Score
10/10
hydraandroidbankercollectioncredential_accessdiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

hydra

C2

http://boynezborisalez.net

Targets

    • Target

      Play_Store.apk

    • Size

      4.2MB

    • MD5

      6966dead3e5307bee1ba7a5ead34a63c

    • SHA1

      49117815e82f8e8f5ee979e2db0924ebbb5699b8

    • SHA256

      7e7ee5b11fe1ca56f0f8416638964bec68b9ef90b25426f06d1330222b1dcf3d

    • SHA512

      693b02d938d2b5bdf7b6085ad87a5eaa3c2134528739a1aab127bc533f4bda3659ef56e7a5261d5d2517b8586ecb3f52668f56ce2d55e8b7d8fbd1ab5c0a8daa

    • SSDEEP

      98304:E0VWaHzRXEjLWQo+KuHQPyYYGsMvCuSjgxekJbeBVv:E0VWkzRUfMJkYyYYN+CpKekwVv

    Score
    10/10
    hydrabankercollectioncredential_accessdiscoveryevasioninfostealerpersistencetrojan

    • Hydra

      Android banker and info stealer.

      bankertrojaninfostealerhydra

    • Hydra family

      hydra

    • Hydra payload

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

      collectionevasioncredential_access

    • Reads the contacts stored on the device.

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

      evasionpersistence

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

      evasion

    • Queries information about active data network

      discovery

    • Queries the mobile country code (MCC)

      discovery

    • Reads information about phone network operator.

      discovery

    • Requests accessing notifications (often used to intercept notifications before users become aware).

      collectioncredential_access

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

      evasion

    • Requests modifying system settings.

      evasion
    behavioral1behavioral2

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

1
T1628

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Network Configuration Discovery

2
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Protected User Data

1
T1636

Contact List

1
T1636.003

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Input Injection

1
T1516

Tasks