Overview

overview

10

Static

static

6

bfc7f0f356...ef.apk

android-9-x86

10

bfc7f0f356...ef.apk

android-10-x64

10

bfc7f0f356...ef.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    130s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    28-11-2024 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bfc7f0f356ba9424c853dbbf07ad74afba77661b611214282e51796ff4e1e7ef.apk

  • Size

    2.6MB

  • MD5

    22b072ddcdfed676a88f6e1c265ef367

  • SHA1

    7db43ad4ea7d19e4c2a813e61647f2890a467633

  • SHA256

    bfc7f0f356ba9424c853dbbf07ad74afba77661b611214282e51796ff4e1e7ef

  • SHA512

    9b8d04bc9c4afd5bfd7b0098d96886ab01807f062276511afb01fb8e9c3348fda9e707d1584c8df87b661c591c709229ebff42f693176575444d78f4fb45cda3

  • SSDEEP

    49152:onwY+WAG9JOReya25PyhrfDX9WJvh7XiiYVE4RC/14BHFumweEjH:objGReX5tWph7Xdb14BImweEjH

Score
10/10
hydrabankercollectioncredential_accessdiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

hydra

C2

http://fhuiooedjefjheeffemensb.info

Signatures

  • Hydra

    Android banker and info stealer.

    bankertrojaninfostealerhydra
  • Hydra family
    hydra
  • Hydra payload 4 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence

Processes

  • com.first.barely
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4262
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.first.barely/app_DynamicOptDex/LLQZrc.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.first.barely/app_DynamicOptDex/oat/x86/LLQZrc.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4289

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.first.barely/app_DynamicOptDex/LLQZrc.json
    Filesize

    973KB

    MD5

    481fd83bff6e5d72cf771469aa4348dd

    SHA1

    77b076c4e957d2f56aa7b74629631b00a2c55cc8

    SHA256

    2958f6e5648528884fd42e45e3c90acffbe7878c685ea5ad6c32797f57b28090

    SHA512

    c6fb0024f7a5a10e3432184147829e1c9b1e592063222767925156705f95d199aff309d7cda144c7716a62a759518b413280e88561aaf8d294c19df69e07605a

    Download Submit

  • /data/data/com.first.barely/app_DynamicOptDex/LLQZrc.json
    Filesize

    973KB

    MD5

    50e7d274ea242629d1ca2c956063c3e1

    SHA1

    2d9b1a97eaf1cf6c6ff72a56636ebf7e0a2cb7c3

    SHA256

    fbbb106db51794104ce19a79ac2c3456cf8c3be1e347d05bc308ac7d5f7aa46f

    SHA512

    9b1f78a1641912d195c1d958dfd12684f0742d6b9d72a901e73715313023760be5a13cc463798739218311d7c33cb6565b0b433f927c8c8db984f5ec36853c7f

    Download Submit

  • /data/data/com.first.barely/app_DynamicOptDex/oat/LLQZrc.json.cur.prof
    Filesize

    1KB

    MD5

    ed61c522866094273b0b8ac9ac7d8683

    SHA1

    441549772a9231f52139566805962a09cf4ef3ed

    SHA256

    c6fb9b708becec094a4494c3db19afbf164fed00b5dc41cc084dcaacc5f1b3b4

    SHA512

    12407a7a1c2f418e8aa663456749c24a1ebbbe27be2e23e83ef25a64d6515eca7fd0e3c4fadb51823d4aa3d9522c7abcada5c3d103034beb37ba15db9ac064c7

    Download Submit

  • /data/user/0/com.first.barely/app_DynamicOptDex/LLQZrc.json
    Filesize

    2.2MB

    MD5

    0070ad440b5bd5024d5d9fd25bcd867e

    SHA1

    14ff21d82082e662280746dc8c88832ffb82e5ee

    SHA256

    79644e13e824bc1ee4d6828100b7df0a33f9119fc363f7f6c7428e4d56630022

    SHA512

    aee40b0be60f71a168e51d161be6fbfbe0ae331800983da6ea2f182735d57d68c7b0cdebc2e61c2df0c1420d3e9f36ad0eba75a6a7cc9531a18527014a3c8b5b

    Download Submit

  • /data/user/0/com.first.barely/app_DynamicOptDex/LLQZrc.json
    Filesize

    2.2MB

    MD5

    9511d3bcdabe0e7138fd9dc8185881b4

    SHA1

    d3290356217ca41edcda30b01e79d9a6b490ec65

    SHA256

    1c0d9620b48ed806d48230d4431400f24e46c0d29cb8df700d120dc06ab24fc4

    SHA512

    189215be0e5d6a0652c8dc8802a957419210a39c43b9664404c73dbb8f6c0009a3904eaf28982bab744e12c7a9aa9d363e20fc14521e257c3fa240dd94e37dd8

    Download Submit