Malware Analysis Report

2025-01-19 05:26

Sample ID 241128-1xwd5sslgt
Target bfc7f0f356ba9424c853dbbf07ad74afba77661b611214282e51796ff4e1e7ef.bin
SHA256 bfc7f0f356ba9424c853dbbf07ad74afba77661b611214282e51796ff4e1e7ef
Tags: hydra banker collection credential_access discovery evasion infostealer persistence trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: bfc7f0f356ba9424c853dbbf07ad74afba77661b611214282e51796ff4e1e7ef

Threat Level: Known bad

The file bfc7f0f356ba9424c853dbbf07ad74afba77661b611214282e51796ff4e1e7ef.bin was found to be: Known bad.

Malicious Activity Summary

hydra banker collection credential_access discovery evasion infostealer persistence trojan

Hydra payload

Hydra

Hydra family

Makes use of the framework's Accessibility service

Reads the contacts stored on the device.

Loads dropped Dex/Jar

Requests dangerous framework permissions

Looks up external IP address via web service

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Queries information about active data network

Performs UI accessibility actions on behalf of the user

Reads information about phone network operator.

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-28 22:02

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-28 22:02

Reported

2024-11-28 22:04

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

130s

Command Line

com.first.barely

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.first.barely/app_DynamicOptDex/LLQZrc.json | N/A | N/A
N/A | /data/user/0/com.first.barely/app_DynamicOptDex/LLQZrc.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.first.barely

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.first.barely/app_DynamicOptDex/LLQZrc.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.first.barely/app_DynamicOptDex/oat/x86/LLQZrc.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | fhuiooedjefjheeffemensb.info | udp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp

Files

/data/data/com.first.barely/app_DynamicOptDex/LLQZrc.json

MD5 481fd83bff6e5d72cf771469aa4348dd
SHA1 77b076c4e957d2f56aa7b74629631b00a2c55cc8
SHA256 2958f6e5648528884fd42e45e3c90acffbe7878c685ea5ad6c32797f57b28090
SHA512 c6fb0024f7a5a10e3432184147829e1c9b1e592063222767925156705f95d199aff309d7cda144c7716a62a759518b413280e88561aaf8d294c19df69e07605a

/data/data/com.first.barely/app_DynamicOptDex/LLQZrc.json

MD5 50e7d274ea242629d1ca2c956063c3e1
SHA1 2d9b1a97eaf1cf6c6ff72a56636ebf7e0a2cb7c3
SHA256 fbbb106db51794104ce19a79ac2c3456cf8c3be1e347d05bc308ac7d5f7aa46f
SHA512 9b1f78a1641912d195c1d958dfd12684f0742d6b9d72a901e73715313023760be5a13cc463798739218311d7c33cb6565b0b433f927c8c8db984f5ec36853c7f

/data/user/0/com.first.barely/app_DynamicOptDex/LLQZrc.json

MD5 9511d3bcdabe0e7138fd9dc8185881b4
SHA1 d3290356217ca41edcda30b01e79d9a6b490ec65
SHA256 1c0d9620b48ed806d48230d4431400f24e46c0d29cb8df700d120dc06ab24fc4
SHA512 189215be0e5d6a0652c8dc8802a957419210a39c43b9664404c73dbb8f6c0009a3904eaf28982bab744e12c7a9aa9d363e20fc14521e257c3fa240dd94e37dd8

/data/user/0/com.first.barely/app_DynamicOptDex/LLQZrc.json

MD5 0070ad440b5bd5024d5d9fd25bcd867e
SHA1 14ff21d82082e662280746dc8c88832ffb82e5ee
SHA256 79644e13e824bc1ee4d6828100b7df0a33f9119fc363f7f6c7428e4d56630022
SHA512 aee40b0be60f71a168e51d161be6fbfbe0ae331800983da6ea2f182735d57d68c7b0cdebc2e61c2df0c1420d3e9f36ad0eba75a6a7cc9531a18527014a3c8b5b

/data/data/com.first.barely/app_DynamicOptDex/oat/LLQZrc.json.cur.prof

MD5 ed61c522866094273b0b8ac9ac7d8683
SHA1 441549772a9231f52139566805962a09cf4ef3ed
SHA256 c6fb9b708becec094a4494c3db19afbf164fed00b5dc41cc084dcaacc5f1b3b4
SHA512 12407a7a1c2f418e8aa663456749c24a1ebbbe27be2e23e83ef25a64d6515eca7fd0e3c4fadb51823d4aa3d9522c7abcada5c3d103034beb37ba15db9ac064c7

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-28 22:02

Reported

2024-11-28 22:04

Platform

android-x64-20240910-en

Max time kernel

148s

Max time network

151s

Command Line

com.first.barely

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.first.barely/app_DynamicOptDex/LLQZrc.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.first.barely

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | tcp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | fhuiooedjefjheeffemensb.info | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.200.2:443 | | tcp

Files

/data/data/com.first.barely/app_DynamicOptDex/LLQZrc.json

MD5 481fd83bff6e5d72cf771469aa4348dd
SHA1 77b076c4e957d2f56aa7b74629631b00a2c55cc8
SHA256 2958f6e5648528884fd42e45e3c90acffbe7878c685ea5ad6c32797f57b28090
SHA512 c6fb0024f7a5a10e3432184147829e1c9b1e592063222767925156705f95d199aff309d7cda144c7716a62a759518b413280e88561aaf8d294c19df69e07605a

/data/data/com.first.barely/app_DynamicOptDex/LLQZrc.json

MD5 50e7d274ea242629d1ca2c956063c3e1
SHA1 2d9b1a97eaf1cf6c6ff72a56636ebf7e0a2cb7c3
SHA256 fbbb106db51794104ce19a79ac2c3456cf8c3be1e347d05bc308ac7d5f7aa46f
SHA512 9b1f78a1641912d195c1d958dfd12684f0742d6b9d72a901e73715313023760be5a13cc463798739218311d7c33cb6565b0b433f927c8c8db984f5ec36853c7f

/data/user/0/com.first.barely/app_DynamicOptDex/LLQZrc.json

MD5 9511d3bcdabe0e7138fd9dc8185881b4
SHA1 d3290356217ca41edcda30b01e79d9a6b490ec65
SHA256 1c0d9620b48ed806d48230d4431400f24e46c0d29cb8df700d120dc06ab24fc4
SHA512 189215be0e5d6a0652c8dc8802a957419210a39c43b9664404c73dbb8f6c0009a3904eaf28982bab744e12c7a9aa9d363e20fc14521e257c3fa240dd94e37dd8

/data/data/com.first.barely/app_DynamicOptDex/oat/LLQZrc.json.cur.prof

MD5 8fec3c85ac8e29303cb5988db653e1c3
SHA1 ba914783d509b2368bba00619957a99ef7c1c21a
SHA256 f46b8e6bede8f55275a66ba4d50e82d87bb562dc03975c54a52c3675d5c1c215
SHA512 38388233e0244e3d60cfbd3d62efbdbe368256f801e6da607dede2705626fe95e180c70857622db2b2a89ae8f4440a228100e12064d224771a097cb57d727f58

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-28 22:02

Reported

2024-11-28 22:04

Platform

android-x64-arm64-20240624-en

Max time kernel

148s

Max time network

131s

Command Line

com.first.barely

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.first.barely/app_DynamicOptDex/LLQZrc.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.first.barely

Network

Country | Destination | Domain | Proto
GB | 216.58.212.238:443 | | tcp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | fhuiooedjefjheeffemensb.info | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp

Files

/data/user/0/com.first.barely/app_DynamicOptDex/LLQZrc.json

MD5 481fd83bff6e5d72cf771469aa4348dd
SHA1 77b076c4e957d2f56aa7b74629631b00a2c55cc8
SHA256 2958f6e5648528884fd42e45e3c90acffbe7878c685ea5ad6c32797f57b28090
SHA512 c6fb0024f7a5a10e3432184147829e1c9b1e592063222767925156705f95d199aff309d7cda144c7716a62a759518b413280e88561aaf8d294c19df69e07605a

/data/user/0/com.first.barely/app_DynamicOptDex/LLQZrc.json

MD5 50e7d274ea242629d1ca2c956063c3e1
SHA1 2d9b1a97eaf1cf6c6ff72a56636ebf7e0a2cb7c3
SHA256 fbbb106db51794104ce19a79ac2c3456cf8c3be1e347d05bc308ac7d5f7aa46f
SHA512 9b1f78a1641912d195c1d958dfd12684f0742d6b9d72a901e73715313023760be5a13cc463798739218311d7c33cb6565b0b433f927c8c8db984f5ec36853c7f

/data/user/0/com.first.barely/app_DynamicOptDex/LLQZrc.json

MD5 9511d3bcdabe0e7138fd9dc8185881b4
SHA1 d3290356217ca41edcda30b01e79d9a6b490ec65
SHA256 1c0d9620b48ed806d48230d4431400f24e46c0d29cb8df700d120dc06ab24fc4
SHA512 189215be0e5d6a0652c8dc8802a957419210a39c43b9664404c73dbb8f6c0009a3904eaf28982bab744e12c7a9aa9d363e20fc14521e257c3fa240dd94e37dd8