Malware Analysis Report

2025-01-19 05:24

Sample ID 241130-14gvbs1ngp
Target e8c880d8cf95aa40d1b32411e81a58c603b728d390ea0c61abb8384604a777e2.bin
SHA256 e8c880d8cf95aa40d1b32411e81a58c603b728d390ea0c61abb8384604a777e2
Tags
hydra banker collection credential_access discovery evasion infostealer persistence trojan
score
10/10


Analysis Overview

Threat Level: Known bad

The file e8c880d8cf95aa40d1b32411e81a58c603b728d390ea0c61abb8384604a777e2.bin was found to be: Known bad.

Malicious Activity Summary

hydra banker collection credential_access discovery evasion infostealer persistence trojan

Hydra payload

Hydra

Hydra family

Loads dropped Dex/Jar

Reads the contacts stored on the device.

Makes use of the framework's Accessibility service

Queries information about active data network

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Makes use of the framework's foreground persistence service

Reads information about phone network operator.

Performs UI accessibility actions on behalf of the user

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Looks up external IP address via web service

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-30 22:12

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A
Allows an application to read image or video files from external storage that a user has selected via the permission prompt photo picker. | android.permission.READ_MEDIA_VISUAL_USER_SELECTED | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read video files from external storage. | android.permission.READ_MEDIA_VIDEO | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A
Allows an application to read audio files from external storage. | android.permission.READ_MEDIA_AUDIO | N/A | N/A
Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-30 22:12

Reported

2024-11-30 22:14

Platform

android-x86-arm-20240910-en

Max time kernel

148s

Max time network

151s

Command Line

com.album.sorry

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.album.sorry/app_surround/nJUHP.json | N/A | N/A
N/A | /data/user/0/com.album.sorry/app_surround/nJUHP.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.album.sorry

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.album.sorry/app_surround/nJUHP.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.album.sorry/app_surround/oat/x86/nJUHP.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | samsamcevir.cfd | udp
GB | 142.250.200.46:443 |  | tcp
GB | 142.250.200.46:443 |  | tcp
GB | 142.250.200.46:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.179.228:80 |  | tcp

Files

/data/data/com.album.sorry/app_surround/nJUHP.json

MD5 8b400fd76e2e7841b7260c7c28a0f388
SHA1 52e62fa39cc7de7058ab497b5e54329b52d87ffc
SHA256 0e5f426e9f799c7e62b474a952e1f4e8f99a5f6eee0b389cb76e11a43cd93b13
SHA512 eb23e1283f7fab6c023306ee9e44f8ba4a0ef6b91c803305589c55f5c4d3396172bf2495195e74f40236d4bd73426954210a2b078f0a83e07b8c26b3a6222fa4

/data/data/com.album.sorry/app_surround/nJUHP.json

MD5 90d8ad1c466871e872c0f03cdd1233e2
SHA1 6cc6361f68a959cd21112bb5f88496daf0bde236
SHA256 371346743188536d4a74e5d82d1b44f285ba7790e76533923d499961f755e68b
SHA512 181c38600f7f240b119b2c903ee100741bbea0e293230009a479d218df3bf79570e1d860e0ff65f0f8e7f813e45175c054ce5ec43efed58a2e291ef2dc9d3d73

/data/user/0/com.album.sorry/app_surround/nJUHP.json

MD5 63acf41579b5f4aecf4edc869a4b285b
SHA1 607e30f38d069c5f07f30d37af38b252cc837225
SHA256 fc616a2a7d99cef1568800fdc080bece8987ea122589b2b347b0b698207e7507
SHA512 26b17f086ab19408dc7ef2da6105e1f2ccf6add1f24b7c65499e4e75d46da3f2e2a9478c42a218e21a62f624034cfdac100900060eb653d1592292049a272f1d

/data/user/0/com.album.sorry/app_surround/nJUHP.json

MD5 38b2d7697be2169c9bc8de9a31e31811
SHA1 7266af283a7f582370f4ad1131618ca0e45a0dbf
SHA256 4b91a9e2af8f8922409c2981eddc5b3f019aa7a200e7647641e7a1ec3fade136
SHA512 a3a97a529a605364d452a6abfd14d45c434694f853ca89bd2220a6584f9505736e70d1b4ac5a8c6744c2d4babd9567d91199dba0ed36fa345a01aad34483eeaf

/data/data/com.album.sorry/app_surround/oat/nJUHP.json.cur.prof

MD5 ca7fc0a2307470c64cac027e746eae35
SHA1 2c98a05d729794276d9520ad0cb89a2b931558c9
SHA256 6806e1e0a87cf17123dc0c6f5d4a4e22e2a394265fb830f7bfef5e5e26d6b715
SHA512 1dda1276d437f4809be22006c6333d8bc84c8e82e50323718d5b09b778b202866b6068a48ba39643c505643d918dc7407bb13575f9f8a24f4c3994cafc83112d

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-30 22:12

Reported

2024-11-30 22:14

Platform

android-x64-20240910-en

Max time kernel

148s

Max time network

155s

Command Line

com.album.sorry

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.album.sorry/app_surround/nJUHP.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.album.sorry

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | samsamcevir.cfd | udp
GB | 216.58.212.206:443 |  | tcp
GB | 216.58.212.206:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
GB | 142.250.187.194:443 |  | tcp

Files

/data/data/com.album.sorry/app_surround/nJUHP.json

MD5 8b400fd76e2e7841b7260c7c28a0f388
SHA1 52e62fa39cc7de7058ab497b5e54329b52d87ffc
SHA256 0e5f426e9f799c7e62b474a952e1f4e8f99a5f6eee0b389cb76e11a43cd93b13
SHA512 eb23e1283f7fab6c023306ee9e44f8ba4a0ef6b91c803305589c55f5c4d3396172bf2495195e74f40236d4bd73426954210a2b078f0a83e07b8c26b3a6222fa4

/data/data/com.album.sorry/app_surround/nJUHP.json

MD5 90d8ad1c466871e872c0f03cdd1233e2
SHA1 6cc6361f68a959cd21112bb5f88496daf0bde236
SHA256 371346743188536d4a74e5d82d1b44f285ba7790e76533923d499961f755e68b
SHA512 181c38600f7f240b119b2c903ee100741bbea0e293230009a479d218df3bf79570e1d860e0ff65f0f8e7f813e45175c054ce5ec43efed58a2e291ef2dc9d3d73

/data/user/0/com.album.sorry/app_surround/nJUHP.json

MD5 63acf41579b5f4aecf4edc869a4b285b
SHA1 607e30f38d069c5f07f30d37af38b252cc837225
SHA256 fc616a2a7d99cef1568800fdc080bece8987ea122589b2b347b0b698207e7507
SHA512 26b17f086ab19408dc7ef2da6105e1f2ccf6add1f24b7c65499e4e75d46da3f2e2a9478c42a218e21a62f624034cfdac100900060eb653d1592292049a272f1d

/data/data/com.album.sorry/app_surround/oat/nJUHP.json.cur.prof

MD5 0e353711cd3b5649d407165c91059938
SHA1 71470be6d0be5706874fd06b5a8e1a3d3088ce67
SHA256 1622f4e6cc0463f68ea9c2e0ee03fb0ad6fa671d606e355a9e2e666252d49c17
SHA512 bba4e95bbae6c5c1e28332c55fdc688a15e28b400071d504416ee4195a25d67ee0d2fb0b972b1ac32b2e53701287f4e43bd8172f054ef2dac9c1b27f0135fe08

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-30 22:12

Reported

2024-11-30 22:14

Platform

android-x64-arm64-20240624-en

Max time kernel

148s

Max time network

149s

Command Line

com.album.sorry

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.album.sorry/app_surround/nJUHP.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.album.sorry

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
GB | 142.250.180.14:443 |  | tcp
GB | 142.250.180.14:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | samsamcevir.cfd | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.179.228:443 |  | tcp
GB | 142.250.179.228:443 |  | tcp
GB | 142.250.179.228:443 |  | tcp
GB | 142.250.179.228:443 |  | tcp

Files

/data/data/com.album.sorry/app_surround/nJUHP.json

MD5 8b400fd76e2e7841b7260c7c28a0f388
SHA1 52e62fa39cc7de7058ab497b5e54329b52d87ffc
SHA256 0e5f426e9f799c7e62b474a952e1f4e8f99a5f6eee0b389cb76e11a43cd93b13
SHA512 eb23e1283f7fab6c023306ee9e44f8ba4a0ef6b91c803305589c55f5c4d3396172bf2495195e74f40236d4bd73426954210a2b078f0a83e07b8c26b3a6222fa4

/data/data/com.album.sorry/app_surround/nJUHP.json

MD5 90d8ad1c466871e872c0f03cdd1233e2
SHA1 6cc6361f68a959cd21112bb5f88496daf0bde236
SHA256 371346743188536d4a74e5d82d1b44f285ba7790e76533923d499961f755e68b
SHA512 181c38600f7f240b119b2c903ee100741bbea0e293230009a479d218df3bf79570e1d860e0ff65f0f8e7f813e45175c054ce5ec43efed58a2e291ef2dc9d3d73

/data/user/0/com.album.sorry/app_surround/nJUHP.json

MD5 63acf41579b5f4aecf4edc869a4b285b
SHA1 607e30f38d069c5f07f30d37af38b252cc837225
SHA256 fc616a2a7d99cef1568800fdc080bece8987ea122589b2b347b0b698207e7507
SHA512 26b17f086ab19408dc7ef2da6105e1f2ccf6add1f24b7c65499e4e75d46da3f2e2a9478c42a218e21a62f624034cfdac100900060eb653d1592292049a272f1d