Malware Analysis Report

2025-01-19 05:24

Sample ID: 241202-1wqr9s1khk
Target: 4dc1e7c87737a450336cf283417766eacaeaee8bc1dedb1f2524d4191483c911.bin
SHA256: 4dc1e7c87737a450336cf283417766eacaeaee8bc1dedb1f2524d4191483c911
Tags: hydra banker collection credential_access discovery evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Mobile Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 4dc1e7c87737a450336cf283417766eacaeaee8bc1dedb1f2524d4191483c911

Threat Level: Known bad

The file 4dc1e7c87737a450336cf283417766eacaeaee8bc1dedb1f2524d4191483c911.bin was found to be: Known bad.

Malicious Activity Summary

hydra banker collection credential_access discovery evasion infostealer persistence trojan

Hydra payload

Hydra

Hydra family

Reads the contacts stored on the device.

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Reads information about phone network operator.

Makes use of the framework's foreground persistence service

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Looks up external IP address via web service

Queries the mobile country code (MCC)

Performs UI accessibility actions on behalf of the user

Queries information about active data network

Declares services with permission to bind to the system

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-12-02 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read audio files from external storage. | android.permission.READ_MEDIA_AUDIO | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read video files from external storage. | android.permission.READ_MEDIA_VIDEO | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A
Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A
Allows an application to read image or video files from external storage that a user has selected via the permission prompt photo picker. | android.permission.READ_MEDIA_VISUAL_USER_SELECTED | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-02 22:00
Reported: 2024-12-02 22:02
Platform: android-x86-arm-20240624-en
Max time kernel: 149s
Max time network: 98s

Command Line

com.sunset.movie

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.sunset.movie/app_announce/cktMpE.json | N/A | N/A
N/A | /data/user/0/com.sunset.movie/app_announce/cktMpE.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.sunset.movie

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sunset.movie/app_announce/cktMpE.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.sunset.movie/app_announce/oat/x86/cktMpE.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | yinedegelde.cfd | udp
GB | 216.58.201.110:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/com.sunset.movie/app_announce/cktMpE.json

MD5 a2e35aeeea660fdf39e79de84755c81c
SHA1 3e8250e67f1f4a2c58dbcd11681af8c5215057b6
SHA256 1dde7a63f58f786d397a4edea6252b1989c331072036ad96fb70a5b6b8b0a25f
SHA512 94d6cb9355a22715d3d0caaf018b70258fdd4b67fe82d10cbe7387e92596d58f1c172aa57f73d60d3c7d31cd6cd6e0b323c2366e414c135e0e716769eaad569c

/data/data/com.sunset.movie/app_announce/cktMpE.json

MD5 30f6063a5f0125dadd9e03677f9565b4
SHA1 814635cf45e090e36bce5916207f2661b0628509
SHA256 539201232f063dd0e22a010ba5b478b30e2159aeb8bab0b7dad6307e2490c338
SHA512 0cf812ea9871fae429fbc3839d8725689c5e83bd5c78e3575fa4a4e3c9bbb6770b3f0066aa0cb3d921cd1ba10beab184f2ce862893f3d4b63a1cc5de45b692b5

/data/user/0/com.sunset.movie/app_announce/cktMpE.json

MD5 4034e1f8aa89126b0c0e6cfc12404484
SHA1 e0367e78f3845bf73937059965a7660a6bd25355
SHA256 1bafaecde9d220ef902aa4459eda70446896a596c0d5e597161de090ec81b461
SHA512 a9ac2481dc9d11a7506c6267b62b3aaaf13a80bb3a78da976bf0c24683492caea1a94d5f27ce323bdd0f6ec3898b5050ced99d1f17d8f055eb69039b7ef1c7a2

/data/user/0/com.sunset.movie/app_announce/cktMpE.json

MD5 d62c8da2e6f01f002a1974841f619cd3
SHA1 e9d27a01e1e0c9b025c59b2b58b10bbf477d5b89
SHA256 8a4cb5724b2ad55bc6772063a9580bd10f1d9fe5c02a250c2c0cfbb6aa368132
SHA512 1892b0d97d20811b0d323391d147fbe6dd239fd4d9d93d70deaf5c024d5d8515fcb5a69270bd31aa669b880c374a9450ff9d37e9b60a947a955bad97cd2e13cf

/data/data/com.sunset.movie/app_announce/oat/cktMpE.json.cur.prof

MD5 10302e8f4a706a03f5d77cc1b38950cd
SHA1 32d3136ac5794201fba7df97c078a781793f3af6
SHA256 940f5be48679d0488f5f0639d123477cde3210da28743eead0f258b3a91574b4
SHA512 2ec4441e9251b161b3c36efac65f266dca457f5fc59331dd285b4d1b243fc3ab08b1dbe4de72a07a0f10f93694dcbc87a56d6c4b03243d1188cec2756b3e9f22

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-02 22:00
Reported: 2024-12-02 22:02
Platform: android-x64-20240624-en
Max time kernel: 149s
Max time network: 135s

Command Line

com.sunset.movie

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.sunset.movie/app_announce/cktMpE.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.sunset.movie

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | yinedegelde.cfd | udp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp

Files

/data/data/com.sunset.movie/app_announce/cktMpE.json

MD5 a2e35aeeea660fdf39e79de84755c81c
SHA1 3e8250e67f1f4a2c58dbcd11681af8c5215057b6
SHA256 1dde7a63f58f786d397a4edea6252b1989c331072036ad96fb70a5b6b8b0a25f
SHA512 94d6cb9355a22715d3d0caaf018b70258fdd4b67fe82d10cbe7387e92596d58f1c172aa57f73d60d3c7d31cd6cd6e0b323c2366e414c135e0e716769eaad569c

/data/data/com.sunset.movie/app_announce/cktMpE.json

MD5 30f6063a5f0125dadd9e03677f9565b4
SHA1 814635cf45e090e36bce5916207f2661b0628509
SHA256 539201232f063dd0e22a010ba5b478b30e2159aeb8bab0b7dad6307e2490c338
SHA512 0cf812ea9871fae429fbc3839d8725689c5e83bd5c78e3575fa4a4e3c9bbb6770b3f0066aa0cb3d921cd1ba10beab184f2ce862893f3d4b63a1cc5de45b692b5

/data/user/0/com.sunset.movie/app_announce/cktMpE.json

MD5 4034e1f8aa89126b0c0e6cfc12404484
SHA1 e0367e78f3845bf73937059965a7660a6bd25355
SHA256 1bafaecde9d220ef902aa4459eda70446896a596c0d5e597161de090ec81b461
SHA512 a9ac2481dc9d11a7506c6267b62b3aaaf13a80bb3a78da976bf0c24683492caea1a94d5f27ce323bdd0f6ec3898b5050ced99d1f17d8f055eb69039b7ef1c7a2

/data/data/com.sunset.movie/app_announce/oat/cktMpE.json.cur.prof

MD5 92dc213a3dae2e5b166fdac886bd6f9f
SHA1 629cd074f5278d7ffd0018994d9493a90187ec22
SHA256 25f400b4cfb56dde6f453ff18637c47c3bb85c0d006cb4907f05069028f2e01c
SHA512 dcf391cdea8fa23a54afba712e4eb9592b740d14431285d5a46d71f638e4bc07bdb96d3a0ffe9ddd48e30945da6cd506403940660d31bd61685adc24d56fc645

Analysis: behavioral3

Detonation Overview

Submitted: 2024-12-02 22:00
Reported: 2024-12-02 22:03
Platform: android-x64-arm64-20240624-en
Max time kernel: 149s
Max time network: 137s

Command Line

com.sunset.movie

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.sunset.movie/app_announce/cktMpE.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.sunset.movie

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.179.238:443 | | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | yinedegelde.cfd | udp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.187.196:443 | | tcp
GB | 142.250.187.196:443 | | tcp

Files

/data/data/com.sunset.movie/app_announce/cktMpE.json

MD5 a2e35aeeea660fdf39e79de84755c81c
SHA1 3e8250e67f1f4a2c58dbcd11681af8c5215057b6
SHA256 1dde7a63f58f786d397a4edea6252b1989c331072036ad96fb70a5b6b8b0a25f
SHA512 94d6cb9355a22715d3d0caaf018b70258fdd4b67fe82d10cbe7387e92596d58f1c172aa57f73d60d3c7d31cd6cd6e0b323c2366e414c135e0e716769eaad569c

/data/data/com.sunset.movie/app_announce/cktMpE.json

MD5 30f6063a5f0125dadd9e03677f9565b4
SHA1 814635cf45e090e36bce5916207f2661b0628509
SHA256 539201232f063dd0e22a010ba5b478b30e2159aeb8bab0b7dad6307e2490c338
SHA512 0cf812ea9871fae429fbc3839d8725689c5e83bd5c78e3575fa4a4e3c9bbb6770b3f0066aa0cb3d921cd1ba10beab184f2ce862893f3d4b63a1cc5de45b692b5

/data/user/0/com.sunset.movie/app_announce/cktMpE.json

MD5 4034e1f8aa89126b0c0e6cfc12404484
SHA1 e0367e78f3845bf73937059965a7660a6bd25355
SHA256 1bafaecde9d220ef902aa4459eda70446896a596c0d5e597161de090ec81b461
SHA512 a9ac2481dc9d11a7506c6267b62b3aaaf13a80bb3a78da976bf0c24683492caea1a94d5f27ce323bdd0f6ec3898b5050ced99d1f17d8f055eb69039b7ef1c7a2