Malware Analysis Report

2025-01-19 05:26

Sample ID 241203-147ezssncr
Target a84e1906cf9a783499546a02765d8f845767baec80c9e30e26c11555f37f4805.bin
SHA256 a84e1906cf9a783499546a02765d8f845767baec80c9e30e26c11555f37f4805
Tags
hydra banker collection credential_access discovery evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a84e1906cf9a783499546a02765d8f845767baec80c9e30e26c11555f37f4805

Threat Level: Known bad

The file a84e1906cf9a783499546a02765d8f845767baec80c9e30e26c11555f37f4805.bin was found to be: Known bad.

Malicious Activity Summary

hydra banker collection credential_access discovery evasion infostealer persistence trojan

Hydra family

Hydra

Hydra payload

Reads the contacts stored on the device.

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Performs UI accessibility actions on behalf of the user

Attempts to obfuscate APK file format

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Looks up external IP address via web service

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Queries information about active data network

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-03 22:13

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
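The permission set above is what a triage analyst reads first: the BIND_* entries are signature-level permissions that only appear on a declared <service> or <receiver>, while the SMS, overlay and install permissions are requested with <uses-permission>. The script below is an added example (editor's own code, not the sandbox's signature logic and not code from the sample) that evaluates an apktool-decoded AndroidManifest.xml for these capability clusters. SAMPLE_MANIFEST is constructed from the static1 findings; the component class names in it (.AccService, .NotifService, .AdminReceiver) are placeholders, and the cluster names and the banker verdict rule are the editor's assumptions.

```python
"""Evaluate a decoded AndroidManifest.xml for banker-style capability clusters.

Added example for this report; not the sandbox's logic and not the sample's code.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_PERMISSION = "{%s}permission" % ANDROID_NS

# Runtime-requested permissions grouped by what an Android banker does with them.
CLUSTERS = {
    "sms_interception": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "sms_sending": {"android.permission.SEND_SMS"},
    "overlay_phishing": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sideloading": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "contact_harvest": {"android.permission.READ_CONTACTS"},
    "telephony_profiling": {"android.permission.READ_PHONE_STATE",
                            "android.permission.READ_PHONE_NUMBERS"},
}

# BIND_* permissions are never requested with <uses-permission>; they are set as
# android:permission on a <service> or <receiver>, so read component declarations.
BOUND_COMPONENTS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility_service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification_listener",
    "android.permission.BIND_DEVICE_ADMIN": "device_admin_receiver",
}

# Constructed manifest mirroring the static1 findings; class names are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.bymzyvpyk.ycbrlihyy">
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_PHONE_NUMBERS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application>
        <service android:name=".AccService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
        <service android:name=".NotifService"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return requested permissions, bound components, clusters and a verdict."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ATTR_NAME) for e in root.iter("uses-permission")}
    bound = {}
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            role = BOUND_COMPONENTS.get(comp.get(ATTR_PERMISSION))
            if role:
                bound.setdefault(role, []).append(comp.get(ATTR_NAME))
    clusters = {name: sorted(requested & perms)
                for name, perms in CLUSTERS.items() if requested & perms}
    # Accessibility-driven UI control plus overlays plus SMS/OTP access is the
    # banker profile; any one of these alone is common in legitimate apps.
    banker = ("accessibility_service" in bound
              and "overlay_phishing" in clusters
              and "sms_interception" in clusters)
    return {"package": root.get("package"), "requested": sorted(requested),
            "bound_components": bound, "clusters": clusters,
            "verdict": "banker_profile" if banker else "review"}


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"], result["verdict"])
    for name, perms in result["clusters"].items():
        print(" ", name, perms)
    for role, comps in result["bound_components"].items():
        print(" ", role, comps)
```

The verdict rule is deliberately conjunctive: an accessibility service by itself is how screen readers work, and SMS permissions by themselves are how messaging apps work; it is the combination with SYSTEM_ALERT_WINDOW that matches the overlay-plus-OTP-theft pattern this report tags as banker.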

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-03 22:13

Reported

2024-12-03 22:15

Platform

android-x64-arm64-20240910-en

Max time kernel

149s

Max time network

151s

Command Line

com.bymzyvpyk.ycbrlihyy

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.bymzyvpyk.ycbrlihyy/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.bymzyvpyk.ycbrlihyy/app_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.bymzyvpyk.ycbrlihyy

Network

Rows are in capture order; consecutive identical rows are collapsed into the Connections column.

Country | Destination | Domain | Proto | Connections
N/A | 224.0.0.251:5353 | | udp | 1
GB | 172.217.169.78:443 | | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 142.250.187.238:443 | android.apis.google.com | tcp | 2
US | 216.239.36.223:443 | | tcp | 1
NL | 45.200.149.27:80 | | tcp | 4
US | 1.1.1.1:53 | ssl.google-analytics.com | udp | 1
GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp | 1
US | 1.1.1.1:53 | ip-api.com | udp | 1
US | 208.95.112.1:80 | ip-api.com | tcp | 1
NL | 45.200.149.27:80 | | tcp | 18
GB | 142.250.187.206:443 | | tcp | 1
GB | 142.250.179.225:443 | | tcp | 1
GB | 216.58.201.97:443 | | tcp | 1
US | 216.239.36.223:443 | | tcp | 1

Files

/data/data/com.bymzyvpyk.ycbrlihyy/cache/classes.zip

MD5 09a3c2a34f2c93e7c8b326a0f8252e34
SHA1 456b4f403bebbd272ce770c293aa8a46c9f30952
SHA256 52083d7012a591eeda77d491f01037967ed3346f9ade9619d2271bc03260a2f9
SHA512 a5b18e4c5d4f36caf404cd1690a89ca22746eb7b2bb9fd2bb20d32d9974f24fa4cf7b5b7a47b403800cb8c4eb024a504056ceedd1b8644ece74ffb168d2058e5

/data/data/com.bymzyvpyk.ycbrlihyy/cache/classes.dex

MD5 161d95a7c1808fc78a2d8fc1a2583fef
SHA1 a1a3e2c2a750058c66880cadbfb7834cc4a7886a
SHA256 fa43e346a2d6162fce74cda745ae66df6510183cdcb149b2c462cf7c903ed39d
SHA512 e207b8771d4e2209c7bced9ea1ba90ef06ba950448565e8ac90418797220dc85b38c19bd93002f28fe4d2ed31f7da6a9dcaeb777f3b76933abcb73fdc37f5f5b

/data/data/com.bymzyvpyk.ycbrlihyy/app_dex/classes.dex

MD5 c788c00ddd7a19989c4236da34083e6d
SHA1 2dbcea6d6cf3d2907f2806d3efe0ae70cf59aa19
SHA256 87737d91d4de269e57f85a61b3d98f6732c330ef56d2bda617b2a4cff1fad41d
SHA512 74f6621b70f9ba9d4d3aecb5c32272bd01f8734d1485be98636656ba963737d658dcbed6c0ad45038c2956b69c0efb9133176a95b59fb105b97881ebb682b5f9

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-03 22:13

Reported

2024-12-03 22:16

Platform

android-x86-arm-20240624-en

Max time kernel

148s

Max time network

141s

Command Line

com.bymzyvpyk.ycbrlihyy

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.bymzyvpyk.ycbrlihyy/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.bymzyvpyk.ycbrlihyy/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.bymzyvpyk.ycbrlihyy/app_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.bymzyvpyk.ycbrlihyy

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bymzyvpyk.ycbrlihyy/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.bymzyvpyk.ycbrlihyy/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

Network

Rows are in capture order; consecutive identical rows are collapsed into the Connections column.

Country | Destination | Domain | Proto | Connections
GB | 142.250.180.10:443 | | tcp | 1
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp | 1
NL | 45.200.149.27:80 | | tcp | 4
GB | 216.58.201.110:443 | | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 142.250.200.46:443 | android.apis.google.com | tcp | 1
US | 1.1.1.1:53 | ip-api.com | udp | 1
US | 208.95.112.1:80 | ip-api.com | tcp | 1
NL | 45.200.149.27:80 | | tcp | 16

Files

/data/data/com.bymzyvpyk.ycbrlihyy/cache/classes.zip

MD5 09a3c2a34f2c93e7c8b326a0f8252e34
SHA1 456b4f403bebbd272ce770c293aa8a46c9f30952
SHA256 52083d7012a591eeda77d491f01037967ed3346f9ade9619d2271bc03260a2f9
SHA512 a5b18e4c5d4f36caf404cd1690a89ca22746eb7b2bb9fd2bb20d32d9974f24fa4cf7b5b7a47b403800cb8c4eb024a504056ceedd1b8644ece74ffb168d2058e5

/data/data/com.bymzyvpyk.ycbrlihyy/cache/classes.dex

MD5 161d95a7c1808fc78a2d8fc1a2583fef
SHA1 a1a3e2c2a750058c66880cadbfb7834cc4a7886a
SHA256 fa43e346a2d6162fce74cda745ae66df6510183cdcb149b2c462cf7c903ed39d
SHA512 e207b8771d4e2209c7bced9ea1ba90ef06ba950448565e8ac90418797220dc85b38c19bd93002f28fe4d2ed31f7da6a9dcaeb777f3b76933abcb73fdc37f5f5b

/data/data/com.bymzyvpyk.ycbrlihyy/app_dex/classes.dex

MD5 c788c00ddd7a19989c4236da34083e6d
SHA1 2dbcea6d6cf3d2907f2806d3efe0ae70cf59aa19
SHA256 87737d91d4de269e57f85a61b3d98f6732c330ef56d2bda617b2a4cff1fad41d
SHA512 74f6621b70f9ba9d4d3aecb5c32272bd01f8734d1485be98636656ba963737d658dcbed6c0ad45038c2956b69c0efb9133176a95b59fb105b97881ebb682b5f9

/data/user/0/com.bymzyvpyk.ycbrlihyy/app_dex/classes.dex

MD5 0a54c7cd05a969edaa5045d1a8d26e71
SHA1 3fa8390b6b9fbd22eaaa6c62b5462b6b17cba2b5
SHA256 d409523a8347f3408b45cfb2a1e5b4d8a9a2d48dca53f3b37c51b36156dfb604
SHA512 f454f93544e1f7172ccbd784fbb9eddbdf38f322d4893208bc3e771183121247977be485422dd226d7af6df41e4a8eb498a02cd499d003cc861d210b6ab86436

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-03 22:13

Reported

2024-12-03 22:16

Platform

android-x64-20240624-en

Max time kernel

149s

Max time network

160s

Command Line

com.bymzyvpyk.ycbrlihyy

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.bymzyvpyk.ycbrlihyy/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.bymzyvpyk.ycbrlihyy/app_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.bymzyvpyk.ycbrlihyy

Network

Rows are in capture order; consecutive identical rows are collapsed into the Connections column.

Country | Destination | Domain | Proto | Connections
N/A | 224.0.0.251:5353 | | udp | 1
US | 1.1.1.1:53 | ssl.google-analytics.com | udp | 1
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp | 1
NL | 45.200.149.27:80 | | tcp | 4
GB | 142.250.200.46:443 | | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 172.217.16.238:443 | android.apis.google.com | tcp | 1
US | 1.1.1.1:53 | ip-api.com | udp | 1
US | 208.95.112.1:80 | ip-api.com | tcp | 1
NL | 45.200.149.27:80 | | tcp | 6
GB | 142.250.187.228:443 | | tcp | 2
NL | 45.200.149.27:80 | | tcp | 4
GB | 216.58.213.14:443 | | tcp | 1
GB | 142.250.178.2:443 | | tcp | 1
NL | 45.200.149.27:80 | | tcp | 7
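All three detonations show the same shape of traffic: Google Play services and analytics noise over TLS, one DNS lookup and one plaintext HTTP request to ip-api.com (the "Looks up external IP address via web service" signature), and a long run of plaintext TCP/80 connections to a single unresolved IP, 45.200.149.27, with no DNS query for it. The script below is an added example (editor's own code, not part of the report or the sandbox) that parses rows in the report's table format and flags exactly those two behaviours. SAMPLE_ROWS is a constructed subset of the behavioral3 table; the benign-domain suffix list, the GeoIP service list and the beacon threshold are the editor's assumptions.

```python
"""Summarise a sandbox network table and flag plaintext beaconing and GeoIP lookups.

Added example for this report; not part of the sandbox output.
"""
from collections import Counter

# Google Play services / analytics background traffic seen in every Android detonation.
BENIGN_SUFFIXES = ("google.com", "googleapis.com", "google-analytics.com")
# Public "what is my IP" services bankers use to geofence or fingerprint the victim.
GEOIP_SERVICES = {"ip-api.com"}
# Repeated plaintext connects to one host:port reached without DNS is the shape of an HTTP C2 poll loop.
BEACON_THRESHOLD = 3

# Constructed subset of the behavioral3 rows above, in the report's "Country Destination [Domain] Proto" format.
SAMPLE_ROWS = """\
N/A 224.0.0.251:5353 udp
GB 172.217.169.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
NL 45.200.149.27:80 tcp
NL 45.200.149.27:80 tcp
NL 45.200.149.27:80 tcp
NL 45.200.149.27:80 tcp
US 1.1.1.1:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
NL 45.200.149.27:80 tcp
NL 45.200.149.27:80 tcp
"""


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' lines; skips headers and blanks."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        if ":" not in dest:          # header line such as "Country Destination Domain Proto"
            continue
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(row):
    """Bucket a connection; the interesting buckets are geoip_lookup and plaintext_ip."""
    if row["host"] == "224.0.0.251":
        return "mdns"
    if row["port"] == 53:
        return "dns"
    if row["domain"] in GEOIP_SERVICES:
        return "geoip_lookup"
    if row["domain"] and row["domain"].endswith(BENIGN_SUFFIXES):
        return "google_services"
    if row["domain"] is None and row["proto"] == "tcp":
        # No DNS name means the address was hard-coded or came from a config; TLS to
        # Google IPs lands here too, so only plaintext port 80 is treated as suspicious.
        return "plaintext_ip" if row["port"] == 80 else "unresolved_tls"
    return "other"


def summarize(rows):
    """Return per-class counts and the findings worth escalating."""
    by_class = Counter(classify(r) for r in rows)
    direct = Counter((r["country"], r["host"], r["port"])
                     for r in rows if classify(r) == "plaintext_ip")
    findings = []
    for (country, host, port), n in direct.items():
        if n >= BEACON_THRESHOLD:
            findings.append({"type": "plaintext_beacon", "host": host, "port": port,
                             "country": country, "connections": n})
    for r in rows:
        if classify(r) == "geoip_lookup" and r["proto"] == "tcp":
            findings.append({"type": "external_ip_lookup", "domain": r["domain"],
                             "host": r["host"]})
    return {"by_class": dict(by_class), "findings": findings}


if __name__ == "__main__":
    result = summarize(parse_rows(SAMPLE_ROWS))
    print(result["by_class"])
    for finding in result["findings"]:
        print(finding)
```

The absence of a DNS query for 45.200.149.27 is itself the signal: a hostname-based blocklist would never see it, so the block or the detection has to be on the destination IP and on the pattern (many short plaintext connects from one app to one IP and port).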

Files

/data/data/com.bymzyvpyk.ycbrlihyy/cache/classes.zip

MD5 09a3c2a34f2c93e7c8b326a0f8252e34
SHA1 456b4f403bebbd272ce770c293aa8a46c9f30952
SHA256 52083d7012a591eeda77d491f01037967ed3346f9ade9619d2271bc03260a2f9
SHA512 a5b18e4c5d4f36caf404cd1690a89ca22746eb7b2bb9fd2bb20d32d9974f24fa4cf7b5b7a47b403800cb8c4eb024a504056ceedd1b8644ece74ffb168d2058e5

/data/data/com.bymzyvpyk.ycbrlihyy/cache/classes.dex

MD5 161d95a7c1808fc78a2d8fc1a2583fef
SHA1 a1a3e2c2a750058c66880cadbfb7834cc4a7886a
SHA256 fa43e346a2d6162fce74cda745ae66df6510183cdcb149b2c462cf7c903ed39d
SHA512 e207b8771d4e2209c7bced9ea1ba90ef06ba950448565e8ac90418797220dc85b38c19bd93002f28fe4d2ed31f7da6a9dcaeb777f3b76933abcb73fdc37f5f5b

/data/data/com.bymzyvpyk.ycbrlihyy/app_dex/classes.dex

MD5 c788c00ddd7a19989c4236da34083e6d
SHA1 2dbcea6d6cf3d2907f2806d3efe0ae70cf59aa19
SHA256 87737d91d4de269e57f85a61b3d98f6732c330ef56d2bda617b2a4cff1fad41d
SHA512 74f6621b70f9ba9d4d3aecb5c32272bd01f8734d1485be98636656ba963737d658dcbed6c0ad45038c2956b69c0efb9133176a95b59fb105b97881ebb682b5f9
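The Files sections of all three detonations record the same dropper chain: cache/classes.zip is written first, classes.dex is unpacked from it into cache/, and a copy lands in app_dex/classes.dex, which the "Loads dropped Dex/Jar" signature then sees being loaded and which the dex2oat command line in behavioral1 compiles. Note also that behavioral1 lists app_dex/classes.dex twice with different hashes, once under /data/data and once under /data/user/0; on Android /data/data is a symlink to /data/user/0, so this is the same file captured at two points in the run, which suggests the loader rewrote it. The script below is an added example (editor's own code, not from the report or the sandbox) for triaging such files once they have been pulled from a test device (the adb step is not shown): it tells zip from DEX by magic, parses the fixed DEX header, verifies the header's Adler-32 checksum and SHA-1 signature, and produces the SHA-256 needed to match against the Files sections. The sample DEX is a synthetic, header-only file constructed in build_sample_dex(); no real payload bytes are embedded.

```python
"""Identify, validate and hash dropped zip/DEX artefacts before matching them
against a sandbox report.

Added example for this report; not from the sandbox or the sample.
"""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGICS = tuple(b"dex\n%s\0" % v for v in (b"035", b"037", b"038", b"039"))
HEADER_SIZE = 0x70  # the DEX header is fixed-size


def dex_header_info(data):
    """Parse the DEX header and verify its integrity fields, or None if not a DEX."""
    if len(data) < HEADER_SIZE or data[:8] not in DEX_MAGICS:
        return None
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    return {
        "version": data[4:7].decode("ascii"),
        "file_size": file_size,
        "header_size": header_size,
        "little_endian": endian_tag == 0x12345678,
        # checksum covers everything after itself; signature covers everything after itself
        "checksum_ok": checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF),
        "signature_ok": signature == hashlib.sha1(data[32:]).digest(),
        "size_ok": file_size == len(data),
    }


def triage_artifact(path, data):
    """Classify one recovered file and return hashes plus format-specific checks."""
    entry = {"path": path, "sha256": hashlib.sha256(data).hexdigest()}
    if data[:4] == b"PK\x03\x04":
        entry["kind"] = "zip"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                entry["members"] = zf.namelist()
        except zipfile.BadZipFile:
            entry["members"] = []
            entry["corrupt"] = True
        entry["embedded_dex"] = [n for n in entry["members"] if n.endswith(".dex")]
        return entry
    header = dex_header_info(data)
    if header is not None:
        entry["kind"] = "dex"
        entry.update(header)
        entry["valid"] = header["checksum_ok"] and header["signature_ok"] and header["size_ok"]
        return entry
    entry["kind"] = "unknown"
    return entry


def build_sample_dex():
    """Construct a minimal header-only DEX (0x70 bytes) with a correct checksum and signature."""
    # file_size, header_size, endian_tag, then all remaining header fields zeroed
    # (no string/type/proto/field/method tables, no class_defs, no data section).
    body = struct.pack("<III", HEADER_SIZE, HEADER_SIZE, 0x12345678) + b"\0" * (HEADER_SIZE - 0x2C)
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return b"dex\n035\0" + struct.pack("<I", checksum) + signature + body


def build_sample_zip(dex_bytes):
    """Construct an in-memory zip carrying classes.dex, like the dropped cache/classes.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", dex_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    dex = build_sample_dex()
    for path, blob in (("cache/classes.zip", build_sample_zip(dex)),
                       ("cache/classes.dex", dex),
                       ("app_dex/classes.dex", dex)):
        print(triage_artifact(path, blob))
```

A failed checksum or signature on a dropped DEX is not necessarily corruption: some loaders deliberately patch the header to break tooling while ART, which only validates the header when asked, still loads the file. Either way the SHA-256 is what ties the recovered file back to the report.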