Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    04-12-2024 22:12

General

  • Target

    1bd5a87911ce556674bf76de66c323d8a912e119c0f50c545fdc4c11c906c408.apk

  • Size

    1.9MB

  • MD5

    dcb49e8b437261ca4368711333229f58

  • SHA1

    edc8daf2c111c80fdd5bfbe422b0a2a000b7ce47

  • SHA256

    1bd5a87911ce556674bf76de66c323d8a912e119c0f50c545fdc4c11c906c408

  • SHA512

    bedf7c71e614c381a6728840da9cfc7c566799779bfc05cfc676cb6878d2f39d0a7e9c8a73729800e00d28cf6c256e4941a09e1e622ded774f556b1d763d7700

  • SSDEEP

    49152:D5kx/5EwkgqvkPKHTwXov51RXJWUe0Ej6H:VG/5EwkvvkyHT2e5TXoUe0Ej6H

Malware Config

Extracted

Family

hydra

C2

http://ihfwiohefwhiwririhererf.store

Signatures

  • Hydra

    Android banker and info stealer.

  • Hydra family
  • Hydra payload 4 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

Processes

  • com.visa.know
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4249
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.visa.know/app_DynamicOptDex/edji.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.visa.know/app_DynamicOptDex/oat/x86/edji.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4276

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.visa.know/app_DynamicOptDex/edji.json

    Filesize

    973KB

    MD5

    6e93804ab1b0aa1fe58f309c3b95b58e

    SHA1

    f2f028bed4fc2a65f39508850795df56b47d83ab

    SHA256

    0a4322c703157cf603abf3fabb534968b0199b3302a0342dd129f726c2005597

    SHA512

    5ee6494ef865d949bd3df0df504a1968cef01dfc53723ecf44304e5afe727dc526572fbf4664f32a9244507dbcfac4f2544d66c631aa71888f6ec612d66ff932

  • /data/data/com.visa.know/app_DynamicOptDex/edji.json

    Filesize

    973KB

    MD5

    7b70b2c6bb0da8648410f507e467454b

    SHA1

    d58486c8d491d652e07c89a362041e144e45bbbc

    SHA256

    b17eae8e4c5fc91db2aef5afc0f2c55a061a5c9785efe3ceb422c8c985e71d47

    SHA512

    ab4cc90caa652ee5752748a6d25e19af929432f5e6257b9e61a9e4cc05d6dbc58f33cbe1eab0df27ca9cd1a2fecd005306c95d4af7eabfe9ef651698c7b18fa5

  • /data/data/com.visa.know/app_DynamicOptDex/oat/edji.json.cur.prof

    Filesize

    1KB

    MD5

    f672bb0b672b8fa494bf546c42637fdf

    SHA1

    575372ea68f87072d5fbf87bda65b080686eafab

    SHA256

    4f524d696b50b04622aa649062ddb9b0da290d7607994e1067f809c5c1e0907d

    SHA512

    893bfbc0506b7d17ac45661396cf0e716a3539cb9eb1d901e4ca77e980e9135200f8fd09aa68507602be8a75f5956f6cd526dec36859c51f423680117d59268e

  • /data/user/0/com.visa.know/app_DynamicOptDex/edji.json

    Filesize

    2.2MB

    MD5

    5a5c78f274b65ed5646ce0376a98e92c

    SHA1

    b407175d65f96a62208d49631d68c2f115842dd3

    SHA256

    3e6f7efc6bc3fcc07423a995cca6f762a781ba34533e23cd0a4ef906730517fb

    SHA512

    7e163c7ff4613e2e46d19d1bc87d1f6766da5c08059a078fe2d2dbd45a1fe27e470e0377cb5c1360cf66f9acc946762bbb5c4e7c75c15ad2743186c68280c033

  • /data/user/0/com.visa.know/app_DynamicOptDex/edji.json

    Filesize

    2.2MB

    MD5

    937feac0d8f8dc1f87479c0c4b276bf2

    SHA1

    79a1b8b582f2f4d0dcfea5514a9a35f72cb2268f

    SHA256

    1aa3f15395e87d4c2a8403e5364372c967b27a39108697fda08b39855ee06981

    SHA512

    b9b65947e045f0b92c6832b838682d0c996712bc23d629f2212e696f2774d6d924976225adbc59169f1dfbc542674d92c9add611b0d97cc91ed82d803a69bb53