Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
  • submitted
    04/12/2024, 22:12 UTC

General

  • Target

    1bd5a87911ce556674bf76de66c323d8a912e119c0f50c545fdc4c11c906c408.apk

  • Size

    1.9MB

  • MD5

    dcb49e8b437261ca4368711333229f58

  • SHA1

    edc8daf2c111c80fdd5bfbe422b0a2a000b7ce47

  • SHA256

    1bd5a87911ce556674bf76de66c323d8a912e119c0f50c545fdc4c11c906c408

  • SHA512

    bedf7c71e614c381a6728840da9cfc7c566799779bfc05cfc676cb6878d2f39d0a7e9c8a73729800e00d28cf6c256e4941a09e1e622ded774f556b1d763d7700

  • SSDEEP

    49152:D5kx/5EwkgqvkPKHTwXov51RXJWUe0Ej6H:VG/5EwkvvkyHT2e5TXoUe0Ej6H

Malware Config

Extracted

Family

hydra

C2

http://ihfwiohefwhiwririhererf.store

Signatures

  • Hydra

    Android banker and info stealer.

  • Hydra family
  • Hydra payload 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

Processes

  • com.visa.know
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4992

Network

  • flag-us
    DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    172.217.169.72
  • flag-us
    DNS
    ihfwiohefwhiwririhererf.store
    Remote address:
    1.1.1.1:53
    Request
    ihfwiohefwhiwririhererf.store
    IN A
    Response
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.200.46
  • flag-us
    DNS
    ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/json
    Remote address:
    208.95.112.1:80
    Request
    GET /json HTTP/1.1
    Authorization: 17946b7c48f86afb
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: ip-api.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Date: Wed, 04 Dec 2024 22:13:04 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 291
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • 172.217.169.72:443
    ssl.google-analytics.com
    tls
    1.3kB
    6.3kB
    8
    9
  • 142.250.179.238:443
    tls, https
    857 B
    40 B
    1
    1
  • 142.250.200.46:443
    android.apis.google.com
    tls
    7.1kB
    10.5kB
    29
    29
  • 208.95.112.1:80
    http://ip-api.com/json
    http
    412 B
    600 B
    4
    3

    HTTP Request

    GET http://ip-api.com/json

    HTTP Response

    200
  • 142.250.180.4:443
    tls, https
    454 B
    40 B
    2
    1
  • 142.250.180.4:443
    www.google.com
    tls
    8.5kB
    10.6kB
    28
    37
  • 216.58.201.98:443
    520 B
    10
  • 172.217.169.46:443
    520 B
    10
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
    86 B
    1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    172.217.169.72

  • 1.1.1.1:53
    ihfwiohefwhiwririhererf.store
    dns
    75 B
    140 B
    1
    1

    DNS Request

    ihfwiohefwhiwririhererf.store

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.200.46

  • 1.1.1.1:53
    ip-api.com
    dns
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.visa.know/app_DynamicOptDex/edji.json

    Filesize

    973KB

    MD5

    6e93804ab1b0aa1fe58f309c3b95b58e

    SHA1

    f2f028bed4fc2a65f39508850795df56b47d83ab

    SHA256

    0a4322c703157cf603abf3fabb534968b0199b3302a0342dd129f726c2005597

    SHA512

    5ee6494ef865d949bd3df0df504a1968cef01dfc53723ecf44304e5afe727dc526572fbf4664f32a9244507dbcfac4f2544d66c631aa71888f6ec612d66ff932

  • /data/data/com.visa.know/app_DynamicOptDex/edji.json

    Filesize

    973KB

    MD5

    7b70b2c6bb0da8648410f507e467454b

    SHA1

    d58486c8d491d652e07c89a362041e144e45bbbc

    SHA256

    b17eae8e4c5fc91db2aef5afc0f2c55a061a5c9785efe3ceb422c8c985e71d47

    SHA512

    ab4cc90caa652ee5752748a6d25e19af929432f5e6257b9e61a9e4cc05d6dbc58f33cbe1eab0df27ca9cd1a2fecd005306c95d4af7eabfe9ef651698c7b18fa5

  • /data/data/com.visa.know/app_DynamicOptDex/oat/edji.json.cur.prof

    Filesize

    1KB

    MD5

    f7ea23fbe1bd0c6203e1d6dadd24d61a

    SHA1

    dc76a2fa1a06cc3bcf29b0e4750ec6862153dba8

    SHA256

    7dee173ea6e5daea487429ce6f72218dede39420374aa04913b0d1699960d4e3

    SHA512

    2fadc48b3c2aa8f3d290986e8211d17cdd06c71161d3fb44ae0cc0003aa7bb65165415e927b573edfcc0e124c38d8086b72db019cba2c3c79be98cd15e9895d9

  • /data/user/0/com.visa.know/app_DynamicOptDex/edji.json

    Filesize

    2.2MB

    MD5

    937feac0d8f8dc1f87479c0c4b276bf2

    SHA1

    79a1b8b582f2f4d0dcfea5514a9a35f72cb2268f

    SHA256

    1aa3f15395e87d4c2a8403e5364372c967b27a39108697fda08b39855ee06981

    SHA512

    b9b65947e045f0b92c6832b838682d0c996712bc23d629f2212e696f2774d6d924976225adbc59169f1dfbc542674d92c9add611b0d97cc91ed82d803a69bb53
