Malware Analysis Report

2025-01-19 05:25

Sample ID 241204-14s8cstnhx
Target 1bd5a87911ce556674bf76de66c323d8a912e119c0f50c545fdc4c11c906c408.bin
SHA256 1bd5a87911ce556674bf76de66c323d8a912e119c0f50c545fdc4c11c906c408
Tags: hydra banker collection credential_access discovery evasion infostealer persistence trojan

Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 1bd5a87911ce556674bf76de66c323d8a912e119c0f50c545fdc4c11c906c408

Threat Level: Known bad

The file 1bd5a87911ce556674bf76de66c323d8a912e119c0f50c545fdc4c11c906c408.bin was found to be: Known bad.

Malicious Activity Summary

hydra banker collection credential_access discovery evasion infostealer persistence trojan

Hydra payload

Hydra

Hydra family

Loads dropped Dex/Jar

Reads the contacts stored on the device.

Makes use of the framework's Accessibility service

Performs UI accessibility actions on behalf of the user

Declares services with permission to bind to the system

Looks up external IP address via web service

Makes use of the framework's foreground persistence service

Reads information about phone network operator.

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Declares broadcast receivers with permission to handle system events

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-04 22:12

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-04 22:12

Reported

2024-12-04 22:15

Platform

android-x64-arm64-20240910-en

Max time kernel

148s

Max time network

151s

Command Line

com.visa.know

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload


Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.visa.know/app_DynamicOptDex/edji.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.visa.know

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 216.58.212.238:443 | www.youtube.com | tcp
GB | 142.250.200.46:443 | www.youtube.com | tcp
US | 1.1.1.1:53 | ihfwiohefwhiwririhererf.store | udp
US | 216.239.34.223:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.187.193:443 | | tcp
GB | 216.58.204.65:443 | | tcp
US | 216.239.34.223:443 | | tcp

Files

/data/user/0/com.visa.know/app_DynamicOptDex/edji.json

MD5 6e93804ab1b0aa1fe58f309c3b95b58e
SHA1 f2f028bed4fc2a65f39508850795df56b47d83ab
SHA256 0a4322c703157cf603abf3fabb534968b0199b3302a0342dd129f726c2005597
SHA512 5ee6494ef865d949bd3df0df504a1968cef01dfc53723ecf44304e5afe727dc526572fbf4664f32a9244507dbcfac4f2544d66c631aa71888f6ec612d66ff932

/data/user/0/com.visa.know/app_DynamicOptDex/edji.json

MD5 7b70b2c6bb0da8648410f507e467454b
SHA1 d58486c8d491d652e07c89a362041e144e45bbbc
SHA256 b17eae8e4c5fc91db2aef5afc0f2c55a061a5c9785efe3ceb422c8c985e71d47
SHA512 ab4cc90caa652ee5752748a6d25e19af929432f5e6257b9e61a9e4cc05d6dbc58f33cbe1eab0df27ca9cd1a2fecd005306c95d4af7eabfe9ef651698c7b18fa5

/data/user/0/com.visa.know/app_DynamicOptDex/edji.json

MD5 937feac0d8f8dc1f87479c0c4b276bf2
SHA1 79a1b8b582f2f4d0dcfea5514a9a35f72cb2268f
SHA256 1aa3f15395e87d4c2a8403e5364372c967b27a39108697fda08b39855ee06981
SHA512 b9b65947e045f0b92c6832b838682d0c996712bc23d629f2212e696f2774d6d924976225adbc59169f1dfbc542674d92c9add611b0d97cc91ed82d803a69bb53

/data/user/0/com.visa.know/app_DynamicOptDex/oat/edji.json.cur.prof

MD5 e29e34a15a07db46d7e2e0eafd0e68b5
SHA1 676b9d5d2351fb47a8d89f5491c050ce00337223
SHA256 a9e284ea7125493b9313bf58b216b985d715c4db524fa367a2a47620f6341923
SHA512 0283bfcfb02ab3d6b62cfe54a740e69fd42bd0f0ac39b5f9e0036717c049816ab09e219c78a0f45d46a635da76fbdeac4fc038b4c8bfe3cf72f2c5a042d0c647

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-04 22:12

Reported

2024-12-04 22:15

Platform

android-x86-arm-20240624-en

Max time kernel

148s

Max time network

147s

Command Line

com.visa.know

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload


Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.visa.know/app_DynamicOptDex/edji.json | N/A | N/A
N/A | /data/user/0/com.visa.know/app_DynamicOptDex/edji.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.visa.know

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.visa.know/app_DynamicOptDex/edji.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.visa.know/app_DynamicOptDex/oat/x86/edji.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | ihfwiohefwhiwririhererf.store | udp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp

Files

/data/data/com.visa.know/app_DynamicOptDex/edji.json

MD5 6e93804ab1b0aa1fe58f309c3b95b58e
SHA1 f2f028bed4fc2a65f39508850795df56b47d83ab
SHA256 0a4322c703157cf603abf3fabb534968b0199b3302a0342dd129f726c2005597
SHA512 5ee6494ef865d949bd3df0df504a1968cef01dfc53723ecf44304e5afe727dc526572fbf4664f32a9244507dbcfac4f2544d66c631aa71888f6ec612d66ff932

/data/data/com.visa.know/app_DynamicOptDex/edji.json

MD5 7b70b2c6bb0da8648410f507e467454b
SHA1 d58486c8d491d652e07c89a362041e144e45bbbc
SHA256 b17eae8e4c5fc91db2aef5afc0f2c55a061a5c9785efe3ceb422c8c985e71d47
SHA512 ab4cc90caa652ee5752748a6d25e19af929432f5e6257b9e61a9e4cc05d6dbc58f33cbe1eab0df27ca9cd1a2fecd005306c95d4af7eabfe9ef651698c7b18fa5

/data/user/0/com.visa.know/app_DynamicOptDex/edji.json

MD5 937feac0d8f8dc1f87479c0c4b276bf2
SHA1 79a1b8b582f2f4d0dcfea5514a9a35f72cb2268f
SHA256 1aa3f15395e87d4c2a8403e5364372c967b27a39108697fda08b39855ee06981
SHA512 b9b65947e045f0b92c6832b838682d0c996712bc23d629f2212e696f2774d6d924976225adbc59169f1dfbc542674d92c9add611b0d97cc91ed82d803a69bb53

/data/user/0/com.visa.know/app_DynamicOptDex/edji.json

MD5 5a5c78f274b65ed5646ce0376a98e92c
SHA1 b407175d65f96a62208d49631d68c2f115842dd3
SHA256 3e6f7efc6bc3fcc07423a995cca6f762a781ba34533e23cd0a4ef906730517fb
SHA512 7e163c7ff4613e2e46d19d1bc87d1f6766da5c08059a078fe2d2dbd45a1fe27e470e0377cb5c1360cf66f9acc946762bbb5c4e7c75c15ad2743186c68280c033

/data/data/com.visa.know/app_DynamicOptDex/oat/edji.json.cur.prof

MD5 f672bb0b672b8fa494bf546c42637fdf
SHA1 575372ea68f87072d5fbf87bda65b080686eafab
SHA256 4f524d696b50b04622aa649062ddb9b0da290d7607994e1067f809c5c1e0907d
SHA512 893bfbc0506b7d17ac45661396cf0e716a3539cb9eb1d901e4ca77e980e9135200f8fd09aa68507602be8a75f5956f6cd526dec36859c51f423680117d59268e

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-04 22:12

Reported

2024-12-04 22:15

Platform

android-x64-20240624-en

Max time kernel

149s

Max time network

154s

Command Line

com.visa.know

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload


Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.visa.know/app_DynamicOptDex/edji.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.visa.know

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | ihfwiohefwhiwririhererf.store | udp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp
GB | 216.58.201.98:443 | | tcp
GB | 172.217.169.46:443 | | tcp

Files

/data/data/com.visa.know/app_DynamicOptDex/edji.json

MD5 6e93804ab1b0aa1fe58f309c3b95b58e
SHA1 f2f028bed4fc2a65f39508850795df56b47d83ab
SHA256 0a4322c703157cf603abf3fabb534968b0199b3302a0342dd129f726c2005597
SHA512 5ee6494ef865d949bd3df0df504a1968cef01dfc53723ecf44304e5afe727dc526572fbf4664f32a9244507dbcfac4f2544d66c631aa71888f6ec612d66ff932

/data/data/com.visa.know/app_DynamicOptDex/edji.json

MD5 7b70b2c6bb0da8648410f507e467454b
SHA1 d58486c8d491d652e07c89a362041e144e45bbbc
SHA256 b17eae8e4c5fc91db2aef5afc0f2c55a061a5c9785efe3ceb422c8c985e71d47
SHA512 ab4cc90caa652ee5752748a6d25e19af929432f5e6257b9e61a9e4cc05d6dbc58f33cbe1eab0df27ca9cd1a2fecd005306c95d4af7eabfe9ef651698c7b18fa5

/data/user/0/com.visa.know/app_DynamicOptDex/edji.json

MD5 937feac0d8f8dc1f87479c0c4b276bf2
SHA1 79a1b8b582f2f4d0dcfea5514a9a35f72cb2268f
SHA256 1aa3f15395e87d4c2a8403e5364372c967b27a39108697fda08b39855ee06981
SHA512 b9b65947e045f0b92c6832b838682d0c996712bc23d629f2212e696f2774d6d924976225adbc59169f1dfbc542674d92c9add611b0d97cc91ed82d803a69bb53

/data/data/com.visa.know/app_DynamicOptDex/oat/edji.json.cur.prof

MD5 f7ea23fbe1bd0c6203e1d6dadd24d61a
SHA1 dc76a2fa1a06cc3bcf29b0e4750ec6862153dba8
SHA256 7dee173ea6e5daea487429ce6f72218dede39420374aa04913b0d1699960d4e3
SHA512 2fadc48b3c2aa8f3d290986e8211d17cdd06c71161d3fb44ae0cc0003aa7bb65165415e927b573edfcc0e124c38d8086b72db019cba2c3c79be98cd15e9895d9