
Analysis

  • max time kernel: 148s
  • max time network: 153s
  • platform: android-10_x64
  • resource: android-x64-20240910-en
  • resource tags: arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
  • submitted: 04/12/2024, 22:02 UTC

General

  • Target: fecb475ee5eb96787c8ef35b6f45cc09277660a2526d896bcca8fdd2c43ffb2c.apk
  • Size: 4.9MB
  • MD5: 6d2e8f5f1cd09826f12f887c0c7fec96
  • SHA1: 06248c5e8598c9a7d0eb451f29384d48254ea75b
  • SHA256: fecb475ee5eb96787c8ef35b6f45cc09277660a2526d896bcca8fdd2c43ffb2c
  • SHA512: 190eb0b576d25eca2a1b083813de23ad8b061aa2170cd4a37560a4cf1b960c1ca098baff93f075401621fd32678d9f7959323822a2036a79e51a0513c6e3acd5
  • SSDEEP: 98304:tmdc0voeC9TXeembgKHSC77uHHEXPBKiKWdvuzpg8hDI/qEVs:4KWqrxmbBHm+5hHCpgOIVs

Malware Config

Extracted

  • Family: hydra
  • C2: http://taglhosdlesdoseasdlaseasesdasd.com
  • DES_key
    1. 79666f6970676e7a

Signatures

  • Hydra
    Android banker and info stealer.
  • Hydra family
  • Hydra payload (1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)
    Runs an executable file dropped to the device during analysis.
  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
    Retrieves information displayed on the phone screen using AccessibilityService.
  • Reads the contacts stored on the device (1 TTP, 1 IoC)
  • Looks up external IP address via web service (1 IoC)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
    The application may abuse the framework's foreground service to continue running in the foreground.
  • Performs UI accessibility actions on behalf of the user (1 TTP, 1 IoC)
    The application may abuse the accessibility service to prevent its own removal.
  • Queries information about active data network (1 TTP, 1 IoC)
  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Reads information about phone network operator (1 TTP)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)

Processes

  • com.eyeuflceq.kmqzrjwvf (PID 5104)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)

Network

  • DNS: android.apis.google.com
    Remote address: 1.1.1.1:53
    Request
    android.apis.google.com IN A
    Response
    android.apis.google.com IN CNAME clients.l.google.com
    clients.l.google.com IN A 142.250.180.14
  • DNS: taglhosdlesdoseasdlaseasesdasd.com
    Remote address: 1.1.1.1:53
    Request
    taglhosdlesdoseasdlaseasesdasd.com IN A
    Response
    (no records returned)
  • DNS: ssl.google-analytics.com
    Remote address: 1.1.1.1:53
    Request
    ssl.google-analytics.com IN A
    Response
    ssl.google-analytics.com IN A 142.250.200.40
  • DNS: ip-api.com
    Remote address: 1.1.1.1:53
    Request
    ip-api.com IN A
    Response
    ip-api.com IN A 208.95.112.1
  • GET http://ip-api.com/json
    Remote address: 208.95.112.1:80
    Request
    GET /json HTTP/1.1
    Authorization: 3b6469b88e5c21c2
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: ip-api.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Date: Wed, 04 Dec 2024 22:03:09 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 291
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • 142.250.200.10:443  tls, https  1.2kB  40 B  1  1
  • 216.58.212.206:443  tls, https  914 B  40 B  1  1
  • 216.58.212.206:443  tls, https  914 B  40 B  1  1
  • 142.250.180.14:443  android.apis.google.com  tls  4.6kB  8.8kB  21  23
  • 142.250.179.234:443  tls, https  2.3kB  40 B  1  1
  • 142.250.200.40:443  ssl.google-analytics.com  tls  1.4kB  6.3kB  10  9
  • 208.95.112.1:80  http://ip-api.com/json  http  452 B  640 B  5  4
    HTTP Request: GET http://ip-api.com/json
    HTTP Response: 200
  • 142.250.187.194:443  tls  135 B  40 B  2  1
  • 224.0.0.251:5353  3.7kB  11
  • 1.1.1.1:53  android.apis.google.com  dns  69 B  109 B  1  1
    DNS Request: android.apis.google.com
    DNS Response: 142.250.180.14
  • 1.1.1.1:53  taglhosdlesdoseasdlaseasesdasd.com  dns  80 B  153 B  1  1
    DNS Request: taglhosdlesdoseasdlaseasesdasd.com
  • 1.1.1.1:53  ssl.google-analytics.com  dns  70 B  86 B  1  1
    DNS Request: ssl.google-analytics.com
    DNS Response: 142.250.200.40
  • 1.1.1.1:53  ip-api.com  dns  56 B  72 B  1  1
    DNS Request: ip-api.com
    DNS Response: 208.95.112.1

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.eyeuflceq.kmqzrjwvf/app_dex/classes.dex
    Filesize: 2.7MB
    MD5: 3a9c88be59c0b995078af79ec3b3fa35
    SHA1: 7e0279a62fb8df19852886d2cbe75b6a9066859c
    SHA256: 015d160b99b755a44c94608bd478f7201eee306cd3bec616e9a81fc33232de8e
    SHA512: 5be5315f08c91d5a80a43617959bdc3e8fd3c61faa2f5ad226b4b9c77487f3442acb393dbf4f64aeeb46644809698f8fb893840317b135a438c5a622ce9d078e

  • /data/data/com.eyeuflceq.kmqzrjwvf/cache/classes.dex
    Filesize: 1.3MB
    MD5: 982f65057d0205cd44ec8424a72f31c3
    SHA1: 5156977e373bbce36b6326bb26def7ad4e9108c6
    SHA256: 3756f7aab79521759210f22d98c2b22aeec58c7920f22ab949a52911c816da46
    SHA512: db32f77ab59a566efcde8d2950c6a7635d5aef6692ba4c414c7417586684e98cd9b6b6a5dba3a1aae5d68c84aa5da01bb09707f323507ca2825a375c366d315d

  • /data/data/com.eyeuflceq.kmqzrjwvf/cache/classes.zip
    Filesize: 1.3MB
    MD5: f387110a5cd6d17afe1412c647c014cb
    SHA1: d227617a2a7cc914e1d79690ec023d8d1e31c696
    SHA256: c71183aa5d56ffc5ac81ef7792f19964e5e99f6283d7a54cf9674bad1a145389
    SHA512: c57072f85eba08f74cb75da704868bf84414b0899a6b92e814061308a0e9072132792c7ea55f88cc6c2a62eadb4b3deafad2d3459b362339f8d57639c07a0375
