Malware Analysis Report

2025-01-19 05:26

Sample ID 241205-1yvh8szrcj
Target 83fe65fe0364b51e440e84d2ce4ecff8fefb7ff6f923e187e296da7b2f3674da.bin
SHA256 83fe65fe0364b51e440e84d2ce4ecff8fefb7ff6f923e187e296da7b2f3674da
Tags
hydra banker collection credential_access discovery evasion infostealer persistence trojan
score
10/10


Analysis Overview

score
10/10

SHA256

83fe65fe0364b51e440e84d2ce4ecff8fefb7ff6f923e187e296da7b2f3674da

Threat Level: Known bad

The file 83fe65fe0364b51e440e84d2ce4ecff8fefb7ff6f923e187e296da7b2f3674da.bin was found to be: Known bad.

Malicious Activity Summary

hydra banker collection credential_access discovery evasion infostealer persistence trojan

Hydra family

Hydra payload

Hydra

Reads the contacts stored on the device.

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Looks up external IP address via web service

Queries information about active data network

Reads information about phone network operator.

Requests dangerous framework permissions

Performs UI accessibility actions on behalf of the user

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-05 22:03

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
--- | --- | --- | ---
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
--- | --- | --- | ---
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
--- | --- | --- | ---
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read video files from external storage. | android.permission.READ_MEDIA_VIDEO | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A
Allows an application to read image or video files from external storage that a user has selected via the permission prompt photo picker. | android.permission.READ_MEDIA_VISUAL_USER_SELECTED | N/A | N/A
Allows an application to read audio files from external storage. | android.permission.READ_MEDIA_AUDIO | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-05 22:03

Reported

2024-12-05 22:06

Platform

android-x86-arm-20240910-en

Max time kernel

149s

Max time network

151s

Command Line

com.version.injury

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | /data/user/0/com.version.injury/app_tenant/iD.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
--- | --- | --- | ---
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.version.injury

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.version.injury/app_tenant/iD.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.version.injury/app_tenant/oat/x86/iD.odex --compiler-filter=quicken --class-loader-context=&

Network


Files

/data/data/com.version.injury/app_tenant/iD.json

/data/user/0/com.version.injury/app_tenant/iD.json

/data/data/com.version.injury/app_tenant/oat/iD.json.cur.prof

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-05 22:03

Reported

2024-12-05 22:06

Platform

android-x64-20240624-en

Max time kernel

148s

Max time network

142s

Command Line

com.version.injury

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | /data/user/0/com.version.injury/app_tenant/iD.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
--- | --- | --- | ---
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.version.injury

Network


Files

/data/data/com.version.injury/app_tenant/iD.json

/data/user/0/com.version.injury/app_tenant/iD.json

/data/data/com.version.injury/app_tenant/oat/iD.json.cur.prof

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-05 22:03

Reported

2024-12-05 22:07

Platform

android-x64-arm64-20240910-en

Max time kernel

149s

Max time network

150s

Command Line

com.version.injury

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | /data/user/0/com.version.injury/app_tenant/iD.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
--- | --- | --- | ---
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.version.injury

Network


Files

/data/data/com.version.injury/app_tenant/iD.json

/data/user/0/com.version.injury/app_tenant/iD.json

/data/data/com.version.injury/app_tenant/oat/iD.json.cur.prof