Malware Analysis Report

2025-01-19 05:26

Sample ID: 241206-1zfrgawmhq
Target: aac1bae1b4c5eef4e2f72f69275e39cc9a188caf018678203ccedcc61d42adcd.bin
SHA256: aac1bae1b4c5eef4e2f72f69275e39cc9a188caf018678203ccedcc61d42adcd
Tags: hydra banker collection credential_access discovery evasion infostealer persistence trojan
Score: 10/10


Analysis Overview

score
10/10

SHA256

aac1bae1b4c5eef4e2f72f69275e39cc9a188caf018678203ccedcc61d42adcd

Threat Level: Known bad

The file aac1bae1b4c5eef4e2f72f69275e39cc9a188caf018678203ccedcc61d42adcd.bin was found to be: Known bad.

Malicious Activity Summary

hydra banker collection credential_access discovery evasion infostealer persistence trojan

Hydra payload

Hydra

Hydra family

Reads the contacts stored on the device.

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Declares broadcast receivers with permission to handle system events

Looks up external IP address via web service

Declares services with permission to bind to the system

Reads information about phone network operator.

Queries the mobile country code (MCC)

Performs UI accessibility actions on behalf of the user

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Analysis: static1

Detonation Overview

Reported

2024-12-06 22:05

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read audio files from external storage. | android.permission.READ_MEDIA_AUDIO | N/A | N/A
Allows an application to read video files from external storage. | android.permission.READ_MEDIA_VIDEO | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read image or video files from external storage that a user has selected via the permission prompt photo picker. | android.permission.READ_MEDIA_VISUAL_USER_SELECTED | N/A | N/A
Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-06 22:05

Reported

2024-12-06 22:07

Platform

android-x86-arm-20240910-en

Max time kernel

149s

Max time network

151s

Command Line

com.celery.vanish

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload


Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.celery.vanish/app_anxiety/HReTXMy.json | N/A | N/A
N/A | /data/user/0/com.celery.vanish/app_anxiety/HReTXMy.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.celery.vanish

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.celery.vanish/app_anxiety/HReTXMy.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.celery.vanish/app_anxiety/oat/x86/HReTXMy.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | phoneyuklakerd.cfd | udp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.78:443 | android.apis.google.com | tcp

Files

/data/data/com.celery.vanish/app_anxiety/HReTXMy.json

MD5 bb8d474d9635a4ca515063215f7f3567
SHA1 685ee82360384324b08ca0bd4f4d4626ad69bbd3
SHA256 48f7a3561018bd010787f981087505bc0a451b97050e395a7ceb3527bb95616a
SHA512 53a36ff2079adb7b21be6a119a3d42f68f243e3faedfb408dd9e1d79e9f4d3e27e9bca444f6c4f081dc691e91425166cac5aba3b784be13e0d568f6fe4cad48b

/data/data/com.celery.vanish/app_anxiety/HReTXMy.json

MD5 521f1bc44531bd633d2d24943b29a316
SHA1 84333eb49b551102137d70a721c092fb4f010e05
SHA256 966b37de92212ef1ec7980040e95fd39f86cadcfe81f995bf4ed3cd5250cc3b9
SHA512 16a32eabf47f57479409939316efe2c8b7d5bcc265fa711d01e14b540fb778f1dcc5a7db4c4df66eac373bb785df587fc24b1aca51b630aa3b8252db58232e89

/data/user/0/com.celery.vanish/app_anxiety/HReTXMy.json

MD5 6e559249a77b664e5ef3f463f9047df0
SHA1 ac827840ffb40b9d7245f8bf3d3f9559f87ddc74
SHA256 d2097306981d565fcafa4cd41ccec8f06c84863fcaf5c0b75eb819a072fd646a
SHA512 438fc8e28f168373a844f7c01105573a9eda4537a76a91aaf9d8105c6e28212bf0e909a0d54f958d1d27f186cd9b051be799172190c75f373c3fc172f621ff36

/data/user/0/com.celery.vanish/app_anxiety/HReTXMy.json

MD5 6ea9d5e91ff91f6c34637f0171d41952
SHA1 6b7ea9542d5aadd2a4486859e538ef05b312019c
SHA256 46ddd9a3610b025a53b4720972acdd10277c29d17a3fef4af51ba84d1641e257
SHA512 8cf0ce23c6b1eb4633a05cc01cc1bc837ba7894d152cba27d0bf3fcb6f6e55e594a8c4e7da1d70951c9b69a8beb869abc6e4cc9a6e0f4729050ac1dae0025c07

/data/data/com.celery.vanish/app_anxiety/oat/HReTXMy.json.cur.prof

MD5 7e89e5841f7008409deed719e7415148
SHA1 07a0fe8edb62f6ecbeb112b6fce004943f89bd59
SHA256 353acc4de3a07c81e3e0d6d59374af78aae5d2f34146b92c3afe43e11227e048
SHA512 5ac82c14446fd07334fa4d7f519d5ce40f8b0244f6aff0b3b3e2d507c2b591a276c0145128bdaea914be3ef7cf632dcd3ab5243c0038189b721f724678da6a89

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-06 22:05

Reported

2024-12-06 22:07

Platform

android-x64-20240910-en

Max time kernel

148s

Max time network

150s

Command Line

com.celery.vanish

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload


Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.celery.vanish/app_anxiety/HReTXMy.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.celery.vanish

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.234:443 | | tcp
GB | 216.58.201.110:443 | | tcp
GB | 216.58.201.110:443 | | tcp
GB | 216.58.201.110:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | phoneyuklakerd.cfd | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp

Files

/data/data/com.celery.vanish/app_anxiety/HReTXMy.json

MD5 bb8d474d9635a4ca515063215f7f3567
SHA1 685ee82360384324b08ca0bd4f4d4626ad69bbd3
SHA256 48f7a3561018bd010787f981087505bc0a451b97050e395a7ceb3527bb95616a
SHA512 53a36ff2079adb7b21be6a119a3d42f68f243e3faedfb408dd9e1d79e9f4d3e27e9bca444f6c4f081dc691e91425166cac5aba3b784be13e0d568f6fe4cad48b

/data/data/com.celery.vanish/app_anxiety/HReTXMy.json

MD5 521f1bc44531bd633d2d24943b29a316
SHA1 84333eb49b551102137d70a721c092fb4f010e05
SHA256 966b37de92212ef1ec7980040e95fd39f86cadcfe81f995bf4ed3cd5250cc3b9
SHA512 16a32eabf47f57479409939316efe2c8b7d5bcc265fa711d01e14b540fb778f1dcc5a7db4c4df66eac373bb785df587fc24b1aca51b630aa3b8252db58232e89

/data/user/0/com.celery.vanish/app_anxiety/HReTXMy.json

MD5 6e559249a77b664e5ef3f463f9047df0
SHA1 ac827840ffb40b9d7245f8bf3d3f9559f87ddc74
SHA256 d2097306981d565fcafa4cd41ccec8f06c84863fcaf5c0b75eb819a072fd646a
SHA512 438fc8e28f168373a844f7c01105573a9eda4537a76a91aaf9d8105c6e28212bf0e909a0d54f958d1d27f186cd9b051be799172190c75f373c3fc172f621ff36

/data/data/com.celery.vanish/app_anxiety/oat/HReTXMy.json.cur.prof

MD5 64c448e7bc5357aa8320144d7b8093f1
SHA1 9239d825123cbcc5f62d639f7123bd67c766d90b
SHA256 33d51cf58578b48b2dfe628886d50e14c6e658999aa6a812946089683949e933
SHA512 4427ec4f3c35a4a1a0481a9392f6982e0debbc3d66700231cd2620cc9f0fc693adc15b0dfbdbde74eda0bc4cac9b60c2ad0fe4b12b10c632da450a8f66c05fb1

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-06 22:05

Reported

2024-12-06 22:07

Platform

android-x64-arm64-20240624-en

Max time kernel

148s

Max time network

131s

Command Line

com.celery.vanish

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload


Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.celery.vanish/app_anxiety/HReTXMy.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.celery.vanish

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | phoneyuklakerd.cfd | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp

Files

/data/data/com.celery.vanish/app_anxiety/HReTXMy.json

MD5 bb8d474d9635a4ca515063215f7f3567
SHA1 685ee82360384324b08ca0bd4f4d4626ad69bbd3
SHA256 48f7a3561018bd010787f981087505bc0a451b97050e395a7ceb3527bb95616a
SHA512 53a36ff2079adb7b21be6a119a3d42f68f243e3faedfb408dd9e1d79e9f4d3e27e9bca444f6c4f081dc691e91425166cac5aba3b784be13e0d568f6fe4cad48b

/data/data/com.celery.vanish/app_anxiety/HReTXMy.json

MD5 521f1bc44531bd633d2d24943b29a316
SHA1 84333eb49b551102137d70a721c092fb4f010e05
SHA256 966b37de92212ef1ec7980040e95fd39f86cadcfe81f995bf4ed3cd5250cc3b9
SHA512 16a32eabf47f57479409939316efe2c8b7d5bcc265fa711d01e14b540fb778f1dcc5a7db4c4df66eac373bb785df587fc24b1aca51b630aa3b8252db58232e89

/data/user/0/com.celery.vanish/app_anxiety/HReTXMy.json

MD5 6e559249a77b664e5ef3f463f9047df0
SHA1 ac827840ffb40b9d7245f8bf3d3f9559f87ddc74
SHA256 d2097306981d565fcafa4cd41ccec8f06c84863fcaf5c0b75eb819a072fd646a
SHA512 438fc8e28f168373a844f7c01105573a9eda4537a76a91aaf9d8105c6e28212bf0e909a0d54f958d1d27f186cd9b051be799172190c75f373c3fc172f621ff36