Analysis

  • max time kernel
    85s
  • max time network
    85s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    11/12/2024, 15:33 UTC

General

  • Target

    a8e7c5ada0ad61b47187241ff1be82212a3f1260087d4276f22658ed66a07990.bin [MConverter.eu].apk

  • Size

    4.9MB

  • MD5

    c9db7b7c68e3f4b3ea7bc6d2db7e6c67

  • SHA1

    21f29a3bdafe66b9d9a4a0900f87ae0378c2af4e

  • SHA256

    a8e7c5ada0ad61b47187241ff1be82212a3f1260087d4276f22658ed66a07990

  • SHA512

    d1b4e39dc0b7d39465d64f3fb774fbfe8442ff66d52f2380cf550d2e82838cda33e5dbd6d4a443db964746da309ce3add0d9db884adb2848028f641cd65cbe11

  • SSDEEP

    98304:Ftpb68BpwSSih42NbdUGDIJ9wWATD6V7sq/2wsA2OC6OKQv:75TBgih4IbDIXwWk6VYi2dP

Malware Config

Extracted

Family

hydra

C2

http://cabmeldtpgabrilokez.com

DES_key

7872786578617a7a (8 bytes, ASCII xrxexazz)

Signatures

  • Hydra

    Android banker and info stealer.

  • Hydra family
  • Hydra payload (1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Reads the contacts stored on the device (1 TTP, 1 IoC)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse a foreground service to keep itself running.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 1 IoC)

    The application may abuse the accessibility service to prevent its own removal.

  • Queries information about active data network (1 TTP, 1 IoC)
  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Reads information about phone network operator (1 TTP)

Processes

  • com.vpdmkbfdr.hclrvjtqr
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    PID:4623

Network

  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.179.238
  • flag-us
    DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    172.217.16.232
  • flag-us
    DNS
    cabmeldtpgabrilokez.com
    Remote address:
    1.1.1.1:53
    Request
    cabmeldtpgabrilokez.com
    IN A
    Response
  • flag-us
    DNS
    ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/json
    Remote address:
    208.95.112.1:80
    Request
    GET /json HTTP/1.1
    Authorization: 5978055b1f5c9221
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ip-api.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Date: Wed, 11 Dec 2024 15:33:56 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 291
    Access-Control-Allow-Origin: *
    X-Ttl: 39
    X-Rl: 43
  • 142.250.187.206:443
    tls, https
    1.5kB
    40 B
    1
    1
  • 142.250.187.206:443
    tls, https
    1.5kB
    40 B
    1
    1
  • 142.250.179.238:443
    android.apis.google.com
    tls
    4.5kB
    8.0kB
    19
    19
  • 172.217.16.232:443
    ssl.google-analytics.com
    tls
    1.3kB
    6.3kB
    8
    9
  • 208.95.112.1:80
    http://ip-api.com/json
    http
    452 B
    640 B
    5
    4

    HTTP Request

    GET http://ip-api.com/json

    HTTP Response

    200
  • 142.250.179.228:443
    tls, https
    846 B
    40 B
    2
    1
  • 142.250.179.228:443
    www.google.com
    tls
    11.0kB
    9.7kB
    29
    35
  • 224.0.0.251:5353
    3.3kB
    10
  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.179.238

  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
    86 B
    1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    172.217.16.232

  • 1.1.1.1:53
    cabmeldtpgabrilokez.com
    dns
    69 B
    142 B
    1
    1

    DNS Request

    cabmeldtpgabrilokez.com

  • 1.1.1.1:53
    ip-api.com
    dns
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1
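
The network section above records two behaviours worth alerting on: a DNS lookup for the configured C2 domain (which received no answer during this run) and an HTTP GET to ip-api.com/json from a Dalvik user agent carrying a bare hex token in an Authorization header, which the IP lookup service does not require. The following is an added detection example written for this report; it is not sandbox output or Hydra code. It assumes a simplified, Zeek-style tab-separated dns.log and http.log with only the columns the checks need (the Authorization column is an assumed addition to the stock http.log), and the log lines are constructed. The domain, the Authorization value and the User-Agent string are taken from the report; note that the Pixel 2 build in the User-Agent is the sandbox device, so the rule matches any Dalvik user agent rather than that exact string.

```python
"""Detection checks for the Hydra network behaviour in this report.

Added example, not part of the sandbox report. Log format is an assumed
trimmed Zeek-style TSV; the sample lines below are constructed.
"""
import re
from dataclasses import dataclass

# Indicators copied from the report's Malware Config and Network sections.
C2_DOMAINS = {"cabmeldtpgabrilokez.com"}
IP_LOOKUP_HOSTS = {"ip-api.com"}
# Android's HTTP stack identifies itself this way; the device model/build
# seen in the report is sandbox-specific, so match only the fixed prefix.
DALVIK_UA = re.compile(r"^Dalvik/\d+\.\d+\.\d+ \(Linux; U; Android")
# The sample sent "Authorization: 5978055b1f5c9221": 16 lowercase hex chars,
# no scheme such as "Bearer" or "Basic".
BARE_HEX_TOKEN = re.compile(r"^[0-9a-f]{16}$")

# Assumed column layouts (trimmed Zeek-style dns.log / http.log).
DNS_COLS = ["ts", "id.orig_h", "query", "rcode_name"]
HTTP_COLS = ["ts", "id.orig_h", "method", "host", "uri", "user_agent", "authorization"]


@dataclass
class Alert:
    rule: str
    src: str
    detail: str


def parse_tsv(lines, columns):
    """Yield one dict per data line; skip comments, blanks and short rows."""
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(columns):
            continue
        yield dict(zip(columns, parts))


def check_dns(lines):
    """Flag any query for a configured C2 domain, whatever the response code."""
    alerts = []
    for rec in parse_tsv(lines, DNS_COLS):
        query = rec["query"].lower().rstrip(".")
        if query in C2_DOMAINS:
            alerts.append(Alert("hydra-c2-dns", rec["id.orig_h"],
                                f"{query} rcode={rec['rcode_name']}"))
    return alerts


def check_http(lines):
    """Flag ip-api.com lookups from Dalvik that carry a bare hex Authorization."""
    alerts = []
    for rec in parse_tsv(lines, HTTP_COLS):
        host = rec["host"].lower()
        if host not in IP_LOOKUP_HOSTS or not DALVIK_UA.match(rec["user_agent"]):
            continue
        auth = rec["authorization"]
        if auth != "-" and BARE_HEX_TOKEN.match(auth):
            alerts.append(Alert("hydra-ip-lookup", rec["id.orig_h"],
                                f"{rec['method']} {host}{rec['uri']} auth={auth}"))
    return alerts


# Constructed sample logs (not captured traffic). 10.0.2.16 plays the
# infected device; 10.0.2.17 is a benign desktop hitting the same service.
SAMPLE_DNS = """\
# constructed dns.log sample
1733931236.1\t10.0.2.16\tandroid.apis.google.com\tNOERROR
1733931237.2\t10.0.2.16\tcabmeldtpgabrilokez.com\tNXDOMAIN
1733931238.3\t10.0.2.16\tip-api.com\tNOERROR
""".splitlines()

SAMPLE_HTTP = """\
# constructed http.log sample
1733931238.5\t10.0.2.16\tGET\tip-api.com\t/json\tDalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)\t5978055b1f5c9221
1733931240.0\t10.0.2.17\tGET\tip-api.com\t/json\tMozilla/5.0 (X11; Linux x86_64)\t-
""".splitlines()


def run(dns_lines=SAMPLE_DNS, http_lines=SAMPLE_HTTP):
    """Run both checks and return the combined alert list."""
    return check_dns(dns_lines) + check_http(http_lines)


if __name__ == "__main__":
    for alert in run():
        print(f"[{alert.rule}] src={alert.src} {alert.detail}")
```

The DNS rule deliberately does not require a successful resolution: in this run the C2 domain produced no answer, and a query alone is the earliest signal that the dropper is live. The HTTP rule keys on the combination of host, Dalvik user agent and the unusual Authorization token rather than on ip-api.com alone, since many legitimate apps call that service.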

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.vpdmkbfdr.hclrvjtqr/app_dex/classes.dex

    Filesize

    2.7MB

    MD5

    9fcebe6ac01f9abcb9358ef3e1be01f8

    SHA1

    0c99f46ce1bfa1cfa76a0e30d27c822029db1659

    SHA256

    ab056d7cd8db1977da982d9a2dd8258015120e3cb3ced1abf105ca6e36d724b9

    SHA512

    192c075908f5c18acec27d8b7dd62220727213309764eca391c2d4b558b34cb76eae09ad8aacefe9d9ac46603fe220e685d55e587260881c0247fe6def6ef8c3

  • /data/data/com.vpdmkbfdr.hclrvjtqr/cache/classes.dex

    Filesize

    1.3MB

    MD5

    198e249fc4cb7eebfb3aa41c9bca936b

    SHA1

    62739a33b597f5f817868c31d76189c34f2a8ce9

    SHA256

    8ff952de0092bbdbd15695e7c6f9b5137015c71f0762edc89417f4cc9d67108a

    SHA512

    cc1b1d9fc44daacb892900b2b17b93db8cb4880e705530d3aeb444b3c7fcda6a4a59266a4c5d56266942b0568bc09ae08f7572c74f8272a3030d210c4b36b6f8

  • /data/data/com.vpdmkbfdr.hclrvjtqr/cache/classes.zip

    Filesize

    1.3MB

    MD5

    fdae72c7dd1658f5582bb244648dcc72

    SHA1

    56eb6eb1252e0dc7eda9784c49b81e0a00f6d920

    SHA256

    831d26600070e587aca3567bae1a092e77808aecdb6c3ada2d6e3a00d2dd04a1

    SHA512

    5cef1ab17b14497b6a7f4beb1cd8fb424c7962b845597bc833395c49bc79b32d4fd49b862767dab29efdc660ae39e1a99f5b8e1157e1430ae5d312ebb20ca95e
