Malware Analysis Report

2025-01-19 05:24

Sample ID 241211-szaw8aymbs
Target a8e7c5ada0ad61b47187241ff1be82212a3f1260087d4276f22658ed66a07990.bin [MConverter.eu].apk
SHA256 a8e7c5ada0ad61b47187241ff1be82212a3f1260087d4276f22658ed66a07990
Tags
hydra banker collection credential_access discovery evasion infostealer persistence stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a8e7c5ada0ad61b47187241ff1be82212a3f1260087d4276f22658ed66a07990

Threat Level: Known bad

The file a8e7c5ada0ad61b47187241ff1be82212a3f1260087d4276f22658ed66a07990.bin [MConverter.eu].apk was found to be: Known bad.

Malicious Activity Summary

hydra banker collection credential_access discovery evasion infostealer persistence stealth trojan

Hydra

Hydra payload

Hydra family

Removes its main activity from the application launcher

Reads the contacts stored on the device.

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Performs UI accessibility actions on behalf of the user

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests modifying system settings.

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Looks up external IP address via web service

Queries information about active data network

Reads information about phone network operator.

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Requests accessing notifications (often used to intercept notifications before users become aware).

Makes use of the framework's foreground persistence service

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-11 15:33

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-11 15:33

Reported

2024-12-11 15:34

Platform

android-x86-arm-20240624-en

Max time kernel

65s

Max time network

75s

Command Line

com.vpdmkbfdr.hclrvjtqr

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.vpdmkbfdr.hclrvjtqr/app_dex/classes.dex N/A N/A
N/A /data/user/0/com.vpdmkbfdr.hclrvjtqr/app_dex/classes.dex N/A N/A
N/A /data/user/0/com.vpdmkbfdr.hclrvjtqr/app_dex/classes.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Reads the contacts stored on the device.

collection
Description Indicator Process Target
URI accessed for read content://com.android.contacts/contacts N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.vpdmkbfdr.hclrvjtqr

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.vpdmkbfdr.hclrvjtqr/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.vpdmkbfdr.hclrvjtqr/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
GB 142.250.180.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 1.1.1.1:53 cabmeldtpgabrilokez.com udp
US 1.1.1.1:53 update.googleapis.com udp
GB 172.217.16.227:443 update.googleapis.com tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 www.google.com udp
GB 216.58.204.68:443 www.google.com udp
GB 216.58.204.68:443 www.google.com tcp
GB 142.250.178.10:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
GB 142.250.187.196:443 www.google.com tcp

Files

/data/data/com.vpdmkbfdr.hclrvjtqr/cache/classes.zip

MD5 fdae72c7dd1658f5582bb244648dcc72
SHA1 56eb6eb1252e0dc7eda9784c49b81e0a00f6d920
SHA256 831d26600070e587aca3567bae1a092e77808aecdb6c3ada2d6e3a00d2dd04a1
SHA512 5cef1ab17b14497b6a7f4beb1cd8fb424c7962b845597bc833395c49bc79b32d4fd49b862767dab29efdc660ae39e1a99f5b8e1157e1430ae5d312ebb20ca95e

/data/data/com.vpdmkbfdr.hclrvjtqr/cache/classes.dex

MD5 198e249fc4cb7eebfb3aa41c9bca936b
SHA1 62739a33b597f5f817868c31d76189c34f2a8ce9
SHA256 8ff952de0092bbdbd15695e7c6f9b5137015c71f0762edc89417f4cc9d67108a
SHA512 cc1b1d9fc44daacb892900b2b17b93db8cb4880e705530d3aeb444b3c7fcda6a4a59266a4c5d56266942b0568bc09ae08f7572c74f8272a3030d210c4b36b6f8

/data/data/com.vpdmkbfdr.hclrvjtqr/app_dex/classes.dex

MD5 9fcebe6ac01f9abcb9358ef3e1be01f8
SHA1 0c99f46ce1bfa1cfa76a0e30d27c822029db1659
SHA256 ab056d7cd8db1977da982d9a2dd8258015120e3cb3ced1abf105ca6e36d724b9
SHA512 192c075908f5c18acec27d8b7dd62220727213309764eca391c2d4b558b34cb76eae09ad8aacefe9d9ac46603fe220e685d55e587260881c0247fe6def6ef8c3

/data/user/0/com.vpdmkbfdr.hclrvjtqr/app_dex/classes.dex

MD5 8d90b856e648ae046910a729444c6cd9
SHA1 593447bc893698a35223865bf9268249a2d91494
SHA256 c1fe39803df5d3d049fa284e81391cd3e6439f796da7d1d7528b54889e8eb5b5
SHA512 cbf78421424c442a88726be1a5691ed482ad5f4841156d6b2986399c709d3d7e35a252662273b239db3d7940c4dbe479a29e02c2c3d6af127b98e556759ab963

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-11 15:33

Reported

2024-12-11 15:35

Platform

android-x64-20240624-en

Max time kernel

77s

Max time network

85s

Command Line

com.vpdmkbfdr.hclrvjtqr

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.vpdmkbfdr.hclrvjtqr/app_dex/classes.dex N/A N/A
N/A /data/user/0/com.vpdmkbfdr.hclrvjtqr/app_dex/classes.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Reads the contacts stored on the device.

collection
Description Indicator Process Target
URI accessed for read content://com.android.contacts/contacts N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.vpdmkbfdr.hclrvjtqr

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 cabmeldtpgabrilokez.com udp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp

Files

/data/data/com.vpdmkbfdr.hclrvjtqr/cache/classes.zip

MD5 fdae72c7dd1658f5582bb244648dcc72
SHA1 56eb6eb1252e0dc7eda9784c49b81e0a00f6d920
SHA256 831d26600070e587aca3567bae1a092e77808aecdb6c3ada2d6e3a00d2dd04a1
SHA512 5cef1ab17b14497b6a7f4beb1cd8fb424c7962b845597bc833395c49bc79b32d4fd49b862767dab29efdc660ae39e1a99f5b8e1157e1430ae5d312ebb20ca95e

/data/data/com.vpdmkbfdr.hclrvjtqr/cache/classes.dex

MD5 198e249fc4cb7eebfb3aa41c9bca936b
SHA1 62739a33b597f5f817868c31d76189c34f2a8ce9
SHA256 8ff952de0092bbdbd15695e7c6f9b5137015c71f0762edc89417f4cc9d67108a
SHA512 cc1b1d9fc44daacb892900b2b17b93db8cb4880e705530d3aeb444b3c7fcda6a4a59266a4c5d56266942b0568bc09ae08f7572c74f8272a3030d210c4b36b6f8

/data/data/com.vpdmkbfdr.hclrvjtqr/app_dex/classes.dex

MD5 9fcebe6ac01f9abcb9358ef3e1be01f8
SHA1 0c99f46ce1bfa1cfa76a0e30d27c822029db1659
SHA256 ab056d7cd8db1977da982d9a2dd8258015120e3cb3ced1abf105ca6e36d724b9
SHA512 192c075908f5c18acec27d8b7dd62220727213309764eca391c2d4b558b34cb76eae09ad8aacefe9d9ac46603fe220e685d55e587260881c0247fe6def6ef8c3

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-11 15:33

Reported

2024-12-11 15:35

Platform

android-x64-arm64-20240624-en

Max time kernel

85s

Max time network

85s

Command Line

com.vpdmkbfdr.hclrvjtqr

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.vpdmkbfdr.hclrvjtqr/app_dex/classes.dex N/A N/A
N/A /data/user/0/com.vpdmkbfdr.hclrvjtqr/app_dex/classes.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Reads the contacts stored on the device.

collection
Description Indicator Process Target
URI accessed for read content://com.android.contacts/contacts N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Processes

com.vpdmkbfdr.hclrvjtqr

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 cabmeldtpgabrilokez.com udp
US 1.1.1.1:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp

Files

/data/data/com.vpdmkbfdr.hclrvjtqr/cache/classes.zip

MD5 fdae72c7dd1658f5582bb244648dcc72
SHA1 56eb6eb1252e0dc7eda9784c49b81e0a00f6d920
SHA256 831d26600070e587aca3567bae1a092e77808aecdb6c3ada2d6e3a00d2dd04a1
SHA512 5cef1ab17b14497b6a7f4beb1cd8fb424c7962b845597bc833395c49bc79b32d4fd49b862767dab29efdc660ae39e1a99f5b8e1157e1430ae5d312ebb20ca95e

/data/data/com.vpdmkbfdr.hclrvjtqr/cache/classes.dex

MD5 198e249fc4cb7eebfb3aa41c9bca936b
SHA1 62739a33b597f5f817868c31d76189c34f2a8ce9
SHA256 8ff952de0092bbdbd15695e7c6f9b5137015c71f0762edc89417f4cc9d67108a
SHA512 cc1b1d9fc44daacb892900b2b17b93db8cb4880e705530d3aeb444b3c7fcda6a4a59266a4c5d56266942b0568bc09ae08f7572c74f8272a3030d210c4b36b6f8

/data/data/com.vpdmkbfdr.hclrvjtqr/app_dex/classes.dex

MD5 9fcebe6ac01f9abcb9358ef3e1be01f8
SHA1 0c99f46ce1bfa1cfa76a0e30d27c822029db1659
SHA256 ab056d7cd8db1977da982d9a2dd8258015120e3cb3ced1abf105ca6e36d724b9
SHA512 192c075908f5c18acec27d8b7dd62220727213309764eca391c2d4b558b34cb76eae09ad8aacefe9d9ac46603fe220e685d55e587260881c0247fe6def6ef8c3