hydra | 8d06809f05039a050b9635d6fd2a22648dcae4f8c5962a35233cbb1efed437a4

General

Target

292b6e8ff3435540c5c08038a5bdb38b.apk
Size

3.9MB
MD5

292b6e8ff3435540c5c08038a5bdb38b
SHA1

6dbba2151d46e40e53db95e9b13b6909f21d82d9
SHA256

8d06809f05039a050b9635d6fd2a22648dcae4f8c5962a35233cbb1efed437a4
SHA512

bcb971abd0e9f58b8cf38edd4a3e4673d76d82d9162eac4288252c914cccb0bff0c03a4c3071156243a115bd506c615a19a749cbd995820efa940e89135589bc
SSDEEP

98304:pfy+2wcn9R5LIva11W5vBjJbIVekUJCL0wx:lU9oC1kJBDCAwx

Score

10^/10

hydra banker collection credential_access discovery evasion infostealer persistence trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra
Hydra family
hydra

Hydra payload 2 IoCs

resource	yara_rule
behavioral2/memory/5051-0.dex	family_hydra1
behavioral2/memory/5051-0.dex	family_hydra2

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.rude.stamp/app_DynamicOptDex/oBERE.json	5051	com.rude.stamp

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.rude.stamp
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.rude.stamp

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
35	raw.githubusercontent.com
11	raw.githubusercontent.com
33	raw.githubusercontent.com
34	raw.githubusercontent.com
18	raw.githubusercontent.com
31	raw.githubusercontent.com
36	raw.githubusercontent.com
9	raw.githubusercontent.com
10	raw.githubusercontent.com
17	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.rude.stamp

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.rude.stamp

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.rude.stamp

com.rude.stamp
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about active data network
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:5051

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Input Injection

Credential Access

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

System Network Configuration Discovery

2

T1422

System Network Connections Discovery

1

T1421

Lateral Movement

Collection

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

1

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.rude.stamp/app_DynamicOptDex/oBERE.json

Filesize
1.9MB

MD5
becbf1d1e2ab80bd84d9abc4a1926784

SHA1
499e267e537d1ecc094f60b07e54fca71491c39d

SHA256
f8e55182f9092b24aebc857f21fd0abac829749add655e828e7cfd2d01c29d71

SHA512
cdd25ed40c372bb3d55fc759dcecaf5839d05d784b6d22fb1c0aaa9760c2a00b20f78e11ce7f8af06b0741d1b7e0bacdac9bcadcef195745e6d4830f9f40067f

Download Submit
/data/data/com.rude.stamp/app_DynamicOptDex/oBERE.json

Filesize
1.9MB

MD5
0f4d94abed91a3e6cf3f59bdb53e446f

SHA1
d3d13ca825171e01f7fad23dfaeb0321eb5a10cf

SHA256
876270bb0879a2d6291f9ef75014d6367d0b959ae36f16088134cf9539284234

SHA512
262eae496c91948fd1c2096a13165f0ad7b7e64570c40ddcbdcf2dedce55a170d5a1a9cc01568471e36857ee15e21469cde9460e9b826661d420fc4da9eec361

Download Submit
/data/data/com.rude.stamp/app_DynamicOptDex/oat/oBERE.json.cur.prof

Filesize
1KB

MD5
55e52e639266c57f736e77c4be1b1f13

SHA1
1d29064756f442e715b2e5aaeb9bbff7b8959ccb

SHA256
d3f6cac154218cd46a07096fc43d1ae9695428067b899033e802963803964abf

SHA512
986fea669090447479fc43eb09024b11ad2b2412788130352a8b88e7298325c3777e6490298a5cfba9806ae6439d24bd2b06e52c31d0d568c003e23287d65966

Download Submit
/data/user/0/com.rude.stamp/app_DynamicOptDex/oBERE.json

Filesize
5.0MB

MD5
10c5c7ee79684a25651ed7acd4004183

SHA1
7e9686ffd78e2d112eda3ada566bb09aa439755d

SHA256
335fc3d13f9be5844768a4ce80bfd36dec66dc474ac7c34459a3dc3c59858000

SHA512
807ded0e6e6cc63ac1b851cdbee8b6534c73757a3153d983aa65f640819b65f1cdba851e1bc690118a87ee3c2579351ddf726a0eb0d2d24cefcfd9a005067702

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads