Malware Analysis Report

2025-01-19 05:22

Sample ID 241219-naefws1rhy
Target 292b6e8ff3435540c5c08038a5bdb38b.apk
SHA256 8d06809f05039a050b9635d6fd2a22648dcae4f8c5962a35233cbb1efed437a4
Tags
hydra banker collection credential_access discovery evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

8d06809f05039a050b9635d6fd2a22648dcae4f8c5962a35233cbb1efed437a4

Threat Level: Known bad

The file 292b6e8ff3435540c5c08038a5bdb38b.apk was found to be: Known bad.

Malicious Activity Summary

hydra banker collection credential_access discovery evasion infostealer persistence trojan

Hydra family

Hydra

Hydra payload

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries information about active data network

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Registers a broadcast receiver at runtime (usually for listening for system events)

Analysis: static1

Detonation Overview

Reported

2024-12-19 11:11

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by VPN services to bind with the system. Allows apps to provision VPN services. | android.permission.BIND_VPN_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-19 11:11

Reported

2024-12-19 11:14

Platform

android-x86-arm-20240624-en

Max time kernel

148s

Max time network

147s

Command Line

com.rude.stamp

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload


Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.rude.stamp/app_DynamicOptDex/oBERE.json (×2) | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com (×8) | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.rude.stamp

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.rude.stamp/app_DynamicOptDex/oBERE.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.rude.stamp/app_DynamicOptDex/oat/x86/oBERE.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | raw.githubusercontent.com | udp
US | 185.199.109.133:443 | raw.githubusercontent.com | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 185.199.109.133:443 | raw.githubusercontent.com (×6) | tcp

Files

/data/data/com.rude.stamp/app_DynamicOptDex/oBERE.json

MD5 becbf1d1e2ab80bd84d9abc4a1926784
SHA1 499e267e537d1ecc094f60b07e54fca71491c39d
SHA256 f8e55182f9092b24aebc857f21fd0abac829749add655e828e7cfd2d01c29d71
SHA512 cdd25ed40c372bb3d55fc759dcecaf5839d05d784b6d22fb1c0aaa9760c2a00b20f78e11ce7f8af06b0741d1b7e0bacdac9bcadcef195745e6d4830f9f40067f

/data/data/com.rude.stamp/app_DynamicOptDex/oBERE.json

MD5 0f4d94abed91a3e6cf3f59bdb53e446f
SHA1 d3d13ca825171e01f7fad23dfaeb0321eb5a10cf
SHA256 876270bb0879a2d6291f9ef75014d6367d0b959ae36f16088134cf9539284234
SHA512 262eae496c91948fd1c2096a13165f0ad7b7e64570c40ddcbdcf2dedce55a170d5a1a9cc01568471e36857ee15e21469cde9460e9b826661d420fc4da9eec361

/data/user/0/com.rude.stamp/app_DynamicOptDex/oBERE.json

MD5 10c5c7ee79684a25651ed7acd4004183
SHA1 7e9686ffd78e2d112eda3ada566bb09aa439755d
SHA256 335fc3d13f9be5844768a4ce80bfd36dec66dc474ac7c34459a3dc3c59858000
SHA512 807ded0e6e6cc63ac1b851cdbee8b6534c73757a3153d983aa65f640819b65f1cdba851e1bc690118a87ee3c2579351ddf726a0eb0d2d24cefcfd9a005067702

/data/user/0/com.rude.stamp/app_DynamicOptDex/oBERE.json

MD5 22c44cd9c5067a3e6dfc38087ba55a57
SHA1 5678fa9bfc7bc203ab120928f16332f0ee559151
SHA256 e159b2e101ec004d3d334fbece1be2b82a5a5b448eab694c2519e92ebafe3263
SHA512 0ce6a6cb44a01ad69008fb7cf68f3b19ad0d63efaed87d99d8faed00c6264c9713fb1e37e49ea29154ab57db3520e8fff17acebfd4fae7355715a76b98ae4cf8

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-19 11:11

Reported

2024-12-19 11:14

Platform

android-x64-20240624-en

Max time kernel

144s

Max time network

146s

Command Line

com.rude.stamp

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload


Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.rude.stamp/app_DynamicOptDex/oBERE.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com (×10) | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.rude.stamp

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | raw.githubusercontent.com | udp
US | 185.199.109.133:443 | raw.githubusercontent.com (×2) | tcp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 185.199.109.133:443 | raw.githubusercontent.com (×2) | tcp
GB | 142.250.179.228:443 | (×4) | tcp
US | 185.199.109.133:443 | raw.githubusercontent.com (×5) | tcp

Files

/data/data/com.rude.stamp/app_DynamicOptDex/oBERE.json

MD5 becbf1d1e2ab80bd84d9abc4a1926784
SHA1 499e267e537d1ecc094f60b07e54fca71491c39d
SHA256 f8e55182f9092b24aebc857f21fd0abac829749add655e828e7cfd2d01c29d71
SHA512 cdd25ed40c372bb3d55fc759dcecaf5839d05d784b6d22fb1c0aaa9760c2a00b20f78e11ce7f8af06b0741d1b7e0bacdac9bcadcef195745e6d4830f9f40067f

/data/data/com.rude.stamp/app_DynamicOptDex/oBERE.json

MD5 0f4d94abed91a3e6cf3f59bdb53e446f
SHA1 d3d13ca825171e01f7fad23dfaeb0321eb5a10cf
SHA256 876270bb0879a2d6291f9ef75014d6367d0b959ae36f16088134cf9539284234
SHA512 262eae496c91948fd1c2096a13165f0ad7b7e64570c40ddcbdcf2dedce55a170d5a1a9cc01568471e36857ee15e21469cde9460e9b826661d420fc4da9eec361

/data/user/0/com.rude.stamp/app_DynamicOptDex/oBERE.json

MD5 10c5c7ee79684a25651ed7acd4004183
SHA1 7e9686ffd78e2d112eda3ada566bb09aa439755d
SHA256 335fc3d13f9be5844768a4ce80bfd36dec66dc474ac7c34459a3dc3c59858000
SHA512 807ded0e6e6cc63ac1b851cdbee8b6534c73757a3153d983aa65f640819b65f1cdba851e1bc690118a87ee3c2579351ddf726a0eb0d2d24cefcfd9a005067702

/data/data/com.rude.stamp/app_DynamicOptDex/oat/oBERE.json.cur.prof

MD5 55e52e639266c57f736e77c4be1b1f13
SHA1 1d29064756f442e715b2e5aaeb9bbff7b8959ccb
SHA256 d3f6cac154218cd46a07096fc43d1ae9695428067b899033e802963803964abf
SHA512 986fea669090447479fc43eb09024b11ad2b2412788130352a8b88e7298325c3777e6490298a5cfba9806ae6439d24bd2b06e52c31d0d568c003e23287d65966

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-19 11:11

Reported

2024-12-19 11:12

Platform

android-x64-arm64-20240624-en

Max time kernel

52s

Max time network

63s

Command Line

com.rude.stamp

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload


Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.rude.stamp/app_DynamicOptDex/oBERE.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com (×3) | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Processes

com.rude.stamp

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com (×2) | tcp
GB | 172.217.169.42:443 | (×2) | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | raw.githubusercontent.com | udp
US | 185.199.109.133:443 | raw.githubusercontent.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.187.196:443 | (×4) | tcp
US | 185.199.109.133:443 | raw.githubusercontent.com | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 108.177.15.84:443 | accounts.google.com | tcp

Files

/data/user/0/com.rude.stamp/app_DynamicOptDex/oBERE.json

MD5 becbf1d1e2ab80bd84d9abc4a1926784
SHA1 499e267e537d1ecc094f60b07e54fca71491c39d
SHA256 f8e55182f9092b24aebc857f21fd0abac829749add655e828e7cfd2d01c29d71
SHA512 cdd25ed40c372bb3d55fc759dcecaf5839d05d784b6d22fb1c0aaa9760c2a00b20f78e11ce7f8af06b0741d1b7e0bacdac9bcadcef195745e6d4830f9f40067f

/data/user/0/com.rude.stamp/app_DynamicOptDex/oBERE.json

MD5 0f4d94abed91a3e6cf3f59bdb53e446f
SHA1 d3d13ca825171e01f7fad23dfaeb0321eb5a10cf
SHA256 876270bb0879a2d6291f9ef75014d6367d0b959ae36f16088134cf9539284234
SHA512 262eae496c91948fd1c2096a13165f0ad7b7e64570c40ddcbdcf2dedce55a170d5a1a9cc01568471e36857ee15e21469cde9460e9b826661d420fc4da9eec361

/data/user/0/com.rude.stamp/app_DynamicOptDex/oBERE.json

MD5 10c5c7ee79684a25651ed7acd4004183
SHA1 7e9686ffd78e2d112eda3ada566bb09aa439755d
SHA256 335fc3d13f9be5844768a4ce80bfd36dec66dc474ac7c34459a3dc3c59858000
SHA512 807ded0e6e6cc63ac1b851cdbee8b6534c73757a3153d983aa65f640819b65f1cdba851e1bc690118a87ee3c2579351ddf726a0eb0d2d24cefcfd9a005067702

/data/user/0/com.rude.stamp/app_DynamicOptDex/oat/oBERE.json.cur.prof

MD5 a541f058500ac0b5c09475565190be3c
SHA1 ca70fea27249ebc29a68c4ca0f643df29e7be2a0
SHA256 48fca10a11cfadef90ac14745ca0765e71d1d2e72758068d850d3a7a87928623
SHA512 4812eb9c3fd90523ac98ee36c10d1451c900bb35a3ff6aa3cf9f13ea3622d8b991381ce96d83b047c1945107d145b5c6817baf0d1ff5d043522ea86b04db3169