Overview

overview

10

Static

static

6

80b3f01ac5...09.apk

android-9-x86

1

80b3f01ac5...09.apk

android-10-x64

10

80b3f01ac5...09.apk

android-11-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    160s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
  • submitted
    18-01-2025 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    80b3f01ac51a6ec4f2d7e11cd72cb303b5ac9c98308cb3424cc1c9cfd0cc1d09.apk

  • Size

    4.5MB

  • MD5

    a13a0a82932d8b088aaeb396fb0dbff0

  • SHA1

    d2753b59c297536c432a12dbcf59bc9a32ee63dc

  • SHA256

    80b3f01ac51a6ec4f2d7e11cd72cb303b5ac9c98308cb3424cc1c9cfd0cc1d09

  • SHA512

    4bbc1ceb848703238a295576055126c1dede5096040a12edbe8749a0e1a8ad7afe699bf1fe2a214bdf2a7b9d6cdea356593e55215c94fdef2581954135303fc1

  • SSDEEP

    98304:KeYGGBavlNTNEGimhiRon9KqzTe7ifNj6LXBURxytvxVrwBY2Us:KeYGmavllNwkB9Ne7WNj6LXiRxyb1wBf

Score
10/10
hydrabankercollectioncredential_accessdiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

hydra

C2

http://waehwedbosntonz30facezconiboesd12312sergag.com

DES_key

Signatures

  • Hydra

    Android banker and info stealer.

    bankertrojaninfostealerhydra
  • Hydra family
    hydra
  • Hydra payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence

Processes

  • com.zqjtgzarm.jqrjbmbsj
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:5215

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Network Configuration Discovery

2
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Protected User Data

1
T1636

Contact List

1
T1636.003

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.zqjtgzarm.jqrjbmbsj/app_apk/payload.apk
    Filesize

    974KB

    MD5

    3baeaa766ea7f31a9147208efd957c75

    SHA1

    c701de3d0e55425394ccbf8e0967639e86f3c54e

    SHA256

    75e162dc291e15d13b0f3202a66e0c88ff2db09ec02922ee64818dbddcb78d6d

    SHA512

    9f3ccb1fc9a177524ba2d39f809be4851af385073463893bd4a8664308253fc0da2b9ab330c85675dbe9ce0c44b631a0d1ec7800491687c7b2540504b351295f

    Download Submit

  • /data/data/com.zqjtgzarm.jqrjbmbsj/app_dex/classes.dex
    Filesize

    2.7MB

    MD5

    71e628d8f95c11e143e5b645fc74bce6

    SHA1

    0f100870f00f5684fe4beaaa1a0f128f2d441494

    SHA256

    6e014553faf9c0bb2ebd64633522ca04ea33531a5a4cd1a37b085e0cb3154800

    SHA512

    f991702c3a573843f6370b9e2934f7f0488915da23fe6a6b8e42d45cebf2f3b29c549abbbeed19970940efe85fa1f3fc589f557bbe247a4d25a1f5ec5ce5008a

    Download Submit

  • /data/data/com.zqjtgzarm.jqrjbmbsj/cache/Qg3adw2CpmSHwj59qrSgHGA9mVSkpmKkIJmNakGa.zip
    Filesize

    72.3MB

    MD5

    475a21af4ef1e6fb489f3689ff7723da

    SHA1

    bbb36976ef7fa231f4170b32c18adf146a8a97cc

    SHA256

    74027f6a318698dcb6d16f4c920b529910410b9aae16b9e0108c8173317539ee

    SHA512

    f4d4c90914460ecd1b54dc901dbabd496856d8ff5b6fd61599748e36043325803d1670ce738d233dbc526437dfc6b8378fbcc13365f6738518e67967186c4631

    Download Submit

  • /data/data/com.zqjtgzarm.jqrjbmbsj/cache/classes.dex
    Filesize

    1.3MB

    MD5

    4cafe8c2c6dd74d036b2dcad6f878c43

    SHA1

    1eda52e9554f2ecb8f43df01521c5f0c0cb0a8fd

    SHA256

    c7d82d75d274536f86bbff879abd898d631127fe391ffcc534834a7ed6817fda

    SHA512

    95e1de73a3a7eb0f56cd2032aa009c92044c84e29ffe5b99395bc809410f9fb07d721061fe8cc3948d8b42eaae162297028a193249c8c0a300a00f52d74cc80a

    Download Submit

  • /data/data/com.zqjtgzarm.jqrjbmbsj/cache/classes.zip
    Filesize

    1.3MB

    MD5

    2cb70b31197da01f8e3add72b19a63a8

    SHA1

    2501038d369eb7fdccfa54b4f118f7ac29b6533e

    SHA256

    3afede23b5fa8faab1dc26d613b14a313fec38346344d92fc9d5b7321b704f5d

    SHA512

    f5988394dd5564b0686f7d30318aa2e8db9a17601a8fa2b0a21b5569e736388af1e6a7995232218d03f8546962903f2f6052c7cf1821c267515e451578116617

    Download Submit

  • /data/data/com.zqjtgzarm.jqrjbmbsj/files/injFolder/inj/air.app.scb.breeze.android.main.sg.prod/air.app.scb.breeze.android.main.sg.prod.png
    Filesize

    11KB

    MD5

    3cefb3e302a7ee29c1662a2411da88bf

    SHA1

    c112e2f3f659ab22799ddd9700869caa78923229

    SHA256

    888e6a543ac03335b1faaaab4d4b118d9fb6849c6f9952a27054c7a82ea25650

    SHA512

    43c5d1a6506aa2fc5c49ecc6c0876bfccc92c4276a012dc6b22bd32631d1c15af158596f6b0d8a86045e8f248e888ae77d65559d9db6ece98f1f17713fe42a9c

    Download Submit

  • /data/data/com.zqjtgzarm.jqrjbmbsj/files/injFolder/inj/air.app.scb.breeze.android.main.sg.prod/index.html
    Filesize

    68KB

    MD5

    05510e32ce26b7b0b67030181c765c08

    SHA1

    fd9857a023e9f4aa134215f37b0075daba91119c

    SHA256

    58a2f9641aeaf83f135e59fb339118a5d875443505d0cbadcfbffb74492f70c1

    SHA512

    c0a22a291c8f307f498cef2dff0e40a44827785b2011fa33662b2c3609a6f943d4f70a55c08752ea306fb3147ebd8c758ed7eac436128c07b4c2fd52127ef001

    Download Submit

  • /data/data/com.zqjtgzarm.jqrjbmbsj/files/injFolder/inj/alior.bankingapp.android/alior.bankingapp.android.png
    Filesize

    29KB

    MD5

    ffef7444a03c7626f338a8496a9da977

    SHA1

    d2d9748d3fd38bfd8d72f9eea1307712c8e3752d

    SHA256

    5013ca90ce41eff519081880f10c2066539373cbde8e6a43053a9e267e3762d5

    SHA512

    c4df75c8114ffd23b071171a5d11c8d2081eb01444fb6ab909fe44128f03fe4cdf7df7d1865813379b258ec08e3a09c6ed097fc43d00f02296fd779e20185c72

    Download Submit

  • /data/data/com.zqjtgzarm.jqrjbmbsj/files/injFolder/inj/alior.bankingapp.android/index.html
    Filesize

    20KB

    MD5

    bb031055ee15a0125d4e55ca14d10f32

    SHA1

    4f689615aaf2b18e89827fd54e52250c901664e1

    SHA256

    b535bdcb2f62785bed418a6402d46b8840a101a2acb4b24bcb20911cdf086548

    SHA512

    47ea5781cab2c694e44eb195dcc00eacba19680e5e65f5f0e64cb3958afb7cf40e3c1770c7330dc3bd3be45e2ac54d53999cd9904a7f9f9a51b394d666e85046

    Download Submit

  • /data/data/com.zqjtgzarm.jqrjbmbsj/files/injFolder/inj/app.wizink.es/app.wizink.es.png
    Filesize

    9KB

    MD5

    dc48e7685d1d05c78a1aedadd52de631

    SHA1

    ea9df21b3cf144395dc9ec3c9bba6cbd209520ee

    SHA256

    8bb9a0988ef5dcc90ffc2d1b7c3a14229c9985e2b35dc773e4838040080ec9a0

    SHA512

    40f7b9b1b42002ad1c87dab6e6ca325082224067deb7a0ee05b7724c66ecc6f4c66367b113dc2a37001ba9d7cef873fd6ab5a7704d7b969e027d821bb6820273

    Download Submit

  • /data/data/com.zqjtgzarm.jqrjbmbsj/files/injFolder/inj/app.wizink.es/index.html
    Filesize

    27KB

    MD5

    b62296f1355e5cfe13c1bb447556ab93

    SHA1

    3fc58b7163e1364b9fbe7ca4f55c70442629de76

    SHA256

    3dc4cffdf7a2d665cb442746d7e1c27addcad5f18ead2830b3ac27553d543fae

    SHA512

    90a89cc647dad37f54db6e5146602764838b686cce07f2112e17937e408d121529a66e7dd5001c0858c76631089feeffe671b426bf3fecb3668c6428c30e82f8

    Download Submit