hydra | 3262022616c8528d7da521c95032197c5dd40629bf7f5b34747a55eba6d1ba66

Analysis

max time kernel
149s
max time network
158s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
18-01-2025 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3262022616c8528d7da521c95032197c5dd40629bf7f5b34747a55eba6d1ba66.apk
Size

4.4MB
MD5

b659ca3d941dc073ad0666b0e43b94a4
SHA1

db3bcc9884531e608df9535d0ba881bc3a46aa4f
SHA256

3262022616c8528d7da521c95032197c5dd40629bf7f5b34747a55eba6d1ba66
SHA512

a6a7c3e7683dc34a17b2cfadf94e4cbb26b2353f964d7800e4947e078d7bb2f9fc3742170e0e3015061c43a15f5bb4e86210c4358e7aa74e12981de64c9aa46d
SSDEEP

98304:aAHnKRhDWDUWwuL+UHKyF1hHTuFGLHQ+hm8OVSXnBMA5XJu5FmDqgCF:a0nKRtWIWwm+a9RTuFSHQYmFiB9cftg0

Score

10^/10

hydra banker collection credential_access discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

hydra

http://waehwedbosntonz30facezconiboesd12312sergag.com

DES_key

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra
Hydra family
hydra

Hydra payload 1 IoCs

resource	yara_rule
behavioral3/files/fstream-3.dat	family_hydra2

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.rflzockyn.xobmuvixt/app_dex/classes.dex	4470	com.rflzockyn.xobmuvixt
/data/user/0/com.rflzockyn.xobmuvixt/app_dex/classes.dex	4470	com.rflzockyn.xobmuvixt

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.rflzockyn.xobmuvixt
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.rflzockyn.xobmuvixt

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Reads the contacts stored on the device. 1 TTPs 1 IoCs

collection

Contact List

T1636.003

description	ioc	Process
URI accessed for read	content://com.android.contacts/contacts	com.rflzockyn.xobmuvixt

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
31	ip-api.com

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.rflzockyn.xobmuvixt

Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.rflzockyn.xobmuvixt

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.rflzockyn.xobmuvixt

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.rflzockyn.xobmuvixt

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

com.rflzockyn.xobmuvixt
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Reads the contacts stored on the device.
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Queries the mobile country code (MCC)
PID:4470

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Protected User Data

T1636

Contact List

T1636.003

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.rflzockyn.xobmuvixt/app_apk/payload.apk

Filesize
974KB

MD5
3baeaa766ea7f31a9147208efd957c75

SHA1
c701de3d0e55425394ccbf8e0967639e86f3c54e

SHA256
75e162dc291e15d13b0f3202a66e0c88ff2db09ec02922ee64818dbddcb78d6d

SHA512
9f3ccb1fc9a177524ba2d39f809be4851af385073463893bd4a8664308253fc0da2b9ab330c85675dbe9ce0c44b631a0d1ec7800491687c7b2540504b351295f

Download Submit
/data/user/0/com.rflzockyn.xobmuvixt/app_dex/classes.dex

Filesize
2.7MB

MD5
21a66fcc3ec16a0e0fdc5afc12f946b4

SHA1
89efe0598c873cd4e5ccd21e08e0a52126b42103

SHA256
53de908005177a6ea753bb6e273b9c0edb4172f78d587722f95489869bfc3ee8

SHA512
7c12a50a5f237aae2a16f38fdaabdd81f50d8a0e31d8cde710cd2eb2f03f0b48b8861f140dea56dfa3a7d229d0846afdf1f811d038247148ee44b104a0a7e477

Download Submit
/data/user/0/com.rflzockyn.xobmuvixt/cache/Qg3adw2CpmSHwj59qrSgHGA9mVSkpmKkIJmNakGa.zip

Filesize
72.3MB

MD5
475a21af4ef1e6fb489f3689ff7723da

SHA1
bbb36976ef7fa231f4170b32c18adf146a8a97cc

SHA256
74027f6a318698dcb6d16f4c920b529910410b9aae16b9e0108c8173317539ee

SHA512
f4d4c90914460ecd1b54dc901dbabd496856d8ff5b6fd61599748e36043325803d1670ce738d233dbc526437dfc6b8378fbcc13365f6738518e67967186c4631

Download Submit
/data/user/0/com.rflzockyn.xobmuvixt/cache/classes.dex

Filesize
1.3MB

MD5
bb65bbc5bd9c999184dc7c93e9d4b4c0

SHA1
9a56d253deb8bcddabae961d7d249517b2e776a6

SHA256
1d0bd1099e15372a50bdbff8c11da0b780f84876c4ebd7554e148ae327861464

SHA512
cb70e27cc054806f9d6007987446d521194057979661e64b78aa971fb874b67a09fe28dd5195ab441deee7f389d6b7d856e0821653268f91a11d209dddf4f066

Download Submit
/data/user/0/com.rflzockyn.xobmuvixt/cache/classes.zip

Filesize
1.3MB

MD5
60b1eae663a731a4ed8c7344c05a512a

SHA1
8d4e927b8e014ad52a10a5837e37b36534c4f48c

SHA256
858a00fa03497202faed7b16a241fc3f1baa4eb75c12dfa19a88390303c85276

SHA512
fa0d665fdc638f195e079171e1c850ab6299747afd3223b9aba74338dc2be619a55532113057b76fee517e383c2d5142d6fcd20a602f934f709d3d98efe4fba3

Download Submit
/data/user/0/com.rflzockyn.xobmuvixt/files/injFolder/inj/air.app.scb.breeze.android.main.sg.prod/air.app.scb.breeze.android.main.sg.prod.png

Filesize
11KB

MD5
3cefb3e302a7ee29c1662a2411da88bf

SHA1
c112e2f3f659ab22799ddd9700869caa78923229

SHA256
888e6a543ac03335b1faaaab4d4b118d9fb6849c6f9952a27054c7a82ea25650

SHA512
43c5d1a6506aa2fc5c49ecc6c0876bfccc92c4276a012dc6b22bd32631d1c15af158596f6b0d8a86045e8f248e888ae77d65559d9db6ece98f1f17713fe42a9c

Download Submit
/data/user/0/com.rflzockyn.xobmuvixt/files/injFolder/inj/air.app.scb.breeze.android.main.sg.prod/index.html

Filesize
68KB

MD5
05510e32ce26b7b0b67030181c765c08

SHA1
fd9857a023e9f4aa134215f37b0075daba91119c

SHA256
58a2f9641aeaf83f135e59fb339118a5d875443505d0cbadcfbffb74492f70c1

SHA512
c0a22a291c8f307f498cef2dff0e40a44827785b2011fa33662b2c3609a6f943d4f70a55c08752ea306fb3147ebd8c758ed7eac436128c07b4c2fd52127ef001

Download Submit
/data/user/0/com.rflzockyn.xobmuvixt/files/injFolder/inj/alior.bankingapp.android/alior.bankingapp.android.png

Filesize
29KB

MD5
ffef7444a03c7626f338a8496a9da977

SHA1
d2d9748d3fd38bfd8d72f9eea1307712c8e3752d

SHA256
5013ca90ce41eff519081880f10c2066539373cbde8e6a43053a9e267e3762d5

SHA512
c4df75c8114ffd23b071171a5d11c8d2081eb01444fb6ab909fe44128f03fe4cdf7df7d1865813379b258ec08e3a09c6ed097fc43d00f02296fd779e20185c72

Download Submit
/data/user/0/com.rflzockyn.xobmuvixt/files/injFolder/inj/alior.bankingapp.android/index.html

Filesize
20KB

MD5
bb031055ee15a0125d4e55ca14d10f32

SHA1
4f689615aaf2b18e89827fd54e52250c901664e1

SHA256
b535bdcb2f62785bed418a6402d46b8840a101a2acb4b24bcb20911cdf086548

SHA512
47ea5781cab2c694e44eb195dcc00eacba19680e5e65f5f0e64cb3958afb7cf40e3c1770c7330dc3bd3be45e2ac54d53999cd9904a7f9f9a51b394d666e85046

Download Submit
/data/user/0/com.rflzockyn.xobmuvixt/files/injFolder/inj/app.wizink.es/app.wizink.es.png

Filesize
9KB

MD5
dc48e7685d1d05c78a1aedadd52de631

SHA1
ea9df21b3cf144395dc9ec3c9bba6cbd209520ee

SHA256
8bb9a0988ef5dcc90ffc2d1b7c3a14229c9985e2b35dc773e4838040080ec9a0

SHA512
40f7b9b1b42002ad1c87dab6e6ca325082224067deb7a0ee05b7724c66ecc6f4c66367b113dc2a37001ba9d7cef873fd6ab5a7704d7b969e027d821bb6820273

Download Submit
/data/user/0/com.rflzockyn.xobmuvixt/files/injFolder/inj/app.wizink.es/index.html

Filesize
121KB

MD5
92c40d08890e7a900c03472d58e15993

SHA1
191b1d490f8818fb4026ebbd4fe4594c85e8cec2

SHA256
91880152b504ea16e2a6678e1abb47fcb83ec3437e9485a394798dd4152e82d3

SHA512
67c01c9f0243720ee1ff84b5ea3c3118f1ec500fd3b4db3230d91c9c69f0cc53e176be1964fc02a8b299a25070ba1d1e287230823e8e3e26709e6afa3cdf3194

Download Submit
/data/user/0/com.rflzockyn.xobmuvixt/files/injFolder/inj/ar.bapro/ar.bapro.png

Filesize
19KB

MD5
2d8f39eeeb9ce8a8c9daf27dafea64ec

SHA1
bba51128eea9024bfca74de76c0d4aed50171055

SHA256
58b99b8324ad70ad809c951b2f63779db8d89eabe43c247c5e0d0e58e3d715ed

SHA512
b495dcf6f6796c28d06314f8ef124725d6460f62e4c0051e8955542b9d9efe1231157667670db60577c2dcafd64f21117bdf8b0d1b0a0534945b7503f027a22c

Download Submit
/data/user/0/com.rflzockyn.xobmuvixt/files/injFolder/inj/ar.bapro/index.html

Filesize
1.1MB

MD5
797761d2e4a8475d36f72ecfff68174c

SHA1
f99275a397e66f80259eae1bc93df7c02516f424

SHA256
3860d1677ea6c4977a5051816c2170e3efc0bd36f3595df8b7673d39539e7d32

SHA512
46a6ca7256455fe3610c8182b61899d2c64370cee441fbeb76d27aa1e363fb80336b1cf8d054120d8455f5bbfafbb63b45f7c824db88fce56b65a94f0841f133

Download Submit
/data/user/0/com.rflzockyn.xobmuvixt/files/injFolder/inj/ar.com.bcopatagonia.android/ar.com.bcopatagonia.android.png

Filesize
52KB

MD5
0ac4a18d69aac96cdb39235ba4068e17

SHA1
75f74317bffc3a1f6571d50906c1f9f860ae6d85

SHA256
5425645f839d0dbbee3f2692f354d84513a0f0ee6aa6ce30fb29a49529e33239

SHA512
4f1ffe7eef6cf36c1ff83882744ec1f401db1f2cbbc5068adc6f797697913fe223c38b662f757a7b6bb5cbde83fa037b9b17ec81ff9457c16c335c6174bbbcb5

Download Submit
/data/user/0/com.rflzockyn.xobmuvixt/files/injFolder/inj/ar.com.bcopatagonia.android/index.html

Filesize
230KB

MD5
43822d19d3359b64387ff5e00dadf7ca

SHA1
4741275458cc874c97a141891e93c1d39fb4d029

SHA256
350200ddf36fd69b05875326fc6f27f4db2c6287c38789596bee0108bb7c5162

SHA512
59fa44526c2330c5dd454331e02d9363910e320e337a2e52fc0f3f9dff36004507120e8a5b4edcdf8f47f3048f194ca3e81098d13bea3a2501a26b68209e7285

Download Submit
/data/user/0/com.rflzockyn.xobmuvixt/files/injFolder/inj/ar.com.redlink.custom/ar.com.redlink.custom.png

Filesize
31KB

MD5
006d4fa9ffbff4773fef3abbea5645f3

SHA1
9e728efe677ef4193cc2a1af461bef8e9977f214

SHA256
d85afb9198d44d3f7936a41c97a0b6360a05c08477208e6c55ee893e5dce0458

SHA512
88a28e2aba3d8360b3c57a49a7393bcb47be4fc53c3abd2a31330893f1805b895c3ee22287796a31b25826dde8abec4b9220df61b9f45ee6c1af72a6fb581a49

Download Submit
/data/user/0/com.rflzockyn.xobmuvixt/files/injFolder/inj/ar.com.redlink.custom/index.html

Filesize
291KB

MD5
b1a1abbccb83a11a4f5a402cbbcfebb4

SHA1
e6d1025f89cd422f2b806e86a2340e078e840eaf

SHA256
6af9b9fadb5e1a50d1ce6732b70eb5e3ccdfc01be175dffe1b6d564fff5af148

SHA512
1ca6019a6e0ae43ee9d6747a65657d07c1d70152d54d914c9542b8d5a2935eff04043461fe569acb361684e2d6765c93e55a270dad8bd16549d9a2557d45f53d

Download Submit
/data/user/0/com.rflzockyn.xobmuvixt/files/injFolder/inj/ar.com.santander.rio.mbanking/ar.com.santander.rio.mbanking.png

Filesize
7KB

MD5
59c9cd60b17b1c3b047ac2bc695a183e

SHA1
a1a7f4ae21ac4a6c0961d65359bd4eb9fce27cdd

SHA256
ad65eb024180f6bf222669c5e77da4c376706fc11a557eca0d101de2bf98828e

SHA512
f0bb75f718d63f2686c3df03fb7a4a43719aac4fc7ed4cfc32bc282db2178bc1b7b063afaedb15c7fbf76bad5a3d52bb2f406b7339733e54f1bba792a8ef8975

Download Submit
/data/user/0/com.rflzockyn.xobmuvixt/files/injFolder/inj/ar.com.santander.rio.mbanking/index.html

Filesize
168KB

MD5
d6ada6ff400a8e5fdb20c4de946b0d87

SHA1
10f91f220a76eb5ffad2f1b1946d1a5d7336c55b

SHA256
be6c4b349dc08e40ba324d5d409a0c2d31010167e97cadc3b00cb9b3c7db5cf0

SHA512
741c69450031468cb4ae84bf01a041dce30d8d0db7fb1100a68a35d214f04c56f29642da8e32d802645b45d0b0817ed5b7f09618f4e739ef394ef79c00f927c5

Download Submit
/data/user/0/com.rflzockyn.xobmuvixt/files/injFolder/inj/ar.macro/ar.macro.png

Filesize
15KB

MD5
f8d150390c1f09f882723850c522d9df

SHA1
eab75e51cb08dcd7cc2be5376c22dea4338bed7f

SHA256
5b1b2297f1fd4e609dd43ce9f643b3df8ab76e4550667c9255a209e7a087b3cc

SHA512
41a8770820242a44f5c3da813a6776524b360d6fb37b647f1d2c4865cea231ab1c341b6079ebf700dc9c0de8a1b482d1d2f51fe92ad2f074fb6bc7ee05f43945

Download Submit
/data/user/0/com.rflzockyn.xobmuvixt/files/injFolder/inj/ar.macro/index.html

Filesize
92KB

MD5
d7daa3425c3f3ca7d587a854119ea158

SHA1
e3f7139d09433b50f386e63e8cff23fc1d261b2c

SHA256
c329f556dc09ad252880088e6c8b561f4621e3321449f9a1c5fed3d7a3f7ee6d

SHA512
a17d7d13be5d91c787b2db3fcf8cfa70e2a713774c60de3d712a132624a4d58bd7f33639046568c09b6c53da33e6fb79b99b09033563826087a782527458f89f

Download Submit
/data/user/0/com.rflzockyn.xobmuvixt/files/injFolder/inj/at.bank99.meine.meine/at.bank99.meine.meine.png

Filesize
10KB

MD5
1744fae781e190b8a594b35cbcb05ee5

SHA1
19f9a1cb4d33d1a62e8e86b509698dd234b549b5

SHA256
9e342763dbbc98c1b813beb2cfccb66303a2684c2be347e7881cdb0f12fa3bb6

SHA512
3bdc4b8f2395d0419a83604bdd440b774d48423dcc1b7df762e404b2f8b03c3370327518342217441306e7ed18b129947c347b2f752c81d2181fe3629bc15c56

Download Submit
/data/user/0/com.rflzockyn.xobmuvixt/files/injFolder/inj/at.bank99.meine.meine/index.html

Filesize
24KB

MD5
ffdd0aca5c208e616f6d1a4c09b0b1b9

SHA1
7819bade82847641fea284f866f73a7dc8ba9e61

SHA256
2c050cedf2e032fd9efcb59c7f0197b5866a49802cec2663bd3943d7d8e3f31f

SHA512
a54917e1dc6ba1cee74364da5869d44f1be5e048bcc5ac5162d871e500f0f00afbcdca055e9d0f23095ca92a566491ae185c1af4a4984b85b7c75c989accd87a

Download Submit
/data/user/0/com.rflzockyn.xobmuvixt/files/injFolder/inj/at.ing.diba.client.onlinebanking/at.ing.diba.client.onlinebanking.png

Filesize
36KB

MD5
d3468c1b10831a0b4cfd453a3713bf2e

SHA1
e94c472cf99eef34123100fb87d219c28fc454a4

SHA256
bd8b7410fe77af1f4708413dffe0508731d0bc65ef4a76f3377008b7bee08a39

SHA512
09a0d5ad887fb717f7e0b76625cf414b42a43df1e2d413c6753b7cc14959ad56b0d01a45cedd4b095e5269d68a44d1b7aa1404a60916500a9165343e25cf7830

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads