Overview

overview

10

Static

static

6

3b4082e189...f6.apk

android-9-x86

10

3b4082e189...f6.apk

android-10-x64

10

3b4082e189...f6.apk

android-11-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    19-01-2025 22:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3b4082e1896b5db67be37c3e054947297894f475e7a47daa07b019fabe2bbaf6.apk

  • Size

    4.5MB

  • MD5

    c5c5bf08d000dc6ef614938d3cbdc6e4

  • SHA1

    11a7b21c473a5ea16ef200d2d4dc50f1d7830afe

  • SHA256

    3b4082e1896b5db67be37c3e054947297894f475e7a47daa07b019fabe2bbaf6

  • SHA512

    c03e8cd0af55a63c282ac8a85504794b15097b00d9234d6c5d8c5232985cc7c59fe207fd8e19bbb607028b5b135d741ff847550d81240a166df2d80f39edf104

  • SSDEEP

    98304:f0vvu9NrefNvGc9IgVRdl8Qd1WTUy4mOf9x:cvvGSNucOgfpdodm9x

Score
10/10
hydrabankercollectioncredential_accessdiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

hydra

C2

http://ayfilopconbeydolcaneydozpahped.com

DES_key

Signatures

  • Hydra

    Android banker and info stealer.

    bankertrojaninfostealerhydra
  • Hydra family
    hydra
  • Hydra payload 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence

Processes

  • com.qdmtxkaoo.eqvgngeow
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4376
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qdmtxkaoo.eqvgngeow/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.qdmtxkaoo.eqvgngeow/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4435

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Network Configuration Discovery

2
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Protected User Data

1
T1636

Contact List

1
T1636.003

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.qdmtxkaoo.eqvgngeow/app_apk/payload.apk
    Filesize

    974KB

    MD5

    3baeaa766ea7f31a9147208efd957c75

    SHA1

    c701de3d0e55425394ccbf8e0967639e86f3c54e

    SHA256

    75e162dc291e15d13b0f3202a66e0c88ff2db09ec02922ee64818dbddcb78d6d

    SHA512

    9f3ccb1fc9a177524ba2d39f809be4851af385073463893bd4a8664308253fc0da2b9ab330c85675dbe9ce0c44b631a0d1ec7800491687c7b2540504b351295f

    Download Submit

  • /data/data/com.qdmtxkaoo.eqvgngeow/app_dex/classes.dex
    Filesize

    2.7MB

    MD5

    8ea53f434f79a9f6124e6bf23dc5e2a2

    SHA1

    247b65154275d6c5fdaf2399ced35fbe21e2ad5d

    SHA256

    89ff8c585f2840438964e8865271d27cec93cf9ff5bd0bd9920986c9fcfabea8

    SHA512

    fa69cd4910e3b3ece9d21f97265b1493e080a5205e6d877b59da707813c5c0b8e3fa19410d2151ec24bb0670328062dd35669c8e4dbc4c81447897e1a6a5fece

    Download Submit

  • /data/data/com.qdmtxkaoo.eqvgngeow/cache/Qg3adw2CpmSHwj59qrSgHGA9mVSkpmKkIJmNakGa.zip
    Filesize

    25.7MB

    MD5

    97a1f527215977f36ae2e49008807dbb

    SHA1

    5e1382519dc363fb3db7f11a63ea93da74d40126

    SHA256

    038271a9973c372971846560fb759a7c2a0a05bd737e3becb6c87e494e871a3a

    SHA512

    a66e895647043bdc562de972ab28da48201864ffa21279c65bf3a80ed98dfbf9bbef33dd33cd9c60a387f1a5b5ef127075fc37e6b29cbfa1893ee11251aa13d8

    Download Submit

  • /data/data/com.qdmtxkaoo.eqvgngeow/cache/classes.dex
    Filesize

    1.3MB

    MD5

    9aed2805d4d80f4c0a2ae586d31b4952

    SHA1

    eba117e27037255bcbb69bef485da908d5d52cff

    SHA256

    4b10253a44a4d3b82f00bf516881c6e45aa03d79dcef1f935bd2d89d56876e9d

    SHA512

    bd2358f1f8fdabc38cde6b3fa874b880bbe1e5c7687598f819e70b46fc5ea25a4ede5c2cf1914d68ec680d0f6c7d8d19686d0c035bf7697af3b0d9c2fea2fb57

    Download Submit

  • /data/data/com.qdmtxkaoo.eqvgngeow/cache/classes.zip
    Filesize

    1.3MB

    MD5

    3bf5f8bebd90347916d68133a8561863

    SHA1

    6f94d50abc7dec79a73889cf5f5bea2f0a032490

    SHA256

    1f269c049eed87ec947a47620bdc94326b579bc78200ca2c58c22da1f2cd6d6c

    SHA512

    60dfb13ccf8a8855a43b19f99ebc822da36e5c0a81620e8eccf93e712822c524a735d3086d25fb1ac1388d7b56a8fd569ef905f158fd75dbc101c279fad80f5d

    Download Submit

  • /data/user/0/com.qdmtxkaoo.eqvgngeow/app_dex/classes.dex
    Filesize

    2.7MB

    MD5

    453a87dfdd071ad3617ef84f85b412fa

    SHA1

    eded3f4c313355be9f9e66ba493aa0ea9496a0fb

    SHA256

    f2b472dde4bd2f721279866489807fb1b642462982b44aca078518a462b298a8

    SHA512

    9c77ad5332339ebf9a0fb93b002f43049fa3053284f1e3d0ca787d1b639a11d4aefc5b6c4c27ee9a8889c1a7519298eeae442c4324d40bc074b20fa1aa00b7db

    Download Submit