Analysis
  Max time kernel: 149s
  Max time network: 156s
  Platform: android-10_x64
  Resource: android-x64-20240910-en
  Resource tags: arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
  Submitted: 19-01-2025 22:04
Tasks
  Static task: static1
  Behavioral task: behavioral1
    Sample: 3b4082e1896b5db67be37c3e054947297894f475e7a47daa07b019fabe2bbaf6.apk
    Resource: android-x86-arm-20240910-en
  Behavioral task: behavioral2
    Sample: 3b4082e1896b5db67be37c3e054947297894f475e7a47daa07b019fabe2bbaf6.apk
    Resource: android-x64-20240910-en
  Behavioral task: behavioral3
    Sample: 3b4082e1896b5db67be37c3e054947297894f475e7a47daa07b019fabe2bbaf6.apk
    Resource: android-x64-arm64-20240624-en
General
  Target: 3b4082e1896b5db67be37c3e054947297894f475e7a47daa07b019fabe2bbaf6.apk
  Size: 4.5MB
  MD5: c5c5bf08d000dc6ef614938d3cbdc6e4
  SHA1: 11a7b21c473a5ea16ef200d2d4dc50f1d7830afe
  SHA256: 3b4082e1896b5db67be37c3e054947297894f475e7a47daa07b019fabe2bbaf6
  SHA512: c03e8cd0af55a63c282ac8a85504794b15097b00d9234d6c5d8c5232985cc7c59fe207fd8e19bbb607028b5b135d741ff847550d81240a166df2d80f39edf104
  SSDEEP: 98304:f0vvu9NrefNvGc9IgVRdl8Qd1WTUy4mOf9x:cvvGSNucOgfpdodm9x
Malware Config
  Extracted
    Family: hydra
    C2: http://ayfilopconbeydolcaneydozpahped.com
Signatures
  Hydra
    Android banker and info stealer.
  Hydra family
  Hydra payload (1 IoC)
    resource                        yara_rule
    behavioral2/files/fstream-3.dat family_hydra2
  Loads dropped Dex/Jar (1 TTP, 2 IoCs)
    Runs executable file dropped to the device during analysis.
    ioc                                                        pid   Process
    /data/user/0/com.qdmtxkaoo.eqvgngeow/app_dex/classes.dex   5100  com.qdmtxkaoo.eqvgngeow
    /data/user/0/com.qdmtxkaoo.eqvgngeow/app_dex/classes.dex   5100  com.qdmtxkaoo.eqvgngeow
  Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
    Retrieves information displayed on the phone screen using AccessibilityService.
    description             ioc                                                                                                   Process
    Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  com.qdmtxkaoo.eqvgngeow
    Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId          com.qdmtxkaoo.eqvgngeow
  Queries a list of all the installed applications on the device (1 TTP)
    Might be used in an attempt to overlay legitimate apps.
  Reads the contacts stored on the device. (1 TTP, 1 IoC)
    description            ioc                                     Process
    URI accessed for read  content://com.android.contacts/contacts  com.qdmtxkaoo.eqvgngeow
  Looks up external IP address via web service (1 IoC)
    Uses a legitimate IP lookup service to find the infected system's external IP.
    flow  ioc
    16    ip-api.com
  Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
    Application may abuse the framework's foreground service to continue running in the foreground.
    description             ioc                                               Process
    Framework service call  android.app.IActivityManager.setServiceForeground  com.qdmtxkaoo.eqvgngeow
  Performs UI accessibility actions on behalf of the user (1 TTP, 1 IoC)
    Application may abuse the accessibility service to prevent its removal.
    ioc                                                                                Process
    android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  com.qdmtxkaoo.eqvgngeow
  Queries information about active data network (1 TTP, 1 IoC)
    description             ioc                                                  Process
    Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  com.qdmtxkaoo.eqvgngeow
  Queries the mobile country code (MCC) (1 TTP, 1 IoC)
    description             ioc                                                                    Process
    Framework service call  com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  com.qdmtxkaoo.eqvgngeow
  Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
    description             ioc                                          Process
    Framework service call  android.app.IActivityManager.registerReceiver  com.qdmtxkaoo.eqvgngeow
Processes
  com.qdmtxkaoo.eqvgngeow (PID: 5100)
    - Loads dropped Dex/Jar
    - Makes use of the framework's Accessibility service
    - Reads the contacts stored on the device.
    - Makes use of the framework's foreground persistence service
    - Performs UI accessibility actions on behalf of the user
    - Queries information about active data network
    - Queries the mobile country code (MCC)
    - Registers a broadcast receiver at runtime (usually for listening for system events)
Network
MITRE ATT&CK Mobile v15
  Persistence
    Event Triggered Execution
      Broadcast Receivers (1)
    Foreground Persistence (1)
  Defense Evasion
    Download New Code at Runtime (1)
    Foreground Persistence (1)
    Impair Defenses
      Prevent Application Removal (1)
    Input Injection (1)
  Discovery
    Software Discovery
      Security Software Discovery (1)
    System Network Configuration Discovery (1)
    System Network Connections Discovery (1)
Downloads