Analysis

  • max time kernel: 149s
  • max time network: 156s
  • platform: android-10_x64
  • resource: android-x64-20240910-en
  • resource tags: arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
  • submitted: 19-01-2025 22:04

General

  • Target: 3b4082e1896b5db67be37c3e054947297894f475e7a47daa07b019fabe2bbaf6.apk
  • Size: 4.5MB
  • MD5: c5c5bf08d000dc6ef614938d3cbdc6e4
  • SHA1: 11a7b21c473a5ea16ef200d2d4dc50f1d7830afe
  • SHA256: 3b4082e1896b5db67be37c3e054947297894f475e7a47daa07b019fabe2bbaf6
  • SHA512: c03e8cd0af55a63c282ac8a85504794b15097b00d9234d6c5d8c5232985cc7c59fe207fd8e19bbb607028b5b135d741ff847550d81240a166df2d80f39edf104
  • SSDEEP: 98304:f0vvu9NrefNvGc9IgVRdl8Qd1WTUy4mOf9x:cvvGSNucOgfpdodm9x

Malware Config

Extracted

  • Family: hydra
  • C2: http://ayfilopconbeydolcaneydozpahped.com
  • DES_key:

Signatures

  • Hydra

    Android banker and info stealer.

  • Hydra family
  • Hydra payload (1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Reads the contacts stored on the device (1 TTP, 1 IoC)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 1 IoC)

    The application may abuse the accessibility service to prevent its own removal.

  • Queries information about active data network (1 TTP, 1 IoC)
  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)

Processes

  • com.qdmtxkaoo.eqvgngeow (PID: 5100)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.qdmtxkaoo.eqvgngeow/app_apk/payload.apk
    • Filesize: 974KB
    • MD5: 3baeaa766ea7f31a9147208efd957c75
    • SHA1: c701de3d0e55425394ccbf8e0967639e86f3c54e
    • SHA256: 75e162dc291e15d13b0f3202a66e0c88ff2db09ec02922ee64818dbddcb78d6d
    • SHA512: 9f3ccb1fc9a177524ba2d39f809be4851af385073463893bd4a8664308253fc0da2b9ab330c85675dbe9ce0c44b631a0d1ec7800491687c7b2540504b351295f

  • /data/data/com.qdmtxkaoo.eqvgngeow/app_dex/classes.dex
    • Filesize: 2.7MB
    • MD5: 8ea53f434f79a9f6124e6bf23dc5e2a2
    • SHA1: 247b65154275d6c5fdaf2399ced35fbe21e2ad5d
    • SHA256: 89ff8c585f2840438964e8865271d27cec93cf9ff5bd0bd9920986c9fcfabea8
    • SHA512: fa69cd4910e3b3ece9d21f97265b1493e080a5205e6d877b59da707813c5c0b8e3fa19410d2151ec24bb0670328062dd35669c8e4dbc4c81447897e1a6a5fece

  • /data/data/com.qdmtxkaoo.eqvgngeow/cache/Qg3adw2CpmSHwj59qrSgHGA9mVSkpmKkIJmNakGa.zip
    • Filesize: 29.8MB
    • MD5: 047d5bc3d0cd57e768e490bf47081695
    • SHA1: abdbe55291a1e054562706461589f2954e38c1d8
    • SHA256: c7586d2a190d45df3156a73a66616baa41fba289f398a2d921f91cfff304d630
    • SHA512: f5e8fe2f6dfc4e579b1f80cb6f8d222f542e8331d9dbf2faca49844df18e0c092105d65acf80b4b2e77e11f2e867041f862044eabd0cfb4079ce76e5c3008327

  • /data/data/com.qdmtxkaoo.eqvgngeow/cache/classes.dex
    • Filesize: 1.3MB
    • MD5: 9aed2805d4d80f4c0a2ae586d31b4952
    • SHA1: eba117e27037255bcbb69bef485da908d5d52cff
    • SHA256: 4b10253a44a4d3b82f00bf516881c6e45aa03d79dcef1f935bd2d89d56876e9d
    • SHA512: bd2358f1f8fdabc38cde6b3fa874b880bbe1e5c7687598f819e70b46fc5ea25a4ede5c2cf1914d68ec680d0f6c7d8d19686d0c035bf7697af3b0d9c2fea2fb57

  • /data/data/com.qdmtxkaoo.eqvgngeow/cache/classes.zip
    • Filesize: 1.3MB
    • MD5: 3bf5f8bebd90347916d68133a8561863
    • SHA1: 6f94d50abc7dec79a73889cf5f5bea2f0a032490
    • SHA256: 1f269c049eed87ec947a47620bdc94326b579bc78200ca2c58c22da1f2cd6d6c
    • SHA512: 60dfb13ccf8a8855a43b19f99ebc822da36e5c0a81620e8eccf93e712822c524a735d3086d25fb1ac1388d7b56a8fd569ef905f158fd75dbc101c279fad80f5d