Overview

overview

10

Static

static

6

3b4082e189...f6.apk

android-9-x86

10

3b4082e189...f6.apk

android-10-x64

10

3b4082e189...f6.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    19-01-2025 22:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3b4082e1896b5db67be37c3e054947297894f475e7a47daa07b019fabe2bbaf6.apk

  • Size

    4.5MB

  • MD5

    c5c5bf08d000dc6ef614938d3cbdc6e4

  • SHA1

    11a7b21c473a5ea16ef200d2d4dc50f1d7830afe

  • SHA256

    3b4082e1896b5db67be37c3e054947297894f475e7a47daa07b019fabe2bbaf6

  • SHA512

    c03e8cd0af55a63c282ac8a85504794b15097b00d9234d6c5d8c5232985cc7c59fe207fd8e19bbb607028b5b135d741ff847550d81240a166df2d80f39edf104

  • SSDEEP

    98304:f0vvu9NrefNvGc9IgVRdl8Qd1WTUy4mOf9x:cvvGSNucOgfpdodm9x

Score
10/10
hydrabankercollectioncredential_accessdiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

hydra

C2

http://ayfilopconbeydolcaneydozpahped.com

DES_key

Signatures

  • Hydra

    Android banker and info stealer.

    bankertrojaninfostealerhydra
  • Hydra family
    hydra
  • Hydra payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery

Processes

  • com.qdmtxkaoo.eqvgngeow
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    PID:4634

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.qdmtxkaoo.eqvgngeow/app_apk/payload.apk
    Filesize

    974KB

    MD5

    3baeaa766ea7f31a9147208efd957c75

    SHA1

    c701de3d0e55425394ccbf8e0967639e86f3c54e

    SHA256

    75e162dc291e15d13b0f3202a66e0c88ff2db09ec02922ee64818dbddcb78d6d

    SHA512

    9f3ccb1fc9a177524ba2d39f809be4851af385073463893bd4a8664308253fc0da2b9ab330c85675dbe9ce0c44b631a0d1ec7800491687c7b2540504b351295f

    Download Submit

  • /data/user/0/com.qdmtxkaoo.eqvgngeow/app_dex/classes.dex
    Filesize

    2.7MB

    MD5

    8ea53f434f79a9f6124e6bf23dc5e2a2

    SHA1

    247b65154275d6c5fdaf2399ced35fbe21e2ad5d

    SHA256

    89ff8c585f2840438964e8865271d27cec93cf9ff5bd0bd9920986c9fcfabea8

    SHA512

    fa69cd4910e3b3ece9d21f97265b1493e080a5205e6d877b59da707813c5c0b8e3fa19410d2151ec24bb0670328062dd35669c8e4dbc4c81447897e1a6a5fece

    Download Submit

  • /data/user/0/com.qdmtxkaoo.eqvgngeow/cache/Qg3adw2CpmSHwj59qrSgHGA9mVSkpmKkIJmNakGa.zip
    Filesize

    61.6MB

    MD5

    4be53bef077eddfe07c5eec3a0cf1529

    SHA1

    ad5bdb62392218b8f01e94162cc44d67859ceab2

    SHA256

    dedea88643a8a1b559b55e1919b3da87d5adb62a1b962d8cc8714595832a015a

    SHA512

    ebe8c89da957f8786b8cd064567859120111442337540fa3f2992e0bebc4db2e929e39f1eef62adfe08f6a82a320cf3347c36897af6c771731520d284f61ecc8

    Download Submit

  • /data/user/0/com.qdmtxkaoo.eqvgngeow/cache/classes.dex
    Filesize

    1.3MB

    MD5

    9aed2805d4d80f4c0a2ae586d31b4952

    SHA1

    eba117e27037255bcbb69bef485da908d5d52cff

    SHA256

    4b10253a44a4d3b82f00bf516881c6e45aa03d79dcef1f935bd2d89d56876e9d

    SHA512

    bd2358f1f8fdabc38cde6b3fa874b880bbe1e5c7687598f819e70b46fc5ea25a4ede5c2cf1914d68ec680d0f6c7d8d19686d0c035bf7697af3b0d9c2fea2fb57

    Download Submit

  • /data/user/0/com.qdmtxkaoo.eqvgngeow/cache/classes.zip
    Filesize

    1.3MB

    MD5

    3bf5f8bebd90347916d68133a8561863

    SHA1

    6f94d50abc7dec79a73889cf5f5bea2f0a032490

    SHA256

    1f269c049eed87ec947a47620bdc94326b579bc78200ca2c58c22da1f2cd6d6c

    SHA512

    60dfb13ccf8a8855a43b19f99ebc822da36e5c0a81620e8eccf93e712822c524a735d3086d25fb1ac1388d7b56a8fd569ef905f158fd75dbc101c279fad80f5d

    Download Submit