Overview

overview

10

Static

static

6

5487ee6a11...81.apk

android-9-x86

10

5487ee6a11...81.apk

android-10-x64

10

5487ee6a11...81.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    27/01/2025, 22:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5487ee6a115d22ebb62ca821c1db8cc12d9275060cd730a7fdaea0655196a981.apk

  • Size

    2.6MB

  • MD5

    b153a2b2637a2344be8aed6e15cc5860

  • SHA1

    4557c7ef5561fc397b0cc7144d640e60d00b49c4

  • SHA256

    5487ee6a115d22ebb62ca821c1db8cc12d9275060cd730a7fdaea0655196a981

  • SHA512

    cd415034ec193a0b0ccd633c15fa05740e655efeaa2cc48b4bcd2a55d42a211ae6f051d226311a299b3c236191da9e03357cc28948a5d6334882905c3b40abc4

  • SSDEEP

    49152:L5llCCdTUD1SzzfewA+aaf0y5F1voCE8EIK8kq1c0NTg8RbsbHfREj1m3:1JkkzfewrR0y5F1gCdBK89c0Nk85sTRX

Score
10/10
hydrabankercollectioncredential_accessdefense_evasiondiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

hydra

C2

http://fhuiooedjefjheeffemensb.info

Signatures

  • Hydra

    Android banker and info stealer.

    bankertrojaninfostealerhydra
  • Hydra family
    hydra
  • Hydra payload 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery

Processes

  • com.elegant.sun
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    PID:4636

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.elegant.sun/app_DynamicOptDex/IIrjgo.json
    Filesize

    973KB

    MD5

    cd2c9ab4a4f8990a544e968baf7e2f78

    SHA1

    1d84fd4aaff60452d80e00020bba561a305be352

    SHA256

    8d62796c2adf0aa398004a24dc9ea3ec09b7dc31146d39fadaaa9da932d6082a

    SHA512

    da612f7a975bf2a45b443544193fa0fa3ec954766f6aea47bcc294d8bdacc7f04434bb9abee152ad0dcf9233f6d38c7e02e096b65ada7dc4815fd167a89fd64f

    Download Submit

  • /data/user/0/com.elegant.sun/app_DynamicOptDex/IIrjgo.json
    Filesize

    973KB

    MD5

    7379b152c196ac52d19c6524c3c9977d

    SHA1

    3b2410490349af6bf913abc1d8ea52dc8540364d

    SHA256

    b7905edd6e3abe8603470bd80d513948b52b3ad47e660429ec9bbaf6a5ed0403

    SHA512

    03c17a5205a7b7c86062c74474f89e758f9f9d2937c6bdf96da250cd88e0fd8686c92d08632efe77311eda81d1da5df9d5c8807a92c8faaf53319cf66d6d7c2f

    Download Submit

  • /data/user/0/com.elegant.sun/app_DynamicOptDex/IIrjgo.json
    Filesize

    2.2MB

    MD5

    79eb4f3b5cb1f3904e1194bbf01dbf35

    SHA1

    7fbaa74fd34ddd46b7dc8720202fdb6a528dfa3d

    SHA256

    48c87efccfa989b06ff911cdb633479399f0bbfb0eea4e2c7e94f0a1785b5a89

    SHA512

    8a829594119eecc5990fafdd1733d1b86c62726b9830049d453813b642d5480163886a5437d71c860afa4a4cfd8f10d7c5c61e6856b4222366f1106bd32fcc69

    Download Submit

  • /data/user/0/com.elegant.sun/app_DynamicOptDex/oat/IIrjgo.json.cur.prof
    Filesize

    1KB

    MD5

    30c659815f55bed4f40419ae3c54f7c4

    SHA1

    0e5ca377210ace3817e11d105e9e6be901382411

    SHA256

    9106199343ea04a310f9eb35359d110ef65cecffc14e8a7767de7bab504f75a8

    SHA512

    03ed4f00f79e257cbbca353765e89e61f9b9a4712aff8f2ad214a2afb83cf2b445c7326fd187f251ff0d653f079910af73d2a56e6b16006734e52270d3eae1f4

    Download Submit