Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

6

b458c9bf77...5e.apk

android-9-x86

10

b458c9bf77...5e.apk

android-10-x64

10

b458c9bf77...5e.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    14/02/2025, 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b458c9bf77acd946498ed188499473355209ed0933e8d4a5f19d7c96651dbd5e.apk

  • Size

    4.7MB

  • MD5

    f04cc2ed9ab07ad51e12a1574b49e5d5

  • SHA1

    7eca6f09c6a2add92f18ebfca0a076bae6196c82

  • SHA256

    b458c9bf77acd946498ed188499473355209ed0933e8d4a5f19d7c96651dbd5e

  • SHA512

    7b14d305e446097898cea430d3f1d1d9b9c4691ffe12301c9353340af3b0e21ad2c29df08f5d56174f9ae6cd6f7d29ca3a4963435a80a18384ef16d1ada256ba

  • SSDEEP

    98304:t5n5fryzzBvv5eFiVoBmiaK7ByNbcCnWlxgE2wwFJNGApqzC:z5TyzNIsuBmihBy9cuwC

Score
10/10
hydrabankercollectioncredential_accessdefense_evasiondiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

hydra

C2

http://das123sdvvb-23sd-123asd-123xcvb-asd123-sdad-ae123-e-ee.org

DES_key

Signatures

  • Hydra

    Android banker and info stealer.

    bankertrojaninfostealerhydra
  • Hydra family
    hydra
  • Hydra payload 4 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence

Processes

  • com.hrkdpfkvq.ykwjixvpu
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4254
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.hrkdpfkvq.ykwjixvpu/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.hrkdpfkvq.ykwjixvpu/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4280

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Network Configuration Discovery

2
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Protected User Data

1
T1636

Contact List

1
T1636.003

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.hrkdpfkvq.ykwjixvpu/app_apk/payload.apk
    Filesize

    974KB

    MD5

    3baeaa766ea7f31a9147208efd957c75

    SHA1

    c701de3d0e55425394ccbf8e0967639e86f3c54e

    SHA256

    75e162dc291e15d13b0f3202a66e0c88ff2db09ec02922ee64818dbddcb78d6d

    SHA512

    9f3ccb1fc9a177524ba2d39f809be4851af385073463893bd4a8664308253fc0da2b9ab330c85675dbe9ce0c44b631a0d1ec7800491687c7b2540504b351295f

    Download Submit

  • /data/data/com.hrkdpfkvq.ykwjixvpu/app_dex/classes.dex
    Filesize

    2.2MB

    MD5

    9589a90372269c261a04f38a87c2a89c

    SHA1

    0a1d5c84db447a8261912b267d6a43d796ba9af5

    SHA256

    eb5ea280076d8ffe149c9d1ddd55f26a3e1dba6ca5c94550fbef6d6610a51cff

    SHA512

    891e35ac035abaec81f2c9405a36073b76f8ef97d0f6143f164129324c03e89e7ec882b225f9ef0cbfce4befbe877c921c6a79406c45710fb2d9e13807326e74

    Download Submit

  • /data/data/com.hrkdpfkvq.ykwjixvpu/cache/classes.dex
    Filesize

    972KB

    MD5

    827431ec70a0202a198d0c2b0ba94e6e

    SHA1

    982df4740110c7232686b8004239744f21ab07bf

    SHA256

    3ac11b193e59f0356b988c9c3fffe1137daef3c820cda0d7d8471b392e8d4847

    SHA512

    c515f08d5824d0f33e3c783c7a8d3a403f30f75c56c270ad5bba3fcad41c02f89731bade2edf31176cf2648a4085e35ad24a823543f7c152de26cc0569861db0

    Download Submit

  • /data/data/com.hrkdpfkvq.ykwjixvpu/cache/classes.zip
    Filesize

    973KB

    MD5

    c287b899a1edb4583234ba1c7c0cc73b

    SHA1

    fe6029420402ad82c7eee6ac512f3ba10886f81c

    SHA256

    0b7e3485c5e7f99315ff5a91d125b7d1621625b55b5ac20260f9b37db4a73b95

    SHA512

    dd5d266098fa122f4dfeda5a5c7be05b9250a114a8994b71365fe5c89ce4408eed1e767fc68fa64f578b581effcc7717c45b3b3f16c5abb496d242967b4943e1

    Download Submit

  • /data/data/com.hrkdpfkvq.ykwjixvpu/cache/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip
    Filesize

    1.9MB

    MD5

    43b75e7592a3bde6f881c035bfa9726d

    SHA1

    fccb5f9890f41ae94543b0b4838961abb3221b9b

    SHA256

    48c3d166997b900d4fa1449782d1e86d3637e7d0643c06502ec640e6bd287549

    SHA512

    b89aaec6f2fa7c2fcbfc701ed65fc5b71bccc4375aa1c9b96d033de4fe29719385a202635cd6bc1c6ebbc95365b7e70cf0fc166292816e18bc5a67dfff2e7f17

    Download Submit

  • /data/data/com.hrkdpfkvq.ykwjixvpu/cache/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip
    Filesize

    1.2MB

    MD5

    e9ab538699f8311d53e7cca8d2aca1a2

    SHA1

    2f027f9e7ef446bcdf0e81e5f8f0456d9ef971d1

    SHA256

    6df52d7729abf01f75358f741644e772897b25e63fd07bb1af2f64e8e94e9063

    SHA512

    d9163ed00eb5500f24a2cc260c36df25d4659ab81464c791c9b3e9b71cc33313ff11d2c2af60452a409ac919f6bd54408ada90457edd19dfd7836465ea138927

    Download Submit

  • /data/data/com.hrkdpfkvq.ykwjixvpu/cache/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip
    Filesize

    3.3MB

    MD5

    82b0f255fb22e2d095974658692c44f7

    SHA1

    20aa029e79d64e05a7b90526f245e5b2e684b98c

    SHA256

    7a724676c4a7072b1872e5dd3979c4c2de8671109547b05910d64b0ccdbbf282

    SHA512

    ec9624903b8a2f05af1f921ba20265ffdc62661c1a71243fc324924da1e7aa1dc0aa138e92d34eef93a316e6e6b03f1fb89a38368d2069512fbfe35b70de7618

    Download Submit

  • /data/data/com.hrkdpfkvq.ykwjixvpu/cache/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip
    Filesize

    333KB

    MD5

    1f179b1b7d40f81c042277f8cb37eccf

    SHA1

    0c47d7e46866bcbefe8b616849e92a90f84dd170

    SHA256

    c0b0cfb270228a9d52ebce2a21546ced6707ce4e17cdbd3ad61f02741e6b4f6a

    SHA512

    25935340b34456f4627ce2a403771f3be09331884b06c2cca18dac6daf12f8c14f88d8384b09e2fdbb597c0df4e48bef883b3627baa204cf194d70ffa4afbd12

    Download Submit

  • /data/user/0/com.hrkdpfkvq.ykwjixvpu/app_dex/classes.dex
    Filesize

    2.2MB

    MD5

    16babd739b48bea99a08a27c7f69c6a1

    SHA1

    b68fe904d00c4ede38d33081870defe42c6b4c40

    SHA256

    8792b0537fdefea78cab7e42898a145b66e0b13f6e281d56df9981f360aa18ea

    SHA512

    d20b8d543eeb9e42ca3ccb4ebf85620f027899abf09a5a08649dd89c1a4613a31d9cbc8993a75a3b664b77ef69a2cee2f5fc0063e9da53c1a0cc22bfd1a3e5d9

    Download Submit