Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

6

9ea7a3c469...51.apk

android-9-x86

10

9ea7a3c469...51.apk

android-10-x64

10

9ea7a3c469...51.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    15/02/2025, 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9ea7a3c46964675fcc4a62ebc75fb2fa9b6bc823b178ceb30de855d65b3fc851.apk

  • Size

    4.7MB

  • MD5

    25fbb322f1a3741120d51148c0d8860a

  • SHA1

    f17a8eb7e6061924ce6e89584ffd833637d3fd92

  • SHA256

    9ea7a3c46964675fcc4a62ebc75fb2fa9b6bc823b178ceb30de855d65b3fc851

  • SHA512

    d349c30dd0f80a9c22c47aa12fc8336601d594c10b9c4c35d36b4668e30f658c4af3c548e14e01b23135bc680e2d6c2a30addf227d5daa6e39f6d6988e077c6e

  • SSDEEP

    98304:2Inf/Yu4kOkYyRQQICL58Uw5q+Ys7je3eUIukTTW:9f/eyiQICL5nwc+Y2jSvIukXW

Score
10/10
hydrabankercollectioncredential_accessdefense_evasiondiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

hydra

C2

http://12123-123dcvmolded1235asd123sd-123dvas-we12c-21.org

DES_key

Signatures

  • Hydra

    Android banker and info stealer.

    bankertrojaninfostealerhydra
  • Hydra family
    hydra
  • Hydra payload 4 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence

Processes

  • com.okxlqdryc.pxgkfiwph
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4345
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.okxlqdryc.pxgkfiwph/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.okxlqdryc.pxgkfiwph/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4371

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Network Configuration Discovery

2
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Protected User Data

1
T1636

Contact List

1
T1636.003

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.okxlqdryc.pxgkfiwph/app_apk/payload.apk
    Filesize

    974KB

    MD5

    3baeaa766ea7f31a9147208efd957c75

    SHA1

    c701de3d0e55425394ccbf8e0967639e86f3c54e

    SHA256

    75e162dc291e15d13b0f3202a66e0c88ff2db09ec02922ee64818dbddcb78d6d

    SHA512

    9f3ccb1fc9a177524ba2d39f809be4851af385073463893bd4a8664308253fc0da2b9ab330c85675dbe9ce0c44b631a0d1ec7800491687c7b2540504b351295f

    Download Submit

  • /data/data/com.okxlqdryc.pxgkfiwph/app_dex/classes.dex
    Filesize

    2.2MB

    MD5

    b08d83e397785ca278e39165065fa192

    SHA1

    1590dfa3a6bf452c238f154770dbb8ba5d82c1f6

    SHA256

    9c826c239e05f8de4a433358a489c2395b2a542f0e66f3935f19f07c61cc9f2d

    SHA512

    eee30f46e77704779e3196213ac7c55fadec0dc0c9f37f07d4d862f52a146edc1b3b3379422ee9588fa3ca0192c91739e6a0d8effc9eaa8471771a9e34e479e0

    Download Submit

  • /data/data/com.okxlqdryc.pxgkfiwph/cache/classes.dex
    Filesize

    972KB

    MD5

    32a863157ad736551a4e114247853197

    SHA1

    3b747b452123e7abbfe496fd156d276d8b7564d1

    SHA256

    a66e7ea86993a7fc91167aae224b6a761f4e6d3ad7045fcc9a3ceb36446f31d3

    SHA512

    18c840b6c25baf6ae05e861d06d930b6b34beb496100edfcb9f053232ba7afd0d988981ce47d41eb046491bee1a9cbabc65e9a3328e81ea94e57e0e67250ebf9

    Download Submit

  • /data/data/com.okxlqdryc.pxgkfiwph/cache/classes.zip
    Filesize

    973KB

    MD5

    e0e1ebb488ae613b086829ab340bcf07

    SHA1

    b10a38a45ef07f3b93c54d950cb9657a22043ed8

    SHA256

    c1bc7b83d5362ef1886eb365589ae408200edf679413cf48016a3954b4ad6de1

    SHA512

    38e7cdbdc413b2b804af19798aa2463db0ff9ffc4828553409fa01899a003a96b2b177840c83141b259bb68b62cc181ee9710b172ca0a7a5d4c96968bfabb8b2

    Download Submit

  • /data/data/com.okxlqdryc.pxgkfiwph/cache/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip
    Filesize

    114KB

    MD5

    7bb2c73c2591d36b01cbbaada1f64a18

    SHA1

    d28410c163b51b04892f329a0aaab28ec87b2c14

    SHA256

    538f03b6367a66f3e770c098f69a27679f4453baba2351484e15046952c2a495

    SHA512

    be1ad7a1214427ca7b3ddae71b7eee80c3ae8278e442045670346f1b6276188ab3b2c793d92b6e6ea7bce40e4176ab843f7f6e8ce0ac7cb9806bab5179da8aac

    Download Submit

  • /data/data/com.okxlqdryc.pxgkfiwph/cache/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip
    Filesize

    91KB

    MD5

    5b906da91fe902ac2873fee0af1469ef

    SHA1

    4e52b8f364245449f6b237a1458599bae0d127bd

    SHA256

    2570d1d2b5a42e23535d3b98ccb6c00f1fec02c5df47ab9f35e8a1b6c7e8af8e

    SHA512

    9e2c128c0fc9a3e0487dd8610482c0e68e6bcc28f5a6360ec113db5a64c838c3e474f3e8940361e41fa9918d493477b0d5b34c0a20e79f6d34a3a8475a1d17a4

    Download Submit

  • /data/data/com.okxlqdryc.pxgkfiwph/cache/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip
    Filesize

    120KB

    MD5

    71e398300a2144a97814980f1d95f5db

    SHA1

    2653bb3b2367abe2dae61105eee54203725a192c

    SHA256

    5ad63bf1f4c8b73bdbfb4918d72be6f8cbd2b72d6552cfaccf5888df14e32098

    SHA512

    e8c7c0d39a1411ca76bf0b144d1592a48aaf5896733a2f84c75fc977007cbdaf6ced3c9da69add5826c1dbc6648d8acfbaa5d3bb194d721182d2195c9b9122e5

    Download Submit

  • /data/data/com.okxlqdryc.pxgkfiwph/cache/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip
    Filesize

    559KB

    MD5

    c0fe5387b283981c8dd8b2ec617c5dcf

    SHA1

    a72ae380b9724d006abcfbbc6a3c835229af6585

    SHA256

    2839c8e32c541482f9eda1a3a8d0118d8a0c45a03f2de91d262d692532b31cb0

    SHA512

    cd23145fd4e4461f4d1d510f486d6a2c411df4726e2f58229a46e79bcd584c1db7de52168b06a39beaef46668b8835ec730d0bbe773a17857209f811d28359e4

    Download Submit

  • /data/data/com.okxlqdryc.pxgkfiwph/cache/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip
    Filesize

    190KB

    MD5

    52b7bace722a42a2b8e83743df9b1be6

    SHA1

    d061dc6fc2af7442bb5d38242233218325be4bb5

    SHA256

    104f9419f9f57f75bdfbcd59f0dd448e217f007695caed8d596ed160380ce54c

    SHA512

    1ebecc4667e30515c68d71a67466c1a9336c4ff60f32cd98c66143a1897a39d81da95114dbf4865d68d7718fa0336489707e9064a4af3eea103f30c80a5d85de

    Download Submit

  • /data/user/0/com.okxlqdryc.pxgkfiwph/app_dex/classes.dex
    Filesize

    2.2MB

    MD5

    4f88fbbf024363e89b759ca7dd924891

    SHA1

    83921775f18832bb9038102fb64b6ceaca83a8fd

    SHA256

    cfdebec705b760fe94f49129d63aeda0791ce127aa3ac2db02ff1a829e3337ad

    SHA512

    1b2fa5738b8c6fc3ce6423c0b4a35f1ce7d29c582a605a66c874c7321d9223e4a560deb867fd215fffd43ec15bf1d1a41f2d2dcec7be171e56600cf188028795

    Download Submit