Overview

overview

10

Static

static

6

9ea7a3c469...51.apk

android-9-x86

10

9ea7a3c469...51.apk

android-10-x64

10

9ea7a3c469...51.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
  • submitted
    15/02/2025, 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9ea7a3c46964675fcc4a62ebc75fb2fa9b6bc823b178ceb30de855d65b3fc851.apk

  • Size

    4.7MB

  • MD5

    25fbb322f1a3741120d51148c0d8860a

  • SHA1

    f17a8eb7e6061924ce6e89584ffd833637d3fd92

  • SHA256

    9ea7a3c46964675fcc4a62ebc75fb2fa9b6bc823b178ceb30de855d65b3fc851

  • SHA512

    d349c30dd0f80a9c22c47aa12fc8336601d594c10b9c4c35d36b4668e30f658c4af3c548e14e01b23135bc680e2d6c2a30addf227d5daa6e39f6d6988e077c6e

  • SSDEEP

    98304:2Inf/Yu4kOkYyRQQICL58Uw5q+Ys7je3eUIukTTW:9f/eyiQICL5nwc+Y2jSvIukXW

Score
10/10
hydrabankercollectioncredential_accessdefense_evasiondiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

hydra

C2

http://12123-123dcvmolded1235asd123sd-123dvas-we12c-21.org

DES_key

Signatures

  • Hydra

    Android banker and info stealer.

    bankertrojaninfostealerhydra
  • Hydra family
    hydra
  • Hydra payload 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence

Processes

  • com.okxlqdryc.pxgkfiwph
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:5062

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Network Configuration Discovery

2
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Protected User Data

1
T1636

Contact List

1
T1636.003

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.okxlqdryc.pxgkfiwph/app_apk/payload.apk
    Filesize

    974KB

    MD5

    3baeaa766ea7f31a9147208efd957c75

    SHA1

    c701de3d0e55425394ccbf8e0967639e86f3c54e

    SHA256

    75e162dc291e15d13b0f3202a66e0c88ff2db09ec02922ee64818dbddcb78d6d

    SHA512

    9f3ccb1fc9a177524ba2d39f809be4851af385073463893bd4a8664308253fc0da2b9ab330c85675dbe9ce0c44b631a0d1ec7800491687c7b2540504b351295f

    Download Submit

  • /data/data/com.okxlqdryc.pxgkfiwph/app_dex/classes.dex
    Filesize

    2.2MB

    MD5

    b08d83e397785ca278e39165065fa192

    SHA1

    1590dfa3a6bf452c238f154770dbb8ba5d82c1f6

    SHA256

    9c826c239e05f8de4a433358a489c2395b2a542f0e66f3935f19f07c61cc9f2d

    SHA512

    eee30f46e77704779e3196213ac7c55fadec0dc0c9f37f07d4d862f52a146edc1b3b3379422ee9588fa3ca0192c91739e6a0d8effc9eaa8471771a9e34e479e0

    Download Submit

  • /data/data/com.okxlqdryc.pxgkfiwph/cache/classes.dex
    Filesize

    972KB

    MD5

    32a863157ad736551a4e114247853197

    SHA1

    3b747b452123e7abbfe496fd156d276d8b7564d1

    SHA256

    a66e7ea86993a7fc91167aae224b6a761f4e6d3ad7045fcc9a3ceb36446f31d3

    SHA512

    18c840b6c25baf6ae05e861d06d930b6b34beb496100edfcb9f053232ba7afd0d988981ce47d41eb046491bee1a9cbabc65e9a3328e81ea94e57e0e67250ebf9

    Download Submit

  • /data/data/com.okxlqdryc.pxgkfiwph/cache/classes.zip
    Filesize

    973KB

    MD5

    e0e1ebb488ae613b086829ab340bcf07

    SHA1

    b10a38a45ef07f3b93c54d950cb9657a22043ed8

    SHA256

    c1bc7b83d5362ef1886eb365589ae408200edf679413cf48016a3954b4ad6de1

    SHA512

    38e7cdbdc413b2b804af19798aa2463db0ff9ffc4828553409fa01899a003a96b2b177840c83141b259bb68b62cc181ee9710b172ca0a7a5d4c96968bfabb8b2

    Download Submit

  • /data/data/com.okxlqdryc.pxgkfiwph/cache/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip
    Filesize

    798KB

    MD5

    d98591f727d90d5fcb6041edcc5bd000

    SHA1

    ab22787c6396e7b9e89dd823c8ec4b6b56df707a

    SHA256

    11bcf95d44e85aa89d5523061ee959f9f6f979de687d615eee4126468cd19247

    SHA512

    364663b3b248ab1856f422f4fa42fb21f58caa45d8e6756dab6fa46aaf04e979f5581f7561d223c04b89f2468a685c7478668f8466226cff94926e34269d4390

    Download Submit

  • /data/data/com.okxlqdryc.pxgkfiwph/cache/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip
    Filesize

    54KB

    MD5

    71365a4a4241c1b1cc5dcb548f731c57

    SHA1

    3ba93fa1ee733274c4d2c438057f2dd50c36201e

    SHA256

    b3b0cc73b755da20f3dc99ddf0b4bfe3aab520252a06b53901f88fd4605beb56

    SHA512

    b48195367158730ea14c52fa1530ea5f9db2257b05ca5ffa90011f244d1978d3ff95ddfe41267b32d1187fce29ba487a5ab783762e73b1918e12236bce51efe1

    Download Submit

  • /data/data/com.okxlqdryc.pxgkfiwph/cache/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip
    Filesize

    77KB

    MD5

    45987daf8c89d7bd547a954ecebe2197

    SHA1

    c85d431f33dfcf3a39373eb3ffe5706c6d58f6fe

    SHA256

    188b54ee21c2f6bb860b4c5f3897653256febe74f720e0e05a699ce955407472

    SHA512

    b48d5a39bb0778e0bd56f70d2dfa6d0e5d79c98c42c657ad8dd3a46aa1a3808de693282016d7ade353a358a70403cf338c51c725e68ea6dd49057cd10b320b1e

    Download Submit

  • /data/data/com.okxlqdryc.pxgkfiwph/cache/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip
    Filesize

    507KB

    MD5

    40b27ecfa0bc4588406b574cf15857e6

    SHA1

    b7ac174aed7c5a61d9f06056fef470ed459c2d35

    SHA256

    d76eae25954262ad153bceffd462ad3980d1295ba24abd7b32fa85f0dd78a591

    SHA512

    6fb5ff00154e885a0588886cb6977b9a2351d590b9c32e10106f27b0c98acaa3474cab2e00ef8a5700399db19e3ef9528e2f5d067ae382fc177bc32fc6813dd8

    Download Submit