Overview

overview

10

Static

static

6

2578dc5149...c0.apk

android-9-x86

10

2578dc5149...c0.apk

android-10-x64

10

2578dc5149...c0.apk

android-11-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    16/02/2025, 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2578dc51496376b92fefcda8030621b1287d2347a82148438542a4ebdb9657c0.apk

  • Size

    4.6MB

  • MD5

    0d7bb33151d9a98973e47fe54a885eb1

  • SHA1

    0a6a1644ba3e459d1ccd949e4c55736a92c04206

  • SHA256

    2578dc51496376b92fefcda8030621b1287d2347a82148438542a4ebdb9657c0

  • SHA512

    99172dfbf2c7dbf8da541b154b5f29c1c489d5d324fcf491b3f5916a8b7602de1418e86b453aed455bdcc5f02dcc69fb371e7835f8b7e2951f14760df75524cc

  • SSDEEP

    98304:VffTfxT5uY19NmMy0dL5jTS4ovGniG3ElCGYlq9VvdravEXjvC:xfxT57bzV3r60i/lhiMvPq

Score
10/10
hydrabankercollectioncredential_accessdefense_evasiondiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

hydra

C2

http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org

DES_key

Signatures

  • Hydra

    Android banker and info stealer.

    bankertrojaninfostealerhydra
  • Hydra family
    hydra
  • Hydra payload 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests uninstalling the application. 1 TTPs 1 IoCs
    defense_evasion

Processes

  • com.dfzmabwby.wbpjhioxj
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Requests uninstalling the application.
    PID:4796

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Indicator Removal on Host

1
T1630

Uninstall Malicious Application

1
T1630.001

Input Injection

1
T1516

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Network Configuration Discovery

2
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Protected User Data

1
T1636

Contact List

1
T1636.003

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.dfzmabwby.wbpjhioxj/app_apk/payload.apk
    Filesize

    974KB

    MD5

    3baeaa766ea7f31a9147208efd957c75

    SHA1

    c701de3d0e55425394ccbf8e0967639e86f3c54e

    SHA256

    75e162dc291e15d13b0f3202a66e0c88ff2db09ec02922ee64818dbddcb78d6d

    SHA512

    9f3ccb1fc9a177524ba2d39f809be4851af385073463893bd4a8664308253fc0da2b9ab330c85675dbe9ce0c44b631a0d1ec7800491687c7b2540504b351295f

    Download Submit

  • /data/user/0/com.dfzmabwby.wbpjhioxj/app_dex/classes.dex
    Filesize

    2.2MB

    MD5

    60af84a82afae12ff7052f9ed9cce45b

    SHA1

    1be6ba4a975b25e3ebef93be009d6536c67541d1

    SHA256

    1491cc9fd0391b238fbaacc492791dbb45be3f78536c008f55f8dd40fa80bccf

    SHA512

    042a86513b26c08ed60d7395bcc65f6c2eda778951c5b6d20916704613b5fc414ccfd327f5583f15e67526b73636e8b6ccfa3e1ffe573577c1637f0ff719ca06

    Download Submit

  • /data/user/0/com.dfzmabwby.wbpjhioxj/cache/classes.dex
    Filesize

    972KB

    MD5

    c5a37df3cf85474050e8306c056b9cf7

    SHA1

    fdc72e443f1ecbd63890c8cc532dbcd7421196c8

    SHA256

    ae0c7db4a2be86772c697bd9859c50965e8dd14c478db1691e7ba4c9d7c83976

    SHA512

    073e97fe065b956f84f8cf9ad054052b41238a802f97fcc66ee5f0eae3ce3c9115d0ac33c4e5ee98f4d8ae88d29955e90c55c4903e7838f7a636b4153fecd865

    Download Submit

  • /data/user/0/com.dfzmabwby.wbpjhioxj/cache/classes.zip
    Filesize

    973KB

    MD5

    f5f722a77c3b6a8d6d08f2cd27bf4fd6

    SHA1

    2bd365abf3d3066ba40a3019084fe864a9cd21d8

    SHA256

    30977adf0b70feea783ef1e4b791a99647ab5628f8fdc841813ac8e441bbf5e9

    SHA512

    019b20daf5c5279f06d2a26345355827a1de4617277e719583e8367a0bfed925b35c51ddb7c0e4e9b1d1495956ad317f0af82c8b6473acccc6df219d3e12873b

    Download Submit

  • /data/user/0/com.dfzmabwby.wbpjhioxj/cache/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip
    Filesize

    1.7MB

    MD5

    ac4f110b696709f3bd0202a01a21d0ea

    SHA1

    ae6b3b8329cb41f550c9da0012d10770c026b8a1

    SHA256

    59a18522b5e99d722c2bceae6138e38f97e7fa604c6265a5a674c706cc0c2994

    SHA512

    dd589122c16f152dfb8d7d85536452687343548d5860f87abec9159a129c41218e62ba4fdbac94ffa4c35fca6f26411e424a9c793a61d518787b717ac2d59810

    Download Submit

  • /data/user/0/com.dfzmabwby.wbpjhioxj/cache/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip
    Filesize

    77KB

    MD5

    4370f4b4a7d14cc48096f3be668cbf08

    SHA1

    2e8454ff6ba99db3b4e99d68ebccff202114f72a

    SHA256

    a94c527e99ab085534a834206aa11fa015db24c960d48d7323aa7fa37fc5c9fd

    SHA512

    ecd86a1c8b101632a287eba7047f82308a30d6fdbd16629f542bf9447c71853cd70e30410583eadb10cd6d3bfc78de8c5fa1ff9c13c3a239af34b2b7e634c6ae

    Download Submit

  • /data/user/0/com.dfzmabwby.wbpjhioxj/cache/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip
    Filesize

    5.6MB

    MD5

    bb22abfc91a948df02e9884cb1de0cff

    SHA1

    2b1396d627a95fab52ad23a1bfc1dab6451e6008

    SHA256

    7ecce06f5ea0391b0387c70f2ee739d6921ee1804d09763ed92952485f6dfcaf

    SHA512

    1d48e86a0d5499ebdb85b0f8bd1b5d856fc083d83394cae9e58ce399210c5f4eca713e33ad83bf53e48223af1fad7f89afa94bd08ec37a7560fca46bbce93667

    Download Submit