Analysis

  • max time kernel
    296s
  • max time network
    307s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    19/02/2025, 12:43 UTC

General

  • Target

    9ec93f30a4d4c404687abd67f4aeb19d2f50b16c7662e41aba8f86a5407ba14d.apk

  • Size

    2.4MB

  • MD5

    b11e72c94d810958df65d8716d853bc3

  • SHA1

    606a5eaf439586fc316a3befc85431091bfa786e

  • SHA256

    9ec93f30a4d4c404687abd67f4aeb19d2f50b16c7662e41aba8f86a5407ba14d

  • SHA512

    c18853c87af0198a0d19d097e1f83e0044d32b3d676a23dd0cd132499d098a951d31777153e6c6e9f9710b3fc28e74129173fc90b6c7ab2711a34a84ff5b98c5

  • SSDEEP

    49152:ZxkyYHERA1iUZXObVbVIrobX57/prbB5Wk4HMIyzNZ60/KrYvTD0iXXYMZ04YKx:ZxkyYke1iiYbe0L57/ZjWJHMIyxwQKs3

Malware Config

Extracted

Family

hydra

C2

https://gist.githubusercontent.com/ferrari458italy/4fe02ee186816abcfcca6eaaed44659d/raw/helloworld.json

Signatures

  • Hydra

    Android banker and info stealer.

  • Hydra family
  • Hydra payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Applications may abuse the accessibility service to prevent their removal.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

Processes

  • com.scare.obscure
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4491

Network

  • DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    216.58.204.78
  • DNS
    ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • GET
    http://ip-api.com/json
    Remote address:
    208.95.112.1:80
    Request
    GET /json HTTP/1.1
    Authorization: 26a1b1020753576f
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ip-api.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Date: Wed, 19 Feb 2025 12:44:19 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 288
    Access-Control-Allow-Origin: *
    X-Ttl: 59
    X-Rl: 42
  • DNS
    gist.githubusercontent.com
    Remote address:
    1.1.1.1:53
    Request
    gist.githubusercontent.com
    IN A
    Response
    gist.githubusercontent.com
    IN A
    185.199.109.133
    gist.githubusercontent.com
    IN A
    185.199.111.133
    gist.githubusercontent.com
    IN A
    185.199.110.133
    gist.githubusercontent.com
    IN A
    185.199.108.133
  • GET
    https://gist.githubusercontent.com/ferrari458italy/4fe02ee186816abcfcca6eaaed44659d/raw/helloworld.json
    Remote address:
    185.199.109.133:443
    Request
    GET /ferrari458italy/4fe02ee186816abcfcca6eaaed44659d/raw/helloworld.json HTTP/1.1
    Authorization: 26a1b1020753576f
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: gist.githubusercontent.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 404 Not Found
    Connection: keep-alive
    Content-Length: 14
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    Content-Type: text/plain; charset=utf-8
    X-GitHub-Request-Id: 3018:4E67A:65B075:8948FD:67B5D224
    Accept-Ranges: bytes
    Date: Wed, 19 Feb 2025 12:44:20 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lon420115-LON
    X-Cache: MISS
    X-Cache-Hits: 0
    X-Timer: S1739969060.326945,VS0,VE127
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: e6e3fbe649c89f268ec22b0e51d6720ec802bd95
    Expires: Wed, 19 Feb 2025 12:49:20 GMT
    Source-Age: 0
  • DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    142.250.179.232
  • 142.250.180.14:443
    tls, https
    695 B
    40 B
    1
    1
  • 142.250.180.14:443
    tls, https
    695 B
    40 B
    1
    1
  • 142.250.180.14:443
    android.apis.google.com
    tls
    1.1kB
    4.5kB
    9
    7
  • 216.58.204.78:443
    android.apis.google.com
    tls
    8.6kB
    9.9kB
    30
    27
  • 216.58.204.78:443
    android.apis.google.com
    tls
    1.9kB
    6.1kB
    13
    13
  • 208.95.112.1:80
    http://ip-api.com/json
    http
    452 B
    637 B
    5
    4

    HTTP Request

    GET http://ip-api.com/json

    HTTP Response

    200
  • 185.199.109.133:443
    https://gist.githubusercontent.com/ferrari458italy/4fe02ee186816abcfcca6eaaed44659d/raw/helloworld.json
    tls, http
    1.5kB
    5.8kB
    12
    11

    HTTP Request

    GET https://gist.githubusercontent.com/ferrari458italy/4fe02ee186816abcfcca6eaaed44659d/raw/helloworld.json

    HTTP Response

    404
  • 142.250.200.36:443
    tls, https
    850 B
    40 B
    2
    1
  • 142.250.200.36:443
    www.google.com
    tls
    11.4kB
    10.2kB
    35
    40
  • 142.250.187.226:443
    tls
    135 B
    40 B
    2
    1
  • 142.250.178.3:443
    tls
    135 B
    40 B
    2
    1
  • 224.0.0.251:5353
    3.9kB
    12
  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    216.58.204.78

  • 1.1.1.1:53
    ip-api.com
    dns
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

  • 1.1.1.1:53
    gist.githubusercontent.com
    dns
    72 B
    136 B
    1
    1

    DNS Request

    gist.githubusercontent.com

    DNS Response

    185.199.109.133
    185.199.111.133
    185.199.110.133
    185.199.108.133

  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
    86 B
    1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    142.250.179.232

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/com.scare.obscure/app_DynamicOptDex/Yy.json

    Filesize

    573KB

    MD5

    dbdafc6c18b0b6f9a9c0252ed395c740

    SHA1

    d48bf669f240932e78fdb5f5d5696327af7dff72

    SHA256

    598ac88704fe5dc9707c34228de82bf1ea7805cfc4ca81427958694835cbb19a

    SHA512

    96fdec46f2c5cfae40fc636dbf0ae4ccf4b289d5b6aaaa194df287b9c52685dc56478bf9f3f7274873e06a6ee3e4ff6a67aaaef920f0f0d1f7f05010b7bf5ea9

  • /data/user/0/com.scare.obscure/app_DynamicOptDex/Yy.json

    Filesize

    573KB

    MD5

    1e11861994b5b31e4c58c224eef13532

    SHA1

    1f283ac3c312401df111388d1c295a975adc37f8

    SHA256

    75491e51cbe3aff4632b5ade80f77ce14b0ccdff422ff3c457dd5552e9693697

    SHA512

    3543ab0858bc0ab478c35c28d419866d556c1e5cc081416ed03ceb8f601bc99f65a97c6c537cb501b26fa3bd09a3e3d813f926df46a3f886616e40d8683717c0

  • /data/user/0/com.scare.obscure/app_DynamicOptDex/oat/Yy.json.cur.prof

    Filesize

    1KB

    MD5

    e9aea0942a729f9184b0509905f855f8

    SHA1

    927226a46abcbda562ca88b1b411fd8af3a7787b

    SHA256

    d9e2291c37b8aa08992fdf6cf08cf829b539829fc2e4ae546457ee05116ed489

    SHA512

    969b11a7ab2082eb87bbd79ff703079d7c0fe9c41b0731b9882808025e4baee94532aca15166ded5b24d59b8494ce2b64231bf2563d80f0a41c86c650cf61288