Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

6

d4c7328826...9c.apk

android-9-x86

10

d4c7328826...9c.apk

android-10-x64

10

d4c7328826...9c.apk

android-11-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    165s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
  • submitted
    18/03/2025, 22:01 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d4c73288263cc04c315398b770312619e3c862063c173949312382c33535259c.apk

  • Size

    3.5MB

  • MD5

    fb952210ad402fc0ebf5742ba8309d33

  • SHA1

    e7fcafc16c9ba50f0caf8aede2f9ac47ce5a8949

  • SHA256

    d4c73288263cc04c315398b770312619e3c862063c173949312382c33535259c

  • SHA512

    6ce7fbda5794a3beae578729b0cf0c6a271705c0f728d7b15bc09534cd6b30b14a74cbd11b86200c10a29e583dfa5c0e2fa63c32471dcf079c92f310385d57b2

  • SSDEEP

    98304:BN2e5I5Y6zseVcQlsvWVyNteAoNZDQ1u0tjbr7cG:Bd5w9VVsvZNxoNBAN/AG

Score
10/10
hydrabankercollectioncredential_accessdefense_evasiondiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

hydra

C2

http://fajasdklfjds90932ldkfj920ldsfadsnfozvabozsnerdasa.cfd

Signatures

  • Hydra

    Android banker and info stealer.

    bankertrojaninfostealerhydra
  • Hydra family
    hydra
  • Hydra payload 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence

Processes

  • com.unaware.tissue
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:5210

Network

  • flag-au
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.180.14
  • flag-au
    DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    142.250.200.40
  • flag-au
    DNS
    fajasdklfjds90932ldkfj920ldsfadsnfozvabozsnerdasa.cfd
    Remote address:
    1.1.1.1:53
    Request
    fajasdklfjds90932ldkfj920ldsfadsnfozvabozsnerdasa.cfd
    IN A
    Response
  • flag-au
    DNS
    ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/json
    Remote address:
    208.95.112.1:80
    Request
    GET /json HTTP/1.1
    Authorization: 5308642ae78425df
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: ip-api.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Date: Tue, 18 Mar 2025 22:01:38 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 288
    Access-Control-Allow-Origin: *
    X-Ttl: 58
    X-Rl: 43
  • 216.58.212.234:443
    tls, https
    1.2kB
     40 B
     1
    1
  • 216.58.212.206:443
    tls, https
    914 B
     40 B
     1
    1
  • 142.250.180.14:443
    android.apis.google.com
    tls
    3.4kB
     7.9kB
     13
    18
  • 142.250.178.10:443
    tls, https
    2.3kB
     40 B
     1
    1
  • 142.250.200.40:443
    ssl.google-analytics.com
    tls
    1.3kB
     6.3kB
     8
    9
  • 208.95.112.1:80
    http://ip-api.com/json
    http
    452 B
     637 B
     5
    4

    HTTP Request

    GET http://ip-api.com/json

    HTTP Response

    200
  • 142.250.180.14:443
    android.apis.google.com
    52 B
     1
  • 142.250.180.14:443
    android.apis.google.com
    416 B
     8
  • 142.250.200.2:443
    416 B
     8
  • 224.0.0.251:5353
    3.7kB
     11
  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
     109 B
     1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.180.14

  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
     86 B
     1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    142.250.200.40

  • 1.1.1.1:53
    fajasdklfjds90932ldkfj920ldsfadsnfozvabozsnerdasa.cfd
    dns
    99 B
     164 B
     1
    1

    DNS Request

    fajasdklfjds90932ldkfj920ldsfadsnfozvabozsnerdasa.cfd

  • 1.1.1.1:53
    ip-api.com
    dns
    56 B
     72 B
     1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.unaware.tissue/app_fitness/hg.json
    Filesize

    969KB

    MD5

    a60fc1bd35302214b9dbbb9da21adb33

    SHA1

    0e3aae5b7146933ea127262daf2ef67b81cbb01b

    SHA256

    03071c938dcd1f0b608f826abe05bccd425d45fbc52bcadfd7a1ecf40e3484cf

    SHA512

    6a61b7eb2b5e9a0e4443bffe6eb87f9a0954c2fa18c448649a271fae5795230b34fd5c26902d63d04dfd7f5731350f8039f4a853dfdcfd0a767ebc5cc3a3a5b4

    Download Submit

  • /data/data/com.unaware.tissue/app_fitness/hg.json
    Filesize

    969KB

    MD5

    14d430fae8584b962a06998be4ab0e62

    SHA1

    a1b6486adabdee5cdfbb5ed4da8e64ced381f0ea

    SHA256

    955dfa0778d7cc972396cd4e8bccfcd94cf9676c927e9978829d739519c0d4b1

    SHA512

    880dd195272bbdcffb913c2dc91830a42c7e588ae6cc1ac26433e2342c365278cfe0216eefe7b4ec530a281fcc4c92b067e392796d810b66062ad2ab02c0410d

    Download Submit

  • /data/data/com.unaware.tissue/app_fitness/oat/hg.json.cur.prof
    Filesize

    1KB

    MD5

    c3831bc7d3750499c2b11e478ffab5da

    SHA1

    7cf8377705325aaacc19849621f4a55ea679a804

    SHA256

    a2c6e8dacdaad8930c0735d5299086e2d8cb41bbc4f8b12e56da12c9d8fe0002

    SHA512

    d1a8613deb7caa07d59b7a9f8a220c56432d2a8db18bb847cea1b0ab010c1e241d1e79caec24ed08d5a0402892ec83a0b437cfadb2fb8a086ac16f675a7c9413

    Download Submit

  • /data/user/0/com.unaware.tissue/app_fitness/hg.json
    Filesize

    2.2MB

    MD5

    b86222b8b0c7cffc60dc06c443434bec

    SHA1

    e91ccbe2573f198318236cf3845a355d529767bc

    SHA256

    777c111d75b5c69dc915cf9d07401f96fce8997f37fe49773dfdda2e79521424

    SHA512

    704412e2282f57142294741ec1dbfe26667e460029d34220ebfa2f3f795d46231501cc62813db6da1fcf9b1a45ed706ffccad8890b54aa1d9fca53e344239797

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.