Analysis

  • max time kernel
    149s
  • max time network
    159s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    18/03/2025, 22:01

General

  • Target

    5e6ee98bdad3c9879ef56575c41c4b53e297fcad3a715995f71c9dab950d5ee9.apk

  • Size

    4.1MB

  • MD5

    029afcf139402cb4e439691ed204cb3a

  • SHA1

    a53a8d4b6ee0db0012a3daccfa7f4fb68a69f325

  • SHA256

    5e6ee98bdad3c9879ef56575c41c4b53e297fcad3a715995f71c9dab950d5ee9

  • SHA512

    f6434e125504cbf077d9ee215c064d1eb49d445ee096dcfa2d1d6d0a766881a7a11acd9bcf01e6e7b956fec3e0ebdb21876ec8eff24ba9358e215ca868ea99b9

  • SSDEEP

    98304:WCSqVBWfnWMy3KiALMXGv5d6gGVbpz6vyFb8bLdR90voZulQaz9E:WCSq7WPWMy3TALM2ociN19E

Malware Config

Extracted

Family

hydra

C2

http://fajasdklfjds90932ldkfj920ldsfadsnfozvabozsnerdasa.cfd

Signatures

  • Hydra

    Android banker and info stealer.

  • Hydra family
  • Hydra payload 4 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

Processes

  • com.sort.minute
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4225
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sort.minute/app_satisfy/MOA.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.sort.minute/app_satisfy/oat/x86/MOA.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4295

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.sort.minute/app_satisfy/MOA.json

    Filesize

    969KB

    MD5

    e0f1f86fb0587b18f168d7f40cf51e0a

    SHA1

    138ea71dc78928a2443006c8e64b9900c07b593b

    SHA256

    77437ad3c1b1d48a66be3b53ec89b5bd924ab34384224bd0da72f959967462b2

    SHA512

    9169761d6b05d3feef9fc85288652ea836aa9ebe6150ad963bfc36ca24bdc8c8f14679e5c9b9f672c5d683420eb28d355828d2e73077e22baafb79c2b8d09d83

  • /data/data/com.sort.minute/app_satisfy/MOA.json

    Filesize

    969KB

    MD5

    22f4c699bca5efa737506af5b348055b

    SHA1

    9d0b1e6257583a3bf3dafcce5722a10fdb7fd4eb

    SHA256

    6cc6a8a9ebdd8719b95e3f9fda9a7c26867bf0a7fe3241ec719e04f6a060af19

    SHA512

    d5a370b70410305a31184205cbaa3d2ff3e549b31eb4065b3257fe4c56da903a3f31064675a57ec7fcb2d36d17c44cdfe3124e6f56ba5279d67267e5b799a16e

  • /data/data/com.sort.minute/app_satisfy/oat/MOA.json.cur.prof

    Filesize

    1KB

    MD5

    01f2171c80728928763a74b1539f930c

    SHA1

    0e0c78596a328f7d3e36e3dbc157215c048c3b07

    SHA256

    44fa786971c6b37d8fc058a1ddc19cc47e643127562a4888f8460cc1f3bb0c88

    SHA512

    0902e18eebec8d3b5fc552ee1c138a94815375b361b627b6733622c0309123c63524b299ffc039eff4ff4d0369ca5dba0c9876a7253c48cf8f200aa5edf407a4

  • /data/user/0/com.sort.minute/app_satisfy/MOA.json

    Filesize

    2.2MB

    MD5

    89337b20b0e1399b49e6ec02fa4dd1b7

    SHA1

    986e4a20bf5f1398e6fbfad82dc13498d9b1d95b

    SHA256

    f45b8052ebccbaa33e33ad20d616683cf8a512960d1941f23c0346f9635e614b

    SHA512

    621331f59cbde44ea5e510c664a3c5843fe9773c9cf22861dba125f84291cd89ca1568846908f267cfac8969a8fa9d74e4c0644579619674c361e5c6dfa89aff

  • /data/user/0/com.sort.minute/app_satisfy/MOA.json

    Filesize

    2.2MB

    MD5

    596ece6d89b6e800cb108ff3bb2138bf

    SHA1

    7594af048fa5bb0b5385cb953e79c3fe46773114

    SHA256

    e5aa076fd71a1784ff54191a8ca2b8a58335601ac825936782650242221870ac

    SHA512

    aabb9b49cf442ba84aabff249b6022195a2a7ab3157cd1562ea20e19dd89bb3adb7e84faf078ab9fb96d9dbf6b4ce0ff5c7d92ef071d5a2cff3ff9c96249e931