Overview

overview

10

Static

static

6

1fc6c7f55a...02.apk

android-13-x64

10

1fc6c7f55a...02.apk

android-9-x86

10

base.apk

android-13-x64

10

base.apk

android-9-x86

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1fc6c7f55ac3ccee96713dcc3cbd38760a3a6ccfa692d5e6effcf0bc567c8602

  • Size

    9.3MB

  • Sample

    250321-vx6bfsxpz3

  • MD5

    13067d771e306d0918894e3e1aeb32b6

  • SHA1

    7c923df60cbe659d6d3c9ef02cf6a76abe731c3e

  • SHA256

    1fc6c7f55ac3ccee96713dcc3cbd38760a3a6ccfa692d5e6effcf0bc567c8602

  • SHA512

    07659b9d3ce91f318c38f68d102e29b7cec7fc8b2c402dc9b2dde626a09640b50788f7bbe24bbb47ff6e2e9e05166e71f5bd79628559e9d1a17beb9dbc4fa6e0

  • SSDEEP

    196608:2uKK5F7JTUKRzHBmH4AGK+8ZWFNp8hJHVuW:D5JFRLBmH9GqcFsjVj

Score
10/10
hydratanglebotandroidbankercollectioncredential_accessdefense_evasiondiscoveryevasioninfostealerpersistencespywaretrojan

Malware Config

Extracted

Family

hydra

C2

http://chililiki0101.com

Targets

    • Target

      1fc6c7f55ac3ccee96713dcc3cbd38760a3a6ccfa692d5e6effcf0bc567c8602

    • Size

      9.3MB

    • MD5

      13067d771e306d0918894e3e1aeb32b6

    • SHA1

      7c923df60cbe659d6d3c9ef02cf6a76abe731c3e

    • SHA256

      1fc6c7f55ac3ccee96713dcc3cbd38760a3a6ccfa692d5e6effcf0bc567c8602

    • SHA512

      07659b9d3ce91f318c38f68d102e29b7cec7fc8b2c402dc9b2dde626a09640b50788f7bbe24bbb47ff6e2e9e05166e71f5bd79628559e9d1a17beb9dbc4fa6e0

    • SSDEEP

      196608:2uKK5F7JTUKRzHBmH4AGK+8ZWFNp8hJHVuW:D5JFRLBmH9GqcFsjVj

    Score
    10/10
    tanglebotevasioninfostealerspywaretrojan
    behavioral1behavioral2

    • Target

      base.apk

    • Size

      4.7MB

    • MD5

      97582d8e33578e7dd5f7667bde68f6c3

    • SHA1

      71356471f1fc8cccd4288deb577d63041e1faea1

    • SHA256

      f190b0887265d7e7fbef7ce328180aa11925295e0fe335efe526747acb64449e

    • SHA512

      e624188eeb55dc230a9bc32b60965331a3f60cf8a05eb5cadc25147ca672ea3a863617dc0dcc1fba0cb57c06b1fbadd1ebb6b87ece49cc57ad1982e2bbde9ab1

    • SSDEEP

      98304:/H7JYwx4LmDPN5WWs5s5GShHjq35Uf6X9HsgIFrBCbg+jccUr6Abk03LbUg+:/exw5WWsjH8Mg+k+

    Score
    10/10
    hydrabankercollectioncredential_accessdefense_evasiondiscoveryevasioninfostealerpersistencetrojan

    • Hydra

      Android banker and info stealer.

      bankertrojaninfostealerhydra

    • Hydra family

      hydra

    • Hydra payload

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

      collectiondefense_evasioncredential_access

    • Reads the contacts stored on the device.

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

      defense_evasionpersistence

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

      evasion

    • Queries information about active data network

      discovery

    • Queries the mobile country code (MCC)

      discovery

    • Reads information about phone network operator.

      discovery
    behavioral3behavioral4

MITRE ATT&CK Mobile v15

Tasks