MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b321553f1a269ee4b68a02162ba2d14c71a92907b6001ff3db0fe5bae6b3430. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Hydra

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	8b321553f1a269ee4b68a02162ba2d14c71a92907b6001ff3db0fe5bae6b3430
SHA3-384 hash:	511df1e5a7034843f531be8099d8dd0272e7086d00f21d772705debad5dae7980cf5b1444fdea3b485b9f9e168b4ff76
SHA1 hash:	8ea0706e77e57810ff1bc9073f3701772f032557
MD5 hash:	d1a68785559ae6b0049a2bd1798277a1
humanhash:	comet-fifteen-edward-utah
File name:	eBayMobile.apk
Download:	download sample
Signature	Hydra Create hunting rule
File size:	2'980'584 bytes
First seen:	2022-09-21 09:22:46 UTC
Last seen:	Never
File type:	apk
MIME type:	application/zip
ssdeep	49152:Ucz4N3omNn0M+CGN3SPXLD8S/obeUQGkfC1T3Eb0KizuNAGq6BXk2M:LrmR0vCSC/robeZGkfk0xA1XX
TLSH	T152D53384E121454CC4E9B73297674292B53CCB148613FB2F07A6B4B96AF2FD9630ADDC
TrID	67.5% (.APK) Android Package (38500/1/9) 23.6% (.JAR) Java Archive (13500/1/2) 7.0% (.ZIP) ZIP compressed archive (4000/1) 1.7% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	JAMESWT_WT
Tags:	android apk BankBot Hydra malware signed

Code Signing Certificate

Organisation:	Android
Issuer:	Android
Algorithm:	sha1WithRSAEncryption
Valid from:	2008-02-29T01:33:46Z
Valid to:	2035-07-17T01:33:46Z
Serial number:	936eacbe07f201df
Intelligence:	1692 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

430

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Android.SMS-10.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

android bankbot fingerprint hydra

Link:

https://www.filescan.io/uploads/632ad80b6aa625318dcc4f19/reports/b3125889-cf01-4d35-9cf6-cf331d96f931/overview

Result

Link:

https://incinerator.cloud/#/public/report/d1a68785559ae6b0049a2bd1798277a1/detail

Application Permissions

Allows an application to request installing packages. (REQUEST_INSTALL_PACKAGES)

directly call phone numbers (CALL_PHONE)

edit SMS or MMS (WRITE_SMS)

read phone state and identity (READ_PHONE_STATE)

send SMS messages (SEND_SMS)

fine (GPS) location (ACCESS_FINE_LOCATION)

coarse (network-based) location (ACCESS_COARSE_LOCATION)

read SMS or MMS (READ_SMS)

receive SMS (RECEIVE_SMS)

retrieve running applications (GET_TASKS)

allow application to recognize physical activity (ACTIVITY_RECOGNITION)

access location in background (ACCESS_BACKGROUND_LOCATION)

read/modify/delete external storage contents (WRITE_EXTERNAL_STORAGE)

read external storage contents (READ_EXTERNAL_STORAGE)

read contact data (READ_CONTACTS)

display system-level alerts (SYSTEM_ALERT_WINDOW)

full Internet access (INTERNET)

reorder applications running (REORDER_TASKS)

control vibrator (VIBRATE)

allow use of fingerprint (USE_FINGERPRINT)

view network status (ACCESS_NETWORK_STATE)

change Wi-Fi status (CHANGE_WIFI_STATE)

view Wi-Fi status (ACCESS_WIFI_STATE)

change your audio settings (MODIFY_AUDIO_SETTINGS)

create Bluetooth connections (BLUETOOTH)

automatically start at boot (RECEIVE_BOOT_COMPLETED)

prevent phone from sleeping (WAKE_LOCK)

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/8b321553f1a269ee4b68a02162ba2d14c71a92907b6001ff3db0fe5bae6b3430

Result

Threat name:

Hydra

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1074491

Signature

Access the class loader (often done to load a new code)

Accesses FileOutputStream via Reflection

Contains a screen recorder (to take screenshot)

Deletes other packages

Detected Hydra

Found potential keylogger

Loads new DEX files via dynamic constructor

Multi AV Scanner detection for submitted file

Removes its application launcher (likely to stay hidden)

Requests to ignore battery optimizations

Starts/registers a service/receiver on screen off

Tries to detect Android x86

Tries to detect the analysis device (e.g. the Android emulator)

Uses accessibility services (likely to control other applications)

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8b321553f1a269ee4b68a02162ba2d14c71a92907b6001ff3db0fe5bae6b3430/

Threat name:

Android.Infostealer.Bian

Status:

Malicious

First seen:

2022-09-20 15:43:21 UTC

File Type:

Binary (Archive)

Extracted files:

233

AV detection:

13 of 25 (52.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rmzbku7ruju64s3iuaqwfornctdrveuqpnqad7z5wd7fxltlgqya._file

Result

Malware family:

hydra

Score:

10/10

Tags:

family:hydra android banker infostealer trojan

Link:

https://tria.ge/reports/220921-lcfqmabedr/

Behaviour

Looks up external IP address via web service

Reads information about phone network operator.

Loads dropped Dex/Jar

Requests enabling of the accessibility settings.

Makes use of the framework's Accessibility service.

Hydra

Hydra payload

Malware Config

C2 Extraction:

http://lalabanda.com

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample