xloader_apk | 5c3126752ea0c6d395b2c73ddb75e20c7719feb685b8082cbc00ff41665013f3

General

Target

iJjTgLzYsFgDrRy.apk
Size

218KB
MD5

bfa8485aba16ecca0ad2504f27ff46b5
SHA1

a7e7a0d42d7e5635e803c0f913565fc93e714ebc
SHA256

5c3126752ea0c6d395b2c73ddb75e20c7719feb685b8082cbc00ff41665013f3
SHA512

6672533bd45e578000cbbbfbe97027e33990f09446a67e9960bd4c2788862aa8af810d54270d617508a8fcb09f32694524818fa60524492abb96271b29b5fd1e

Score

10^/10

xloader_apk banker infostealer obfuscation ransomware stealth trojan

Malware Config

Extracted

DES_key

Signatures

XLoader, MoqHao
An Android banker and info stealer.
trojan infostealer banker xloader_apk
Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

exmr.rczlk.yigkg

pid process

4099 exmr.rczlk.yigkg
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.

Processes:

exmr.rczlk.yigkg

ioc pid process

/data/user/0/exmr.rczlk.yigkg/files/dex 4099 exmr.rczlk.yigkg
/data/user/0/exmr.rczlk.yigkg/files/dex 4099 exmr.rczlk.yigkg
Reads name of network operator 1 IoCs
Uses Android APIs to discover system information.

Processes:

exmr.rczlk.yigkg

description ioc process

Framework API call android.telephony.TelephonyManager.getNetworkOperatorName exmr.rczlk.yigkg
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

exmr.rczlk.yigkg

description ioc process

Framework API call javax.crypto.Cipher.doFinal exmr.rczlk.yigkg
Suspicious use of android.app.ApplicationPackageManager.getInstalledPackages 2 IoCs

Processes:

exmr.rczlk.yigkg

pid process

4099 exmr.rczlk.yigkg
4099 exmr.rczlk.yigkg

ioc	pid	process
/data/user/0/exmr.rczlk.yigkg/files/dex	4099	exmr.rczlk.yigkg
/data/user/0/exmr.rczlk.yigkg/files/dex	4099	exmr.rczlk.yigkg

description	ioc	process
Framework API call	android.telephony.TelephonyManager.getNetworkOperatorName	exmr.rczlk.yigkg

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	exmr.rczlk.yigkg

Suspicious use of android.net.wifi.WifiInfo.getMacAddress 13 IoCs

Processes:

exmr.rczlk.yigkg

pid	process
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg

Suspicious use of android.os.PowerManager$WakeLock.acquire 1 IoCs

Processes:

exmr.rczlk.yigkg

pid process

4099 exmr.rczlk.yigkg

Suspicious use of android.telephony.TelephonyManager.getLine1Number 58 IoCs

Processes:

exmr.rczlk.yigkg

pid	process
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg
4099	exmr.rczlk.yigkg

Uses reflection 64 IoCs

obfuscation

Processes:

exmr.rczlk.yigkg

description	pid	process
Invokes method com.Loader.create	4099	exmr.rczlk.yigkg
Invokes method android.content.ContextWrapper.getPackageManager	4099	exmr.rczlk.yigkg
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	4099	exmr.rczlk.yigkg
Invokes method com.Loader.start	4099	exmr.rczlk.yigkg
Invokes method android.telephony.SignalStrength.getLevel	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4099	exmr.rczlk.yigkg

exmr.rczlk.yigkg
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads name of network operator
- Uses Crypto APIs (Might try to encrypt user data).
- Suspicious use of android.app.ApplicationPackageManager.getInstalledPackages
- Suspicious use of android.net.wifi.WifiInfo.getMacAddress
- Suspicious use of android.os.PowerManager$WakeLock.acquire
- Suspicious use of android.telephony.TelephonyManager.getLine1Number
- Uses reflection
PID:4099

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads