xloader_apk | 4b2ecd484e8e025839b08d9841d552084db602dc12fb91c7e7470f3352531278

General

Target

wWqZwMmEcRmQyKlD.apk
Size

218KB
MD5

09224eddb4ad4ee2fc1e152a46fb18fa
SHA1

6b49da56b437861766ab79370620b54d2e7343f1
SHA256

4b2ecd484e8e025839b08d9841d552084db602dc12fb91c7e7470f3352531278
SHA512

b653d471fd01fda661d3c2e97e4001a3366742ba498281191889f32542cd11c89cad853510a9ee7e8830a81b3d1c8479aa6ed73685f785508586cfab9176050c

Score

10^/10

xloader_apk banker infostealer obfuscation ransomware stealth trojan

Malware Config

Extracted

DES_key

Signatures

XLoader, MoqHao
An Android banker and info stealer.
trojan infostealer banker xloader_apk
Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

rjtx.pnhmj.fwszw

pid process

3551 rjtx.pnhmj.fwszw
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.

Processes:

rjtx.pnhmj.fwszw

ioc pid process

/data/user/0/rjtx.pnhmj.fwszw/files/dex 3551 rjtx.pnhmj.fwszw
/data/user/0/rjtx.pnhmj.fwszw/files/dex 3551 rjtx.pnhmj.fwszw
Reads name of network operator 1 IoCs
Uses Android APIs to discover system information.

Processes:

rjtx.pnhmj.fwszw

description ioc process

Framework API call android.telephony.TelephonyManager.getNetworkOperatorName rjtx.pnhmj.fwszw
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

rjtx.pnhmj.fwszw

description ioc process

Framework API call javax.crypto.Cipher.doFinal rjtx.pnhmj.fwszw
Suspicious use of android.app.ApplicationPackageManager.getInstalledPackages 2 IoCs

Processes:

rjtx.pnhmj.fwszw

pid process

3551 rjtx.pnhmj.fwszw
3551 rjtx.pnhmj.fwszw

ioc	pid	process
/data/user/0/rjtx.pnhmj.fwszw/files/dex	3551	rjtx.pnhmj.fwszw
/data/user/0/rjtx.pnhmj.fwszw/files/dex	3551	rjtx.pnhmj.fwszw

description	ioc	process
Framework API call	android.telephony.TelephonyManager.getNetworkOperatorName	rjtx.pnhmj.fwszw

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	rjtx.pnhmj.fwszw

Suspicious use of android.net.wifi.WifiInfo.getMacAddress 21 IoCs

Processes:

rjtx.pnhmj.fwszw

pid	process
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw

Suspicious use of android.os.PowerManager$WakeLock.acquire 1 IoCs

Processes:

rjtx.pnhmj.fwszw

pid process

3551 rjtx.pnhmj.fwszw

Suspicious use of android.telephony.TelephonyManager.getLine1Number 58 IoCs

Processes:

rjtx.pnhmj.fwszw

pid	process
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw
3551	rjtx.pnhmj.fwszw

Uses reflection 62 IoCs

obfuscation

Processes:

rjtx.pnhmj.fwszw

description	pid	process
Invokes method com.Loader.create	3551	rjtx.pnhmj.fwszw
Invokes method android.content.ContextWrapper.getPackageManager	3551	rjtx.pnhmj.fwszw
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	3551	rjtx.pnhmj.fwszw
Invokes method com.Loader.start	3551	rjtx.pnhmj.fwszw
Invokes method android.telephony.SignalStrength.getLevel	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3551	rjtx.pnhmj.fwszw

rjtx.pnhmj.fwszw
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads name of network operator
- Uses Crypto APIs (Might try to encrypt user data).
- Suspicious use of android.app.ApplicationPackageManager.getInstalledPackages
- Suspicious use of android.net.wifi.WifiInfo.getMacAddress
- Suspicious use of android.os.PowerManager$WakeLock.acquire
- Suspicious use of android.telephony.TelephonyManager.getLine1Number
- Uses reflection
PID:3551

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads