xloader_apk | 4a81fc9f327245252f3ac0ca61143ec8038a61494d78384592af2c8e899719f8

General

Target

uYtBwZuWpNbLfRy.apk
Size

217KB
MD5

730422686f97a0d2683f8ada6e115f44
SHA1

2df5a30151fd26b7643579717c2b38f7dcfe7457
SHA256

4a81fc9f327245252f3ac0ca61143ec8038a61494d78384592af2c8e899719f8
SHA512

48d079e297e542d6eb203622ea893533740f24943ee6dafe04d1c24eea542adfffe8e5c0b2ca5510daafc5bb696fa035ff4f5cc9dff73c3c0c4c3cd0b6a58a67

Score

10^/10

xloader_apk banker infostealer obfuscation ransomware stealth trojan

Malware Config

Extracted

DES_key

Signatures

XLoader, MoqHao
An Android banker and info stealer.
trojan infostealer banker xloader_apk
Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

sehw.nosps.qsvnz

pid process

3542 sehw.nosps.qsvnz
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.

Processes:

sehw.nosps.qsvnz

ioc pid process

/data/user/0/sehw.nosps.qsvnz/files/dex 3542 sehw.nosps.qsvnz
/data/user/0/sehw.nosps.qsvnz/files/dex 3542 sehw.nosps.qsvnz
Reads name of network operator 1 IoCs
Uses Android APIs to discover system information.

Processes:

sehw.nosps.qsvnz

description ioc process

Framework API call android.telephony.TelephonyManager.getNetworkOperatorName sehw.nosps.qsvnz
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

sehw.nosps.qsvnz

description ioc process

Framework API call javax.crypto.Cipher.doFinal sehw.nosps.qsvnz
Suspicious use of android.app.ApplicationPackageManager.getInstalledPackages 2 IoCs

Processes:

sehw.nosps.qsvnz

pid process

3542 sehw.nosps.qsvnz
3542 sehw.nosps.qsvnz

ioc	pid	process
/data/user/0/sehw.nosps.qsvnz/files/dex	3542	sehw.nosps.qsvnz
/data/user/0/sehw.nosps.qsvnz/files/dex	3542	sehw.nosps.qsvnz

description	ioc	process
Framework API call	android.telephony.TelephonyManager.getNetworkOperatorName	sehw.nosps.qsvnz

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	sehw.nosps.qsvnz

Suspicious use of android.net.wifi.WifiInfo.getMacAddress 21 IoCs

Processes:

sehw.nosps.qsvnz

pid	process
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz

Suspicious use of android.os.PowerManager$WakeLock.acquire 1 IoCs

Processes:

sehw.nosps.qsvnz

pid process

3542 sehw.nosps.qsvnz

Suspicious use of android.telephony.TelephonyManager.getLine1Number 58 IoCs

Processes:

sehw.nosps.qsvnz

pid	process
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz
3542	sehw.nosps.qsvnz

Uses reflection 64 IoCs

obfuscation

Processes:

sehw.nosps.qsvnz

description	pid	process
Invokes method com.Loader.create	3542	sehw.nosps.qsvnz
Invokes method android.content.ContextWrapper.getPackageManager	3542	sehw.nosps.qsvnz
Invokes method android.app.ApplicationPackageManager.setComponentEnabledSetting	3542	sehw.nosps.qsvnz
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	3542	sehw.nosps.qsvnz
Invokes method com.Loader.start	3542	sehw.nosps.qsvnz
Invokes method android.telephony.SignalStrength.getLevel	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	sehw.nosps.qsvnz

sehw.nosps.qsvnz
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads name of network operator
- Uses Crypto APIs (Might try to encrypt user data).
- Suspicious use of android.app.ApplicationPackageManager.getInstalledPackages
- Suspicious use of android.net.wifi.WifiInfo.getMacAddress
- Suspicious use of android.os.PowerManager$WakeLock.acquire
- Suspicious use of android.telephony.TelephonyManager.getLine1Number
- Uses reflection
PID:3542

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads