Malware Analysis Report

2025-01-19 04:56

Sample ID: 220207-q3yfkscdhn
Target: 3a12faa17974d04606c3479854d8df95261dfffa46e5262c8e8e275ca11b514f
SHA256: 3a12faa17974d04606c3479854d8df95261dfffa46e5262c8e8e275ca11b514f
Tags: xloader_apk banker infostealer ransomware trojan
Score: 10/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK
- Analysis: static1 (Detonation Overview, Signatures)
- Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 3a12faa17974d04606c3479854d8df95261dfffa46e5262c8e8e275ca11b514f

Threat Level: Known bad

The file 3a12faa17974d04606c3479854d8df95261dfffa46e5262c8e8e275ca11b514f was found to be: Known bad.

Malicious Activity Summary

xloader_apk banker infostealer ransomware trojan

XLoader Payload

XLoader, MoqHao

Requests dangerous framework permissions

Loads dropped Dex/Jar

Reads information about phone network operator

Uses Crypto APIs (might try to encrypt user data)

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2022-02-07 13:47

Signatures

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted: 2022-02-07 13:47
Reported: 2022-02-07 13:50
Platform: android-x86-arm
Max time kernel: 3564334s
Max time network: 159s

Command Line

wtg.kmu.hzg.ktmkbg

Signatures

XLoader Payload

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

XLoader, MoqHao

Tags: trojan infostealer banker xloader_apk

Loads dropped Dex/Jar

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/user/0/wtg.kmu.hzg.ktmkbg/files/d | N/A | N/A |
| N/A | /data/user/0/wtg.kmu.hzg.ktmkbg/files/d | N/A | N/A |

Reads information about phone network operator

Uses Crypto APIs (might try to encrypt user data)

Tags: ransomware

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |

Processes

wtg.kmu.hzg.ktmkbg

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 142.250.179.202:443 | | tcp |
| NL | 142.250.179.202:443 | | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| NL | 142.251.39.106:443 | semanticlocation-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | alt3-mtalk.google.com | udp |
| SG | 74.125.200.188:443 | alt3-mtalk.google.com | tcp |
| US | 1.1.1.1:53 | m.vk.com | udp |
| RU | 87.240.139.194:443 | m.vk.com | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.251.36.46:443 | android.apis.google.com | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| US | 1.1.1.1:853 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| US | 1.1.1.1:853 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| US | 1.1.1.1:853 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |
| FR | 92.204.255.170:28843 | | tcp |

Files

/data/user/0/wtg.kmu.hzg.ktmkbg/files/d

MD5 b233ddd09c3556d1af9a3baaae696b55
SHA1 bdaba22bcebcbad064c2870c94a34a697012c85d
SHA256 04e3bb017f779447e7e3cc86f89d5bbb842027cacd6452ebdba5b26d308220f7
SHA512 7417d15f7d6780dd22bce47e3bcb709486f0c1d51d3baa42267c3fbf50fd0806730ab13748980ae0c9a060521afb2acdcf6f25fa64c35fd6625d16c4fa6452b2