Analysis
max time kernel: 3548696s
max time network: 599s
platform: android_x86
resource: android-x86-arm-20220621-en
submitted: 06-07-2022 12:27

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: vlenqvvcpm.apk
Resource: android-x86-arm-20220621-en
General
Target: vlenqvvcpm.apk
Size: 510KB
MD5: 2e7acc13e9a9911cb5dd4057c5f0c343
SHA1: 293165e4734e4a7dfcac8887034526a0733eeefd
SHA256: 83ba2b1c0352ea9988edeb608abf2c037b1f30482bbc05c3ae79265bab7a44c9
SHA512: 7888e1f72d718683fb41221e1345e582def560e307dcc2354bedef420d20ecbc0ba40b147e6452c8ef39426b053b7232bd381d40866757ad16f99e65f82fd3ef
Malware Config
Signatures

XLoader Payload (3 IoCs)
process: zfi.kkvwej.cby.hpyz
resource: /data/user/0/zfi.kkvwej.cby.hpyz/files/b
yara_rule: family_xloader_apk
(the same rule hit on the same dropped file is listed three times in the report)

XLoader, MoqHao
An Android banker and info stealer.

Acquires the wake lock. (1 IoC)
process: zfi.kkvwej.cby.hpyz
description: Framework service call
ioc: android.os.IPowerManager.acquireWakeLock

Loads dropped Dex/Jar (2 IoCs)
Runs executable file dropped to the device during analysis.
process: zfi.kkvwej.cby.hpyz
ioc: /data/user/0/zfi.kkvwej.cby.hpyz/files/b
pid: 4045
(the same file and pid are listed twice in the report)

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data). (1 IoC)
process: zfi.kkvwej.cby.hpyz
description: Framework API call
ioc: javax.crypto.Cipher.doFinal
Processes
Network
MITRE ATT&CK Matrix
Downloads

/data/user/0/zfi.kkvwej.cby.hpyz/files/b
Filesize: 508KB
MD5: c630f2f2e68b7780adb917cb1ecc9943
SHA1: cc1fbf1d6f9ffe19136f35f6e1437e9de02a9380
SHA256: 0c7b7b25177b785cdef73fe2c2df9782d8c1e6e4988045115e4689a33a06432e
SHA512: b253e517b640d0f2d355d70402404e291e1e6f8154a635fc0eb0b2e797c11a237e525a4957555b5ba13af120576286ec6b0cac183609fe4e61d38882e4fefa93
(this entry appears three times in the report with identical hashes; it is the dropped file that the family_xloader_apk rule and the "Loads dropped Dex/Jar" signature refer to)

/data/user/0/zfi.kkvwej.cby.hpyz/files/b.x86.flock
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(these are the digests of a zero-length file: the lock file created when the dropped dex is loaded, not a payload)

/data/user/0/zfi.kkvwej.cby.hpyz/files/oat/b.cur.prof
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(same zero-length digests: an empty ART profile next to the loaded dex, not a payload)

/storage/emulated/0/.msg_device_id.txt
Filesize: 36B
MD5: 2ace02eea4a6211ccacee049116814cd
SHA1: 5389b05282b9e2b70754e3c45d77782ab1cdcddb
SHA256: 7b25656fd853fd2573d1a14b7fe647bc34e36e5b3082220ba674e62c6394f187
SHA512: d54d447179dc23edf79e91bd9298202bdbfc1e1f48aefd9d184d8db625f831bfd36ca86e175ccc37bb1676d59f4f231199d5d1712b89f0767e98b070656e5aa5
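The following is an added example, not tria.ge tooling and not code from the sample: a small checker that hashes a directory pulled from a device (the assumed workflow is `adb pull /data/user/0/zfi.kkvwej.cby.hpyz/files` into a local folder) and classifies each file against the SHA256 values listed under Downloads. It treats the digest of empty input as a separate verdict, because the .flock and oat/*.prof entries above carry exactly that digest and should not be reported as payload drops. The `demo()` function builds a constructed directory with made-up file contents so the script runs offline; the real dropped file is not embedded.

```python
"""Check a pulled app-data directory against the dropped-file IoCs above.

Added example for this report (not tria.ge tooling, not the sample's own
code). Assumed workflow: the analyst has copied the app's private files,
e.g. `adb pull /data/user/0/zfi.kkvwej.cby.hpyz/files`, into a local
directory and wants to know which files match the SHA256 digests listed
under Downloads. Zero-length files are reported separately, because the
.flock and oat/*.prof entries carry the digest of empty input and must
not be treated as payload drops.
"""
import hashlib
import os
import tempfile

# SHA256 digests copied from the Downloads section of this report.
REPORT_IOCS = {
    "0c7b7b25177b785cdef73fe2c2df9782d8c1e6e4988045115e4689a33a06432e":
        "/data/user/0/zfi.kkvwej.cby.hpyz/files/b (dropped XLoader/MoqHao payload, 508KB)",
    "7b25656fd853fd2573d1a14b7fe647bc34e36e5b3082220ba674e62c6394f187":
        "/storage/emulated/0/.msg_device_id.txt (36-byte device id file)",
}

# SHA256 of zero bytes (e3b0c442...b855): the digest the report shows for
# b.x86.flock and oat/b.cur.prof.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()


def sha256_file(path):
    """Stream the file through SHA256 so large drops are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(digest, iocs=REPORT_IOCS):
    """Return (verdict, detail) for one SHA256 digest."""
    if digest == EMPTY_SHA256:
        return ("empty", "zero-length file (lock/ART profile artifact, not a drop)")
    if digest in iocs:
        return ("match", iocs[digest])
    return ("unknown", "not in the report's IoC list")


def scan_directory(root, iocs=REPORT_IOCS):
    """Hash every regular file under root; keys are '/'-separated relative paths."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            results[rel] = classify(sha256_file(full), iocs)
    return results


def demo():
    """Build a constructed directory (not real sample data) and scan it.

    The payload bytes are made up; their digest is added to a copy of the
    IoC list so the 'match' path is exercised without the real file.
    """
    payload = b"constructed stand-in for the dropped file, not the real payload"
    iocs = dict(REPORT_IOCS)
    iocs[hashlib.sha256(payload).hexdigest()] = "constructed test payload"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "oat"))
        with open(os.path.join(root, "b"), "wb") as fh:
            fh.write(payload)
        # Mirror the two empty artifacts the report lists next to the dex.
        open(os.path.join(root, "b.x86.flock"), "wb").close()
        open(os.path.join(root, "oat", "b.cur.prof"), "wb").close()
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"unrelated file")
        return scan_directory(root, iocs)


if __name__ == "__main__":
    for path, (verdict, detail) in sorted(demo().items()):
        print(f"{verdict:8} {path:18} {detail}")
```

Point `scan_directory()` at a real pulled directory with the default IoC list to use it on a device; matching on SHA256 rather than file name matters here because the loader writes the payload under a one-letter name that carries no signal on its own.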