xloader_apk | 1588c522940c98aa229e88470b9dbd58d85e79d6a235e7fcc54313a61887650b

Analysis

max time kernel
6252s
max time network
163s
platform
android_x64
resource
android-x64-arm64-20230621-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20230621-enlocale:en-usos:android-11-x64system
submitted
16-08-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1588c522940c98aa229e88470b9dbd58d85e79d6a235e7fcc54313a61887650b.apk
Size

283KB
MD5

f9d1fabb4ba2b34fd45e6744c3322d80
SHA1

77f296ea6ac76f42c274aeaa3092cc9ce3c7574b
SHA256

1588c522940c98aa229e88470b9dbd58d85e79d6a235e7fcc54313a61887650b
SHA512

89d7bcef0356c347406f90f7181478b82d8af3d38b269fa3764e3859b58bc2261e0c72b7f121ee452649d12f17769f35ebe2ff9c41200e18230102e1f1eb1398
SSDEEP

6144:ZcpjPKkl4ojRW+eL2GbtK/TgS8R8vVpydyEZGd17o5jnqLAm:8jik9js+eL2ys/Tv8R8vO9aposEm

Score

10^/10

xloader_apk banker evasion infostealer ransomware trojan

Malware Config

Extracted

Family

xloader_apk

http://91.204.227.39:28844

DES_key

Signatures

XLoader payload 2 IoCs

resource	yara_rule
behavioral1/memory/4357-0.dex	family_xloader_apk2
behavioral1/memory/4357-1.dex	family_xloader_apk2

XLoader, MoqHao
An Android banker and info stealer.
trojan infostealer banker xloader_apk

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	wra.gjjvzl.jsn.lepoc

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/wra.gjjvzl.jsn.lepoc/files/b	4357	wra.gjjvzl.jsn.lepoc
/data/user/0/wra.gjjvzl.jsn.lepoc/files/b	4357	wra.gjjvzl.jsn.lepoc

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	wra.gjjvzl.jsn.lepoc

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	wra.gjjvzl.jsn.lepoc

wra.gjjvzl.jsn.lepoc
1⤵
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data).
PID:4357

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/wra.gjjvzl.jsn.lepoc/files/b

Filesize
505KB

MD5
1948f47b3ea40b56b95c2afea1715414

SHA1
5c690f45283971be674c6d8a2e54175b0ecf55eb

SHA256
55e4054d9045b3a34d808883c387d64cbae6a402ba7551f1c7a19d6b2bcc5ae7

SHA512
8f3e40ff08f864901147cd60dd88191b9f792a746f0d923e3fea3a30f1ce951ec984013641b32ce1130b764f3d27974ac1a4a9d281090c8bbbff02808ffeb436

Download Submit
/data/user/0/wra.gjjvzl.jsn.lepoc/files/b

Filesize
505KB

MD5
1948f47b3ea40b56b95c2afea1715414

SHA1
5c690f45283971be674c6d8a2e54175b0ecf55eb

SHA256
55e4054d9045b3a34d808883c387d64cbae6a402ba7551f1c7a19d6b2bcc5ae7

SHA512
8f3e40ff08f864901147cd60dd88191b9f792a746f0d923e3fea3a30f1ce951ec984013641b32ce1130b764f3d27974ac1a4a9d281090c8bbbff02808ffeb436

Download Submit
/storage/emulated/0/.msg_device_id.txt

Filesize
36B

MD5
80e7c443c4247630dbf1d7213051f066

SHA1
f9cd0da80f39357f194748ca2a9e8a5b1d96a0aa

SHA256
8b48c9a1519862c3e33455fedb2d0c0dc6b1bfd24bfef1a440a3d915823c7ded

SHA512
ed883a05fc9e3f5290e42eb74f990072878227afa01e63d98375ceb7beb4f08b021ca5320c9459f7aee1093658f38e7f8da4d830d0254749980bbc8c5689c3e2

Download Submit