Malware Analysis Report

2024-10-19 11:52

Sample ID 240319-htchrach83
Target d57dea71951a50c509b5ac98b3296f0c
SHA256 7c2ce095afd68f2a6c4ac11b495f3e6c648d10d0af1379392b1e07a8c2e5bbcd
Tags
xloader_apk banker collection evasion infostealer stealth trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file d57dea71951a50c509b5ac98b3296f0c was found to be: Known bad.

Malicious Activity Summary

XLoader payload

XLoader, MoqHao

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Reads the content of the MMS message

Acquires the wake lock

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-19 07:01

Signatures

Requests dangerous framework permissions

Indicator (permission) and Description (Process and Target were not recorded for any entry: N/A)

android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.READ_CONTACTS: Allows an application to read the user's contacts data.
android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-19 07:01

Reported

2024-03-19 07:03

Platform

android-x86-arm-20240221-en

Max time kernel

149s

Max time network

144s

Command Line

c.ao.wynwv

Signatures

XLoader payload

XLoader, MoqHao

trojan infostealer banker xloader_apk

Removes its main activity from the application launcher

stealth trojan evasion
Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/c.ao.wynwv/files/d N/A N/A
N/A /data/user/0/c.ao.wynwv/files/d N/A N/A

Reads the content of the MMS message

collection
Description Indicator Process Target
URI accessed for read content://mms/ N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Processes

c.ao.wynwv

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.blogger.com udp
GB 142.250.187.233:443 www.blogger.com tcp
GB 142.250.187.233:443 www.blogger.com tcp
US 1.1.1.1:53 www.blogger.com udp
GB 142.250.200.41:443 www.blogger.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.41:443 www.blogger.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 142.250.200.41:443 www.blogger.com tcp
GB 142.250.200.41:443 www.blogger.com tcp
GB 142.250.200.41:443 www.blogger.com tcp

Files

/data/data/c.ao.wynwv/files/d

MD5 6428e12b85d6a8b13047c03b638af740
SHA1 a6c785d42dcf46457421a066e5dfbe77becc1130
SHA256 45a16f45f7ecbe02bdfe4ae246a52b4b2252335fdfc71bbde069023cd014cbe1
SHA512 f9f9d09d201ce6c2095dbc8f6b51945a5f0e364d8bcaad1499028d2ef9aaef356121913014f53ecff2ac2ef2c91ad73eb01e9643019a9316ff6b2d58d9f2b6c1

/data/data/c.ao.wynwv/files/oat/d.cur.prof

MD5 36a1389a9e4b6c5614fe8aa3d4316ab4
SHA1 a5ba5ea7a45aae6c6910f7a2ca250fcc52dd77a0
SHA256 f5421c980cf2e92a987bba5e0946c787050ebfc697afd54cfcf20ca18d835bfc
SHA512 7a4d2c6e11b3ff02175503c6a9537f96f147713a87247c99c6826f8043ca38ee348b7c2abaf52b6c2c3f4c3d5d37c4d5ff18e82ab7d3610c03537a337baec9dd