xloader_apk | 072110215583ae6521fbb7c5891308df67ce1beac7c9768bfbe550b920474529

General

Target

072110215583ae6521fbb7c5891308df67ce1beac7c9768bfbe550b920474529.bin
Size

205KB
Sample

240416-1y283sfd3x
MD5

7f1219fde6ee76717ef037d9a4525242
SHA1

bf4f7cf7f740b4d90925f37ade1a3244f5aea77b
SHA256

072110215583ae6521fbb7c5891308df67ce1beac7c9768bfbe550b920474529
SHA512

7496b8f7064929d8beaeb1c8ff9be44f92172496013d6c51300264f6f380e66f3c94491b73e1cc70899eda02ea8f339c13828058cf6b99134959033ea6e1964a
SSDEEP

3072:qSCExwnHRMqFkM6NkgVuWXfcse2zsLiaCLCfTgpi/kmL6cOAbYdq8tZAFiuVz6:rCuqB6NnmskiaCL9i/kW6b1tKFLVz6

Score

10^/10

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.227.39:28844

DES_key

Targets

- Target
  
  072110215583ae6521fbb7c5891308df67ce1beac7c9768bfbe550b920474529.bin
- Size
  
  205KB
- MD5
  
  7f1219fde6ee76717ef037d9a4525242
- SHA1
  
  bf4f7cf7f740b4d90925f37ade1a3244f5aea77b
- SHA256
  
  072110215583ae6521fbb7c5891308df67ce1beac7c9768bfbe550b920474529
- SHA512
  
  7496b8f7064929d8beaeb1c8ff9be44f92172496013d6c51300264f6f380e66f3c94491b73e1cc70899eda02ea8f339c13828058cf6b99134959033ea6e1964a
- SSDEEP
  
  3072:qSCExwnHRMqFkM6NkgVuWXfcse2zsLiaCLCfTgpi/kmL6cOAbYdq8tZAFiuVz6:rCuqB6NnmskiaCL9i/kW6b1tKFLVz6
Score

10^/10

xloader_apk banker collection discovery evasion infostealer persistence stealth trojan
- XLoader payload
- XLoader, MoqHao
  An Android banker and info stealer.
  trojan infostealer banker xloader_apk
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Queries account information for other applications stored on the device.
  Application may abuse the framework's APIs to collect account information stored on the device.
  collection
- Queries information about the current Wi-Fi connection.
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Reads the content of the MMS message.
  collection
- Acquires the wake lock
- Queries the unique device ID (IMEI, MEID, IMSI)
  discovery
- Reads information about phone network operator.
  discovery
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

XLoader payload

XLoader, MoqHao

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Makes use of the framework's foreground persistence service

Queries account information for other applications stored on the device.

Queries information about the current Wi-Fi connection.

Queries the phone number (MSISDN for GSM devices)

Reads the content of the MMS message.

Acquires the wake lock

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator.

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

behavioral3