Malware Analysis Report

2024-10-19 11:52

Sample ID 240425-1yd69afg5t
Target 51dc5a1433ef001a0dcc1ee07a872bebbf1f8d2fd7cb7513cdf67d9ed39a25c3.bin
SHA256 51dc5a1433ef001a0dcc1ee07a872bebbf1f8d2fd7cb7513cdf67d9ed39a25c3
Tags xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 51dc5a1433ef001a0dcc1ee07a872bebbf1f8d2fd7cb7513cdf67d9ed39a25c3

Threat Level: Known bad

The file 51dc5a1433ef001a0dcc1ee07a872bebbf1f8d2fd7cb7513cdf67d9ed39a25c3.bin was found to be: Known bad.

Malicious Activity Summary

xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan

XLoader payload

XLoader, MoqHao

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Reads the content of the MMS message.

Makes use of the framework's foreground persistence service

Loads dropped Dex/Jar

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries account information for other applications stored on the device

Requests dangerous framework permissions

Acquires the wake lock

Queries the unique device ID (IMEI, MEID, IMSI)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-04-25 22:03

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-25 22:03
Reported 2024-04-25 22:19
Platform android-x64-20240221-en
Max time kernel 150s
Max time network 155s

Command Line

crf.uy.isry

Signatures

XLoader payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/crf.uy.isry/files/dex N/A N/A
N/A /data/user/0/crf.uy.isry/files/dex N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccounts N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description Indicator Process Target
URI accessed for read content://mms/ N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

crf.uy.isry

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 docs.google.com udp
GB 142.250.200.46:443 docs.google.com tcp
GB 142.250.200.46:443 docs.google.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 216.58.212.228:443 tcp
GB 216.58.212.228:443 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp

Files

/data/data/crf.uy.isry/files/dex

MD5 c908b637c002940ef72c0f34eda33115
SHA1 c886b4786f696ca4be26516a83e842863e71f728
SHA256 125b57669edb6060fea0e71718ea17c957186496c2c1ea010d95c64218fe31ae
SHA512 57eafa70138d9b97af7c3160306133f1591f015563f4ebe21cb4a0354a6c2a380e246de64ea54d492e84d433b77b50d887ebdd3566002799abdeba66742ec350

/storage/emulated/0/.msg_device_id.txt

MD5 83b20a02f9a9ce83020de1577f9b79f3
SHA1 0090a6260aea9af23999c62ea6efbcc9b767afcf
SHA256 4a09a8620cc44ec49105c78399c5ea5e3ab3d3d4b975a59632a6b4236b933301
SHA512 cc46dd865392cae787d0b8dd8c77d8551c9535b7d5a9f60f6659ad8db116f506e297f4504594c01135caa020e45cf662d7c409c3fd20e770518f6f448044580c

/data/data/crf.uy.isry/files/oat/dex.cur.prof

MD5 e8c46b795d1e9508e8890f49236c8ab4
SHA1 5e42599d466cc2dd6fe8e2ca17352bb9ca8e1f84
SHA256 cf3caa430580aec30d0a768139525dbcc0d1e244ac17e1fc268836e158df4738
SHA512 b8dd92e1a2122948635893e0c919a38e3b03be865161191937c44f410184e6ab6b0941da3001e012cf8136087505220a95cae52fdd1fb5ef1aae75b1b987f218

/data/data/crf.uy.isry/files/oat/dex.cur.prof

MD5 fe98abcfd478e3f0fb06ecc6430cae2d
SHA1 27343c0ef23f0d8add16b581887cf60ad123fd92
SHA256 663fa2ff7ec20bc35d127c5a691846ced0cc18d7b6ee4ba21f1e3cb7ba54585e
SHA512 df208182d511ef7d35f01c9972591365db26af7f4bc2213c8e250399c4b53133720f6a4ba46fa48a1c841eb08bcf210a99db88c25b23b92ee8069c14f2f3afaf

Analysis: behavioral3

Detonation Overview

Submitted 2024-04-25 22:03
Reported 2024-04-25 22:20
Platform android-x64-arm64-20240221-en
Max time kernel 149s
Max time network 141s

Command Line

crf.uy.isry

Signatures

XLoader payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/crf.uy.isry/files/dex N/A N/A
N/A /data/user/0/crf.uy.isry/files/dex N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description Indicator Process Target
URI accessed for read content://mms/ N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

crf.uy.isry

Network

Country Destination Domain Proto
GB 142.250.200.46:443 tcp
GB 142.250.200.46:443 tcp
N/A 224.0.0.251:5353 udp
GB 172.217.169.46:443 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
US 1.1.1.1:53 docs.google.com udp
GB 142.250.180.14:443 docs.google.com tcp
GB 142.250.180.14:443 docs.google.com tcp
KR 91.204.227.39:28844 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.213.8:443 ssl.google-analytics.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 216.58.212.228:443 tcp
GB 216.58.212.228:443 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp

Files

/data/user/0/crf.uy.isry/files/dex

MD5 c908b637c002940ef72c0f34eda33115
SHA1 c886b4786f696ca4be26516a83e842863e71f728
SHA256 125b57669edb6060fea0e71718ea17c957186496c2c1ea010d95c64218fe31ae
SHA512 57eafa70138d9b97af7c3160306133f1591f015563f4ebe21cb4a0354a6c2a380e246de64ea54d492e84d433b77b50d887ebdd3566002799abdeba66742ec350

/storage/emulated/0/.msg_device_id.txt

MD5 c1906c07598fcca5fb40d39060ef8ae8
SHA1 38d660f5c7cd416e4c116a1506a5b325c4a4ef3d
SHA256 f1c99b879d8153bb89b74d79f240863c03eb20f6ae0f0de3796192e05d0e32ea
SHA512 5fdd6f07b284a0d2509e41a2d6af8472914e32cb4adb89f79606fd408d6b588828f8bc0b3b9a6b54f373df475370c1bdb92b829d75e336e25f6a43eaa17119e8

/data/user/0/crf.uy.isry/files/oat/dex.cur.prof

MD5 4095374a895f89fecd4b400adb7a8baf
SHA1 9944529fe654f5457c82fdd8bbddef275ee0e17a
SHA256 9420815480e9e6f009a3c92277f9f25a7ed776ed9e9a96c0eec90497ef0f07ad
SHA512 9216aa1a8ee8a0a1e1af09a32451d8a9bdccfe8ccdd818c631adc82625e737c01bc93cdef288c41fd19c2e395557b0d4405bb7c41d99e60ea5a3ad1add59a8d6

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-25 22:03
Reported 2024-04-25 22:19
Platform android-x86-arm-20240221-en
Max time kernel 150s
Max time network 138s

Command Line

crf.uy.isry

Signatures

XLoader payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/crf.uy.isry/files/dex N/A N/A
N/A /data/user/0/crf.uy.isry/files/dex N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccounts N/A N/A

Reads the content of the MMS message.

collection
Description Indicator Process Target
URI accessed for read content://mms/ N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

crf.uy.isry

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 docs.google.com udp
GB 142.250.178.14:443 docs.google.com tcp
GB 142.250.178.14:443 docs.google.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp

Files

/data/data/crf.uy.isry/files/dex

MD5 c908b637c002940ef72c0f34eda33115
SHA1 c886b4786f696ca4be26516a83e842863e71f728
SHA256 125b57669edb6060fea0e71718ea17c957186496c2c1ea010d95c64218fe31ae
SHA512 57eafa70138d9b97af7c3160306133f1591f015563f4ebe21cb4a0354a6c2a380e246de64ea54d492e84d433b77b50d887ebdd3566002799abdeba66742ec350

/storage/emulated/0/.msg_device_id.txt

MD5 d2ccf35ba1a5493b5991bbce5e7d48b2
SHA1 fc6923d5cb64a0368ba630aa425b75a61edf5cfc
SHA256 19af4b9237196b05042f47b03bec824a0adb98bd76b03e361f6c31676365e30e
SHA512 f9ca8a3d40630daad7014d1667f293555f17858b992e4180e6874559c6699820a65e7ad0e9f173e76b246666afc191ba8ba3faf66c86f318cddbee1331757d0e

/data/data/crf.uy.isry/files/oat/dex.cur.prof

MD5 4c2d76cc413109710190948db88cd245
SHA1 2b36c1da1623500864569ec18c72f3e23d2cb164
SHA256 6b8c2332bdea3021aeabc22ff27407108e975a330575e6935b4d1e8da8afba1b
SHA512 afa352565a0677af8ec2c1770e175c520823ddda3086b0da13b08931e10bafbea980498f144af32f5b66d756f35b62436e27701d1b61683e6c0b3d2d496c665e