Analysis
-
max time kernel
179s -
max time network
184s -
platform
android_x86 -
resource
android-x86-arm-20240514-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system -
submitted
14-05-2024 22:04
Static task
static1
Behavioral task
behavioral1
Sample
437808d7d9f97e9f4dff211f72f0ae0be5d251a67a161628d5b533d465ad38bc.apk
Resource
android-x86-arm-20240514-en
Behavioral task
behavioral2
Sample
437808d7d9f97e9f4dff211f72f0ae0be5d251a67a161628d5b533d465ad38bc.apk
Resource
android-x64-20240514-en
Behavioral task
behavioral3
Sample
437808d7d9f97e9f4dff211f72f0ae0be5d251a67a161628d5b533d465ad38bc.apk
Resource
android-x64-arm64-20240514-en
General
-
Target
437808d7d9f97e9f4dff211f72f0ae0be5d251a67a161628d5b533d465ad38bc.apk
-
Size
217KB
-
MD5
c9e99613d473c9ca37f2c75aabb73965
-
SHA1
9d9a95eef70d60d1b3f2e4b33b8f8a3950b63fa0
-
SHA256
437808d7d9f97e9f4dff211f72f0ae0be5d251a67a161628d5b533d465ad38bc
-
SHA512
a9985cf188bd305fbf76e34625256a4fc35bfeb0980977df6a3f996f54f45f4a30364bbbaca0dcad804fe6b851a7ec98f24e4650c4615de5a5b7a68c00675656
-
SSDEEP
6144:sA0ChFhFBvrbvxB/XEwR/aJXyjt4k64W+U:ECLNvrLLESgXKDZfU
Malware Config
Extracted
xloader_apk
http://91.204.227.39:28844
Signatures
-
XLoader payload 2 IoCs
Processes:
resource yara_rule /data/data/lbdd.eivbc.qhzbm/files/dex family_xloader_apk /data/data/lbdd.eivbc.qhzbm/files/dex family_xloader_apk2 -
XLoader, MoqHao
An Android banker and info stealer.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
Processes:
lbdd.eivbc.qhzbmioc pid process /data/user/0/lbdd.eivbc.qhzbm/files/dex 4285 lbdd.eivbc.qhzbm /data/user/0/lbdd.eivbc.qhzbm/files/dex 4285 lbdd.eivbc.qhzbm -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
lbdd.eivbc.qhzbmdescription ioc process Framework service call android.app.IActivityManager.setServiceForeground lbdd.eivbc.qhzbm -
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
Processes:
lbdd.eivbc.qhzbmdescription ioc process Framework service call android.accounts.IAccountManager.getAccounts lbdd.eivbc.qhzbm -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
Processes:
lbdd.eivbc.qhzbmdescription ioc process URI accessed for read content://mms/ lbdd.eivbc.qhzbm -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
lbdd.eivbc.qhzbmdescription ioc process Framework service call android.app.IActivityManager.registerReceiver lbdd.eivbc.qhzbm -
Acquires the wake lock 1 IoCs
Processes:
lbdd.eivbc.qhzbmdescription ioc process Framework service call android.os.IPowerManager.acquireWakeLock lbdd.eivbc.qhzbm -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
lbdd.eivbc.qhzbmdescription ioc process Framework API call javax.crypto.Cipher.doFinal lbdd.eivbc.qhzbm
Processes
-
lbdd.eivbc.qhzbm1⤵
- Removes its main activity from the application launcher
- Requests changing the default SMS application.
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries account information for other applications stored on the device
- Reads the content of the MMS message.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/lbdd.eivbc.qhzbm/files/dexFilesize
456KB
MD56e3d29b5306a57dba7028a8da4609797
SHA1da143c2306182d664c850b74b4afa7fa948c974d
SHA25607f170fb70397d72a187bcdb83adc11f2e7c6d5a928d951d4f24b5e82dc04d96
SHA512e9dadbc1fa4244e681a22178a512bf8ef0b5a41e6b80e54f09ef8f5fd120ac25c55db8a6ff53f748ba0ba22eeee84eb8714bc79468da921d4ec8f0129bd60915
-
/data/data/lbdd.eivbc.qhzbm/files/oat/dex.cur.profFilesize
1KB
MD5c5938b7d3eb5baf3ded6ef350d2c3639
SHA177e64bdf0e743cdca6300bf3833cb383e5f73776
SHA2567a21e3b5889949740ce4421dc610b7e1995d7755f8f0ff681e89a06c7270189a
SHA5125f981b83a6a09a41b850bdb6d9c1e3bb5d99e20d63ef0bf527f6d6fb523899c84e1e1fa641cfa6209b1f27693645ab61b026033f05d53e3f4eb7e6490d3006d9
-
/storage/emulated/0/.msg_device_id.txtFilesize
36B
MD57906a66f94e5bd11c5c0628478fe0e82
SHA186b603422a6a1351c63a5c0b0f32397ebe2aaa09
SHA256d6e4054b1a38d6fd9e7acae71d44466bad56eebddfa62f3e560d0af4f3cb2de2
SHA512074b10f2427c0edeeb7ebebbcad39ec5377a5bfdb79f33ce05aee0da55ebebc29db3f04e11151c5ff0a739474f545f222d14f85dee8636db64433c3daca1cc17