xloader_apk | a81e5f5de0d59e919283d6298757782026b6b7266c1a0d4595ed9bed386a3f10

Analysis

max time kernel
179s
max time network
147s
platform
android_x64
resource
android-x64-arm64-20240514-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240514-enlocale:en-usos:android-11-x64system
submitted
19-05-2024 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a81e5f5de0d59e919283d6298757782026b6b7266c1a0d4595ed9bed386a3f10.apk
Size

218KB
MD5

ad90fb82cdc9b0d8da98b38afc14689f
SHA1

5dd0204227148151e4378bc409858042e6ddf009
SHA256

a81e5f5de0d59e919283d6298757782026b6b7266c1a0d4595ed9bed386a3f10
SHA512

de44cd7d5f868c7ee71e46e1e984699e6ffa5867d0ab7534a0b79b8d1b161bfef56c2a3402e597aa0002b71de4039a7258c494dcc3d7a5b7407bdf073c992a56
SSDEEP

6144:wnKfwIGhIJeEbhGi7U8zqdluUfUJ+JUVi:KKfwI5eEbtInXeJ+JUVi

Score

10^/10

xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan

Malware Config

Extracted

Family

xloader_apk

http://91.204.227.39:28844

DES_key

Signatures

XLoader payload 2 IoCs

Processes:

resource	yara_rule
/data/user/0/nngn.mhyar.lglzu/files/dex	family_xloader_apk
/data/user/0/nngn.mhyar.lglzu/files/dex	family_xloader_apk2

XLoader, MoqHao
An Android banker and info stealer.
trojan infostealer banker xloader_apk
Checks if the Android device is rooted. 1 TTPs 1 IoCs
evasion

T1426

Processes:

nngn.mhyar.lglzu

ioc process

/system/bin/su nngn.mhyar.lglzu
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

T1418.001
Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

T1628.001

Processes:

nngn.mhyar.lglzu

pid process

4618 nngn.mhyar.lglzu
Requests changing the default SMS application. 2 TTPs 1 IoCs
collection impact

T1636.004

T1582

Processes:

nngn.mhyar.lglzu

description ioc process

Intent action android.provider.Telephony.ACTION_CHANGE_DEFAULT nngn.mhyar.lglzu
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
evasion

T1407

Processes:

nngn.mhyar.lglzu

ioc pid process

/data/user/0/nngn.mhyar.lglzu/files/dex 4618 nngn.mhyar.lglzu
/data/user/0/nngn.mhyar.lglzu/files/dex 4618 nngn.mhyar.lglzu
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

T1541

Processes:

nngn.mhyar.lglzu

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground nngn.mhyar.lglzu
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

T1409

Processes:

nngn.mhyar.lglzu

description ioc process

Framework service call android.accounts.IAccountManager.getAccountsAsUser nngn.mhyar.lglzu
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

T1422
Reads the content of the MMS message. 1 TTPs 1 IoCs
collection

T1636.004

Processes:

nngn.mhyar.lglzu

description ioc process

URI accessed for read content://mms/ nngn.mhyar.lglzu
Acquires the wake lock 1 IoCs

Processes:

nngn.mhyar.lglzu

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock nngn.mhyar.lglzu
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

T1471

Processes:

nngn.mhyar.lglzu

description ioc process

Framework API call javax.crypto.Cipher.doFinal nngn.mhyar.lglzu

ioc	process
/system/bin/su	nngn.mhyar.lglzu

pid	process
4618	nngn.mhyar.lglzu

description	ioc	process
Intent action	android.provider.Telephony.ACTION_CHANGE_DEFAULT	nngn.mhyar.lglzu

ioc	pid	process
/data/user/0/nngn.mhyar.lglzu/files/dex	4618	nngn.mhyar.lglzu
/data/user/0/nngn.mhyar.lglzu/files/dex	4618	nngn.mhyar.lglzu

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	nngn.mhyar.lglzu

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	nngn.mhyar.lglzu

description	ioc	process
URI accessed for read	content://mms/	nngn.mhyar.lglzu

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	nngn.mhyar.lglzu

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	nngn.mhyar.lglzu

nngn.mhyar.lglzu
1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Requests changing the default SMS application.
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries account information for other applications stored on the device
- Reads the content of the MMS message.
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
PID:4618

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/nngn.mhyar.lglzu/files/dex
Filesize
456KB

MD5
c5654523e4899cf11630fe902e74b494

SHA1
d51781ac831b0442d5aaa8fb801d664f0daeb1c4

SHA256
fd7e515d5732df7cc5632a8411671fdad79815c7df963ef68f728398c8c8db31

SHA512
19e1fdb04673dec606e0376b0ffb4e32bd12d37cf50d22815c114ccc2a76824b114835ef858e0fbc84d89dc6be1e1951be047e24521771c05d6ce43fac137bdb

Download Submit
/data/user/0/nngn.mhyar.lglzu/files/oat/dex.cur.prof
Filesize
1KB

MD5
035206d5488f98c8e33763df0844f393

SHA1
4963ee0c689cecf0aa113b00c405189965d583aa

SHA256
d7b2d94087de478eaf8092a07ca472a33efbab235f5367a63aa07a124dfbe943

SHA512
20a71426115f0afc8c9aebec418072a2b9faca68ad67e52e8f87f6393050996b01d637877c4b864295522a80a4e53ec8d2e66f43a651c9da9a63dbe68a19d3e8

Download Submit
/storage/emulated/0/.msg_device_id.txt
Filesize
36B

MD5
d6efa25dccdcc5139416644c17190228

SHA1
fcd7e86fd873dabfa1365f570e875420f8144a68

SHA256
cd3ff84e676af0f9fe70792cd077393d1903ad91bcf175ba18ecb1c6b9f6fd0e

SHA512
56d95f2eaa33d5f3d68fa1e53fff2645c51e05c08b287942788847eab8feafac4a86f29a1a73e8d13683e63b716370c2dc56d96d0030d205ed9aff6083dcd122

Download Submit