xloader_apk | e1fedb5339ba0078daacfa30e31c8a0a2c047a67605d4541616a6e25f8b4689b

Analysis

max time kernel
179s
max time network
187s
platform
android_x64
resource
android-x64-arm64-20240514-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240514-enlocale:en-usos:android-11-x64system
submitted
21-05-2024 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1fedb5339ba0078daacfa30e31c8a0a2c047a67605d4541616a6e25f8b4689b.apk
Size

302KB
MD5

454375d894a3d4d4bb473d4cd3269ffb
SHA1

d7c2d1c2f5d98369bbd00ec7b428979fd6ad3603
SHA256

e1fedb5339ba0078daacfa30e31c8a0a2c047a67605d4541616a6e25f8b4689b
SHA512

654fb9707ad47191003a576b08fe2f5b5df85866602c6f92934feecc0a23da7720d1e3734c82cdf572b9934dc40026115e24fcc3c91e26456ce4d1d1d0c87293
SSDEEP

6144:9pkNPMSzQx5lzu2jd8de8/bgfUj6QPX3z2p9ToCBTzJ:91/lBjd8e8UfUjJP3Ixx

Score

10^/10

xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan

Malware Config

Extracted

Family

xloader_apk

http://91.204.227.39:28844

DES_key

Signatures

XLoader payload 2 IoCs

Processes:

resource	yara_rule
/data/user/0/hghb.svacm.pifmn/files/dex	family_xloader_apk
/data/user/0/hghb.svacm.pifmn/files/dex	family_xloader_apk2

XLoader, MoqHao
An Android banker and info stealer.
trojan infostealer banker xloader_apk
Checks if the Android device is rooted. 1 TTPs 1 IoCs
evasion

T1426

Processes:

hghb.svacm.pifmn

ioc process

/system/bin/su hghb.svacm.pifmn
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

T1418.001
Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

T1628.001

Processes:

hghb.svacm.pifmn

pid process

4676 hghb.svacm.pifmn
Requests changing the default SMS application. 2 TTPs 1 IoCs
collection impact

T1636.004

T1582

Processes:

hghb.svacm.pifmn

description ioc process

Intent action android.provider.Telephony.ACTION_CHANGE_DEFAULT hghb.svacm.pifmn
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
evasion

T1407

Processes:

hghb.svacm.pifmn

ioc pid process

/data/user/0/hghb.svacm.pifmn/files/dex 4676 hghb.svacm.pifmn
/data/user/0/hghb.svacm.pifmn/files/dex 4676 hghb.svacm.pifmn
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

T1541

Processes:

hghb.svacm.pifmn

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground hghb.svacm.pifmn
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

T1409

Processes:

hghb.svacm.pifmn

description ioc process

Framework service call android.accounts.IAccountManager.getAccountsAsUser hghb.svacm.pifmn
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

T1422
Reads the content of the MMS message. 1 TTPs 1 IoCs
collection

T1636.004

Processes:

hghb.svacm.pifmn

description ioc process

URI accessed for read content://mms/ hghb.svacm.pifmn
Acquires the wake lock 1 IoCs

Processes:

hghb.svacm.pifmn

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock hghb.svacm.pifmn
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

T1471

Processes:

hghb.svacm.pifmn

description ioc process

Framework API call javax.crypto.Cipher.doFinal hghb.svacm.pifmn

ioc	process
/system/bin/su	hghb.svacm.pifmn

pid	process
4676	hghb.svacm.pifmn

description	ioc	process
Intent action	android.provider.Telephony.ACTION_CHANGE_DEFAULT	hghb.svacm.pifmn

ioc	pid	process
/data/user/0/hghb.svacm.pifmn/files/dex	4676	hghb.svacm.pifmn
/data/user/0/hghb.svacm.pifmn/files/dex	4676	hghb.svacm.pifmn

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	hghb.svacm.pifmn

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	hghb.svacm.pifmn

description	ioc	process
URI accessed for read	content://mms/	hghb.svacm.pifmn

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	hghb.svacm.pifmn

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	hghb.svacm.pifmn

hghb.svacm.pifmn
1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Requests changing the default SMS application.
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries account information for other applications stored on the device
- Reads the content of the MMS message.
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
PID:4676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/hghb.svacm.pifmn/files/dex
Filesize
580KB

MD5
8c7542abcfd5e2c08e99555d8d0bc605

SHA1
5f40007a5343603be18a1ce3c39ce43604099be5

SHA256
0cd2b17aa21cd8de63842da21e3464df7bb2bd4a278fffbbfea6b294c3ca9e6d

SHA512
362c7dd23aa52a9c72e9d90eebb99e1d4e4cd01b68348249bbeee4bb407728aabd30874488926635bacb2e1d640ad4e95852e345afa8ad66057c80c8f768ed88

Download Submit
/data/user/0/hghb.svacm.pifmn/files/oat/dex.cur.prof
Filesize
1KB

MD5
665fe01462c6b5ab3a1e30d5fb3acdbf

SHA1
0dd527ccea467532d7a6bef870af1fbfe02ba9b9

SHA256
868823a6e6e74cca6ac1f00bdb11f491644f54aaf55cbf1f6c4c0d2a923d4a54

SHA512
c8d0045d8af816af2e118b6e1e1e325cf99e0e231c42d9efcb3179152d233ccd2e62587930b5d6526bd370dfdc4a39258d2bd3df70d36eb85cc24f19d965fc44

Download Submit
/storage/emulated/0/.msg_device_id.txt
Filesize
36B

MD5
9844c30d158ecf5c8717c36857d2ed13

SHA1
9ebdd720632d47646f97631e4e44fb29bbbe602e

SHA256
f62278d669643750102967702f9171ace8af97936836dabb7895644c8db28d4d

SHA512
821fef4ce7121e1234397512bf3725ef66c2e24d0f1ed6ebf888dd5684a3bfcbe5603d22a5f2bd0428590cfd6fc83e2e8d0834d95ed90724fff9cdbeef8f79ea

Download Submit