Analysis

  • max time kernel
    179s
  • max time network
    161s
  • platform
    android_x86
  • resource
    android-x86-arm-20240514-en
  • resource tags

android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
  • submitted
    30-05-2024 23:52

General

  • Target

    a89ab7a079cdec1c42e038ae5e54dd8e36aa62d71ecf982b2c125f4df74ff0f1.apk

  • Size

    440KB

  • MD5

    0ace9b82e5c108a3e812360d444738a1

  • SHA1

    4dd872556838d32be207026e2940a8f1fb8585de

  • SHA256

    a89ab7a079cdec1c42e038ae5e54dd8e36aa62d71ecf982b2c125f4df74ff0f1

  • SHA512

    883251e64174ce14f754b2c3fe2e5395e78dabb2c29b0523f985b26ea4d2228fae5b8474db87e92d785dac45c04d9fe7f279cf7e8bef1d6267c91869a1fd8603

  • SSDEEP

    12288:Mh3M3kGKATD2/rQEO7ZXZjqutpp5hDTS+JyaIipuS:CMD9TqUn7ZXwutjvDO+ZIipJ

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.227.39:28844

DES_key

Signatures

  • XLoader payload 2 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

  • Checks if the Android device is rooted. 1 TTPs 3 IoCs
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Checks if the internet connection is available 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • r.vtolp.nawwxf
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries account information for other applications stored on the device
    • Queries information about the current Wi-Fi connection
    • Reads the contacts stored on the device.
    • Reads the content of the MMS message.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Acquires the wake lock
    • Checks if the internet connection is available
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4223

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/r.vtolp.nawwxf/files/d
    Filesize

    453KB

    MD5

    a0d33b0500d1583e27643c8e196a6364

    SHA1

    f96482f00a8545dd6c70c0a65b21f051ed34dde2

    SHA256

    9cdaf7ebed7c3a34653b8cffa6ccdc3304150a34254859c19920235daa6395a9

    SHA512

    3dbb3d73d710aceb7028a472c7d61ceff97c976dab53fb390a8024b01d3a58755374cb2d41012c8d1763b258afc87efacfef9bf6833c92883d6c386cee265a24

  • /data/data/r.vtolp.nawwxf/files/oat/d.cur.prof
    Filesize

    1KB

    MD5

    ac2294b1d1aa59db58461225d6477b7f

    SHA1

    26e86cd021d0183c85eeed6608f5266adc12b14f

    SHA256

    341ee777059be8831cbe9e8418686c4e645d48949c1ee383d60de2e792d75794

    SHA512

    272992e87eae05c88882b9e13f3ae1441740906211cc27a9e4eaebe4d6d8b428d10ac82feaf13097ce36844c99f625288708b64b84e1d3a59278413dc6672a18

  • /storage/emulated/0/.msg_device_id.txt
    Filesize

    36B

    MD5

    f5b9950704a793acf184ab19e984a2d5

    SHA1

    47645bf1aee26f0cfe1f8c3b89d8d1e45fb7a4a5

    SHA256

    b060d54d1da4a2c6f2343d2c0566d117a7bafce55d37cc6db0b6cdbdcf9846cf

    SHA512

    8b7304d748b106d8a80560e3cf254cfc54733e8e9b87b7fb024a33862941604a4315544dbe95c3363962a67eb821446eb3bbb24a5495e6a9e34fb990ae723ad8
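The indicators in the Malware Config and Downloads sections above are only useful once they are turned into a check that can be run against a suspect device. The following is an added example, not part of the sandbox output: it copies the C2 URL, package name, PID and file hashes from this report into a small matcher and runs it over constructed records. The records are assumed to look like Linux `netstat -tnp` output and `sha256sum` output (for instance from `find /data/data /storage/emulated/0 -type f -exec sha256sum {} +` on a rooted device); the sample lines below are made up for the demonstration and were not captured from the run. One further assumption is flagged in the code: the ART profile (`oat/d.cur.prof`) and the 36-byte `.msg_device_id.txt` are expected to differ on every infected device, so they are matched on path only, while the dropped payload and the APK itself are matched on hash so that a renamed or moved copy is still caught.

```python
"""Added example (not part of the sandbox report): match the report's
indicators against constructed netstat and sha256sum records."""
from urllib.parse import urlsplit

# Indicators copied from the report above.
C2_URL = "http://91.204.227.39:28844"
PACKAGE = "r.vtolp.nawwxf"
SAMPLE_SHA256 = "a89ab7a079cdec1c42e038ae5e54dd8e36aa62d71ecf982b2c125f4df74ff0f1"
DROPPED = {
    "/data/data/r.vtolp.nawwxf/files/d":
        "9cdaf7ebed7c3a34653b8cffa6ccdc3304150a34254859c19920235daa6395a9",
    "/data/data/r.vtolp.nawwxf/files/oat/d.cur.prof":
        "341ee777059be8831cbe9e8418686c4e645d48949c1ee383d60de2e792d75794",
    "/storage/emulated/0/.msg_device_id.txt":
        "b060d54d1da4a2c6f2343d2c0566d117a7bafce55d37cc6db0b6cdbdcf9846cf",
}
# Assumption: the ART profile and the per-device ID file will differ on every
# infected device, so these two are matched on path rather than on hash.
PATH_ONLY = {
    "/data/data/r.vtolp.nawwxf/files/oat/d.cur.prof",
    "/storage/emulated/0/.msg_device_id.txt",
}


def c2_endpoint(url=C2_URL):
    """Split the C2 URL into (host, port); http defaults to 80, https to 443."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port


def match_connections(netstat_lines):
    """Return (pid, program, remote) for every TCP socket talking to the C2.

    Lines are assumed to follow 'netstat -tnp' layout:
    proto recv-q send-q local remote state pid/program
    """
    host, port = c2_endpoint()
    hits = []
    for line in netstat_lines:
        f = line.split()
        if len(f) < 7 or not f[0].startswith("tcp"):
            continue
        rhost, _, rport = f[4].rpartition(":")
        if rhost == host and rport == str(port):
            pid, _, prog = f[6].partition("/")
            hits.append((int(pid) if pid.isdigit() else None, prog, f[4]))
    return hits


def parse_sha256sum(text):
    """Parse 'sha256sum' output ('<hex>  <path>') into (path, hex) pairs."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, path = line.partition("  ")
        pairs.append((path, digest.lower()))
    return pairs


def match_files(inventory):
    """Classify each (path, sha256) pair against the report's file indicators.

    A hash match is reported wherever the file now lives; the two path-only
    indicators are reported when the path alone matches.
    """
    by_hash = {h: p for p, h in DROPPED.items() if p not in PATH_ONLY}
    hits = []
    for path, digest in inventory:
        if digest == SAMPLE_SHA256:
            hits.append(("sample_apk", path))
        elif digest in by_hash:
            hits.append(("dropped_file_by_hash", path))
        elif path in PATH_ONLY:
            hits.append(("dropped_file_by_path", path))
    return hits


# Constructed sample records (not captured from the sandbox run); the PID and
# package name are the ones the report lists, the other hosts are placeholders.
NETSTAT = """\
tcp        0      0 10.0.2.16:41236      91.204.227.39:28844   ESTABLISHED 4223/r.vtolp.nawwxf
tcp        0      0 10.0.2.16:39010      203.0.113.7:443       ESTABLISHED 1187/com.android.vending
tcp        0      0 10.0.2.16:41300      91.204.227.39:443     TIME_WAIT   -
""".splitlines()

SHA256SUM = """\
9cdaf7ebed7c3a34653b8cffa6ccdc3304150a34254859c19920235daa6395a9  /sdcard/Download/payload.bin
d4c1e0b2a9f8e7c6b5a4938271605f4e3d2c1b0a9f8e7d6c5b4a39281706f5e4  /data/data/r.vtolp.nawwxf/files/oat/d.cur.prof
0000000000000000000000000000000000000000000000000000000000000000  /storage/emulated/0/.msg_device_id.txt
a89ab7a079cdec1c42e038ae5e54dd8e36aa62d71ecf982b2c125f4df74ff0f1  /data/app/r.vtolp.nawwxf-1/base.apk
"""

if __name__ == "__main__":
    for hit in match_connections(NETSTAT):
        print("C2 connection:", hit)
    for hit in match_files(parse_sha256sum(SHA256SUM)):
        print("file indicator:", hit)
```

Note that the third netstat line goes to the same C2 host on port 443 and is deliberately not reported: the report only supports port 28844, and widening the match to the bare IP is a judgement call to make explicitly rather than by accident. Likewise the payload copied to `/sdcard/Download/payload.bin` is still caught because the match is on the SHA256 from the Downloads section, not on the original path.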