xloader_apk | 1b0a6cbddc2a700211fc6055a85731e82f9f8f4de64ff6714f0fb8ff145fab33

General

Target

1b0a6cbddc2a700211fc6055a85731e82f9f8f4de64ff6714f0fb8ff145fab33.bin
Size

205KB
Sample

240602-al952sca3w
MD5

f2d6f6a3c2ce6df2c3ec787a24ce55d1
SHA1

787dfe527aa93a7488b14175d9b182c2eb304cf3
SHA256

1b0a6cbddc2a700211fc6055a85731e82f9f8f4de64ff6714f0fb8ff145fab33
SHA512

61c1499bd6e9989f11e215d510fd9961b693d6bfcfbdc1f1f7659459a37e986ae4d6c021e29119820e48e618dd13430c63899d93bfc8a3955112d3b3def1136d
SSDEEP

6144:i2ydMW03PlMHKLATFhjHCORXelZGUXx++oPnOv+sU:5yl0f+MCb1efBk+VvRU

Score

10^/10

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.227.39:28844

DES_key

Targets

- Target
  
  1b0a6cbddc2a700211fc6055a85731e82f9f8f4de64ff6714f0fb8ff145fab33.bin
- Size
  
  205KB
- MD5
  
  f2d6f6a3c2ce6df2c3ec787a24ce55d1
- SHA1
  
  787dfe527aa93a7488b14175d9b182c2eb304cf3
- SHA256
  
  1b0a6cbddc2a700211fc6055a85731e82f9f8f4de64ff6714f0fb8ff145fab33
- SHA512
  
  61c1499bd6e9989f11e215d510fd9961b693d6bfcfbdc1f1f7659459a37e986ae4d6c021e29119820e48e618dd13430c63899d93bfc8a3955112d3b3def1136d
- SSDEEP
  
  6144:i2ydMW03PlMHKLATFhjHCORXelZGUXx++oPnOv+sU:5yl0f+MCb1efBk+VvRU
Score

10^/10

xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan
- XLoader payload
- XLoader, MoqHao
  An Android banker and info stealer.
  trojan infostealer banker xloader_apk
- Checks if the Android device is rooted.
  evasion
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Removes its main activity from the application launcher
  stealth trojan evasion
- Requests changing the default SMS application.
  collection impact
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Queries account information for other applications stored on the device
  Application may abuse the framework's APIs to collect account information stored on the device.
  collection
- Queries information about the current Wi-Fi connection
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Reads the contacts stored on the device.
  collection
- Reads the content of the MMS message.
  collection
- Registers a broadcast receiver at runtime (usually for listening for system events)
  persistence
- Acquires the wake lock
- Checks if the internet connection is available
  discovery
- Queries the unique device ID (IMEI, MEID, IMSI)
  discovery
- Reads information about phone network operator.
  discovery
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

XLoader payload

XLoader, MoqHao

Checks if the Android device is rooted.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Requests changing the default SMS application.

Loads dropped Dex/Jar

Makes use of the framework's foreground persistence service

Queries account information for other applications stored on the device

Queries information about the current Wi-Fi connection

Queries the phone number (MSISDN for GSM devices)

Reads the contacts stored on the device.

Reads the content of the MMS message.

Registers a broadcast receiver at runtime (usually for listening for system events)

Acquires the wake lock

Checks if the internet connection is available

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator.

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

behavioral3