Analysis
max time kernel: 10s
max time network: 130s
platform: android_x86
resource: android-x86-arm-20240611.1-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240611.1-en, locale:en-us, os:android-9-x86, system
submitted: 19-06-2024 02:13
Static task: static1
Behavioral task: behavioral1
Sample: 5a161d2c80bd95a7b9b9fe321bf8f9aa1132e555e696f7c9a7037337d669b271.apk
Resource: android-x86-arm-20240611.1-en
General
Target: 5a161d2c80bd95a7b9b9fe321bf8f9aa1132e555e696f7c9a7037337d669b271.apk
Size: 412KB
MD5: 5b67ab4e3153123a990baa15454ea38a
SHA1: 6c1e31d107783c21601fd027572a32fc9c917789
SHA256: 5a161d2c80bd95a7b9b9fe321bf8f9aa1132e555e696f7c9a7037337d669b271
SHA512: feb4ee7efc319c6f175c8e2226bb71f0dcd02be4cf21ac67eff1188261910437d0022eac0c22d4d33329fbfce7310d8ed3b1b079ae8b3732c95ea0a537eb0e99
SSDEEP: 12288:h7RlScl3evk6OR7jwflvqn+T9Gj1E/zQw9g:Vzlj60s9Z8Ym
Malware Config
Signatures
XLoader payload (1 IoC)
Processes:
  resource: /data/data/citneqj.yhcnkbxqj.arsmaq/files/b    yara_rule: family_xloader_apk2
XLoader, MoqHao
An Android banker and info stealer.
Checks if the Android device is rooted. (1 TTP, 3 IoCs)
Processes:
  ioc: /sbin/su            process: citneqj.yhcnkbxqj.arsmaq
  ioc: /system/bin/su      process: citneqj.yhcnkbxqj.arsmaq
  ioc: /system/xbin/su     process: citneqj.yhcnkbxqj.arsmaq
Loads dropped Dex/Jar (1 TTP, 4 IoCs)
Runs executable file dropped to the device during analysis.
Processes:
  ioc: /data/user/0/citneqj.yhcnkbxqj.arsmaq/app_picture/1.jpg    pid: 4344    process: citneqj.yhcnkbxqj.arsmaq
  ioc: /data/user/0/citneqj.yhcnkbxqj.arsmaq/app_picture/1.jpg    pid: 4344    process: citneqj.yhcnkbxqj.arsmaq
  ioc: /data/user/0/citneqj.yhcnkbxqj.arsmaq/files/b              pid: 4344    process: citneqj.yhcnkbxqj.arsmaq
  ioc: /data/user/0/citneqj.yhcnkbxqj.arsmaq/files/b              pid: 4344    process: citneqj.yhcnkbxqj.arsmaq

Checks CPU information (2 TTPs, 1 IoC)
Downloads

/data/data/citneqj.yhcnkbxqj.arsmaq/app_picture/1.jpg
Filesize: 170KB
MD5: e04b61068deeadc8c19e5ee4b2f9de4d
SHA1: 112d59ad0f079246df6228080f3f219fc4ad53bb
SHA256: 5b3d2060b3298ff49a4f59e922d152271eff1df75caa20127bdf48b9b8403dcc
SHA512: e216869ccdf2ab8d257c8acd6a96678d369e39a6a62b7644ff815bdf28582ee342e24dc9915a69c41038896e731571d3f3d28bef4c728bc655e09b6646281e0d

/data/data/citneqj.yhcnkbxqj.arsmaq/files/b
Filesize: 446KB
MD5: 4f4569db9ddb90b5f60c424621cf3a72
SHA1: 63c79e63187921b33d30c66de3e791e3f51d746e
SHA256: 18c14954e985db1a807189513a739c2ccb9ad37bba6cc9f8a61f0c42edffda4c
SHA512: cf1c150f19ccc58441ac38060fe80961bbc9ea575a69c4437bd04be7555b92a3422490a4358f720450492edf5780d3d76eed4e02493c184bb3f13a8ab5ec4929

/data/user/0/citneqj.yhcnkbxqj.arsmaq/app_picture/1.jpg
Filesize: 170KB
MD5: ad62abf0a43c4b7cfa83a26e2152f250
SHA1: 57a1edac6c4897119aecf3485dae900fcc45f298
SHA256: eac8b83c45cb80713bb4ac451c6bddafa43b90249c1628fdb60d8537961f237d
SHA512: b1954b52f2ff0b8e5090b80591a1dc9c8512320640f9b9380990fae00d4aa1bc9032be6721736fb164060bf31b49b2231cea3e8f93447b6e2e616f65eecdc2bd