Malware Analysis Report

2024-09-09 13:06

Sample ID 240619-cnne6ssbmb
Target 5a161d2c80bd95a7b9b9fe321bf8f9aa1132e555e696f7c9a7037337d669b271.bin
SHA256 5a161d2c80bd95a7b9b9fe321bf8f9aa1132e555e696f7c9a7037337d669b271
Tags
xloader_apk banker evasion infostealer trojan
score
10/10

Analysis Overview


Threat Level: Known bad

The file 5a161d2c80bd95a7b9b9fe321bf8f9aa1132e555e696f7c9a7037337d669b271.bin was found to be: Known bad.

Malicious Activity Summary

xloader_apk banker evasion infostealer trojan

XLoader payload

XLoader, MoqHao

Checks if the Android device is rooted.

Loads dropped Dex/Jar

Declares services with permission to bind to the system

Requests dangerous framework permissions

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-19 02:13

Signatures

Declares services with permission to bind to the system

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A |

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
| Allows an application broad access to external storage in scoped storage. | android.permission.MANAGE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 02:13

Reported

2024-06-19 02:16

Platform

android-x86-arm-20240611.1-en

Max time kernel

10s

Max time network

130s

Command Line

citneqj.yhcnkbxqj.arsmaq

Signatures

XLoader payload

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

XLoader, MoqHao

trojan infostealer banker xloader_apk

Checks if the Android device is rooted.

evasion
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /sbin/su | N/A | N/A |
| N/A | /system/bin/su | N/A | N/A |
| N/A | /system/xbin/su | N/A | N/A |

Loads dropped Dex/Jar

evasion
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /data/user/0/citneqj.yhcnkbxqj.arsmaq/app_picture/1.jpg | N/A | N/A |
| N/A | /data/user/0/citneqj.yhcnkbxqj.arsmaq/app_picture/1.jpg | N/A | N/A |
| N/A | /data/user/0/citneqj.yhcnkbxqj.arsmaq/files/b | N/A | N/A |
| N/A | /data/user/0/citneqj.yhcnkbxqj.arsmaq/files/b | N/A | N/A |

Checks CPU information

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/cpuinfo | N/A | N/A |

Processes

citneqj.yhcnkbxqj.arsmaq

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 216.58.204.78:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |

Files

/data/data/citneqj.yhcnkbxqj.arsmaq/app_picture/1.jpg

MD5 e04b61068deeadc8c19e5ee4b2f9de4d
SHA1 112d59ad0f079246df6228080f3f219fc4ad53bb
SHA256 5b3d2060b3298ff49a4f59e922d152271eff1df75caa20127bdf48b9b8403dcc
SHA512 e216869ccdf2ab8d257c8acd6a96678d369e39a6a62b7644ff815bdf28582ee342e24dc9915a69c41038896e731571d3f3d28bef4c728bc655e09b6646281e0d

/data/user/0/citneqj.yhcnkbxqj.arsmaq/app_picture/1.jpg

MD5 ad62abf0a43c4b7cfa83a26e2152f250
SHA1 57a1edac6c4897119aecf3485dae900fcc45f298
SHA256 eac8b83c45cb80713bb4ac451c6bddafa43b90249c1628fdb60d8537961f237d
SHA512 b1954b52f2ff0b8e5090b80591a1dc9c8512320640f9b9380990fae00d4aa1bc9032be6721736fb164060bf31b49b2231cea3e8f93447b6e2e616f65eecdc2bd

/data/data/citneqj.yhcnkbxqj.arsmaq/files/b

MD5 4f4569db9ddb90b5f60c424621cf3a72
SHA1 63c79e63187921b33d30c66de3e791e3f51d746e
SHA256 18c14954e985db1a807189513a739c2ccb9ad37bba6cc9f8a61f0c42edffda4c
SHA512 cf1c150f19ccc58441ac38060fe80961bbc9ea575a69c4437bd04be7555b92a3422490a4358f720450492edf5780d3d76eed4e02493c184bb3f13a8ab5ec4929