Analysis
-
max time kernel
179s -
max time network
186s -
platform
android_x64 -
resource
android-x64-arm64-20240611.1-en -
resource tags
-
submitted
21-06-2024 00:28
General
-
Target
fd25366cafc3a126e29a6172e2bbad79ef70905c5deef1e49123e97aaca4ed07.apk
-
Size
278KB
-
MD5
52c9ceda98479096215ccc2817b88e85
-
SHA1
19a40c88749d940f685b74ac1a8b98439f11dbd3
-
SHA256
fd25366cafc3a126e29a6172e2bbad79ef70905c5deef1e49123e97aaca4ed07
-
SHA512
0684a2cd9c229cf330a62b05635d4ca19bef4475339d77cf22d7ded1fcc5a3f55a571fff33850a719fe6b33a68d9cace6fd50b3c97622e4a17258e641c27e0d4
-
SSDEEP
6144:U+XkAbYMVE0Q1pT2wun1IgpnfRhzzXHK6XIG/n5DnR2q3l4P:3XvbYMoOt1Dpnf/zbHr5zccl4P
Malware Config
Extracted
xloader_apk
http://91.204.227.39:28844
Signatures
-
XLoader payload 1 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
ewvxt.wrsxcl.dvdibu.ckkr1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
493KB
MD5105e2dcbc89ff58ece125bfb4f69a612
SHA10d868cd028ceb507544465ae7e68978d025bec4d
SHA2560de0a008613e7a70bafc5b249ffc5b4112ba2a4eef03219e43912efb53604a5a
SHA512254e3df724a160ffd42e0344e58b15bf8ac004ab6c51bf1b2c52cfa35ca3c894ce92d8c6a22d507b410aa35a8c9875ba95e8a6a9e881dfefb40887c8c7b9b465
-
Filesize
1KB
MD559d59e724bb98689816f0c622ef6edd7
SHA14ad62f27b4579301340597ab058115dd8237d134
SHA25683b7e312fa77ee4645750680a156374be59c6941d4167545898b207c51454753
SHA512c1368b146471a1329a3acfe4ce64072401e90d5b53371a89b172ad1275c4a59b834522c870f815e27b4d00a8c52fe6189b7592d2a492659d87b57e236e028844
-
Filesize
36B
MD58590a98b9fefdf94d32acc32002507e4
SHA1676cd4918ee118ce754fce9810a9cda66edf22c6
SHA256fc0c7e111dc2f4a7322cfbe402be2ed82aae3f215a0b6d159d080c7a6ffb35c7
SHA512fab1091433551d2dc47451cee7d5fe91daf274f7ca2f6af000fef00b97938f67d593d48acacd548433ec7e41b2c227c6d778c49a8768ade5168f02e9a4afeb35