Extracted

• • Target

    3145c1177f8170961e9e4328b425971c68ec83b14b1cf4989d8017131f44eb34.bin

  • Size

    408KB

  • MD5

    1269dfdf73ed6083e74657f812bc25bc

  • SHA1

    c6107fa0c9d7393b2bbd5d36b0c2d1792e4e515f

  • SHA256

    3145c1177f8170961e9e4328b425971c68ec83b14b1cf4989d8017131f44eb34

  • SHA512

    56292b73848f203c228af6ce4b37f2f146cb4259da649d5b427caf72f65a091d05427d20638ed9e4ccf2cad91d03f75f04b4d810c792b67cb501d991e73490d6

  • SSDEEP

    6144:MRcfkBTvCWBYT7kZGqyQDz3a12UH/aiNBkcnOxH2R30vUEbObpm8jYJAwus:MRZ9nBawIyDNUHiiQDhu0vUEbqmEYxF

  Score

  10^/10

  xloader_apkbankercollectiondiscoveryevasionimpactinfostealerpersistencestealthtrojan

  • XLoader payload

  • XLoader, MoqHao

    An Android banker and info stealer.

    trojaninfostealerbankerxloader_apk

  • Checks if the Android device is rooted.

    evasion

  • Removes its main activity from the application launcher

    stealthtrojanevasion

  • Loads dropped Dex/Jar

    Runs executable file dropped to the device during analysis.

    evasion

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    bankerdiscovery

  • Queries account information for other applications stored on the device

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection

  • Queries the phone number (MSISDN for GSM devices)

    discovery

  • Reads the content of the MMS message.

    collection

  • Acquires the wake lock

  • Makes use of the framework's foreground persistence service

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence

  • Reads information about phone network operator.

    discovery

  • Requests disabling of battery optimizations (often used to enable hiding in the background).

    evasion
  behavioral1