Overview

overview

10

Static

static

6

5fd68667b7...16.apk

android-9-x86

10

Analysis

  • max time kernel
    179s
  • max time network
    153s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    29-06-2024 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5fd68667b7fc8c83eab360c4014528aca926df2dba879b743188d4a29881ef16.apk

  • Size

    412KB

  • MD5

    ecac1769596b243d2db8d47a2e21088f

  • SHA1

    2891a7bf98f2a83df611fc943a0214a33c594baf

  • SHA256

    5fd68667b7fc8c83eab360c4014528aca926df2dba879b743188d4a29881ef16

  • SHA512

    d06436235327929aad18952c583661e4d0934efd6bcccec78c3916580515193da8dfa9db98bc6f5d174bb7e5f7aa17be175bf5d24c77dfe6ac2497aee0b6aaf7

  • SSDEEP

    6144:MyQDz3a12UH/aiNBkcnOxH2R30vUEbObpm8jYJAwu+2nwWk4hekf1DPv0hMHrLz:4DNUHiiQDhu0vUEbqmEYxswaekf1Y+vz

Score
10/10
xloader_apkbankercollectiondiscoveryevasionimpactinfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.227.50:28899

DES_key

Signatures

  • XLoader payload 1 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

    trojaninfostealerbankerxloader_apk
  • Checks if the Android device is rooted. 1 TTPs 3 IoCs
    evasion
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 4 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
    collection
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • tbxrukp.lwsppxkhw.qbjozn
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    PID:4315

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/tbxrukp.lwsppxkhw.qbjozn/app_picture/1.jpg
    Filesize

    168KB

    MD5

    f7e0b8691c5affd2d37a9eb3343979a1

    SHA1

    a7bcba862e1027cc5e738aab71122bacb880eeb3

    SHA256

    ed68e8baa74b5d6f37266cc33b0cdba6936784b7b2bfeaf788ff99c527802183

    SHA512

    65d82bcdb615a38d3a07496d6331a2361881cb1efc8953fb36c4c84584382ec7677caa854828f5e5528ab648ee74462f8da06cdc17c549846d76836adccdf842

    Download Submit

  • /data/data/tbxrukp.lwsppxkhw.qbjozn/files/b
    Filesize

    446KB

    MD5

    5daa1f3756c6785b25d466ca6b7bdc50

    SHA1

    ad6a6880ad1b812434e5bd3b2c1717ba11b54cf6

    SHA256

    a1695cf685fbf9712a67bbc7f9bf82c6d6fe5f8ef185f1ede33fcb76526143c7

    SHA512

    2dbeab1cfd8658b6681d3bda791f2fd3f1199c9aee135b1baa1e91abf87d20de221eec1027f611356781b7c6dbb823b8b157509ced30b03a62f6842fbde0e7e9

    Download Submit

  • /data/user/0/tbxrukp.lwsppxkhw.qbjozn/app_picture/1.jpg
    Filesize

    168KB

    MD5

    c021c48a864d832f107913b2f2891a1a

    SHA1

    3a15fa05a112b2796723354f62668c116adabe51

    SHA256

    b83fee91e8b19e0b20cec3dd6de97aca7e13426dc403af4ce798de88355cca76

    SHA512

    a0f81d635aa429cf4f698b2a8b9899f01e94b14515248f75b7d2602bc28a31886305fc641739668d173ed36980bbba4d93da2f7f1945a07f4728791f365939f6

    Download Submit

  • /storage/emulated/0/.msg_device_id.txt
    Filesize

    36B

    MD5

    dd104b6407a8126910baba134c732211

    SHA1

    e5edcd1f56e1854174c677ada971171f46c52ee6

    SHA256

    a28bd1d8cd8f4fedd0a13a7537be6d5597da80ceba486175a1bbb037d9a31c7f

    SHA512

    b42a605f302061578fbc2f6e0fd3f0d72ed4b2ed5a2fef2b3817e00504234af43d66141dcdee81d9205a7f043e74d5675844c6ccb9b978b10398758aad012f62

    Download Submit