Malware Analysis Report

2024-09-09 13:10

Sample ID 240717-1zc1ks1fqn
Target 96efe7b6f1c7335548b74019a7064f14d9c5d1020a28a0d6b915cb8f43cd7440.bin
SHA256 96efe7b6f1c7335548b74019a7064f14d9c5d1020a28a0d6b915cb8f43cd7440
Tags xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256

96efe7b6f1c7335548b74019a7064f14d9c5d1020a28a0d6b915cb8f43cd7440

Threat Level: Known bad

The file 96efe7b6f1c7335548b74019a7064f14d9c5d1020a28a0d6b915cb8f43cd7440.bin was found to be: Known bad.

Malicious Activity Summary

xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan

XLoader payload

XLoader, MoqHao

Removes its main activity from the application launcher

Checks if the Android device is rooted.

Reads the content of the MMS message.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Requests changing the default SMS application.

Makes use of the framework's foreground persistence service

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests dangerous framework permissions

Acquires the wake lock

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-17 22:04

Signatures

Requests dangerous framework permissions

Permission | Description
android.permission.SYSTEM_ALERT_WINDOW | Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.GET_ACCOUNTS | Allows access to the list of accounts in the Accounts Service.
android.permission.WRITE_EXTERNAL_STORAGE | Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE | Allows an application to read from external storage.
android.permission.READ_PHONE_STATE | Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.RECEIVE_SMS | Allows an application to receive SMS messages.
android.permission.RECEIVE_MMS | Allows an application to monitor incoming MMS messages.
android.permission.READ_SMS | Allows an application to read SMS messages.
android.permission.SEND_SMS | Allows an application to send SMS messages.
android.permission.READ_CONTACTS | Allows an application to read the user's contacts data.

Process and Target are N/A for every row: these are manifest declarations found by static analysis, not runtime events. Read together with the behavioral signatures, RECEIVE_SMS, READ_SMS and SEND_SMS plus the request to become the default SMS application give the sample the ability to read, send and intercept SMS, and SYSTEM_ALERT_WINDOW plus the installed-application enumeration is the overlay capability the banker tag refers to.

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-17 22:04

Reported

2024-07-17 22:19

Platform

android-x86-arm-20240624-en

Max time kernel

179s

Max time network

146s

Command Line

com.qblj.qinx

Signatures

XLoader payload

Description | Indicator | Process | Target
(no indicator details recorded)

XLoader, MoqHao

trojan infostealer banker xloader_apk

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/bin/su | N/A | N/A
N/A | /system/xbin/su | N/A | N/A
N/A | /sbin/su | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
(no indicator details recorded)

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.qblj.qinx/files/dex (two load events) | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description | Indicator | Process | Target
URI accessed for read | content://mms/ | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Requests changing the default SMS application.

collection impact
Description | Indicator | Process | Target
Intent action | android.provider.Telephony.ACTION_CHANGE_DEFAULT | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

The sandbox's heuristic reads a Cipher.doFinal call as possible encryption of user data; the call is equally consistent with decrypting the dropped dex or a C2 configuration, which this report does not distinguish.

Processes

com.qblj.qinx

Network

Country | Destination | Domain | Proto | Count
N/A | 224.0.0.251:5353 | (none) | udp | 1
US | 1.1.1.1:53 | docs.google.com | udp | 1
GB | 142.250.178.14:443 | docs.google.com | tcp | 2
KR | 91.204.227.39:28844 | (none) | tcp | 2
GB | 142.250.200.46:443 | (none) | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 142.250.187.238:443 | android.apis.google.com | tcp | 1
KR | 91.204.227.39:28844 | (none) | tcp | 7

Rows are in the order recorded; identical consecutive connections are collapsed into the Count column. 224.0.0.251:5353 is mDNS multicast and 1.1.1.1:53 is the resolver the sandbox's DNS queries go to. The only destination on a non-standard port with no associated DNS lookup is 91.204.227.39:28844 (KR), contacted 9 times in this run and present in all three detonations.

Files

/data/data/com.qblj.qinx/files/dex

Dropped payload loaded at runtime. The Loads dropped Dex/Jar signature records it under /data/user/0/com.qblj.qinx/files/dex; /data/data/<pkg> is the legacy symlink to that directory. The same file, with identical hashes, was dropped in all three detonations.

MD5 e9b14ba46445d4e776c77cb397aaacf2
SHA1 9159ba397ea55f389c2551a17e998c7f1dd367cf
SHA256 4614f98969b993ad6fc3c4d5e1a497404be32d31ac67fcfdbdb14b518720531b
SHA512 4cb8ff639ea24b4866dfd1691e5170724dc4c87dda99841c6f2fc2f77a7cc44cd212fac229ad604ea262bb4e2a35aead0f1e59a8e27731296ec4d9e163869e7e

/data/data/com.qblj.qinx/files/oat/dex.cur.prof

ART runtime profile written when the dex above was loaded. It is generated by the runtime per run, so its hash differs between detonations while the dex hash does not.

MD5 ec1cbb8d9311f744bbdb746b553aa850
SHA1 87b30993b74132a1be41a0a4da4b92639214356f
SHA256 80bfda9a2514c5af32737800001c65181b67d39d7c554c0e2df74d6be81ecfa4
SHA512 682075c9c46b289a378ed8aa888fe40ecf9dfbf6d47401ded9179e0572f8ee89f69e94811383fa1d6a80a0d918c5092bbb2b1832fb645fae5e85b0eea3564792

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-17 22:04

Reported

2024-07-17 22:19

Platform

android-x64-20240624-en

Max time kernel

5s (the shortest of the three runs; the MMS read, default SMS change, battery-optimization and Cipher signatures recorded in behavioral1 and behavioral3 did not fire here)

Max time network

169s

Command Line

com.qblj.qinx

Signatures

XLoader payload

Description | Indicator | Process | Target
(no indicator details recorded)

XLoader, MoqHao

trojan infostealer banker xloader_apk

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/xbin/su | N/A | N/A
N/A | /sbin/su | N/A | N/A
N/A | /system/bin/su | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
(no indicator details recorded)

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.qblj.qinx/files/dex (two load events) | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.qblj.qinx

Network

Country | Destination | Domain | Proto | Count
N/A | 224.0.0.251:5353 | (none) | udp | 1
US | 1.1.1.1:53 | ssl.google-analytics.com | udp | 1
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp | 1
GB | 216.58.213.14:443 | (none) | tcp | 1
GB | 142.250.178.2:443 | (none) | tcp | 1
GB | 172.217.169.10:443 | (none) | tcp | 1
GB | 172.217.16.227:443 | (none) | tcp | 1
GB | 142.250.200.46:443 | (none) | tcp | 1
BE | 142.251.173.188:5228 | (none) | tcp | 1
US | 216.239.38.223:443 | (none) | tcp | 2
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 142.250.187.238:443 | android.apis.google.com | tcp | 1
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp | 1
GB | 142.250.187.202:443 | semanticlocation-pa.googleapis.com | tcp | 1
US | 1.1.1.1:53 | g.tenor.com | udp | 1
GB | 142.250.180.10:443 | g.tenor.com | tcp | 1
US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp | 1
GB | 142.250.180.10:443 | mdh-pa.googleapis.com | tcp | 1
US | 1.1.1.1:53 | safebrowsing.googleapis.com | udp | 1
US | 1.1.1.1:53 | docs.google.com | udp | 1
GB | 172.217.16.238:443 | docs.google.com | tcp | 2
KR | 91.204.227.39:28844 | (none) | tcp | 1
GB | 142.250.187.228:443 | (none) | tcp | 2
KR | 91.204.227.39:28844 | (none) | tcp | 1
US | 1.1.1.1:53 | www.youtube.com | udp | 1
GB | 216.58.201.110:443 | www.youtube.com | udp | 1
GB | 216.58.201.110:443 | www.youtube.com | tcp | 1
US | 1.1.1.1:53 | www.google.com | udp | 1
GB | 142.250.187.228:443 | www.google.com | tcp | 1
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp | 1
GB | 216.58.212.234:443 | semanticlocation-pa.googleapis.com | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 216.58.212.238:443 | android.apis.google.com | tcp | 1
US | 1.1.1.1:53 | www.youtube.com | udp | 1
GB | 142.250.187.206:443 | www.youtube.com | udp | 1
GB | 142.250.187.206:443 | www.youtube.com | tcp | 1
US | 1.1.1.1:53 | docs.google.com | udp | 1
GB | 172.217.169.46:443 | docs.google.com | tcp | 2
KR | 91.204.227.39:28844 | (none) | tcp | 1
US | 1.1.1.1:53 | www.google.com | udp | 1
GB | 142.250.178.4:443 | www.google.com | tcp | 1
US | 1.1.1.1:53 | accounts.google.com | udp | 2
GB | 64.233.167.84:443 | accounts.google.com | tcp | 1
KR | 91.204.227.39:28844 | (none) | tcp | 7

Rows are in the order recorded; identical consecutive connections are collapsed into the Count column. udp to port 443 is QUIC. 91.204.227.39:28844 (KR) is contacted 10 times in this run. The youtube, semanticlocation, tenor, safebrowsing and accounts traffic is typical of the background traffic a Google-services emulator image generates on its own; the report does not map flows to processes, so none of it can be attributed to the sample from this table alone.

Files

/data/data/com.qblj.qinx/files/dex

MD5 e9b14ba46445d4e776c77cb397aaacf2
SHA1 9159ba397ea55f389c2551a17e998c7f1dd367cf
SHA256 4614f98969b993ad6fc3c4d5e1a497404be32d31ac67fcfdbdb14b518720531b
SHA512 4cb8ff639ea24b4866dfd1691e5170724dc4c87dda99841c6f2fc2f77a7cc44cd212fac229ad604ea262bb4e2a35aead0f1e59a8e27731296ec4d9e163869e7e

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-17 22:04

Reported

2024-07-17 22:19

Platform

android-x64-arm64-20240624-en

Max time kernel

179s

Max time network

167s

Command Line

com.qblj.qinx

Signatures

XLoader payload

Description | Indicator | Process | Target
(no indicator details recorded)

XLoader, MoqHao

trojan infostealer banker xloader_apk

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/bin/su | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
(no indicator details recorded)

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.qblj.qinx/files/dex (two load events) | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description | Indicator | Process | Target
URI accessed for read | content://mms/ | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Requests changing the default SMS application.

collection impact
Description | Indicator | Process | Target
Intent action | android.provider.Telephony.ACTION_CHANGE_DEFAULT | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.qblj.qinx

Network

Country | Destination | Domain | Proto | Count
GB | 216.58.212.238:443 | (none) | tcp | 2
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 142.250.187.206:443 | android.apis.google.com | tcp | 1
N/A | 224.0.0.251:5353 | (none) | udp | 1
US | 1.1.1.1:53 | docs.google.com | udp | 1
GB | 142.250.187.206:443 | docs.google.com | tcp | 2
KR | 91.204.227.39:28844 | (none) | tcp | 1
US | 1.1.1.1:53 | ssl.google-analytics.com | udp | 1
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp | 1
KR | 91.204.227.39:28844 | (none) | tcp | 3
GB | 142.250.187.228:443 | (none) | tcp | 2
KR | 91.204.227.39:28844 | (none) | tcp | 5

Rows are in the order recorded; identical consecutive connections are collapsed into the Count column. 91.204.227.39:28844 (KR) is contacted 9 times in this run, as in behavioral1; across the three detonations it is the only destination on a non-standard port with no associated DNS lookup. docs.google.com is resolved and contacted in all three runs as well.
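The Network tables of the three detonations mix the sandbox's resolver traffic, the emulator image's own Google services and the sample's connections, and the report does not map flows to processes. The script below is an added example written for this page, not part of the sandbox's tooling. It parses rows in the raw whitespace-separated export form (three fields when no Domain was recorded, four otherwise), aggregates per destination across detonations and applies an analyst allowlist that is an assumption for this report rather than something the sandbox emits: DNS and mDNS, the Google Play services keepalive port 5228 and hostnames under Google service domains are treated as platform noise, TLS to an IP the sandbox did not tie to a hostname is left as unresolved rather than guessed, and whatever remains is reported as a command-and-control candidate. SAMPLE_TABLES is an excerpt copied from the three tables above.

```python
"""Separate sandbox and platform noise from command-and-control candidates in
the Network tables of this report.

Added example for this page, not sandbox tooling. SAMPLE_TABLES is an excerpt
copied from the three detonations' Network tables in their raw
whitespace-separated export form. NOISE_PORTS and PLATFORM_DOMAIN_SUFFIXES are
an analyst allowlist assumed for this report.
"""
from collections import OrderedDict

SAMPLE_TABLES = {
    "behavioral1": """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 docs.google.com udp
GB 142.250.178.14:443 docs.google.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 142.250.200.46:443 tcp
""",
    "behavioral2": """\
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.180.8:443 ssl.google-analytics.com tcp
BE 142.251.173.188:5228 tcp
KR 91.204.227.39:28844 tcp
US 1.1.1.1:53 accounts.google.com udp
GB 64.233.167.84:443 accounts.google.com tcp
""",
    "behavioral3": """\
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
""",
}

# Analyst allowlist (assumption): DNS, mDNS and the Google Play services
# keepalive port are sandbox/platform noise, as are flows the sandbox resolved
# to Google-operated service domains.
NOISE_PORTS = {53, 5353, 5228}
PLATFORM_DOMAIN_SUFFIXES = (".google.com", ".googleapis.com", ".youtube.com",
                            ".google-analytics.com", ".tenor.com")


def parse_network_rows(table_text):
    """Parse raw 'Country Destination [Domain] Proto' rows into dicts.

    Domain is optional in the export, so a row has three or four fields;
    any other layout is an error rather than a guess.
    """
    rows = []
    for line in table_text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Country":  # blank line or header row
            continue
        if len(fields) == 4:
            country, dest, domain, proto = fields
        elif len(fields) == 3:
            country, dest, proto = fields
            domain = None
        else:
            raise ValueError("unexpected row layout: %r" % line)
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "dest": dest, "ip": ip,
                     "port": int(port), "domain": domain, "proto": proto})
    return rows


def verdict(row):
    """Classify one flow; TLS to an IP with no recorded hostname stays undecided."""
    if row["port"] in NOISE_PORTS:
        return "platform noise"
    if row["domain"] and row["domain"].endswith(PLATFORM_DOMAIN_SUFFIXES):
        return "platform noise"
    if row["domain"] is None and row["port"] == 443:
        return "unresolved tls"
    return "candidate c2"


def summarize(tables):
    """Aggregate flows per destination across detonations in first-seen order."""
    summary = OrderedDict()
    for run, text in tables.items():
        for row in parse_network_rows(text):
            entry = summary.setdefault(row["dest"], {
                "count": 0, "detonations": [], "countries": set(),
                "domains": set(), "verdict": verdict(row)})
            entry["count"] += 1
            if run not in entry["detonations"]:
                entry["detonations"].append(run)
            entry["countries"].add(row["country"])
            if row["domain"]:
                entry["domains"].add(row["domain"])
    return summary


def candidate_c2(summary):
    """Destinations that survived the allowlist, most-connected first."""
    hits = {d: e for d, e in summary.items() if e["verdict"] == "candidate c2"}
    return OrderedDict(sorted(hits.items(), key=lambda kv: -kv[1]["count"]))


if __name__ == "__main__":
    for dest, entry in candidate_c2(summarize(SAMPLE_TABLES)).items():
        print(dest, entry["count"], "flows in", ", ".join(entry["detonations"]))
```

On the excerpt the only candidate is 91.204.227.39:28844, seen in all three runs; the unresolved 443 destinations stay listed separately so they can be checked with reverse DNS or the TLS SNI from a pcap instead of being silently dropped.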

Files

/data/user/0/com.qblj.qinx/files/dex

MD5 e9b14ba46445d4e776c77cb397aaacf2
SHA1 9159ba397ea55f389c2551a17e998c7f1dd367cf
SHA256 4614f98969b993ad6fc3c4d5e1a497404be32d31ac67fcfdbdb14b518720531b
SHA512 4cb8ff639ea24b4866dfd1691e5170724dc4c87dda99841c6f2fc2f77a7cc44cd212fac229ad604ea262bb4e2a35aead0f1e59a8e27731296ec4d9e163869e7e

/data/user/0/com.qblj.qinx/files/oat/dex.cur.prof

MD5 585f167acc015211164ac8c164687265
SHA1 926b040b51c6219094482933831d3dac80c4ce1b
SHA256 029611e72f2fba6e1e3f1c6e3236dadd35965af2e2387b4afc23bd7a316f5f94
SHA512 639108dc74a09a0b45e8df3ef0411417bfabae75e57cdf9dd615d9257a4dbc1bec33e5ca13c4777f91502b54399d9156fa5a2d08657fcb3583f0cae2f9e328ac
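The Loads dropped Dex/Jar signature and the Files sections of all three detonations point at the same file, /data/user/0/com.qblj.qinx/files/dex, with identical hashes in every run. When such a file is pulled off a device or out of the sandbox, the first check is that it is a structurally consistent DEX rather than a truncated or still-encrypted blob, since otherwise the hashes describe something the runtime never executed. The script below is an added example written for this page, not sandbox tooling: it validates the DEX header fields and the adler32 checksum and SHA-1 signature the .dex format defines, recomputes the MD5/SHA-1/SHA-256/SHA-512 set the Files sections list, and scans printable strings for the indicators the runtime signatures are built on. build_minimal_dex() constructs a header-only sample with appended strings so the script runs offline; it is not the dropped payload from the report, and the string scan is a plain strings() pass, not a parse of the DEX string table.

```python
"""Triage a dropped DEX: header integrity, the hash set the sandbox reports,
and indicator strings from this report's signatures.

Added example for this page, not sandbox tooling. Header layout and the
checksum/signature coverage follow the published .dex format. The file used
below is constructed by build_minimal_dex() and is not the dropped payload.
"""
import hashlib
import re
import struct
import zlib

DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678

# Strings behind the report's runtime signatures (root check paths, MMS
# provider, intent actions).
INDICATORS = {
    b"/system/bin/su": "root check",
    b"/system/xbin/su": "root check",
    b"/sbin/su": "root check",
    b"content://mms/": "MMS content read",
    b"android.provider.Telephony.ACTION_CHANGE_DEFAULT": "default SMS app change",
    b"android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "battery optimization bypass",
}


def parse_dex_header(data):
    """Return the header fields needed for the integrity checks."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("file shorter than a DEX header (%d bytes)" % len(data))
    (checksum,) = struct.unpack_from("<I", data, 8)
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    return {
        "magic": bytes(data[0:8]),
        "checksum": checksum,             # adler32 over bytes 12..end
        "signature": bytes(data[12:32]),  # SHA-1 over bytes 32..end
        "file_size": file_size,
        "header_size": header_size,
        "endian_tag": endian_tag,
    }


def verify_dex(data):
    """Return a list of problems; an empty list means the DEX is self-consistent.

    A dropped file that fails here is truncated, still encrypted or not a DEX,
    so hashes of it would not describe what the runtime executed.
    """
    try:
        hdr = parse_dex_header(data)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not (hdr["magic"].startswith(b"dex\n") and hdr["magic"][7:8] == b"\x00"):
        problems.append("bad magic %r" % hdr["magic"])
    if hdr["header_size"] != DEX_HEADER_SIZE:
        problems.append("header_size 0x%x, expected 0x70" % hdr["header_size"])
    if hdr["endian_tag"] != ENDIAN_CONSTANT:
        problems.append("endian_tag 0x%08x, expected 0x12345678" % hdr["endian_tag"])
    if hdr["file_size"] != len(data):
        problems.append("file_size %d but %d bytes on disk" % (hdr["file_size"], len(data)))
    if zlib.adler32(data[12:]) != hdr["checksum"]:
        problems.append("checksum mismatch")
    if hashlib.sha1(data[32:]).digest() != hdr["signature"]:
        problems.append("signature mismatch")
    return problems


def report_hashes(data):
    """The same hash set the sandbox's Files section lists."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def find_indicators(data, min_len=6):
    """Map each indicator found in a printable ASCII run to its label."""
    found = {}
    for run in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data):
        for needle, label in INDICATORS.items():
            if needle in run:
                found[needle.decode()] = label
    return found


def build_minimal_dex(strings=()):
    """Constructed sample: a valid 0x70-byte header followed by NUL-separated
    strings as raw data. It has no classes or string table; it exists only so
    the checks above can run offline."""
    blob = b"".join(s + b"\x00" for s in strings)
    body = bytearray(DEX_HEADER_SIZE) + blob
    body[0:8] = b"dex\n035\x00"
    struct.pack_into("<III", body, 32, len(body), DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    struct.pack_into("<II", body, 104, len(blob), DEX_HEADER_SIZE)  # data_size, data_off
    body[12:32] = hashlib.sha1(body[32:]).digest()            # signature first ...
    struct.pack_into("<I", body, 8, zlib.adler32(body[12:]))  # ... then the checksum over it
    return bytes(body)


if __name__ == "__main__":
    sample = build_minimal_dex([b"/system/bin/su", b"content://mms/"])
    print("problems:", verify_dex(sample) or "none")
    print("sha256:", report_hashes(sample)["sha256"])
    print("indicators:", find_indicators(sample))
```

To use it on the real artifact, read /data/user/0/com.qblj.qinx/files/dex into bytes, confirm verify_dex() returns no problems, and compare report_hashes() against the Files section before spending time on the indicator scan; a mismatch on any of the four hashes means a different file than the one the sandbox executed.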