xloader_apk | 5018a3c684150c2fe51abeff223301e3b3572de3674498fbe2b38cd72c64728d | Triage

Sharing

General

Target

5018a3c684150c2fe51abeff223301e3b3572de3674498fbe2b38cd72c64728d.bin
Size

296KB
Sample

240809-152acssaml
MD5

402f5bdb95f051721b288b3e14f68957
SHA1

585c028e3061bb276e36a0be1cea3c6f4d8204f9
SHA256

5018a3c684150c2fe51abeff223301e3b3572de3674498fbe2b38cd72c64728d
SHA512

22a0f676939dfb1d0df5c36310828ce2e67864804eb9d9c6aaf3cf7e8088f6ec562ea2e54778d3cd79b15269f486b41f5b93f6b120ab59963f475dce43ce4fb9
SSDEEP

6144:/REKhj14kdXtyFEaQJ1og63BIjglQjdtBLUdp6uV4P4ukcFffqu7fi92wIry:55F13d9rrmg63Csq31ins48FfSGq9h

Score

10^/10

xloader_apk android banker collection discovery evasion impact infostealer persistence trojan

Malware Config

Targets

- Target
  
  5018a3c684150c2fe51abeff223301e3b3572de3674498fbe2b38cd72c64728d.bin
- Size
  
  296KB
- MD5
  
  402f5bdb95f051721b288b3e14f68957
- SHA1
  
  585c028e3061bb276e36a0be1cea3c6f4d8204f9
- SHA256
  
  5018a3c684150c2fe51abeff223301e3b3572de3674498fbe2b38cd72c64728d
- SHA512
  
  22a0f676939dfb1d0df5c36310828ce2e67864804eb9d9c6aaf3cf7e8088f6ec562ea2e54778d3cd79b15269f486b41f5b93f6b120ab59963f475dce43ce4fb9
- SSDEEP
  
  6144:/REKhj14kdXtyFEaQJ1og63BIjglQjdtBLUdp6uV4P4ukcFffqu7fi92wIry:55F13d9rrmg63Csq31ins48FfSGq9h
Score

10^/10

xloader_apk banker collection discovery evasion impact infostealer persistence trojan
- XLoader payload
- XLoader, MoqHao
  An Android banker and info stealer.
  trojan infostealer banker xloader_apk
- Checks if the Android device is rooted.
  evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Reads the content of the MMS message.
  collection
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Requests changing the default SMS application.
  collection impact
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Foreground Persistence

Credential Access

Discovery

Software Discovery

Security Software Discovery

System Information Discovery

System Network Configuration Discovery

Lateral Movement

Collection

Protected User Data

SMS Messages

Command and Control

Exfiltration

Impact

SMS Control

Tasks

static1

behavioral1

xloader_apkbankercollectiondiscoveryevasionimpactinfostealerpersistencetrojan

behavioral2

xloader_apkbankercollectiondiscoveryevasioninfostealerpersistencetrojan

behavioral3

xloader_apkbankercollectiondiscoveryevasionimpactinfostealerpersistencetrojan