Overview

overview

10

Static

static

6

eec6b19bb5...9e.apk

android-9-x86

10

eec6b19bb5...9e.apk

android-10-x64

10

eec6b19bb5...9e.apk

android-11-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    eec6b19bb5f8efde4871bb11eb98237255828ae05952475a4fa557b3e1d2a79e.bin

  • Size

    252KB

  • Sample

    240916-11vxsascpg

  • MD5

    24f14895fe87a5d4290a8a39c4d249fe

  • SHA1

    7113ab0afda800b97dcf22b689ca69c45233ea71

  • SHA256

    eec6b19bb5f8efde4871bb11eb98237255828ae05952475a4fa557b3e1d2a79e

  • SHA512

    f809f15b385b9db3b7e19ecba5967032c4a0c28c4e310fab268a338e8ee9173143471b15e14e0b5610d3052b118205bbac6d0bc4ead0ca08e00a9d664c3550c6

  • SSDEEP

    6144:JHlXxfWeYotM16gKg1xJ8YGw/cIGtSZweDSfZq2eA8rTJ51MdQ7:jXQeXM16Tg1RRcFe2xNaTJ51p7

Score
10/10
xloader_apkandroidbankercollectiondiscoveryevasionimpactinfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.227.39:28844

DES_key

Targets

    • Target

      eec6b19bb5f8efde4871bb11eb98237255828ae05952475a4fa557b3e1d2a79e.bin

    • Size

      252KB

    • MD5

      24f14895fe87a5d4290a8a39c4d249fe

    • SHA1

      7113ab0afda800b97dcf22b689ca69c45233ea71

    • SHA256

      eec6b19bb5f8efde4871bb11eb98237255828ae05952475a4fa557b3e1d2a79e

    • SHA512

      f809f15b385b9db3b7e19ecba5967032c4a0c28c4e310fab268a338e8ee9173143471b15e14e0b5610d3052b118205bbac6d0bc4ead0ca08e00a9d664c3550c6

    • SSDEEP

      6144:JHlXxfWeYotM16gKg1xJ8YGw/cIGtSZweDSfZq2eA8rTJ51MdQ7:jXQeXM16Tg1RRcFe2xNaTJ51p7

    Score
    10/10
    xloader_apkbankercollectiondiscoveryevasionimpactinfostealerpersistencestealthtrojan

    • XLoader payload

    • XLoader, MoqHao

      An Android banker and info stealer.

      trojaninfostealerbankerxloader_apk

    • Checks if the Android device is rooted.

      evasion

    • Removes its main activity from the application launcher

      stealthtrojanevasion

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

      bankerdiscovery

    • Queries the phone number (MSISDN for GSM devices)

      discovery

    • Reads the content of the MMS message.

      collection

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

      evasionpersistence

    • Requests changing the default SMS application.

      collectionimpact
    behavioral1behavioral2behavioral3

MITRE ATT&CK Mobile v15

Tasks