Overview

overview

10

Static

static

6

446b9329db...d9.apk

android-13-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    07-10-2024 22:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    446b9329dbd79fce6305298b346854a7c8863e5afce13e5a2f780d037a0040d9.apk

  • Size

    208KB

  • MD5

    5eaf9eb4c31983daec37862c8b0a7783

  • SHA1

    c81bb2c72f49da300f8c0a2763f9b3cf8d483aa1

  • SHA256

    446b9329dbd79fce6305298b346854a7c8863e5afce13e5a2f780d037a0040d9

  • SHA512

    979b0458eed8493f60e4c694545c22bf0a436174b5471ca2746410197a659c95ef96585d02e8c4024eeeaf7700e1e98104fd0f16b8120958fad16bcec630c8da

  • SSDEEP

    6144:HTwOdvj4Tq7wJj0L3/gfhOFLkpiwogYcYF0W:Pvjb9zgZwnwoncYF0W

Score
10/10
xloader_apkbankercollectiondiscoveryevasionimpactinfostealerpersistencetrojan

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.227.39:28844

DES_key

Signatures

  • XLoader payload 2 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

    trojaninfostealerbankerxloader_apk
  • Checks if the Android device is rooted. 1 TTPs 1 IoCs
    evasion
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
    collection
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Requests changing the default SMS application. 2 TTPs 1 IoCs
    collectionimpact
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • h.fktl.ldsma
    1⤵
    • Checks if the Android device is rooted.
    • Loads dropped Dex/Jar
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Requests changing the default SMS application.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4472

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/h.fktl.ldsma/files/dex
    Filesize

    446KB

    MD5

    8bb09c2927ef88bda95970b61599f314

    SHA1

    391656ad53355854928f21a99e995f14e5c75ce7

    SHA256

    27ec66655a2a5e63f95ec2a4066bf7e64a79d7070923f42ba0cbffe53e2ba2dd

    SHA512

    94f59ce40f5b0a03c7bf0c4d199b47c4c7f85f98ae686f6994d74119f7c4b76d031d8607a879818d92c9097ce7603dbfef55d850186a21add9dee18f2bf90d68

    Download Submit