Overview

overview

10

Static

static

6

60f457ca6b...eb.apk

android-13-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    17-10-2024 22:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    60f457ca6b3d74df9bca6b5dcdd4fb5608d7a17501a8443d25add8b9c450e9eb.apk

  • Size

    208KB

  • MD5

    32b7d2476cc11038bc52540a095ba00b

  • SHA1

    e7ec623397ad4d66544e82ada4ad1a9cd86befcc

  • SHA256

    60f457ca6b3d74df9bca6b5dcdd4fb5608d7a17501a8443d25add8b9c450e9eb

  • SHA512

    fe20d266b80b814954434f55a83923236c89733faf607d28ca4e56d44cadd29d1436b0cfa5d0fee937a4609fd0d44ad8b80d9bf8d26a7b9c25641ca9a662a9a7

  • SSDEEP

    6144:4Xn02mcs/fz1pYeV51yDyUt1WUNhiqI0nUTcKG:3FXvqT3Ia6nG

Score
10/10
xloader_apkbankercollectiondiscoveryevasionimpactinfostealerpersistencetrojan

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.226.105:28844

DES_key

Signatures

  • XLoader payload 2 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

    trojaninfostealerbankerxloader_apk
  • Checks if the Android device is rooted. 1 TTPs 1 IoCs
    evasion
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
    collection
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests changing the default SMS application. 2 TTPs 1 IoCs
    collectionimpact
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • c.chuw.vqjxv
    1⤵
    • Checks if the Android device is rooted.
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Reads the contacts stored on the device.
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about active data network
    • Requests changing the default SMS application.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4483

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/c.chuw.vqjxv/files/dex
    Filesize

    446KB

    MD5

    8bb09c2927ef88bda95970b61599f314

    SHA1

    391656ad53355854928f21a99e995f14e5c75ce7

    SHA256

    27ec66655a2a5e63f95ec2a4066bf7e64a79d7070923f42ba0cbffe53e2ba2dd

    SHA512

    94f59ce40f5b0a03c7bf0c4d199b47c4c7f85f98ae686f6994d74119f7c4b76d031d8607a879818d92c9097ce7603dbfef55d850186a21add9dee18f2bf90d68

    Download Submit

  • /storage/emulated/0/.msg_device_id.txt
    Filesize

    36B

    MD5

    6aef02bed6668940495f444c98e0155c

    SHA1

    758d3d9857a4d962dce8ca1dcfa3ccac757d1f40

    SHA256

    3a5282a66275cc671b3b81171d55dbe10ee067444beb2db5685a0a2cbc034e3b

    SHA512

    76344f0eabe7359899717053e430b2e1878cd85e1d370d6665f7e38bedada1ab1b4601813b1839c54cb8ea8536bf8d1b9d2c88c4cb3183aa045c958f5a5281c5

    Download Submit