Overview

overview

10

Static

static

6

82d988fd3d...04.apk

android-13-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240624-en
  • resource tags

    androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
  • submitted
    19-10-2024 22:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    82d988fd3d6ddacdbc5a86cabe3f10f92f0e9c4e20f0a348bbf136851786da04.apk

  • Size

    208KB

  • MD5

    f2c7336cd9071797d8dffb6c783866ee

  • SHA1

    ee049a10b1c3499c1f435872b1cba66abd36c879

  • SHA256

    82d988fd3d6ddacdbc5a86cabe3f10f92f0e9c4e20f0a348bbf136851786da04

  • SHA512

    656e48df4a439639fa87ffa3be8cb373e1fcf6c1751fe9b2ab52cdb88da7952ffcaf1ad3ea4bcba8392fa81e2b9da837ca4c02ea884834a0ac3f3b4de871cf14

  • SSDEEP

    6144:9aakN0ocs/fz1pYeV51yDyUt1WUNhiqI0nmm:fiJXvqT3Iamm

Score
10/10
xloader_apkbankercollectiondiscoveryevasionimpactinfostealerpersistencetrojan

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.226.105:28844

DES_key

Signatures

  • XLoader payload 2 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

    trojaninfostealerbankerxloader_apk
  • Checks if the Android device is rooted. 1 TTPs 1 IoCs
    evasion
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
    collection
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests changing the default SMS application. 2 TTPs 1 IoCs
    collectionimpact
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • qluj.mhrmkw.tmukmw
    1⤵
    • Checks if the Android device is rooted.
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Reads the contacts stored on the device.
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about active data network
    • Requests changing the default SMS application.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4350

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/qluj.mhrmkw.tmukmw/files/dex
    Filesize

    446KB

    MD5

    8bb09c2927ef88bda95970b61599f314

    SHA1

    391656ad53355854928f21a99e995f14e5c75ce7

    SHA256

    27ec66655a2a5e63f95ec2a4066bf7e64a79d7070923f42ba0cbffe53e2ba2dd

    SHA512

    94f59ce40f5b0a03c7bf0c4d199b47c4c7f85f98ae686f6994d74119f7c4b76d031d8607a879818d92c9097ce7603dbfef55d850186a21add9dee18f2bf90d68

    Download Submit

  • /storage/emulated/0/.msg_device_id.txt
    Filesize

    36B

    MD5

    d60c706d4fd8d300db7e136885ded08a

    SHA1

    5992e6398b42c93a16f6c0120b8c7d9b63f17c62

    SHA256

    e45689935c8a802175a3a2b64610c2a94dbf69c58cf5c62c02e01185454270c1

    SHA512

    9ab1dac48ed3d0316bdf6161a5b2615191e62a2d2360adeaa5ea968454821c5b3e49db91c776813dc82b3ae679b31ab10556063fe42dc33bca2d1c640b662662

    Download Submit