Analysis
-
max time kernel
149s -
max time network
135s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
-
submitted
02-11-2024 22:05
General
-
Target
bcc9e6009bc4f79e809d15c12f39d081d26de4cc0b1b2ec3b2deefa2a52f2e16.apk
-
Size
282KB
-
MD5
da2e2bc204da710420d4c8616cb2086b
-
SHA1
b69834bb3c54c0993efcca01d52c080ca103e531
-
SHA256
bcc9e6009bc4f79e809d15c12f39d081d26de4cc0b1b2ec3b2deefa2a52f2e16
-
SHA512
aa8381928e347a7402531f1b7b9b58ca0255beeaf2f248ed3511929eda978f1efd582f34fe28489a21086c370d7adade413bbf42a3c4d602ed07528ce8cac357
-
SSDEEP
6144:AtNor/7huAoogmp6uIZkpBcxqjpDYypUt2YM7o5jnqoPZP:4NQSogO6H0xYkcmoscP
Malware Config
Extracted
xloader_apk
http://91.204.226.105:28844
Signatures
-
XLoader payload 1 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Xloader_apk family
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
frgox.bnu.ard.zh1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
1System Network Configuration Discovery
2System Network Connections Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
505KB
MD51948f47b3ea40b56b95c2afea1715414
SHA15c690f45283971be674c6d8a2e54175b0ecf55eb
SHA25655e4054d9045b3a34d808883c387d64cbae6a402ba7551f1c7a19d6b2bcc5ae7
SHA5128f3e40ff08f864901147cd60dd88191b9f792a746f0d923e3fea3a30f1ce951ec984013641b32ce1130b764f3d27974ac1a4a9d281090c8bbbff02808ffeb436
-
Filesize
36B
MD50b4c020122693ca19f20f072d5e0d060
SHA1be9e221b9682ff4136f96db808b6faabfc0c76aa
SHA25675228cfc68c74f1517655018b91b8ee8abb3fdb9c0a762ea5e6e21ad2db01a56
SHA5123525e5eec77440f7471cdf0618770e1743032c241c11d297653fc68fef275e949f290aae0fd01fd71c03e3b56a1f6ecdb592beb0941ccaff1e929584231744f4