Analysis
-
max time kernel
149s -
max time network
158s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
-
submitted
05-11-2024 22:04
General
-
Target
35292d17cbf814403137cbeaf00758e3222879231d2f7d8b9d810568169aefaa.apk
-
Size
446KB
-
MD5
66f1063270eda1e1e83d51a5618bb379
-
SHA1
503ee3f58922e1811df56be863c6573684e0c1da
-
SHA256
35292d17cbf814403137cbeaf00758e3222879231d2f7d8b9d810568169aefaa
-
SHA512
c0971215837d46f8eaee2e75fd05d9f53e2854f7838bb7612f98e1fac53311686d01f6e821397bcc74ba78bb1e8210c2fe721f632f150890257db3a1e71443c5
-
SSDEEP
12288:ouZjy0QPkbDOL7pFtUKcWJo1FfBsS+b4dMoY+:XtEgCL7pFt6gS+cdMa
Malware Config
Extracted
xloader_apk
http://91.204.226.105:28844
Signatures
-
XLoader payload 1 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Xloader_apk family
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Reads information about phone network operator. 1 TTPs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.kbqb.mtuw1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
766KB
MD57962ea579bddfb2d56deaeb75556d33a
SHA1292c29c70d73caff3148eb993fc389c58b966cde
SHA256ff87cb92852a7d77c93494f73a3876fb3c3570115ffe73c2fcd08ae3ac1e3551
SHA512bad435e79acad4d6c25ea5a580a12dde0e065a85677744c6428bf20ee03a55972d20416ca719f9254be886f20a00c2cd3e4816911e05ebab199e398bc4c6a0f4
-
Filesize
1KB
MD52dd5f16d3df2314ccf7638192a1bc697
SHA191724dc06331c8ed99d4b17c30399ad2f9b9ec30
SHA25694995964d77a71d8e3d00b8104cbce5af69ede852e468443dd9abc54ffec2526
SHA5121566d5079c37d4a85a57bb51b8acef66332d56702851b17855ff9504b58c6f95b90f9117aa18267d27d8dba24d243c949b970b4e10928acf25b5b87dc6b5d93f