General

  • Target

    a7c3977f45ccfaf721de278cea38b029323cc178d1fd3a5b7c859957f07e5790.bin

  • Size

    278KB

  • Sample

    241105-1y3jvazbjf

  • MD5

    a12f5c20439d4cb1ff3b8d2e15c9440c

  • SHA1

    0b261bafe34a2d11f101273cf5743d82370ba7e1

  • SHA256

    a7c3977f45ccfaf721de278cea38b029323cc178d1fd3a5b7c859957f07e5790

  • SHA512

    ab9cc37252319bf7e59b529a05f1c3bf0899df5d28bacd6f7d6cdf19c75452e32dda37c38191f97dfa4abb66ab46757c958124a470340274e2fd3095582ffa86

  • SSDEEP

    6144:N2+NMc8Sy1W0UXDZIk8K3eIKEoY49q6l2dPg3nfsYkQA67ySS/FM8+:VNmU9Ikj3eIln49q6l2do3fIQA67ySSW

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.226.105:28844

DES_key
1
4162356431513332

Targets

    • Target

      a7c3977f45ccfaf721de278cea38b029323cc178d1fd3a5b7c859957f07e5790.bin

    • Size

      278KB

    • MD5

      a12f5c20439d4cb1ff3b8d2e15c9440c

    • SHA1

      0b261bafe34a2d11f101273cf5743d82370ba7e1

    • SHA256

      a7c3977f45ccfaf721de278cea38b029323cc178d1fd3a5b7c859957f07e5790

    • SHA512

      ab9cc37252319bf7e59b529a05f1c3bf0899df5d28bacd6f7d6cdf19c75452e32dda37c38191f97dfa4abb66ab46757c958124a470340274e2fd3095582ffa86

    • SSDEEP

      6144:N2+NMc8Sy1W0UXDZIk8K3eIKEoY49q6l2dPg3nfsYkQA67ySS/FM8+:VNmU9Ikj3eIln49q6l2do3fIQA67ySSW

    • XLoader payload

    • XLoader, MoqHao

      An Android banker and info stealer.

    • Xloader_apk family

    • Checks if the Android device is rooted.

    • Removes its main activity from the application launcher

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries account information for other applications stored on the device

      Application may abuse the framework's APIs to collect account information stored on the device.

    • Queries the phone number (MSISDN for GSM devices)

    • Reads the contacts stored on the device.

    • Reads the content of the MMS message.

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Queries information about active data network

    • Queries information about the current Wi-Fi connection

      Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Reads information about phone network operator.

    • Requests changing the default SMS application.

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

MITRE ATT&CK Mobile v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.