xloader_apk | cbc15ae53dd8cc7ced297f8dea62243b0629e56612e7dd3a5cdc0a040f957d29

Analysis

max time kernel
149s
max time network
146s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
09-11-2024 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbc15ae53dd8cc7ced297f8dea62243b0629e56612e7dd3a5cdc0a040f957d29.apk
Size

302KB
MD5

bb38d6d62c62d734701a38eec016d27f
SHA1

d8b32eb8de4d9a6312404d2ff4c51880d8e68665
SHA256

cbc15ae53dd8cc7ced297f8dea62243b0629e56612e7dd3a5cdc0a040f957d29
SHA512

c67d89851b40c5a3cee03bc5c320a7bc8fb4fd351b34bb16e36baf95d29812b34c11670991bbb9f7c5840df11f3f8b03ae1c4aab0ddd355e054fc38e3f86ecb2
SSDEEP

6144:mD1UZo+EaDWsclJ/RY8QiVGlKqmbOAWJVogxhNAuSDqnT:mDio+LNqZY8Qi8KqmbO/OgnljnT

Score

10^/10

xloader_apk banker collection discovery evasion infostealer persistence stealth trojan

Malware Config

Signatures

XLoader payload 2 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_xloader_apk
behavioral2/files/fstream-1.dat	family_xloader_apk2

XLoader, MoqHao
An Android banker and info stealer.
trojan infostealer banker xloader_apk
Xloader_apk family
xloader_apk

Checks if the Android device is rooted. 1 TTPs 3 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/sbin/su	hvnf.xtgjt.bsprz
/system/bin/su	hvnf.xtgjt.bsprz
/system/xbin/su	hvnf.xtgjt.bsprz

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
5051	hvnf.xtgjt.bsprz

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/hvnf.xtgjt.bsprz/files/dex	5051	hvnf.xtgjt.bsprz
/data/user/0/hvnf.xtgjt.bsprz/files/dex	5051	hvnf.xtgjt.bsprz

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Reads the content of the MMS message. 1 TTPs 1 IoCs

collection

SMS Messages

T1636.004

description	ioc	Process
URI accessed for read	content://mms/	hvnf.xtgjt.bsprz

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	hvnf.xtgjt.bsprz

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	hvnf.xtgjt.bsprz

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	hvnf.xtgjt.bsprz

hvnf.xtgjt.bsprz
1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:5051

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Credential Access

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Protected User Data

T1636

SMS Messages

T1636.004

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/hvnf.xtgjt.bsprz/files/dex

Filesize
580KB

MD5
f51fa0481451ad4df6c3686f2a41e29a

SHA1
c38c35f5da0921eedeb256986fbd6bb00314ec0e

SHA256
7a60fc73f461b0c1dfb9c9786b44abd00e1c2034440397019a5225631e4679e4

SHA512
af7cbefadd5fce52a10daffb4073154dfab2240616669d3050910eb03a254a6d73932caf5db827fd12d35f217bc79e75524c81b41a7740e050468e37ff96efd9

Download Submit
/data/data/hvnf.xtgjt.bsprz/files/oat/dex.cur.prof

Filesize
798B

MD5
69fb15ae72c5812cac89f6180ae666fa

SHA1
5533eec4c3e9a539e9abed1ce2597e4c9ee9ec6f

SHA256
4010d6227265f7fcf97683a1a93deeaeacc3558ec43378458e7b38eb78c22edc

SHA512
79aef1a42b1708b1986b8dadf5f786144f51a9a918efc7eda852bf8b0f16e8c6f416f41777e705e51ca65237b79726fa986741b77bcab1de5d52c29300e600ee

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads