Malware Analysis Report

2025-01-19 04:58

Sample ID 241126-1x42aasjdw
Target 39eca00859380f5da1b0a3299db4896eec826d1f35356ba671da41618b946e99.bin
SHA256 39eca00859380f5da1b0a3299db4896eec826d1f35356ba671da41618b946e99
Tags
xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

39eca00859380f5da1b0a3299db4896eec826d1f35356ba671da41618b946e99

Threat Level: Known bad

The file 39eca00859380f5da1b0a3299db4896eec826d1f35356ba671da41618b946e99.bin was found to be: Known bad.

Malicious Activity Summary

xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan

XLoader payload

Xloader_apk family

XLoader, MoqHao

Removes its main activity from the application launcher

Checks if the Android device is rooted.

Reads the content of the MMS message.

Queries the phone number (MSISDN for GSM devices)

Queries account information for other applications stored on the device

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Makes use of the framework's foreground persistence service

Reads information about phone network operator.

Requests dangerous framework permissions

Attempts to obfuscate APK file format

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Acquires the wake lock

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-26 22:02

Signatures

Attempts to obfuscate APK file format

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application broad access to external storage under scoped storage. android.permission.MANAGE_EXTERNAL_STORAGE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-26 22:02

Reported

2024-11-26 22:05

Platform

android-x86-arm-20240910-en

Max time kernel

149s

Max time network

150s

Command Line

yblsjrk.fsxerdbrl.mflcgh.cpllgojz

Signatures

XLoader payload

Description Indicator Process Target
N/A N/A N/A N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Xloader_apk family

xloader_apk

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A
N/A /system/xbin/su N/A N/A
N/A /sbin/su N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/yblsjrk.fsxerdbrl.mflcgh.cpllgojz/app_picture/1.jpg N/A N/A
N/A /data/user/0/yblsjrk.fsxerdbrl.mflcgh.cpllgojz/files/b N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccounts N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description Indicator Process Target
URI accessed for read content://mms/ N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

yblsjrk.fsxerdbrl.mflcgh.cpllgojz

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/yblsjrk.fsxerdbrl.mflcgh.cpllgojz/app_picture/1.jpg --output-vdex-fd=46 --oat-fd=47 --oat-location=/data/user/0/yblsjrk.fsxerdbrl.mflcgh.cpllgojz/app_picture/oat/x86/1.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 m.vk.com udp
RU 87.240.129.133:443 m.vk.com tcp
KR 91.204.226.54:28899 tcp
GB 172.217.16.238:443 tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp

Files

/data/data/yblsjrk.fsxerdbrl.mflcgh.cpllgojz/app_picture/1.jpg

MD5 281a4225cadef912b272056ae0c01ee0
SHA1 b10143b9a3dd9160a3de6e72c80654365d810729
SHA256 bb663f2bc4f2cc1efd8c7c9eadab9f1dc65c5fa5ceab3be6565514287ccc1753
SHA512 543410d7b39a63d600f4aff5a6340f1236f872cc360fd547faa443325b87d0181da6f307f30fc6dbce4f893871691fc808a62f282f29ad551b75d0901ed4c265

/data/user/0/yblsjrk.fsxerdbrl.mflcgh.cpllgojz/app_picture/1.jpg

MD5 9289c478a89f56428c9cc7d4e5e02997
SHA1 b61b8968f67ca0de7084bdfaf678e83974965481
SHA256 eefdc7a70b9f16916532604d011305d283ccff32740df2b0290daef5371690ba
SHA512 603687ffbb654f952d7c6bae1f77cf9e1f509b0b99ecbea05da7c6b71576788e34f631c706a91a762ec215e97834fb7d74c3a0301f1a114db94a3e6a2140c5e2

/data/data/yblsjrk.fsxerdbrl.mflcgh.cpllgojz/files/b

MD5 3e04a3b314779ab7b515b04648084b64
SHA1 4b76a4fb951eb54b6c8593f50f4b7cc58b2997f1
SHA256 d24fc9979ea6d5e9a278ac59c422f3b189adbe5671a3be0f8e44c52a50af78b7
SHA512 cc87dbada39c5c2396c105d0a7dc9351ef70621261f5a892ecee526b4eac769e721f97ec1913f37dc092d46393c0f6a5d75dfb43fdcb6270236fa8a633ffe984

/storage/emulated/0/.msg_device_id.txt

MD5 fa8a3db748cac3c6da27c2bc6ed4f21b
SHA1 f57364a7fca0e2cee9f279fc000b55001ce58c58
SHA256 f2f47f59b2131a0d6761087ac5da103567d6bb4553b522bf19a5a656f702150d
SHA512 cf00118f75e0753defb2691e3fb6d69786d409bcca2c6164b68384b59f2daa9e264a7cf1570719021fc467204c8710e6cdc5124aca97e1db71710db8c679f3e6

/data/data/yblsjrk.fsxerdbrl.mflcgh.cpllgojz/files/oat/b.cur.prof

MD5 c0052b7e9ec3b9d5b89886ad1c599802
SHA1 95bb98319eb455836b318b96a7fa85ba0e1511ce
SHA256 84fc19a1a5b243435c637425f2901da5e902845798d69d2716030c204b46a561
SHA512 e7d21ae843f42c1ae76652f7400bc176f936d51b92ab9f49f9c069d9d5d7b1e8562aa49bd5b8c3b7cbb9d905e4b3af4605ebc3198ffcd34fd0fb4515e46c07d7

/data/data/yblsjrk.fsxerdbrl.mflcgh.cpllgojz/files/oat/b.cur.prof

MD5 c8e757f6f5399c41b4b2760b30e23333
SHA1 efb0118a21df0f2c8d77567c9f17053ddb3bd3b7
SHA256 92183a01708c6f35cb3f78e04c10ec7a44a6023903de76adf6eaafbf377d390d
SHA512 8d33b12f960bd197930a2b8acbe7a21352346b2924d57aedbf3830cdb75c9d095209b41d2a368f5a3bb6ffc79e29c554a44e372b230f6ac2c1879802ed3adf9c

/data/data/yblsjrk.fsxerdbrl.mflcgh.cpllgojz/files/oat/b.cur.prof

MD5 2442199439ba66562cb5dd64907a5f64
SHA1 c954565f543814b466e3b5a9e6d4734b392e4fbf
SHA256 1b97c39858111ed7513b644a8ec7a87c8044ba1a91500632aa54f24befd7784b
SHA512 f9648e832774f0c4ba58b467516c9f6325ce4a6687338254c2baa0f9d6a55cfd83dd4443f3055da9723dd424484cfc592dc913ec79a6d6196105770f41e7858e