xloader_apk | fc26b5da78908ac3e39766351860c821433cd3bc38ea0176d5b2c8dd6caec237

Analysis

max time kernel
149s
max time network
158s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
03-12-2024 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc26b5da78908ac3e39766351860c821433cd3bc38ea0176d5b2c8dd6caec237.apk
Size

283KB
MD5

0f2dd5ce672efe9fb5bdcb549c66439f
SHA1

b1d6f1dd0fe4058fd2e56f8a53a8cfbe3641005e
SHA256

fc26b5da78908ac3e39766351860c821433cd3bc38ea0176d5b2c8dd6caec237
SHA512

1113b1569cd116b962a3dcc2be6667e105e2ad357cce92eff131f4bbc1940812cdd8a3ae0fd9e2cfcbe84c5895fe619e8b4d1b0179e60dbb849b88cef24f9c58
SSDEEP

6144:jCmLeJkqEVBRl7u/ISQOhRmUoVsU5y5GTcwFLXzl5T:jVeJkq2BReQOhc35MGTcwb5T

Score

10^/10

xloader_apk banker collection discovery evasion infostealer persistence stealth trojan

Malware Config

Signatures

XLoader payload 1 IoCs

resource	yara_rule
behavioral1/memory/4449-0.dex	family_xloader_apk2

XLoader, MoqHao
An Android banker and info stealer.
trojan infostealer banker xloader_apk
Xloader_apk family
xloader_apk

Checks if the Android device is rooted. 1 TTPs 1 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/system/bin/su	lerkua.zaxsy.jhtp.iqofrz

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4449	lerkua.zaxsy.jhtp.iqofrz

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/lerkua.zaxsy.jhtp.iqofrz/files/b	4449	lerkua.zaxsy.jhtp.iqofrz
/data/user/0/lerkua.zaxsy.jhtp.iqofrz/files/b	4449	lerkua.zaxsy.jhtp.iqofrz

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Reads the content of the MMS message. 1 TTPs 1 IoCs

collection

SMS Messages

T1636.004

description	ioc	Process
URI accessed for read	content://mms/	lerkua.zaxsy.jhtp.iqofrz

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	lerkua.zaxsy.jhtp.iqofrz

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	lerkua.zaxsy.jhtp.iqofrz

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	lerkua.zaxsy.jhtp.iqofrz

lerkua.zaxsy.jhtp.iqofrz
1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4449

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Credential Access

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Protected User Data

T1636

SMS Messages

T1636.004

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/lerkua.zaxsy.jhtp.iqofrz/files/b

Filesize
505KB

MD5
459917fd4e058cb60c30622af684e7dc

SHA1
7f28399b39fa78e4e3e1bcb78fd6bccbd7fd98e6

SHA256
1dbc00bbad6f4c931082537314646ef5da4ef0a9a594f1b071cf480c002837b3

SHA512
bcae7396f84826351a3544b441837f9da4a22a74a68efd971bb599233cc84fb88ca829ce90630af878c5118844b07f2c739f5ccc24f4653ab990ee6a38d9774e

Download Submit
/data/user/0/lerkua.zaxsy.jhtp.iqofrz/files/oat/b.cur.prof

Filesize
768B

MD5
8c31cdac095eaeda0d22d58b0783c770

SHA1
ab3eb59fc6993ea9a7d9f742b9e15c24edb85eb3

SHA256
514f71b699affd24520681a62faf289b7d5a3bc73d6540931abefa0dd00ada17

SHA512
5e904a9363e493325f52f188ec50971761a407aa4ff13c5a2fa627fe9e935e92d3d4a49ae992fce6aec609f86c2bc0fb03de1a948e675f414f162506b4f76207

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads