Overview

overview

10

Static

static

6

49fe54988c...c9.apk

android-9-x86

10

Resubmissions

16-12-2024 22:36

241216-2h95essrgn 10

16-12-2024 22:35

241216-2hv1haske1 10

12-12-2024 22:08

241212-118hwaypgt 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    49fe54988c981d54448e9063a9cf867eced8a34ec0e13f94263e5a6d508cc4c9.bin

  • Size

    260KB

  • Sample

    241212-118hwaypgt

  • MD5

    01b53f573b3fa9455ca93328836cae44

  • SHA1

    d94f0b8e269650d8642a8bfdcc3a7aff3e5d688e

  • SHA256

    49fe54988c981d54448e9063a9cf867eced8a34ec0e13f94263e5a6d508cc4c9

  • SHA512

    a72ff73a1ddc5b01f8022d14c13ea961b4c1599f89ff9b1bdcaa6701e6a145d4a6a1d6e74d6bc3c97a6b07cf0b89d6afbd680f582a586cd1f08cad0888b13165

  • SSDEEP

    6144:Jb7PcyO2onwwr3w+4m+qRFfJtl9rrAJEzrwdaj/ea:x7PZ3wrwERFTHI2wMZ

Score
10/10
xloader_apkandroidbankercollectiondiscoveryevasionimpactinfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.226.54:28899

DES_key

Targets

    • Target

      49fe54988c981d54448e9063a9cf867eced8a34ec0e13f94263e5a6d508cc4c9.bin

    • Size

      260KB

    • MD5

      01b53f573b3fa9455ca93328836cae44

    • SHA1

      d94f0b8e269650d8642a8bfdcc3a7aff3e5d688e

    • SHA256

      49fe54988c981d54448e9063a9cf867eced8a34ec0e13f94263e5a6d508cc4c9

    • SHA512

      a72ff73a1ddc5b01f8022d14c13ea961b4c1599f89ff9b1bdcaa6701e6a145d4a6a1d6e74d6bc3c97a6b07cf0b89d6afbd680f582a586cd1f08cad0888b13165

    • SSDEEP

      6144:Jb7PcyO2onwwr3w+4m+qRFfJtl9rrAJEzrwdaj/ea:x7PZ3wrwERFTHI2wMZ

    Score
    10/10
    xloader_apkbankercollectiondiscoveryevasionimpactinfostealerpersistencestealthtrojan

    • XLoader payload

    • XLoader, MoqHao

      An Android banker and info stealer.

      trojaninfostealerbankerxloader_apk

    • Xloader_apk family

      xloader_apk

    • Checks if the Android device is rooted.

      evasion

    • Removes its main activity from the application launcher

      stealthtrojanevasion

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

      bankerdiscovery

    • Queries account information for other applications stored on the device

      Application may abuse the framework's APIs to collect account information stored on the device.

      collection

    • Queries the phone number (MSISDN for GSM devices)

      discovery

    • Reads the content of the MMS message.

      collection

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

      evasionpersistence

    • Queries information about active data network

      discovery

    • Queries information about the current Wi-Fi connection

      Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

      discovery

    • Reads information about phone network operator.

      discovery

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

      evasion
    behavioral1

MITRE ATT&CK Mobile v15

Tasks