xloader_apk | c9fe8087dcba9abe891741205dd96fd80876672c14fde35ee7cc6c2898c3c82e

General

Target

c9fe8087dcba9abe891741205dd96fd80876672c14fde35ee7cc6c2898c3c82e.bin
Size

307KB
Sample

250105-1z13eazkhp
MD5

a6102bf8ce06c07378f0b34161025457
SHA1

e98651ff2f56b55b6c5e87bda77ae7f1535bb6b2
SHA256

c9fe8087dcba9abe891741205dd96fd80876672c14fde35ee7cc6c2898c3c82e
SHA512

338994e52b3c43135711fc8c2b8442d61f5d427ce9eed53faba3fe47bf3da0bda5e8aef5fdd7475f5120f2d072e3ae9539cc7d56e43daf661ef4495a7e7ba41f
SSDEEP

6144:Ui5hNwK+nbbsuVWlVZV8Q15Ptk1mqNscZlCbeVyxCGKFh+KZ:Ui5huKebrVWTT8Q1R/qKxhj8

Score

10^/10

Malware Config

Extracted

Family

xloader_apk

C2

http://1.171.162.250:33669/user_info_uploader

https://docs.google.com/document/d/1s0n64k12_r9MglT5m9lr63M5F3e-xRyaMeYP7rdOTrA/mobilebasic

Attributes

user_agent
Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36

Targets

- Target
  
  c9fe8087dcba9abe891741205dd96fd80876672c14fde35ee7cc6c2898c3c82e.bin
- Size
  
  307KB
- MD5
  
  a6102bf8ce06c07378f0b34161025457
- SHA1
  
  e98651ff2f56b55b6c5e87bda77ae7f1535bb6b2
- SHA256
  
  c9fe8087dcba9abe891741205dd96fd80876672c14fde35ee7cc6c2898c3c82e
- SHA512
  
  338994e52b3c43135711fc8c2b8442d61f5d427ce9eed53faba3fe47bf3da0bda5e8aef5fdd7475f5120f2d072e3ae9539cc7d56e43daf661ef4495a7e7ba41f
- SSDEEP
  
  6144:Ui5hNwK+nbbsuVWlVZV8Q15Ptk1mqNscZlCbeVyxCGKFh+KZ:Ui5huKebrVWTT8Q1R/qKxhj8
Score

10^/10

xloader_apk banker collection defense_evasion discovery evasion impact infostealer persistence stealth trojan
- XLoader payload
- XLoader, MoqHao
  An Android banker and info stealer.
  trojan infostealer banker xloader_apk
- Xloader_apk family
  xloader_apk
- Checks if the Android device is rooted.
  defense_evasion
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Reads the content of the MMS message.
  collection
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  defense_evasion persistence
- Requests changing the default SMS application.
  collection impact
behavioral1 behavioral2 behavioral3