xloader_apk | 1e70ee62b6d81016dca716f8e481a8e9c926ad379b858bba2cdf6a24eebd08e4

General

Target

1e70ee62b6d81016dca716f8e481a8e9c926ad379b858bba2cdf6a24eebd08e4.bin
Size

208KB
Sample

250121-hmwm2s1pfn
MD5

840738950a27bc20212b3c340c57ed3c
SHA1

0cc50b40a25caea53bed0768fe8b215cb693e83f
SHA256

1e70ee62b6d81016dca716f8e481a8e9c926ad379b858bba2cdf6a24eebd08e4
SHA512

fc2373214d4787feeaf035081b4e6644735b9a243756876194d496a7866bd40a8f713fdf6fcbf957d59c7eaaa30feb0d0fd9c63de65c8f5d1c56aa2c530fdb44
SSDEEP

3072:M7J7MNYAY/5L3JvcislvA7UuDKdh9SO/pxe8RVlTyKIVxiBxv4r0G77/U5lDh:29AY/xZE5Aw7So/eWkxc40xh

Score

10^/10

Malware Config

Extracted

Family

xloader_apk

C2

https://www.blogger.com/profile/00923906685492659914

https://www.blogger.com/profile/05266480135863770247

https://www.blogger.com/profile/10167018452592752091

Attributes

user_agent
Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36

Targets

- Target
  
  1e70ee62b6d81016dca716f8e481a8e9c926ad379b858bba2cdf6a24eebd08e4.bin
- Size
  
  208KB
- MD5
  
  840738950a27bc20212b3c340c57ed3c
- SHA1
  
  0cc50b40a25caea53bed0768fe8b215cb693e83f
- SHA256
  
  1e70ee62b6d81016dca716f8e481a8e9c926ad379b858bba2cdf6a24eebd08e4
- SHA512
  
  fc2373214d4787feeaf035081b4e6644735b9a243756876194d496a7866bd40a8f713fdf6fcbf957d59c7eaaa30feb0d0fd9c63de65c8f5d1c56aa2c530fdb44
- SSDEEP
  
  3072:M7J7MNYAY/5L3JvcislvA7UuDKdh9SO/pxe8RVlTyKIVxiBxv4r0G77/U5lDh:29AY/xZE5Aw7So/eWkxc40xh
Score

10^/10

xloader_apk banker collection defense_evasion discovery evasion impact infostealer persistence stealth trojan
- XLoader payload
- XLoader, MoqHao
  An Android banker and info stealer.
  trojan infostealer banker xloader_apk
- Xloader_apk family
  xloader_apk
- Checks if the Android device is rooted.
  defense_evasion
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Reads the content of the MMS message.
  collection
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  defense_evasion persistence
- Requests changing the default SMS application.
  collection impact
behavioral1 behavioral2 behavioral3 behavioral4