Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

6

febb1e8d2d...98.apk

android-10-x64

febb1e8d2d...98.apk

android-9-x86

10

Resubmissions

28/02/2025, 06:13 UTC

250228-gy5jnatqs6 10

28/02/2025, 06:09 UTC

250228-gwrvsatpx2 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    febb1e8d2d85567e8cca1e28ad6f6ccb0f3780456af8b330ca365fa36bdb6998.apk

  • Size

    164KB

  • Sample

    250228-gwrvsatpx2

  • MD5

    902d27bad3c9c892c4722528c8cff0ca

  • SHA1

    e1248a91d6161f64661ced66f902364fd1c6a0cb

  • SHA256

    febb1e8d2d85567e8cca1e28ad6f6ccb0f3780456af8b330ca365fa36bdb6998

  • SHA512

    7b52784263e7441291fcefa56938b93de48ad6dcb47afc11fa5f1f3601d66a2a131ec3ace7015f50ad3b954beb36ce24cb9a6ca0987f64bba4b43618adf94c32

  • SSDEEP

    3072:Gfy7lXnqr+MFchH62h60RYxPhqnUYF//+x7g/PQsJ3s:Gfy7lXnqr+2SthAxPhqnUYOIPQKs

Score
10/10
xloader_apkandroidbankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

xloader_apk

C2

https://m.vk.com/id730148259?act=info

https://m.vk.com/id730149630?act=info
Attributes
  • user_agent

    Mozilla/5.0 (Linux; Android 8.0.0; SM-G955U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Mobile Safari/537.36 Edg/112.0.0.0

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36

Extracted

Family

xloader_apk

C2

http://91.204.226.54:28899

DES_key
1
4162356431513332

Targets

    • Target

      febb1e8d2d85567e8cca1e28ad6f6ccb0f3780456af8b330ca365fa36bdb6998.apk

    • Size

      164KB

    • MD5

      902d27bad3c9c892c4722528c8cff0ca

    • SHA1

      e1248a91d6161f64661ced66f902364fd1c6a0cb

    • SHA256

      febb1e8d2d85567e8cca1e28ad6f6ccb0f3780456af8b330ca365fa36bdb6998

    • SHA512

      7b52784263e7441291fcefa56938b93de48ad6dcb47afc11fa5f1f3601d66a2a131ec3ace7015f50ad3b954beb36ce24cb9a6ca0987f64bba4b43618adf94c32

    • SSDEEP

      3072:Gfy7lXnqr+MFchH62h60RYxPhqnUYF//+x7g/PQsJ3s:Gfy7lXnqr+2SthAxPhqnUYOIPQKs

    Score
    10/10
    xloader_apkbankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistencestealthtrojan

    • XLoader payload

    • XLoader, MoqHao

      An Android banker and info stealer.

      trojaninfostealerbankerxloader_apk

    • Xloader_apk family

      xloader_apk

    • Checks if the Android device is rooted.

      defense_evasion

    • Removes its main activity from the application launcher

      stealthtrojanevasion

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

      bankerdiscovery

    • Queries account information for other applications stored on the device

      Application may abuse the framework's APIs to collect account information stored on the device.

      collection

    • Queries the phone number (MSISDN for GSM devices)

      discovery

    • Reads the content of the MMS message.

      collection

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

      defense_evasionpersistence

    • Reads information about phone network operator.

      discovery

    • Requests accessing notifications (often used to intercept notifications before users become aware).

      collectioncredential_access

    • Requests changing the default SMS application.

      collectionimpact

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

      defense_evasion
    behavioral1behavioral2

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Virtualization/Sandbox Evasion

1
T1633

System Checks

1
T1633.001

Credential Access

Access Notifications

1
T1517

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

2
T1422

Lateral Movement

Collection

Access Notifications

1
T1517

Protected User Data

2
T1636

SMS Messages

2
T1636.004

Stored Application Data

1
T1409

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

SMS Control

1
T1582

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.