Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags
    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    05/03/2025, 22:07

General

  • Target

    718af3a23cc0adb29a5cc99d157aac2292276332ddef251d54386a0d002ea38f.apk

  • Size

    164KB

  • MD5

    adffc21186d3b460a66524edcc977381

  • SHA1

    77b3a1a62a21f13e7a635dc889f317665f46aed7

  • SHA256

    718af3a23cc0adb29a5cc99d157aac2292276332ddef251d54386a0d002ea38f

  • SHA512

    d9d2b8768c697d0e77c96598eacb336bec060bf9ade37b5717fbd4f3ec0d156e5596c1b7aa8083fc3c64600fec7a4dd9f3c7dc2421514eceb62073211fb89cdd

  • SSDEEP

    3072:uiJdYGbXP+bvQpVysC+05+CBljUcfhNy5bpfXC0OZOruPjdf2kmFmovi4EHPvW:u6dYGbXOo3SBJ3fhNy5bp6ZO6PwkxD3W

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.226.54:28899

DES_key

Signatures

  • XLoader payload 1 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

  • Xloader_apk family
  • Checks if the Android device is rooted. 1 TTPs 3 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 5 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • qmvanmg.vjstgjoao.yrjfqf.otqgtrxa
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    PID:4213
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/qmvanmg.vjstgjoao.yrjfqf.otqgtrxa/app_picture/1.jpg --output-vdex-fd=46 --oat-fd=47 --oat-location=/data/user/0/qmvanmg.vjstgjoao.yrjfqf.otqgtrxa/app_picture/oat/x86/1.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4239

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/qmvanmg.vjstgjoao.yrjfqf.otqgtrxa/app_picture/1.jpg

    Filesize

    6KB

    MD5

    012abcc9bea34a7d33b4e02d59be3ee9

    SHA1

    9bea2e2d4206b9fa2d91c470b50a8961622b5077

    SHA256

    1f6708f8db9908b61941c8c3ac87b21c22a38dbed1b6c7985e4e0ca6521de609

    SHA512

    2b0bc5c9ff5a40f57684dd0084c511c1b7d4611d419c48e6451735a213d46caf8a153a9d844f368469a6a995a535b1bd80ef55bd0ef29ad6d73a2e2c53a9a45b

  • /data/data/qmvanmg.vjstgjoao.yrjfqf.otqgtrxa/files/b

    Filesize

    300KB

    MD5

    f60877a1602c5eaf2c76739c48fece05

    SHA1

    7a4ca110ca810e1d5b458455f6800d5ffe313dad

    SHA256

    d2e257a9eb736324f1cf91ba4aaf483fea82ee96ce9c499f16b4dab2879c0070

    SHA512

    862a34c8ae8dc16f74c0e4b32ab5210700a7dffd3cdd78d0838db43e52a1cbaf5d1eebfc84ede67bffc5a4c8d0085ed45fca428a086a3aac595986553fb8e8b9

  • /data/data/qmvanmg.vjstgjoao.yrjfqf.otqgtrxa/files/oat/b.cur.prof

    Filesize

    772B

    MD5

    c3307fdef3461d3388117553e964c4f5

    SHA1

    f025758632ee25e963e1bc15d80f2802489de568

    SHA256

    b881b1601f7da1f0d58ae1a6ab194ed61af3871f7853009cd57293a716eb2dcc

    SHA512

    514164f6ab086ce3149a4bfb126fe344ac6b619508ac4befc14cac99b61bf2e1a69526b2248f43c8294ad8aec8cf081c40545fdcceddd42de2c24259a7fa8ec5

  • /data/user/0/qmvanmg.vjstgjoao.yrjfqf.otqgtrxa/app_picture/1.jpg

    Filesize

    6KB

    MD5

    213096b5dd85d3817e885f11aa347c25

    SHA1

    3b24afa943d0c41897ba811195dc1eed3b5e615d

    SHA256

    60388550f048cb03460d0f21bf40339cd2a81a712097968e1be9dfc55611f424

    SHA512

    238fcdc4b92892208c2078d76c033b8e1e2bd561dc41045ede00c1378b4fa5f9ef45042f339954a086991cef18ea7b81daa873aa225a99cdcd3c38aa043bc952

  • /storage/emulated/0/.msg_device_id.txt

    Filesize

    36B

    MD5

    50fc38d78adc7bc67aaa7504f7071e26

    SHA1

    65f57d77fad96faead67a89c55cdc4c5fceec3f8

    SHA256

    dd741d785e4699f55eccf73412f13b444edd0575013f42aa7ffdcca3c186ba86

    SHA512

    6a5b9f05c779c9245bd5d96eaf69cad0f1f91c700169e8270557c17b9149993d8cb4b3a5182bfc0979252fb0e5a50b1d628b1d200b88d76f88d1833ec78e736b