xloader_apk | aea805067c8d665ccf75213152d9b0e332ca1bdfaaef5f48a67e11fb932a2ad3

General

Target

aea805067c8d665ccf75213152d9b0e332ca1bdfaaef5f48a67e11fb932a2ad3.zip
Size

302KB
Sample

250327-cc4ysawsgz
MD5

bd60f99d82593bc467b509b488f15612
SHA1

c4eddf41aec4a0514ba18fe7ebd6f4b85a5a329a
SHA256

aea805067c8d665ccf75213152d9b0e332ca1bdfaaef5f48a67e11fb932a2ad3
SHA512

2b4b0b04f4acc892ba000c3e36ea857ef0f2188911b2dede82a29cbce662efed002353e6d6b4a6d43065c40bf39b7a52afeee33dd8d3118adc8c0a8c7f0120ec
SSDEEP

6144:4bfDIE2RGohkcvTowSX3+1rwoROUKd8NG7I86RIWkVXNO4NIl+xC/S02e:4bfDIE2RGoCckwSYrwoZKd8AMRgXRG1N

Score

10^/10

Malware Config

Extracted

Family

xloader_apk

C2

http://1.171.162.250:33669/user_info_uploader

https://y42wgrsfd.blogspot.com/?m=1

https://y43wrgsdf.blogspot.com/?m=1

https://y4wgres.blogspot.com/?m=1

Attributes

user_agent
Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36

Targets

- Target
  
  94b8ba79b4c51fe93ada27e635ce9dcf6b43eaa7b416c59019e69e002a5ea66a.apk
- Size
  
  302KB
- MD5
  
  2cb8a3fc838677fcd0d1c36cb7786e3e
- SHA1
  
  563865892623edffb9ec7210add765edc978c421
- SHA256
  
  94b8ba79b4c51fe93ada27e635ce9dcf6b43eaa7b416c59019e69e002a5ea66a
- SHA512
  
  a6ecb518997013b0efc1c1b0c8b6a2b041c6f64e000bcbe90a391052c53ea9f3e0d27e301c7ffe7c17b4c71c2a2c23b22c63bfd9f51af815ffca70d2fd7e98b2
- SSDEEP
  
  6144:UTKV5yQx4fBj7EVMXyuGq1kpZUDDEsocX/9LI7kUJ/Smtak:UTWodfBjwVcN6eyyFLI7kURfn
Score

10^/10

xloader_apk banker collection defense_evasion discovery evasion infostealer persistence stealth trojan impact
- XLoader payload
- XLoader, MoqHao
  An Android banker and info stealer.
  trojan infostealer banker xloader_apk
- Xloader_apk family
  xloader_apk
- Checks if the Android device is rooted.
  defense_evasion
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Reads the content of the MMS message.
  collection
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  defense_evasion persistence
- Requests changing the default SMS application.
  collection impact
behavioral1 behavioral2 behavioral3