xloader_apk | aea805067c8d665ccf75213152d9b0e332ca1bdfaaef5f48a67e11fb932a2ad3

Analysis

max time kernel
149s
max time network
149s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
27/03/2025, 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94b8ba79b4c51fe93ada27e635ce9dcf6b43eaa7b416c59019e69e002a5ea66a.apk
Size

302KB
MD5

2cb8a3fc838677fcd0d1c36cb7786e3e
SHA1

563865892623edffb9ec7210add765edc978c421
SHA256

94b8ba79b4c51fe93ada27e635ce9dcf6b43eaa7b416c59019e69e002a5ea66a
SHA512

a6ecb518997013b0efc1c1b0c8b6a2b041c6f64e000bcbe90a391052c53ea9f3e0d27e301c7ffe7c17b4c71c2a2c23b22c63bfd9f51af815ffca70d2fd7e98b2
SSDEEP

6144:UTKV5yQx4fBj7EVMXyuGq1kpZUDDEsocX/9LI7kUJ/Smtak:UTWodfBjwVcN6eyyFLI7kURfn

Score

10^/10

xloader_apk banker collection defense_evasion discovery evasion infostealer persistence stealth trojan

Malware Config

Extracted

Family

xloader_apk

http://1.171.162.250:33669/user_info_uploader

https://y42wgrsfd.blogspot.com/?m=1

https://y43wrgsdf.blogspot.com/?m=1

https://y4wgres.blogspot.com/?m=1

Attributes

user_agent
Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36

Signatures

XLoader payload 2 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_xloader_apk
behavioral2/files/fstream-1.dat	family_xloader_apk2

XLoader, MoqHao
An Android banker and info stealer.
trojan infostealer banker xloader_apk
Xloader_apk family
xloader_apk

Checks if the Android device is rooted. 1 TTPs 3 IoCs

defense_evasion

System Information Discovery

T1426

ioc	Process
/sbin/su	sjmo.zfzln.phqdw
/system/bin/su	sjmo.zfzln.phqdw
/system/xbin/su	sjmo.zfzln.phqdw

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
5242	sjmo.zfzln.phqdw

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/sjmo.zfzln.phqdw/files/dex	5242	sjmo.zfzln.phqdw
/data/user/0/sjmo.zfzln.phqdw/files/dex	5242	sjmo.zfzln.phqdw

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Reads the content of the MMS message. 1 TTPs 1 IoCs

collection

SMS Messages

T1636.004

description	ioc	Process
URI accessed for read	content://mms/	sjmo.zfzln.phqdw

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	sjmo.zfzln.phqdw

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	sjmo.zfzln.phqdw

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	sjmo.zfzln.phqdw

sjmo.zfzln.phqdw
1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:5242

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Credential Access

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Protected User Data

T1636

SMS Messages

T1636.004

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/sjmo.zfzln.phqdw/files/dex

Filesize
580KB

MD5
9d7d88e7a721b1c45185c71b309006b0

SHA1
5e6fa7b2545d4946dade288f39b4cfa3edcfa69a

SHA256
7d44c15bb0b2e7994022602dfcb042e3dfb3ff513dcaa81bf169282edc1873a9

SHA512
bf2c71a434e761a39b011e103caf94ee4c97740da0da763a75a79c554a3517a94e1967cfec255afb298309bc3dfa4a7c7b12d1d84eee2c91a7c0f6ab32bdc8f0

Download Submit
/data/data/sjmo.zfzln.phqdw/files/oat/dex.cur.prof

Filesize
794B

MD5
83c2b9aae24f3bd44719ec20edce3e46

SHA1
83edcd37dea7bf6835bb2a53ba16084a4c1f3414

SHA256
c165d210589d05855af11733e3afa9befe34f1091755e45860196c653087f680

SHA512
4315200b1f919e9e36fc2da7b0748b385d077174fdbfce11da59c0ac447030a303d5f4cd7211a29f50021d7748c18030f86caa2e56721358bf97d034481fa08b

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads