Edit tour
Android
Analysis Report
Vezmhoup7U
Overview
General Information
| Sample Name: | Vezmhoup7U |
| Analysis ID: | 1315840 |
| MD5: | e4e0ad27227e83a4e0536a6b5c05cf30 |
| SHA1: | 7901d85f316d293da81b8114b0523033d65d6b85 |
| SHA256: | 259e88f593a3df5cf14924eec084d904877953c4a78ed4a2bc9660a2eaabb20b |
| Infos: | |
 | |
Detection
Xenomorph
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Detected Xenomorph
Antivirus / Scanner detection for submitted sample
Loads a dropped dex file via MultiDexApplication
Removes its application launcher (likely to stay hidden)
Tries to disable the administrator user
Drops a new dex file
Found potential keylogger
Kills background processes
Checks if app is currently debugged
Checks if taint analysis is available
Uses accessibility services (likely to control other applications)
Checks if a SIM card is installed
Queries list of running processes/tasks
Queries media storage location field
Tries to detect QEMU emulator
Queries the SIM provider name (SPN - Service Provider Name)
Obfuscates method names
Has permission to read the SMS storage
Installs a new wake lock (to get activate on phone screen on)
Found suspicious command strings (may be related to BOT commands)
Monitors incoming SMS
Sends SMS using SmsManager
Checks an internet connection is available
Queries list of installed packages
Found very long method strings
Checks if phone is rooted (checks for su binary)
Creates SMS data (e.g. PDU)
Requests potentially dangerous permissions
Requests root access
Potential date aware sample found
Has permission to perform phone calls in the background
May take a camera picture
Queries the phones location (GPS)
Opens an internet connection
Queries the network operator name
May access the Android keyguard (lock screen)
Aborts a broadcast event (this is often done to hide phone events such as incoming SMS)
Has permission to receive SMS in the background
Lists and deletes files in the same context
Queries a list of installed applications
Uses DownloadManager to fetch additional components
Queries the network operator ISO country code
Detected TCP or UDP traffic on non-standard ports
Has functionality to send UDP packets
Has permission to draw over other applications or user interfaces
Queries the unqiue device ID (IMEI, MEID or ESN)
Accesses /proc
Has permission to read the phones state (phone number, device IDs, active call ect.)
Queries the SIM provider ISO country code
Might use exploit to break dedexer tools
Accesses android OS build fields
Executes native commands
Reads boot loader settings of the device
Checks if the device administrator is active
Performs DNS lookups (Java API)
Queries the network operator numeric MCC+MNC (mobile country code + mobile network code)
Queries several sensitive phone informations
Has permission to send SMS in the background
Checks CPU details
Queries the unique operating system id (ANDROID_ID)
Has permission to terminate background processes of other applications
Sets an intent to the APK data type (used to install other APKs)
Has permission to execute code after phone reboot
Uses reflection
Classification
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Xenomorph | Xenomorph is a Android Banking RAT developed by the Hadoken.Security actor. | No Attribution |
⊘No yara matches
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Avira: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | Code Location: | ||
| Source: | Method string: | ||
| Source: | Method string: | ||
| Source: | Method string: | ||
| Source: | Method string: | ||
| Source: | Method string: | ||
| Source: | API Call: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | TCP traffic: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | API Call: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTP traffic detected: | ||