General

  • Target

    0fd16e91ce30d696f7a875c51e8203a644fe4e8262901179f9ab0f5bfc3afd68.bin

  • Size

    541KB

  • Sample

    230722-s1396abc59

  • MD5

    52bffc6ee57dc05127b0ff5fa0b271b2

  • SHA1

    49529bfddbbafc73bfaf63d9e034dd339fbdaba6

  • SHA256

    0fd16e91ce30d696f7a875c51e8203a644fe4e8262901179f9ab0f5bfc3afd68

  • SHA512

    de7867b4ab6061cdee6d80eabf1aa5d08a552cf8ba0cca2703e9c57f92a21eaddb8b87a7d144ec73843d5c493f493ca5a1c8c4e2ece60d5ebce83b43406c0516

  • SSDEEP

    12288:07t9/9bc8U/4AtkMfABsVP2vPDd53+mEb8dIgbni:C9/JLAtk9BoP2vrdR+n8dIUni

Malware Config

Extracted

Family

octo

C2

AES_key

Targets

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo payload

    • Makes use of the framework's Accessibility service.

    • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps).

    • Acquires the wake lock.

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Reads information about phone network operator.

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Uses Crypto APIs (might try to encrypt user data).
