General

  • Target

    a427bd8c697a0776f06974ab1927a2c31acb30b9159066f4bc1dacbdce51253a.bin

  • Size

    541KB

  • Sample

    230722-s1mx6sbf8v

  • MD5

    4fb1980fa9d8c1d3ed144bd020122143

  • SHA1

    bc0b7eda34203b83f4050e81d1131e542a130c5d

  • SHA256

    a427bd8c697a0776f06974ab1927a2c31acb30b9159066f4bc1dacbdce51253a

  • SHA512

    1fd9818247f7821b15a516ff199607dd55bfef07910c925eabe6dd63e395903ba00b21d2034921ccb24d1a8c562f58592b3ebd1918880c09f8d0d5f3ea5f6b22

  • SSDEEP

    12288:bggw22T5MSVf+xsXfrCPACF3jYitbQUdQgDC4ssIq2FUCZFn/:Ut2cZVfVXfHCF3jYitFQgDC5JfFZn/

Malware Config

Extracted

Family

octo

C2


AES_key

Targets

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo payload

    • Makes use of the framework's Accessibility service.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

    • Acquires the wake lock.

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Reads information about phone network operator.

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Uses Crypto APIs (Might try to encrypt user data).
