octo

General

Target

4662160d5be3dd7b23547e04cd3cde493270181b00c5753a96f4fa7223e79572.bin
Size

1.4MB
Sample

230828-1w33labc6s
MD5

849658d94aad072a207ae3d40dcb7027
SHA1

b9444c828e6e4137603bec985fb6709e74e965c3
SHA256

4662160d5be3dd7b23547e04cd3cde493270181b00c5753a96f4fa7223e79572
SHA512

1f29e4830b1ec63da4d50e874746e1a28e548a1f3048e178cb1af507d28b0c9cbff833638047ff5a2e9505dcd3018ff1a459f82a0fb600e07031a0d7d0413dc9
SSDEEP

24576:i9Lk/AmN92tAQ88vLwBHVv2CB2akhR6Qf9cGE7XtgZODZH7mqHmfJFMAE4KvASw:bj2tAdggb2akhRFC7XiZGZbmqGBFMAES

Score

10^/10

Malware Config

Extracted

Family

octo

C2

https://29p0jb1nyxmt.biz/MTU2OWE0NzJjNGY5/

https://fmri3i4567ng.biz/MTU2OWE0NzJjNGY5/

https://ahs8a4mz8ehq.online/MTU2OWE0NzJjNGY5/

https://518tudu7579h.xyz/MTU2OWE0NzJjNGY5/

https://4jsi8qj3203u.org/MTU2OWE0NzJjNGY5/

https://4n51yg9firr3.site/MTU2OWE0NzJjNGY5/

https://0eto0mhk6g7b.top/MTU2OWE0NzJjNGY5/

https://icbm5s5oj028.xyz/MTU2OWE0NzJjNGY5/

https://yjf241z0uu75.info/MTU2OWE0NzJjNGY5/

https://wanrflitrnvn.asia/MTU2OWE0NzJjNGY5/

https://tv1ed54je1ws.cc/MTU2OWE0NzJjNGY5/

https://63651iz40cio.biz/MTU2OWE0NzJjNGY5/

AES_key

Targets

- Target
  
  4662160d5be3dd7b23547e04cd3cde493270181b00c5753a96f4fa7223e79572.bin
- Size
  
  1.4MB
- MD5
  
  849658d94aad072a207ae3d40dcb7027
- SHA1
  
  b9444c828e6e4137603bec985fb6709e74e965c3
- SHA256
  
  4662160d5be3dd7b23547e04cd3cde493270181b00c5753a96f4fa7223e79572
- SHA512
  
  1f29e4830b1ec63da4d50e874746e1a28e548a1f3048e178cb1af507d28b0c9cbff833638047ff5a2e9505dcd3018ff1a459f82a0fb600e07031a0d7d0413dc9
- SSDEEP
  
  24576:i9Lk/AmN92tAQ88vLwBHVv2CB2akhR6Qf9cGE7XtgZODZH7mqHmfJFMAE4KvASw:bj2tAdggb2akhRFC7XiZGZbmqGBFMAES
Score

10^/10

octo banker evasion infostealer ransomware rat stealth trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo payload
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
  banker
- Removes its main activity from the application launcher
  stealth trojan
- Acquires the wake lock.
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
- Reads information about phone network operator.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Removes a system notification.
  evasion
- Uses Crypto APIs (Might try to encrypt user data).
  ransomware
behavioral1 behavioral2
- Target
  
  license.html
- Size
  
  30KB
- MD5
  
  a095d4be2768cb6d37f9aa2de90a8a67
- SHA1
  
  2c87de9a26cf1ee17d701c333f088db314b1bce1
- SHA256
  
  30d2be0e050b7f1ec5e390326cefedb6e4a6304f5e2a623d0f7678cb67ff308b
- SHA512
  
  0ec91a396b39029ec6585215e777495d97e72191438ec37d93e203931a1ac79b1a966e201b9b92982439e3d372f82af98a64914647464d30e1f7f3ab8a558998
- SSDEEP
  
  768:/03s/uZ7je9IeMkkEdgC3BOgNMXUgPGaMx6NzJhCgaZpGgPGaxvam:/0c/uZ7je9IeMFIgeOgNMXUg6x6NzJhu
Score

1^/10
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Octo payload

Makes use of the framework's Accessibility service.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Removes its main activity from the application launcher

Acquires the wake lock.

Loads dropped Dex/Jar

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4