octo

General

Target

103ec406cec2e4408aceb4da267363390dd3e849f2a140b32b00e4d378040d91.bin
Size

541KB
Sample

230828-1xdt4agc62
MD5

56c734b6072f85b13cad7094ad265f4b
SHA1

b4e30de0c087bf6c10de440f233e92320d0e526f
SHA256

103ec406cec2e4408aceb4da267363390dd3e849f2a140b32b00e4d378040d91
SHA512

611421b29dffb2d657b9e672cb79fd2d62f300195f615e045e2901c79cfd6e0e4982622407b0f9d15101472dc6c1e655faf04cdc73a1f866ff7f8b7b1775255d
SSDEEP

12288:CHBM13dFvVhF7+Ky2QUlUMvle3j1jI+MM2LSX0qcdet53l+3d4rS:CH6FPv/9+KXQUlw1M5Mis0Ddet5UX

Score

10^/10

Malware Config

Extracted

Family

octo

C2

https://176.111.174.151/Y2NlMmYyMmYwMGI5/

https://ghost23241312.xyz/Y2NlMmYyMmYwMGI5/

https://ghost232412512.xyz/Y2NlMmYyMmYwMGI5/

https://ghost232412312.xyz/Y2NlMmYyMmYwMGI5/

https://epinciifirarda227.xyz/Y2NlMmYyMmYwMGI5/

https://epinciifirarda27.xyz/Y2NlMmYyMmYwMGI5/

https://epinciifirarda237.xyz/Y2NlMmYyMmYwMGI5/

https://epi2nciifirarda227.xyz/Y2NlMmYyMmYwMGI5/

https://epi3nciifirarda27.xyz/Y2NlMmYyMmYwMGI5/

https://epi5nciifirarda237.xyz/Y2NlMmYyMmYwMGI5/

https://idriskocovali1900.net/Y2NlMmYyMmYwMGI5/

https://idriskocovali1784.net/Y2NlMmYyMmYwMGI5/

https://idriskocovali9651.net/Y2NlMmYyMmYwMGI5/

https://idriskocovali258.net/Y2NlMmYyMmYwMGI5/

https://idriskocovali147.net/Y2NlMmYyMmYwMGI5/

AES_key

Targets

- Target
  
  103ec406cec2e4408aceb4da267363390dd3e849f2a140b32b00e4d378040d91.bin
- Size
  
  541KB
- MD5
  
  56c734b6072f85b13cad7094ad265f4b
- SHA1
  
  b4e30de0c087bf6c10de440f233e92320d0e526f
- SHA256
  
  103ec406cec2e4408aceb4da267363390dd3e849f2a140b32b00e4d378040d91
- SHA512
  
  611421b29dffb2d657b9e672cb79fd2d62f300195f615e045e2901c79cfd6e0e4982622407b0f9d15101472dc6c1e655faf04cdc73a1f866ff7f8b7b1775255d
- SSDEEP
  
  12288:CHBM13dFvVhF7+Ky2QUlUMvle3j1jI+MM2LSX0qcdet53l+3d4rS:CH6FPv/9+KXQUlw1M5Mis0Ddet5UX
Score

10^/10

octo banker evasion infostealer ransomware rat stealth trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo payload
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
  banker
- Removes its main activity from the application launcher
  stealth trojan
- Acquires the wake lock.
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
- Reads information about phone network operator.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Removes a system notification.
  evasion
- Uses Crypto APIs (Might try to encrypt user data).
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Octo payload

Makes use of the framework's Accessibility service.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Removes its main activity from the application launcher

Acquires the wake lock.

Loads dropped Dex/Jar

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2