octo

General

Target

98c291e2c8a0b2657db43c81f1554ba6068dfa60828c31df274862194d374afd.bin
Size

541KB
Sample

230903-1w8m3scf86
MD5

2e9fd25d4e9531882cd3c2bfaa5a83be
SHA1

034b600ec412f729f4051f7cb790060386c77d35
SHA256

98c291e2c8a0b2657db43c81f1554ba6068dfa60828c31df274862194d374afd
SHA512

4157d9e3800abd8417530ba48aac89ac2c02c99681d098b3b29f1f754bbaedaa65485d873743328263a82ff577ffee92f98623cb61dcc6ce5ce2fe118f5d0f14
SSDEEP

12288:nsJvbTrAOBdF4f3NNuYEY2n1FEEaK3OSKImLBHS/vnvz932baxdkU2StLHaG:sJ7BvQeJB1F3a2Vm9HKV2bVU3D

Score

10^/10

Malware Config

Extracted

Family

octo

C2

https://79.110.62.121/YTFlMzViNjNiNWM3/

https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam7acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://6ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://7ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://8ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://9ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://15yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://25yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://35y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://66ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

AES_key

Targets

- Target
  
  98c291e2c8a0b2657db43c81f1554ba6068dfa60828c31df274862194d374afd.bin
- Size
  
  541KB
- MD5
  
  2e9fd25d4e9531882cd3c2bfaa5a83be
- SHA1
  
  034b600ec412f729f4051f7cb790060386c77d35
- SHA256
  
  98c291e2c8a0b2657db43c81f1554ba6068dfa60828c31df274862194d374afd
- SHA512
  
  4157d9e3800abd8417530ba48aac89ac2c02c99681d098b3b29f1f754bbaedaa65485d873743328263a82ff577ffee92f98623cb61dcc6ce5ce2fe118f5d0f14
- SSDEEP
  
  12288:nsJvbTrAOBdF4f3NNuYEY2n1FEEaK3OSKImLBHS/vnvz932baxdkU2StLHaG:sJ7BvQeJB1F3a2Vm9HKV2bVU3D
Score

10^/10

octo banker evasion infostealer ransomware rat stealth trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo payload
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
  banker
- Removes its main activity from the application launcher
  stealth trojan
- Acquires the wake lock.
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
- Reads information about phone network operator.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Removes a system notification.
  evasion
- Uses Crypto APIs (Might try to encrypt user data).
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Octo payload

Makes use of the framework's Accessibility service.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Removes its main activity from the application launcher

Acquires the wake lock.

Loads dropped Dex/Jar

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2