octo

General

Target

1ed2f5ea80c0e5ed8e615a9bd5ad7c864c2139b4d4705c0cc36998e9a0203cb7.bin
Size

541KB
Sample

230903-1wrdsscc71
MD5

996b605512002be8d176b18eeb81e5d7
SHA1

8ec24fedca8e0fc6f4ebb27ecba41404dd462bca
SHA256

1ed2f5ea80c0e5ed8e615a9bd5ad7c864c2139b4d4705c0cc36998e9a0203cb7
SHA512

075ab3889986b151be8009b59df0fe4bb6a5e368327fcce96882e269ebb56ee6dc6f060543326d54dfc52f302aeccadb8f05feeb6e8a215831ecd844f1bcbd33
SSDEEP

12288:IzHy+eInPVB243kQuHl0lYUqpJKZX49iozyJRx8KOi9/Oj:IewB73kQuMYUqp4W38GKOi9c

Score

10^/10

Malware Config

Extracted

Family

octo

C2

https://79.110.62.121/YTFlMzViNjNiNWM3/

https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam7acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://6ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://7ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://8ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://9ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://15yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://25yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://35y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://66ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

AES_key

Targets

- Target
  
  1ed2f5ea80c0e5ed8e615a9bd5ad7c864c2139b4d4705c0cc36998e9a0203cb7.bin
- Size
  
  541KB
- MD5
  
  996b605512002be8d176b18eeb81e5d7
- SHA1
  
  8ec24fedca8e0fc6f4ebb27ecba41404dd462bca
- SHA256
  
  1ed2f5ea80c0e5ed8e615a9bd5ad7c864c2139b4d4705c0cc36998e9a0203cb7
- SHA512
  
  075ab3889986b151be8009b59df0fe4bb6a5e368327fcce96882e269ebb56ee6dc6f060543326d54dfc52f302aeccadb8f05feeb6e8a215831ecd844f1bcbd33
- SSDEEP
  
  12288:IzHy+eInPVB243kQuHl0lYUqpJKZX49iozyJRx8KOi9/Oj:IewB73kQuMYUqp4W38GKOi9c
Score

10^/10

octo banker evasion infostealer ransomware rat stealth trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo payload
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
  banker
- Removes its main activity from the application launcher
  stealth trojan
- Acquires the wake lock.
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
- Reads information about phone network operator.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Removes a system notification.
  evasion
- Uses Crypto APIs (Might try to encrypt user data).
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Octo payload

Makes use of the framework's Accessibility service.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Removes its main activity from the application launcher

Acquires the wake lock.

Loads dropped Dex/Jar

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2