General
-
Target
adadea8fd149e0e5e4d5f127e5c9f6abad7f520e5553d3645730e6ef8dbc57d7.bin
-
Size
541KB
-
Sample
230906-1w8cbacc46
-
MD5
8304b0d846e5f7e5d32ea90f8294b99d
-
SHA1
bdbdd44c2084a36a7d410088a63573ef7a55a7ed
-
SHA256
adadea8fd149e0e5e4d5f127e5c9f6abad7f520e5553d3645730e6ef8dbc57d7
-
SHA512
67728d9fceabc50b1ea1de1836623cffa5d87ea8f5ba4130137bd7285870b00918b7f891b4521d91b63803ecd36ceadde6620a231f5787676ab66af26a1dfa58
-
SSDEEP
12288:HEISuqL8tOioLfhet79XuRpkLhfM5Am/1M9UrNF2UdYeyhwGs7ZoKsY:H3pxrEehZuP0hkim/1M9SP2UddUY1
Static task
static1
Behavioral task
behavioral1
Sample
adadea8fd149e0e5e4d5f127e5c9f6abad7f520e5553d3645730e6ef8dbc57d7.apk
Resource
android-x86-arm-20230831-en
Behavioral task
behavioral2
Sample
adadea8fd149e0e5e4d5f127e5c9f6abad7f520e5553d3645730e6ef8dbc57d7.apk
Resource
android-x64-20230831-en
Malware Config
Extracted
octo
https://79.110.62.121/YTFlMzViNjNiNWM3/
https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/
https://5yam7acfirarda22.xyz/YTFlMzViNjNiNWM3/
https://5yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/
https://5yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/
https://5y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/
https://6ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/
https://7ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/
https://8ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/
https://9ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/
https://15yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/
https://25yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/
https://35y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/
https://66ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/
Targets
-
-
Target
adadea8fd149e0e5e4d5f127e5c9f6abad7f520e5553d3645730e6ef8dbc57d7.bin
-
Size
541KB
-
MD5
8304b0d846e5f7e5d32ea90f8294b99d
-
SHA1
bdbdd44c2084a36a7d410088a63573ef7a55a7ed
-
SHA256
adadea8fd149e0e5e4d5f127e5c9f6abad7f520e5553d3645730e6ef8dbc57d7
-
SHA512
67728d9fceabc50b1ea1de1836623cffa5d87ea8f5ba4130137bd7285870b00918b7f891b4521d91b63803ecd36ceadde6620a231f5787676ab66af26a1dfa58
-
SSDEEP
12288:HEISuqL8tOioLfhet79XuRpkLhfM5Am/1M9UrNF2UdYeyhwGs7ZoKsY:H3pxrEehZuP0hkim/1M9SP2UddUY1
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload
-
Makes use of the framework's Accessibility service.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
-
Acquires the wake lock.
-
Loads dropped Dex/Jar
Runs executable file dropped to the device during analysis.
-
Reads information about phone network operator.
-
Requests disabling of battery optimizations (often used to enable hiding in the background).
-
Removes a system notification.
-
Uses Crypto APIs (Might try to encrypt user data).
-