octo | 59f8a393a30d1754e0ba9768aa4eaeeecdb838b79f6374061116a6cf8a0d5fcd | Triage

Sharing

General

Target

59f8a393a30d1754e0ba9768aa4eaeeecdb838b79f6374061116a6cf8a0d5fcd.bin
Size

1.9MB
Sample

230907-1w8cbaee72
MD5

206ef4d8c65e7e826cad668c0b5e122e
SHA1

10b3a7213d90cf8f6ddedee051e0920409f2846a
SHA256

59f8a393a30d1754e0ba9768aa4eaeeecdb838b79f6374061116a6cf8a0d5fcd
SHA512

0a86b368cfc43bc4e12df915d3c44ac6473e6cc25222e481766980e87f4191efb988f27cb0fe221355971703b83bc5999268f0c64b4a4ae650916e9d11cadc73
SSDEEP

49152:DYaRSfALycw1LSlZ9fLp88wNJwFdKZu6BOU3PuDT:DYaR5mOZ9Tp81fLZnBOOG

Score

10^/10

octo android banker evasion infostealer linux ransomware rat stealth trojan

Malware Config

Extracted

Family

octo

C2

https://grpweufnh734bfr3.online/N2Y5ZmU3OTI5ZDky/

https://poewjehfbwery47fr.top/N2Y5ZmU3OTI5ZDky/

https://fcercvv7erwcvnrew.site/N2Y5ZmU3OTI5ZDky/

https://wevmuty56gbfdg.xyz/N2Y5ZmU3OTI5ZDky/

AES_key

Targets

- Target
  
  59f8a393a30d1754e0ba9768aa4eaeeecdb838b79f6374061116a6cf8a0d5fcd.bin
- Size
  
  1.9MB
- MD5
  
  206ef4d8c65e7e826cad668c0b5e122e
- SHA1
  
  10b3a7213d90cf8f6ddedee051e0920409f2846a
- SHA256
  
  59f8a393a30d1754e0ba9768aa4eaeeecdb838b79f6374061116a6cf8a0d5fcd
- SHA512
  
  0a86b368cfc43bc4e12df915d3c44ac6473e6cc25222e481766980e87f4191efb988f27cb0fe221355971703b83bc5999268f0c64b4a4ae650916e9d11cadc73
- SSDEEP
  
  49152:DYaRSfALycw1LSlZ9fLp88wNJwFdKZu6BOU3PuDT:DYaR5mOZ9Tp81fLZnBOOG
Score

10^/10

octo banker evasion infostealer ransomware rat stealth trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo payload
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
  banker
- Removes its main activity from the application launcher
  stealth trojan
- Acquires the wake lock.
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
- Reads information about phone network operator.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Uses Crypto APIs (Might try to encrypt user data).
  ransomware
behavioral1 behavioral2
- Target
  
  libirdevice.so
- Size
  
  21KB
- MD5
  
  745f82a17b483ef489242a9c255135ae
- SHA1
  
  e9fce7b5d02b094b2652d15e115d43ed6877cf9c
- SHA256
  
  2ca264daa7b200dc031f1611f612213228fbad8b3db34256ab2aeece2448da54
- SHA512
  
  e6422f25bbd6dccbbd6e1486382c520f43b9c43fe1746b099dffcf222adfb61860294e29b83d89600518050b2e68fc6b91f17c15a99946bec4738de988622759
- SSDEEP
  
  384:bWzjLTmExbm6OPXd3nYCjcoX5OhKhj6mv6eD:bMTxxbB2QoJOhKhj7v6eD
Score

1^/10
behavioral3 behavioral4 behavioral5 behavioral6
- Target
  
  libmibraindec.so
- Size
  
  133KB
- MD5
  
  5df3a19c1e3da8a47f88365e08298b57
- SHA1
  
  944da917293c272efd5d2b30a8436db65d146c14
- SHA256
  
  78af3ee793a9e0471e7ff8670b32963f2c5ee3070a6191f18d93e306585e4a4d
- SHA512
  
  88c21ed85e50515ecd4ff8ac607c3c92e6d3bd9b9e48890cd47366f44580888d7dff053d689f447bb0fb2142d12855c85f3125e79ba3e495dc5fc88498d9ce8f
- SSDEEP
  
  3072:xLoRXzCQccpIL9D2jaFGVfYQuDmufLQZfoyy:x0X+Q9mL1eaFGVfY5laQyy
Score

1^/10
behavioral10 behavioral7 behavioral8 behavioral9
- Target
  
  libmibrainjni.so
- Size
  
  45KB
- MD5
  
  e29dc8f54a883303e639c5766717e26c
- SHA1
  
  5582e77513981a5035081f0ea9298474e1bbed8e
- SHA256
  
  0719039f275bc36276ae80fe4464ae0bde7c7e4a429cfc4fa416a279abbc3290
- SHA512
  
  4ed83cc4fbb26a16e9cb873885aa86fbc360ca35a198e61458efe1e2aec208cf0c7cb74d7a1d28518aac9b622178d1a6514a6f73540a879fccf75b8b0d0b224f
- SSDEEP
  
  384:4+rLrlp/j8TT/83JZ42miyvdDbC9r/B7EODQwyEqKKzA/a5BmPfTnqqKi:4+rLjQQ3JZ5mHbE9pQwUzJ5IPfTnqti
Score

1^/10
behavioral11 behavioral12 behavioral13 behavioral14
- Target
  
  libmiir.so
- Size
  
  13KB
- MD5
  
  5c57e01e1f628d965a302fc357dca643
- SHA1
  
  8c7cb09ff123e5f66ca0eabbb39550c873aa58ea
- SHA256
  
  bcb2497cfc4dd4428a4413d289a50f754415deb0cb1d42da97bb33cbf6dcc29d
- SHA512
  
  4926b5f3fab0a833f61a185438e71e8a4b326e5665d6315b44ba98b887e665382b6dba3fcc416f6c99b1307c4c8f228e220b41a96b6008d82cd81fc722ad9a9a
- SSDEEP
  
  192:ijv4skT4vbRuCZcvvb26WrGdp5Gkg0I6Nm:ijgskT4vbRgvbLtf8D
Score

1^/10
behavioral15 behavioral16 behavioral17 behavioral18
- Target
  
  libphotocli.so
- Size
  
  21KB
- MD5
  
  bc2a9d47f6e7a05e3fe88396dab7663b
- SHA1
  
  c90bba544fb7f42f0c7de71c0b8a99c6e44dc8f3
- SHA256
  
  63b1ab1a51dabc9aed72457f22b84612816970fff9ea916a445bd841ec7af302
- SHA512
  
  0b6409ca3aa4504a570959ed878cabd70b651cac630782ae622a8b1221b06c476bf8c096b3f9c6d91b420b41d17bb5bb37c8e888f63c532d87f26d618bb880f5
- SSDEEP
  
  192:HAuYgCTqMQl92pHQq/KRrMvLDMoZ/6V7FfJM16xn1+FQVCBdTPixJxXvrvNHO2s8:HA5gCTRQl9lRrMsi/6nZn13ZxlsZJqx
Score

1^/10
behavioral19 behavioral20 behavioral21 behavioral22
- Target
  
  libtruss2.so
- Size
  
  17KB
- MD5
  
  47340da43d382556930b8690b38414cc
- SHA1
  
  ec5cb5b1787ad61f832da55014c8a1454b2009a8
- SHA256
  
  059ed2bb2e2d7ed6e813a999cd3472c5c293a2873b141d8282b5e280d44d5712
- SHA512
  
  89cef8ae2dc69705ca416bb3edfd8d2cc43f7ad766d79aa77dff3ce57d896fd36f10e1c89fd526eed041815234fafc9031054f1bfc8661954aeaf6d87138991e
- SSDEEP
  
  192:NgX0B/9dTDs8tjdtuokj1gLBKmS9bt8LKkyJ4m5XJb8p:Nsa/PvVtjd4okj1WBKZCKcoXg
Score

1^/10
behavioral23 behavioral24 behavioral25 behavioral26

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

octobankerevasioninfostealerransomwareratstealthtrojan

behavioral2

octobankerevasioninfostealerransomwarerattrojan

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26