octo

General

Target

371a2fca3dd65de1912c2268c301bf28326a806257807b6bd3202f7e5a41c48f.bin
Size

541KB
Sample

230911-1xgkzsbc6t
MD5

c634d708b3ce7a7e460da9d41525be00
SHA1

8bc9ef7bae7d846c7c0c3479703980d7b056e349
SHA256

371a2fca3dd65de1912c2268c301bf28326a806257807b6bd3202f7e5a41c48f
SHA512

0ba47d74cef1de835c1b69feed56e294dcd882e300d05ad939ce4b4e453c5a31abd02b59f2eea45f8b7efe9b22b4582874df3a6aa097b46b78bda25a16c27bf5
SSDEEP

12288:gXgwLZWgshwFRCj2WYIBG0/bcl+YGSwy0ZSy:gVLZbNFRCjgI40iCn/

Score

10^/10

Malware Config

Extracted

Family

octo

C2

https://79.110.62.118/YTFlMzViNjNiNWM3/

https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam7acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://6ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://7ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://8ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://9ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://15yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://25yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://35y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://66ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

AES_key

Targets

- Target
  
  371a2fca3dd65de1912c2268c301bf28326a806257807b6bd3202f7e5a41c48f.bin
- Size
  
  541KB
- MD5
  
  c634d708b3ce7a7e460da9d41525be00
- SHA1
  
  8bc9ef7bae7d846c7c0c3479703980d7b056e349
- SHA256
  
  371a2fca3dd65de1912c2268c301bf28326a806257807b6bd3202f7e5a41c48f
- SHA512
  
  0ba47d74cef1de835c1b69feed56e294dcd882e300d05ad939ce4b4e453c5a31abd02b59f2eea45f8b7efe9b22b4582874df3a6aa097b46b78bda25a16c27bf5
- SSDEEP
  
  12288:gXgwLZWgshwFRCj2WYIBG0/bcl+YGSwy0ZSy:gVLZbNFRCjgI40iCn/
Score

10^/10

octo banker evasion infostealer ransomware rat stealth trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo payload
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
  banker
- Removes its main activity from the application launcher
  stealth trojan
- Acquires the wake lock.
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
- Reads information about phone network operator.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Removes a system notification.
  evasion
- Uses Crypto APIs (Might try to encrypt user data).
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Octo payload

Makes use of the framework's Accessibility service.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Removes its main activity from the application launcher

Acquires the wake lock.

Loads dropped Dex/Jar

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2