octo

General

Target

05aaa2964513b270063a89da52cb9ec4f7e96000979731f712983d2864769739.bin
Size

541KB
Sample

230911-1ybfcsbc7s
MD5

e90e18e21599aaf2da460ffe2010be46
SHA1

61fc862f08e8ce7b502a799a3ce51d4bee959734
SHA256

05aaa2964513b270063a89da52cb9ec4f7e96000979731f712983d2864769739
SHA512

cd24f2b770c5de4b1121aac538f21a58d9c45c8fe932b2348cb8fe2947d650d800a4a1d1b556664f7ae1e6e54a72035b38ee5608b6d564c40de00aafcb7e31a1
SSDEEP

12288:/tKQdBw42FeE9dy1vq+X9bbSGJ7spLN8uAqb:lKQkIsHOFSGupx8uT

Score

10^/10

Malware Config

Extracted

Family

octo

C2

https://79.110.62.118/YTFlMzViNjNiNWM3/

https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam7acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://6ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://7ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://8ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://9ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://15yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://25yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://35y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://66ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

AES_key

Targets

- Target
  
  05aaa2964513b270063a89da52cb9ec4f7e96000979731f712983d2864769739.bin
- Size
  
  541KB
- MD5
  
  e90e18e21599aaf2da460ffe2010be46
- SHA1
  
  61fc862f08e8ce7b502a799a3ce51d4bee959734
- SHA256
  
  05aaa2964513b270063a89da52cb9ec4f7e96000979731f712983d2864769739
- SHA512
  
  cd24f2b770c5de4b1121aac538f21a58d9c45c8fe932b2348cb8fe2947d650d800a4a1d1b556664f7ae1e6e54a72035b38ee5608b6d564c40de00aafcb7e31a1
- SSDEEP
  
  12288:/tKQdBw42FeE9dy1vq+X9bbSGJ7spLN8uAqb:lKQkIsHOFSGupx8uT
Score

10^/10

octo banker evasion infostealer ransomware rat stealth trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo payload
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
  banker
- Removes its main activity from the application launcher
  stealth trojan
- Acquires the wake lock.
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
- Reads information about phone network operator.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Removes a system notification.
  evasion
- Uses Crypto APIs (Might try to encrypt user data).
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Octo payload

Makes use of the framework's Accessibility service.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Removes its main activity from the application launcher

Acquires the wake lock.

Loads dropped Dex/Jar

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2