octo

General

Target

80b21c69991bba7bbb6e942fa4f1871133f667385c4bfe33a83839219056c8f2.bin
Size

541KB
Sample

230914-1xx8qshh89
MD5

d27641e60c2bdcf2b0e8e26ea6c17740
SHA1

b4580be1eab0900af8e648ca30c17bdda500c808
SHA256

80b21c69991bba7bbb6e942fa4f1871133f667385c4bfe33a83839219056c8f2
SHA512

fa49ec6c00a12f06e16b99643e871487201e196d14ee802054758121343babd83fcbf6c80c4421311d04638e5481f44db68b95e170e22437a5bd2122af499187
SSDEEP

12288:7TUY+FfggZ0k8B5InXdixMeg4n3qL0ykp+CReDOIy0DN:vU9FfggybGdo24nUM3ca05

Score

10^/10

Malware Config

Extracted

Family

octo

C2

https://79.110.62.118/YTFlMzViNjNiNWM3/

https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam7acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://6ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://7ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://8ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://9ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://15yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://25yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://35y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://66ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

AES_key

Targets

- Target
  
  80b21c69991bba7bbb6e942fa4f1871133f667385c4bfe33a83839219056c8f2.bin
- Size
  
  541KB
- MD5
  
  d27641e60c2bdcf2b0e8e26ea6c17740
- SHA1
  
  b4580be1eab0900af8e648ca30c17bdda500c808
- SHA256
  
  80b21c69991bba7bbb6e942fa4f1871133f667385c4bfe33a83839219056c8f2
- SHA512
  
  fa49ec6c00a12f06e16b99643e871487201e196d14ee802054758121343babd83fcbf6c80c4421311d04638e5481f44db68b95e170e22437a5bd2122af499187
- SSDEEP
  
  12288:7TUY+FfggZ0k8B5InXdixMeg4n3qL0ykp+CReDOIy0DN:vU9FfggybGdo24nUM3ca05
Score

10^/10

octo banker evasion infostealer ransomware rat stealth trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo payload
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
  banker
- Removes its main activity from the application launcher
  stealth trojan
- Acquires the wake lock.
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
- Reads information about phone network operator.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Removes a system notification.
  evasion
- Uses Crypto APIs (Might try to encrypt user data).
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Octo payload

Makes use of the framework's Accessibility service.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Removes its main activity from the application launcher

Acquires the wake lock.

Loads dropped Dex/Jar

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2