octo

General

Target

63ddb72dd05c16d6f3a7516677e660dbeb405fd684ea6e827b9f7a5aa1f2e22a.bin
Size

541KB
Sample

230920-1xe26ach79
MD5

5f893b3a6b0a6f0ece6d26820c4492a3
SHA1

4f599760bfca1430b265b7b8641e52a36d4b0515
SHA256

63ddb72dd05c16d6f3a7516677e660dbeb405fd684ea6e827b9f7a5aa1f2e22a
SHA512

6186e32d22ec766466c3001374b4eb6ef9d8d9bf9e83e0a4a2dfd2f455ff2d493fb7863dcd6d427da79709ae1d216e9470b30167c8d81b41ddfa17f9fac17b65
SSDEEP

12288:3++c72pNSDUBCWtmrqA4ybMAm3Y+pcj9TKR:rTNXCWKbMRYllu

Score

10^/10

Malware Config

Extracted

Family

octo

C2

https://176.111.174.92/ZTIyNTVmMmE1NzNl/

https://12logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://13logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://14logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://15logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://16logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://17logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://18logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://19logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://20logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://21logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://22logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://kalpazanlan101.xyz/ZTIyNTVmMmE1NzNl/

https://kalpazanlan102.xyz/ZTIyNTVmMmE1NzNl/

https://kalpazanlan103.xyz/ZTIyNTVmMmE1NzNl/

https://kalpazanlan104.xyz/ZTIyNTVmMmE1NzNl/

https://kalpazanlan105.xyz/ZTIyNTVmMmE1NzNl/

https://kalpazanlan106.xyz/ZTIyNTVmMmE1NzNl/

https://kalpazanlan107.xyz/ZTIyNTVmMmE1NzNl/

https://kalpazanlan108.xyz/ZTIyNTVmMmE1NzNl/

AES_key

Targets

- Target
  
  63ddb72dd05c16d6f3a7516677e660dbeb405fd684ea6e827b9f7a5aa1f2e22a.bin
- Size
  
  541KB
- MD5
  
  5f893b3a6b0a6f0ece6d26820c4492a3
- SHA1
  
  4f599760bfca1430b265b7b8641e52a36d4b0515
- SHA256
  
  63ddb72dd05c16d6f3a7516677e660dbeb405fd684ea6e827b9f7a5aa1f2e22a
- SHA512
  
  6186e32d22ec766466c3001374b4eb6ef9d8d9bf9e83e0a4a2dfd2f455ff2d493fb7863dcd6d427da79709ae1d216e9470b30167c8d81b41ddfa17f9fac17b65
- SSDEEP
  
  12288:3++c72pNSDUBCWtmrqA4ybMAm3Y+pcj9TKR:rTNXCWKbMRYllu
Score

10^/10

octo banker evasion infostealer ransomware rat stealth trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo payload
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
  banker
- Removes its main activity from the application launcher
  stealth trojan
- Acquires the wake lock.
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
- Reads information about phone network operator.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Removes a system notification.
  evasion
- Uses Crypto APIs (Might try to encrypt user data).
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Octo payload

Makes use of the framework's Accessibility service.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Removes its main activity from the application launcher

Acquires the wake lock.

Loads dropped Dex/Jar

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2