19-03-2024 10:07

General

  • Target

    f471ff45d6c9fd91fda9d224901c5ddd214375898d054419bf7faac09cc6b9cf.apk

  • Size

    546KB

  • Sample

    240319-l556zsaa5s

  • MD5

    32692b7422865a6f8c133021aec513af

  • SHA1

    0ed39aa880b52715a45df0481755e68c847a56ea

  • SHA256

    f471ff45d6c9fd91fda9d224901c5ddd214375898d054419bf7faac09cc6b9cf

  • SHA512

    50653a63527d392661b04f85044dacb848c84d6c94ee56945c746a73b31979e55fd068f45e0ab53f481fd9e64981270a206000a9f42e304660a1308dc79d118d

  • SSDEEP

    12288:iMkNUrYAJ9uQXeu+qCemdOvHWx3vKA9mTHezwkRGFDQSlPEnP:pkirYAJ9xXehHOvHWxTmzezwkRjSl8nP

Malware Config

Extracted

Family

octo

C2

Attributes

  • target_apps

AES_key

Targets

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo payload

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

    • Removes its main activity from the application launcher

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Requests enabling of the accessibility settings.

    • Acquires the wake lock

    • Requests disabling of battery optimizations (often used to enable hiding in the background).
