octo | 792c20662fcd624b5dbd120fbce9ab410e8fb964cb9c3282c7f5480d655a5ec7

Resubmissions

25-03-2024 06:49

240325-hlggqsad94 10

22-03-2024 22:02

240322-1yattscb2t 10

Analysis

max time kernel
300s
max time network
309s
platform
android_x64
resource
android-x64-arm64-20240221-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240221-enlocale:en-usos:android-11-x64system
submitted
25-03-2024 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

792c20662fcd624b5dbd120fbce9ab410e8fb964cb9c3282c7f5480d655a5ec7.apk
Size

298KB
MD5

1604992123eb5fc79ae60b48dfb79953
SHA1

d83e83c51402e68ec7f008724ae0ddf54a0419f9
SHA256

792c20662fcd624b5dbd120fbce9ab410e8fb964cb9c3282c7f5480d655a5ec7
SHA512

08a288c52cd08d01a1287de55ef90556385dd5317a22127c159c601d04557b3bb839177370994880efdf8c7ff3931cd4b5c4b67c8d6479a004657f4a2864f792
SSDEEP

6144:9+Skpd5ol4xg13P07jk202YPoF4ZODrFZRlRNGzszloFoqeA:9+SkpPoGO5qQ202YAF77gslQoZA

Score

10^/10

octo banker collection discovery evasion infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://45.93.20.118:7117/gate/

https://45.93.20.118:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://45.93.20.118:80/builderxxxzzz/gate/

Attributes

target_apps
at.spardat.bcrmobile
at.spardat.netbanking
com.bankaustria.android.olb
com.bmo.mobile
com.cibc.android.mobi
com.rbc.mobile.android
com.scotiabank.mobile
com.td
cz.airbank.android
eu.inmite.prj.kb.mobilbank
com.bankinter.launcher
com.kutxabank.android
com.rsi
com.tecnocom.cajalaboral
es.bancopopular.nbmpopular
es.evobanco.bancamovil
es.lacaixa.mobile.android.newwapicon
com.dbs.hk.dbsmbanking
com.FubonMobileClient
com.hangseng.rbmobile
com.MobileTreeApp
com.mtel.androidbea
com.scb.breezebanking.hk
hk.com.hsbc.hsbchkmobilebanking
com.aff.otpdirekt
com.ideomobile.hapoalim
com.infrasofttech.indianBank
com.mobikwik_new
com.oxigen.oxigenwallet
jp.co.aeonbank.android.passbook
jp.co.netbk
jp.co.rakuten_bank.rakutenbank
jp.co.sevenbank.AppPassbook
jp.co.smbc.direct
jp.mufg.bk.applisp.app
com.barclays.ke.mobile.android.ui
nz.co.anz.android.mobilebanking
nz.co.asb.asbmobile
nz.co.bnz.droidbanking
nz.co.kiwibank.mobile
com.getingroup.mobilebanking
eu.eleader.mobilebanking.pekao.firm
eu.eleader.mobilebanking.pekao
eu.eleader.mobilebanking.raiffeisen
pl.bzwbk.bzwbk24
pl.ipko.mobile
pl.mbank
alior.bankingapp.android
com.comarch.mobile.banking.bgzbnpparibas.biznes
com.comarch.security.mobilebanking
com.empik.empikapp
com.empik.empikfoto
com.finanteq.finance.ca
com.orangefinansek
eu.eleader.mobilebanking.invest
pl.aliorbank.aib
pl.allegro
pl.bosbank.mobile
pl.bph
pl.bps.bankowoscmobilna
pl.bzwbk.ibiznes24
pl.bzwbk.mobile.tab.bzwbk24
pl.ceneo
pl.com.rossmann.centauros
pl.fmbank.smart
pl.ideabank.mobilebanking
pl.ing.mojeing
pl.millennium.corpApp
pl.orange.mojeorange
pl.pkobp.iko
pl.pkobp.ipkobiznes
com.kuveytturk.mobil
com.magiclick.odeabank
com.mobillium.papara
com.pozitron.albarakaturk
com.teb
ccom.tmob.denizbank
com.tmob.tabletdeniz
com.vakifbank.mobilel
tr.com.sekerbilisim.mbank
wit.android.bcpBankingApp.millenniumPL
com.idamobile.android.hcb
logo.com.mbanking
com.openbank
com.google.android.apps.walletnfcrel
com.samsung.android.spay
com.cardsapp.android
cz.bsc.rc
cb.ibank
com.bifit.mobile.ubrr
com.bssys.mbcphone.ubrir
net.bl
com.bifit.mobile.bin
com.webmoney.my
com.polehin.android
com.bitcoin.mwallet
io.totalcoin.wallet
com.quppy
com.sharpdev.fxcoin
com.advantage.RaiffeisenBank
hr.asseco.android.jimba.mUCI.ro
may.maybank.android
ro.btrl.mobile
com.amazon.mShop.android.shopping
com.amazon.windowshop
com.ebay.mobile
com.idamob.tinkoff.android
com.akbank.android.apps.akbank_direkt
com.akbank.android.apps.akbank_direkt_tablet
com.akbank.softotp
com.akbank.android.apps.akbank_direkt_tablet_20
com.fragment.akbank
com.ykb.android
com.ykb.android.mobilonay
com.ykb.avm
com.ykb.androidtablet
com.veripark.ykbaz
com.softtech.iscek
com.yurtdisi.iscep
com.softtech.isbankasi
com.monitise.isbankmoscow
com.finansbank.mobile.cepsube
finansbank.enpara
com.magiclick.FinansPOS
com.matriksdata.finansyatirim
finansbank.enpara.sirketim
com.vipera.ts.starter.QNB
com.redrockdigimark
com.garanti.cepsubesi
com.garanti.cepbank
com.garantibank.cepsubesiro
biz.mobinex.android.apps.cep_sifrematik
com.garantiyatirim.fx
com.tmobtech.halkbank
com.SifrebazCep
eu.newfrontier.iBanking.mobile.Halk.Retail
tr.com.tradesoft.tradingsystem.gtpmobile.halk
com.DijitalSahne.EnYakinHalkbank
com.ziraat.ziraatmobil
com.ziraat.ziraattablet
com.matriksmobile.android.ziraatTrader
com.matriksdata.ziraatyatirim.pad
de.ingdiba.bankingapp
de.comdirect.android
de.commerzbanking.mobil
de.consorsbank
com.db.mm.deutschebank
de.dkb.portalapp
com.de.dkb.portalapp
com.ing.diba.mbbr2
de.postbank.finanzassistent
mobile.santander.de
de.fiducia.smartphone.android.banking.vr
fr.creditagricole.androidapp
fr.axa.monaxa
fr.banquepopulaire.cyberplus
net.bnpparibas.mescomptes
com.boursorama.android.clients
com.caisseepargne.android.mobilebanking
fr.lcl.android.customerarea
com.paypal.android.p2pmobile
com.wf.wellsfargomobile
com.wf.wellsfargomobile.tablet
com.wellsFargo.ceomobile
com.usbank.mobilebanking
com.usaa.mobile.android.usaa
com.suntrust.mobilebanking
com.moneybookers.skrillpayments.neteller
com.moneybookers.skrillpayments
com.clairmail.fth
com.konylabs.capitalone
com.yinzcam.facilities.verizon
com.chase.sig.android
com.infonow.bofa
com.bankofamerica.cashpromobile
uk.co.bankofscotland.businessbank
com.grppl.android.shell.BOS
com.rbs.mobile.android.natwestoffshore
com.rbs.mobile.android.natwest
com.rbs.mobile.android.natwestbandc
com.rbs.mobile.investisir
com.phyder.engage
com.rbs.mobile.android.rbs
com.rbs.mobile.android.rbsbandc
uk.co.santander.santanderUK
uk.co.santander.businessUK.bb
com.sovereign.santander
com.ifs.banking.fiid4202
com.fi6122.godough
com.rbs.mobile.android.ubr
com.htsu.hsbcpersonalbanking
com.grppl.android.shell.halifax
com.grppl.android.shell.CMBlloydsTSB73
com.barclays.android.barclaysmobilebanking
com.unionbank.ecommerce.mobile.android
com.unionbank.ecommerce.mobile.commercial.legacy
com.snapwork.IDBI
com.idbibank.abhay_card
src.com.idbi
com.idbi.mpassbook
com.ing.mobile
com.snapwork.hdfc
com.sbi.SBIFreedomPlus
hdfcbank.hdfcquickbank
com.csam.icici.bank.imobile
in.co.bankofbaroda.mpassbook
com.axis.mobile
cz.csob.smartbanking
sk.sporoapps.accounts
sk.sporoapps.skener
com.cleverlance.csas.servis24
org.westpac.bank
nz.co.westpac
au.com.suncorp.SuncorpBank
org.stgeorge.bank
org.banksa.bank
au.com.newcastlepermanent
au.com.nab.mobile
au.com.mebank.banking
au.com.ingdirect.android
MyING.be
com.imb.banking2
com.fusion.ATMLocator
au.com.cua.mb
com.commbank.netbank
com.citibank.mobile.au
com.citibank.mobile.uk
com.citi.citimobile
org.bom.bank
com.bendigobank.mobile
me.doubledutch.hvdnz.cbnationalconference2016
au.com.bankwest.mobile
com.bankofqueensland.boq
com.anz.android.gomoney
com.anz.android
com.anz.SingaporeDigitalBanking
com.anzspot.mobile
com.crowdcompass.appSQ0QACAcYJ
com.arubanetworks.atmanz
com.quickmobile.anzirevents15
at.volksbank.volksbankmobile
it.volksbank.android
it.secservizi.mobile.atime.bpaa
de.fiducia.smartphone.android.securego.vr
com.isis_papyrus.raiffeisen_pay_eyewdg
at.easybank.mbanking
at.easybank.tablet
at.easybank.securityapp
at.bawag.mbanking
com.bawagpsk.securityapp
at.psa.app.bawag
com.pozitron.iscep
com.vakifbank.mobile
com.pozitron.vakifbank
com.starfinanz.smob.android.sfinanzstatus
com.starfinanz.mobile.android.pushtan
com.entersekt.authapp.sparkasse
com.starfinanz.smob.android.sfinanzstatus.tablet
com.starfinanz.smob.android.sbanking
com.palatine.android.mobilebanking.prod
fr.laposte.lapostemobile
com.cm_prod.bad
com.cm_prod.epasal
com.cm_prod_tablet.bad
com.cm_prod.nosactus
mobi.societegenerale.mobile.lappli
com.bbva.netcash
com.bbva.bbvacontigo
com.bbva.bbvawallet
es.bancosantander.apps
com.santander.app
es.cm.android
es.cm.android.tablet
com.bankia.wallet
com.bestbuy.android
com.jiffyondemand.user
com.latuabancaperandroid
com.latuabanca_tabperandroid
com.lynxspa.bancopopolare
com.unicredit
it.bnl.apps.banking
it.bnl.apps.enterprise.bnlpay
it.bpc.proconl.mbplus
it.copergmps.rt.pf.android.sp.bmps
it.gruppocariparma.nowbanking
it.ingdirect.app
it.nogood.container
it.popso.SCRIGNOapp
posteitaliane.posteapp.apppostepay
com.abnamro.nl.mobile.payments
com.triodos.bankingnl
nl.asnbank.asnbankieren
nl.snsbank.mobielbetalen
com.btcturk
com.ingbanktr.ingmobil
com.tmob.denizbank
tr.com.hsbc.hsbcturkey
com.att.myWireless
com.vzw.hss.myverizon
aib.ibank.android
com.bbnt
com.csg.cs.dnmbs
com.discoverfinancial.mobile
com.eastwest.mobile
com.fi6256.godough
com.fi6543.godough
com.fi6665.godough
com.fi9228.godough
com.fi9908.godough
com.ifs.banking.fiid1369
com.ifs.mobilebanking.fiid3919
com.jackhenry.rockvillebankct
com.jackhenry.washingtontrustbankwa
com.jpm.sig.android
com.sterling.onepay
com.svb.mobilebanking
org.usemployees.mobile
pinacleMobileiPhoneApp.android
com.fuib.android.spot.online
com.ukrsibbank.client.android
com.Plus500
eu.unicreditgroup.hvbapptan
com.targo_prod.bad
com.db.pwcc.dbmobile
com.db.mm.norisbank
com.bitmarket.trader
com.plunien.poloniex
com.mycelium.wallet
com.bitfinex.bfxapp
com.binance.dev
com.binance.odapplications
com.blockfolio.blockfolio
com.crypter.cryptocyrrency
io.getdelta.android
com.edsoftapps.mycoinsvalue
com.coin.profit
com.mal.saul.coinmarketcap
com.tnx.apps.coinportfolio
com.coinbase.android
com.portfolio.coinbase_tracker
com.bitpay.wallet
com.bitcoin.wallet.btc
com.blocktrail.mywallet
org.electrum.electrum
com.paxful.wallet
com.bitcoin.pocketbook.btc
net.bitstamp.app
de.schildbach.wallet
piuk.blockchain.android
info.blockchain.merchant
com.jackpf.blockchainsearch
com.unocoin.unocoinwallet
com.unocoin.unocoinmerchantPoS
com.thunkable.android.santoshmehta364.UNOCOIN_LIVE
wos.com.zebpay
com.localbitcoinsmbapp
com.thunkable.android.manirana54.LocalBitCoins
com.thunkable.android.manirana54.LocalBitCoins_unblock
com.localbitcoins.exchange
com.coins.bit.local
com.coins.ful.bit
com.jamalabbasii1998.localbitcoin
zebpay.Application
xmr.org.freewallet.app
com.bitcoin.ss.zebpayindia
com.kryptokit.jaxx
com.cajasur.android
app.wizink.es
com.grupocajamar.wefferent
caixagalicia.activamovil
com.abanca.bancaempresas
net.inverline.bancosabadell.officelocator.android
es.caixageral.caixageralapp
com.bankinter.bkwallet
com.db.pbc.mibanco
com.indra.itecban.mobile.novobanco
es.openbank.mobile
es.pibank.customers
es.bancosantander.empresas
com.indra.itecban.triodosbank.mobile.banking
es.univia.unicajamovil
com.westernunion.moneytransferr3app.es
www.ingdirect.nativeframe

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

T1516

T1513

Processes:

com.nameown12

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.nameown12
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.nameown12

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs 1 IoCs
banker discovery

T1418.001

Processes:

com.nameown12

description ioc process

Framework service call android.content.pm.IPackageManager.getInstalledApplications com.nameown12
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

T1541

Processes:

com.nameown12

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.nameown12
Acquires the wake lock 1 IoCs

Processes:

com.nameown12

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.nameown12
Reads information about phone network operator. 1 TTPs
discovery

T1422
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

T1628.002

Processes:

com.nameown12

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.nameown12
Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes:

com.nameown12

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.nameown12

description	ioc	process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.nameown12

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.nameown12

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.nameown12

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.nameown12

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.nameown12

com.nameown12
1⤵
- Makes use of the framework's Accessibility service
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
- Makes use of the framework's foreground persistence service
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4445

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.nameown12/.qcom.nameown12
Filesize
48B

MD5
046a414913add6f5bb60072c7db819b6

SHA1
451ee4f6809260aec622d772fd329c7d0297a842

SHA256
b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

SHA512
4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Download Submit
/data/user/0/com.nameown12/kl.txt
Filesize
45B

MD5
4f8611ef5c8eed3e72f882812b4a2e43

SHA1
d54e6733fe4181cfd40ae5e457f6894e4aafdbf2

SHA256
5bae978f29d3a6b40c459e9f6b1ad4ca3a880d21de8b82422fd200f7f5fd0093

SHA512
672901f00fc35dcc1dff052b6b477f88e97c1de75613a27a2abbaa8eb6358c6aa7b0074983b896dd5da391c7fdd467de10b2a4ef4fda10f9e17f854fda67ce82

Download Submit
/data/user/0/com.nameown12/kl.txt
Filesize
66B

MD5
6f79b92c59f921b9bd268b8b9ff9b075

SHA1
7d44112843b3b7a8da5612b0665265ad8f13db14

SHA256
64b59ff03428c5c8e31419f0b05ada22e7fae02290bec77235df1a9bd28faba5

SHA512
4767a9e44819dd100c0989267a93732c0883c40bf31979c655948f2d53b6d87386aed02beb63e6c909d64aec127bbf15b4a48b7a88ff25dfc9ccb92491427821

Download Submit
/data/user/0/com.nameown12/kl.txt
Filesize
84B

MD5
5cf4eae6181bc0f693445a3fe580e86e

SHA1
1de46669fdcadf28bb9a72e00bd1da0bf5488c57

SHA256
bc84b6bed83f1e7b5b6f99fa5a25f87d5d3e7f2f34b2c49839df506d8dac4da0

SHA512
8317f3aa955dc03e239031c2b3838311d692ef18f0ba34557e11d3a79e618c35f78458be3afd079924185372658bd81ca7f941592f70295c62007772647eac0c

Download Submit
/data/user/0/com.nameown12/kl.txt
Filesize
63B

MD5
7eb3b285dbf42f8af1858667cab4f1ca

SHA1
cf695eacdfae72e40ed54fe46c3a87685350b8a7

SHA256
a541b76c57e2e089835ff835d19815890542dd6c02c2533ed6a5b73b2b58a07f

SHA512
91468a8e1b5152236a4c788fb8804eb2b07f177ef4975603faf7118139f482dadf2d21239e279a88c9b43cdde2a8ef69243b74b8ab93067c4c19bb83bf362275

Download Submit
/data/user/0/com.nameown12/kl.txt
Filesize
58B

MD5
9f758ee047749bb912ab56cb7effb2d0

SHA1
9e84b8fc85c972141b9d505b459350ede89ed6a6

SHA256
88293e36ce7809fbebd26ff5a0e6cc4aaa993602bdacbac371944c0cffd97032

SHA512
e8deb4286fbac74c61139b9176d2a80790c9493ae8fd1960537ce4a31e61e22bfe85513c12a8aef5a0e03e730eeb3e9b53e23ee539ef312ed8087a17a65eefbf

Download Submit
/data/user/0/com.nameown12/kl.txt
Filesize
230B

MD5
381ca0457aa8dccd092af80c3228731a

SHA1
b0ff724c8fa2ca33d63579d5b4142bb1ff985a5e

SHA256
59bf7129cb4dd3bebffc0b45df5989c3a05f85aa448fd8d8970c35dd6c956fd4

SHA512
e39478976ea41291f8297007997bf6ce891f583e1da199820b4ccfdc0afe38dfe5a6dae6320805c67945b54d3fe2afd40aa7cc119bba914504aa369e34fb8afa

Download Submit
/data/user/0/com.nameown12/kl.txt
Filesize
45B

MD5
8a0a2e0e6748dae71b4db8fc913ae9ea

SHA1
f31560d28d7b90b35f1b905a749b80895a61344a

SHA256
0ad864c824205369b9e8133c0359003d9d1c739a8f308b2ed9f43e834f61981a

SHA512
2c9c6118bff7e0aafdc55214910ec3ae16c0737d47ed4b4493703139c8bc8e83e5a9c4799896ed5e926d4af9e6dd3014fb6a90da3999dc08b8b23c2ad5b84cad

Download Submit
/data/user/0/com.nameown12/kl.txt
Filesize
63B

MD5
5fc4b0e35ac085c1beaa401604b7ccfe

SHA1
c1beddd5fcfe9e76c9c59082b325e760db6e5049

SHA256
a739a2d8c18d6a3fd24b7bdf6b88acb9bfa1724a52f0fe95a913881563f0053e

SHA512
dd658a416c66fd9943a4e7d06f20ccd740149da389bea5440df66bca44b31e1fe4e5f055955e4dcb13f44bd9d9ee32bfb40d790550de04448044be173459778b

Download Submit
/data/user/0/com.nameown12/kl.txt
Filesize
45B

MD5
8e5b5c16026b40e6d727fd49d68a869d

SHA1
685122bc56bbcc9635642edd58fb2323772ca3e7

SHA256
332b4855b1b25f0fc0fa7d285632c86ff8e53a3a0efcc1be67d1e47cfc80ab3c

SHA512
85827a7f17963844c7a36e3bb4698449078d5082676d54536f39c6b1f3f36df5cf7fceb768301bbca16bf6488305ea5bc0411f94fadc974130f97add5b4f6cff

Download Submit
/data/user/0/com.nameown12/kl.txt
Filesize
68B

MD5
b2bd515be22203c2185f50a4e25d5661

SHA1
b0f0b4391051f5609234495ede3e7c21d6e9933b

SHA256
d4d5f2a20c619b8db2b37a23697ce64cc33f917c6354782e3e41776a3a836022

SHA512
65c3083cb541f18086f2c20e1c232fe5f86119aacabb4e7e46b9b850f8055fb463ee8f7792f3ce5fd20c15c0611657b0147e0b46850d504e96b4b3f2bc5a3694

Download Submit
/data/user/0/com.nameown12/kl.txt
Filesize
63B

MD5
e55250bbff152da8048b95fe0c0356e5

SHA1
d4b1f5f01d67222df868aef01ae541bcaba70afb

SHA256
df1ef7d612f59e8ab04696db0fb0bf2b0c4aeb8780acfe0c66acbcc2bead7d9c

SHA512
3fd11746084259e33b63e913691e301e86ab01c29f6606b66fb961250d4ac3b8065291edbf31f18de27041f3c592c98944161a84eeb3cce3f2b4b9e96c9a50ce

Download Submit
/data/user/0/com.nameown12/kl.txt
Filesize
58B

MD5
591c7bca7b8370af7c5a24fcef33ba14

SHA1
f70d97800adb00f42fcf9736efe795fe40b3eee9

SHA256
3ea08d134f3de969f0e3ef41be7e947a241e715e8846a0d4ca17bfbf95d0786a

SHA512
4b70c4ede5ac8361b7c85b2ebcd1509f8af6607fcf685f936e46703db45bbbbb3078ce94a938927e85c4a30c88e83c3aeb33a1abf2c2cb4c6a323cdf9035c3bd

Download Submit