General
- Target: 5c03a8380fdb956c48158734e86f8a2d1eaad5257ce6c74a39dcb85c5917f333.bin
- Size: 1.5MB
- Sample: 240417-1x3hfsfe74
- MD5: b9b0f9c2438ee017f12b26c96df09471
- SHA1: 8ac7030c04bab94468c6b25256efb7139450b9d6
- SHA256: 5c03a8380fdb956c48158734e86f8a2d1eaad5257ce6c74a39dcb85c5917f333
- SHA512: a1f17aa1181fa2a04464c9b9511ca71914e6c4e51f6fc320fac253b395a65d643ed5cf0ec00aeacfc1c5f6f6c0701005ca4ef22515338dfe1a45d569e76c0540
- SSDEEP: 49152:SCki/x3DikWtF9ROjMgXkYUw/3AE4KoSOqX+ZGZbmqB:SCp12kW39RQCqQ8X+ZQ/B
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 5c03a8380fdb956c48158734e86f8a2d1eaad5257ce6c74a39dcb85c5917f333.apk
  - Resource: android-x86-arm-20240221-en

Behavioral task
- behavioral2
  - Sample: 5c03a8380fdb956c48158734e86f8a2d1eaad5257ce6c74a39dcb85c5917f333.apk
  - Resource: android-33-x64-arm64-20240229-en
Malware Config
- Extracted family: octo
- Extracted URLs:
https://musherpicka.live/MTU2OWE0NzJjNGY5/
https://golevasi800.top/MTU2OWE0NzJjNGY5/
https://cm603lzeyxdw.site/MTU2OWE0NzJjNGY5/
https://cm603lzeyxdw1.site/MTU2OWE0NzJjNGY5/
https://arw2he7x57wp.pw/MTU2OWE0NzJjNGY5/
https://9r8i1u84t2gp.online/MTU2OWE0NzJjNGY5/
https://cm603lzeyxdw.biz/MTU2OWE0NzJjNGY5/
https://arw2he7x57wp1.pw/MTU2OWE0NzJjNGY5/
https://9r8i1u84t2gp1.online/MTU2OWE0NzJjNGY5/
https://cm603lzeyxdw.space/MTU2OWE0NzJjNGY5/
https://5a9udxg6l6gd.su/MTU2OWE0NzJjNGY5/
Targets
- Target: 5c03a8380fdb956c48158734e86f8a2d1eaad5257ce6c74a39dcb85c5917f333.bin (1.5MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General above)
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
- Octo payload
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
- Queries the phone number (MSISDN for GSM devices)
- Acquires the wake lock
- Queries the unique device ID (IMEI, MEID, IMSI)
- Reads information about the phone network operator
- Requests disabling of battery optimizations (often used to enable hiding in the background)