octo

General

Target

3f27e01f916fc9a2074931ce18956ccdd9a44578ba446275b3584c8c67abade7.bin
Size

2.7MB
Sample

241010-1114ssygpf
MD5

94c8808ab62d910e791a89dabd3395cd
SHA1

fc5e5e091155388cff4841b078dc8e08c4b15b8f
SHA256

3f27e01f916fc9a2074931ce18956ccdd9a44578ba446275b3584c8c67abade7
SHA512

f09c066ce8913270c5d784afc3313d377b8f5d9dcb0606de13d3eb2a2e59a8d5b3d91e103fb7ec5c31f706d9fd481c5f575a94bd4b4ca50593f4484089b9fe43
SSDEEP

49152:2uoYS1rTJH4b3V5c1Wi0WAejlvwfuVjH9wBtp/0TsA+YqYtiov+aSjL2RXk0/:72rTJ0PsHjFuuVjH0zcTwxYtFvGXS3

Score

10^/10

Malware Config

Extracted

Family

octo

C2

https://teknolojideyeniliklervesontrendler.xyz/YjdkMWRjNTllNzZi/

https://dogalyasamvetatilonerileriniz.xyz/YjdkMWRjNTllNzZi/

https://sanatkulturvesosyalyasantavsiyeleri.xyz/YjdkMWRjNTllNzZi/

https://gezginlerinyenikesifvedeneyimleri.xyz/YjdkMWRjNTllNzZi/

https://oyunvedijitaldunyayakesfet.xyz/YjdkMWRjNTllNzZi/

https://yemektariflerivedogalbeslenme.xyz/YjdkMWRjNTllNzZi/

https://bilimveteknolojiprojelerehberi.xyz/YjdkMWRjNTllNzZi/

https://fotografvesanatcilaryolculugu.xyz/YjdkMWRjNTllNzZi/

https://modavesanatdunyasindakiyenilikler.xyz/YjdkMWRjNTllNzZi/

https://egitimvesosyalgelisimklavuzu.xyz/YjdkMWRjNTllNzZi/

https://yogavesporkocluguprogramlari.xyz/YjdkMWRjNTllNzZi/

https://bilgisayarveoyunseverlertavsiyeleri.xyz/YjdkMWRjNTllNzZi/

https://fotografvegezisoylesileriplatformu.xyz/YjdkMWRjNTllNzZi/

https://yarisvedigitalgelisimprojeleri.xyz/YjdkMWRjNTllNzZi/

https://yenifikirlervegirisimcilikplatformu.xyz/YjdkMWRjNTllNzZi/

https://sosyalmedyayonetimivegirisim.xyz/YjdkMWRjNTllNzZi/

https://sanatvetasarimdunyasiyenilikler.xyz/YjdkMWRjNTllNzZi/

https://bilimvegirisimcilikrotasinda.xyz/YjdkMWRjNTllNzZi/

https://dogadoganlaricinyasamtavsiyeleri.xyz/YjdkMWRjNTllNzZi/

https://gencgirisimcilericevirimdunyasi.xyz/YjdkMWRjNTllNzZi/

rc4.plain

Extracted

Family

octo

C2

https://teknolojideyeniliklervesontrendler.xyz/YjdkMWRjNTllNzZi/

https://dogalyasamvetatilonerileriniz.xyz/YjdkMWRjNTllNzZi/

https://sanatkulturvesosyalyasantavsiyeleri.xyz/YjdkMWRjNTllNzZi/

https://gezginlerinyenikesifvedeneyimleri.xyz/YjdkMWRjNTllNzZi/

https://oyunvedijitaldunyayakesfet.xyz/YjdkMWRjNTllNzZi/

https://yemektariflerivedogalbeslenme.xyz/YjdkMWRjNTllNzZi/

https://bilimveteknolojiprojelerehberi.xyz/YjdkMWRjNTllNzZi/

https://fotografvesanatcilaryolculugu.xyz/YjdkMWRjNTllNzZi/

https://modavesanatdunyasindakiyenilikler.xyz/YjdkMWRjNTllNzZi/

https://egitimvesosyalgelisimklavuzu.xyz/YjdkMWRjNTllNzZi/

https://yogavesporkocluguprogramlari.xyz/YjdkMWRjNTllNzZi/

https://bilgisayarveoyunseverlertavsiyeleri.xyz/YjdkMWRjNTllNzZi/

https://fotografvegezisoylesileriplatformu.xyz/YjdkMWRjNTllNzZi/

https://yarisvedigitalgelisimprojeleri.xyz/YjdkMWRjNTllNzZi/

https://yenifikirlervegirisimcilikplatformu.xyz/YjdkMWRjNTllNzZi/

https://sosyalmedyayonetimivegirisim.xyz/YjdkMWRjNTllNzZi/

https://sanatvetasarimdunyasiyenilikler.xyz/YjdkMWRjNTllNzZi/

https://bilimvegirisimcilikrotasinda.xyz/YjdkMWRjNTllNzZi/

https://dogadoganlaricinyasamtavsiyeleri.xyz/YjdkMWRjNTllNzZi/

https://gencgirisimcilericevirimdunyasi.xyz/YjdkMWRjNTllNzZi/

AES_key

Targets

- Target
  
  3f27e01f916fc9a2074931ce18956ccdd9a44578ba446275b3584c8c67abade7.bin
- Size
  
  2.7MB
- MD5
  
  94c8808ab62d910e791a89dabd3395cd
- SHA1
  
  fc5e5e091155388cff4841b078dc8e08c4b15b8f
- SHA256
  
  3f27e01f916fc9a2074931ce18956ccdd9a44578ba446275b3584c8c67abade7
- SHA512
  
  f09c066ce8913270c5d784afc3313d377b8f5d9dcb0606de13d3eb2a2e59a8d5b3d91e103fb7ec5c31f706d9fd481c5f575a94bd4b4ca50593f4484089b9fe43
- SSDEEP
  
  49152:2uoYS1rTJH4b3V5c1Wi0WAejlvwfuVjH9wBtp/0TsA+YqYtiov+aSjL2RXk0/:72rTJ0PsHjFuuVjH0zcTwxYtFvGXS3
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo payload
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Queries the unique device ID (IMEI, MEID, IMSI)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral1 behavioral2