octo

General

Target

93cdb065d98306b1ba9351f687719ef6a19c7001ad5438567f89de41ebc23782.zip
Size

7.3MB
Sample

241011-k8ggcswand
MD5

e76834546baf2a15501f415bf703dda7
SHA1

07cbbdb007cb25c1b7a04bf1639506b3638dfc7f
SHA256

93cdb065d98306b1ba9351f687719ef6a19c7001ad5438567f89de41ebc23782
SHA512

dd305f087f6f5d7aecf9b33c9b87bfbb4f59398cf1d04d700bc8147829797e5e4d7f83c9a47fd1f062fe6dd3ff1acbfd811f94442c5dd4b89b74666e8115002a
SSDEEP

98304:LNHn+5iSRGzz74a0qasJegRsbmE/j7pVKw6QnyY7GybVJBkM4Y:5Hn+ri4aCgRhUj7pUbQnj7aY

Score

10^/10

Malware Config

Extracted

Family

octo

C2

https://0e97556072acd897b127d53221a49ecb.com

AES_key

Targets

- Target
  
  93cdb065d98306b1ba9351f687719ef6a19c7001ad5438567f89de41ebc23782.zip
- Size
  
  7.3MB
- MD5
  
  e76834546baf2a15501f415bf703dda7
- SHA1
  
  07cbbdb007cb25c1b7a04bf1639506b3638dfc7f
- SHA256
  
  93cdb065d98306b1ba9351f687719ef6a19c7001ad5438567f89de41ebc23782
- SHA512
  
  dd305f087f6f5d7aecf9b33c9b87bfbb4f59398cf1d04d700bc8147829797e5e4d7f83c9a47fd1f062fe6dd3ff1acbfd811f94442c5dd4b89b74666e8115002a
- SSDEEP
  
  98304:LNHn+5iSRGzz74a0qasJegRsbmE/j7pVKw6QnyY7GybVJBkM4Y:5Hn+ri4aCgRhUj7pUbQnj7aY
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Queries the mobile country code (MCC)
  discovery
- Queries the unique device ID (IMEI, MEID, IMSI)
  discovery
- Reads information about phone network operator.
  discovery
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral1 behavioral2