octo

General

Target

a38001f2d8f3c817f3579e676dd57dd0826bc7e07ab9c64fe279918da9a49374
Size

7.6MB
Sample

241017-gzygqswajc
MD5

b8411f981726df894bd3be20fc905be3
SHA1

91a1455e833505c864c7911524a2d92bb66f6de8
SHA256

a38001f2d8f3c817f3579e676dd57dd0826bc7e07ab9c64fe279918da9a49374
SHA512

4006968afe1de57608235e18d2373f19374b9c2270f9d440d3f4607bdd19ce12215afd9e513d6128ff694fa9c991d3b94f7ca184f17b429bf0bee61f2120780d
SSDEEP

98304:MElSb73N1O86wj7KRstD399zlZVKLnc/9/5iSRG0gVpsk:MBRNj7KRm99zXUrwxrW9

Score

10^/10

Malware Config

Extracted

Family

octo

C2

https://3eaeecee59236992bdd208952b783e39.au

https://9439fba008d7b8de8f77b13f0b55792b.uk

https://649561c1c64a0163240fe3b4aa9e84df.net

https://2a10fb95e85de2ec8940ffcde6d625ed.in

https://8f3935d7f12f86703cfe6634f42995ff.ua

https://0fda2d426ed8312561b8a9885a89f9e0.de

https://3c5ed2332f91eb9c1471f4b15b9affd9.ca

https://30dbb12403845fe70854f073b49ea567.us

https://29b9cd62c2d3a637943ea235409895c3.org

https://8fd9bd7ff33c890cbce381116049071e.info

https://b2823414ceb39e6c24579bbba518d081.ir

AES_key

Targets

- Target
  
  a38001f2d8f3c817f3579e676dd57dd0826bc7e07ab9c64fe279918da9a49374
- Size
  
  7.6MB
- MD5
  
  b8411f981726df894bd3be20fc905be3
- SHA1
  
  91a1455e833505c864c7911524a2d92bb66f6de8
- SHA256
  
  a38001f2d8f3c817f3579e676dd57dd0826bc7e07ab9c64fe279918da9a49374
- SHA512
  
  4006968afe1de57608235e18d2373f19374b9c2270f9d440d3f4607bdd19ce12215afd9e513d6128ff694fa9c991d3b94f7ca184f17b429bf0bee61f2120780d
- SSDEEP
  
  98304:MElSb73N1O86wj7KRstD399zlZVKLnc/9/5iSRG0gVpsk:MBRNj7KRm99zXUrwxrW9
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo payload
- Checks Android system properties for emulator presence.
  evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Queries the mobile country code (MCC)
  discovery
- Queries the unique device ID (IMEI, MEID, IMSI)
  discovery
- Reads information about phone network operator.
  discovery
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral1 behavioral2