Extracted

• • Target

    0338989191ce53a1a4adf3d4dd5471e470a299f6e8a30b1aa1858e1bc1b5f203

  • Size

    7.9MB

  • MD5

    51f9f4196f87f456a7e246fb9659a486

  • SHA1

    721090ca68835f3957552fe4e41335cdf046a74c

  • SHA256

    0338989191ce53a1a4adf3d4dd5471e470a299f6e8a30b1aa1858e1bc1b5f203

  • SHA512

    7934b833adad63329bb3a258553ad1e09baa17f3312a1d9e5905b7c3ab1a5616249d5b88b6dd6bef9a68c65b07dc6daad5cce874d94c1b2f3b10089e4180d00f

  • SSDEEP

    98304:Ed2/CHRshfrc3XKVKEW5iSRGax8Czeu6F8HSKXnEWIgnGMiS4rKtGag8dZC:Ew/QRYfw3XKUXrd8keunHXxXnnIKtzK

  Score

  10^/10

  octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto

  • Octo payload

  • Checks Android system properties for emulator presence.

    evasion

  • Loads dropped Dex/Jar

    Runs executable file dropped to the device during analysis.

    evasion

  • Makes use of the framework's Accessibility service

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    bankerdiscovery

  • Queries the phone number (MSISDN for GSM devices)

    discovery

  • Acquires the wake lock

  • Makes use of the framework's foreground persistence service

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence

  • Queries the mobile country code (MCC)

    discovery

  • Queries the unique device ID (IMEI, MEID, IMSI)

    discovery
  behavioral1behavioral2