octo

General

Target

e9e1c24ce79084f1e3ab0dc1d62b1672899d45aaa312ec47ee4f6ace64244a50.bin
Size

4.8MB
Sample

241111-1x2wxsxfrm
MD5

39b1cce8e84b6da80656891e493ff755
SHA1

b6410e0baa3cf4c24fc10d550358dd81d1740292
SHA256

e9e1c24ce79084f1e3ab0dc1d62b1672899d45aaa312ec47ee4f6ace64244a50
SHA512

b9a4a9bdba866fb6bf028ddb69d7dcc9822579b9db8144deaf747aa1d8f64caca2a29446fe1a3257e87d9970e1b4a57cac0bf2746a079729cc2f4da2e65f0b0e
SSDEEP

49152:NTsRsEXNFKkzj7U45iS7xrGZvi8IR6jVKScdE00nQHak2uOJP2p:WRsyxzj7d5iSRGEEVKsm6kNp

Score

10^/10

Malware Config

Extracted

Family

octo

C2

https://c33e5046bf42eb4b312024b42582cda5.in

https://56724c2aedf990741575bdf280125065.net

https://700168455561bc19f43dfc350ae17925.info

https://21cb16de393bc2f0ade66678b59aebe8.au

https://1621d00e1f19743bd2b32e0294860070.de

AES_key

Targets

- Target
  
  e9e1c24ce79084f1e3ab0dc1d62b1672899d45aaa312ec47ee4f6ace64244a50.bin
- Size
  
  4.8MB
- MD5
  
  39b1cce8e84b6da80656891e493ff755
- SHA1
  
  b6410e0baa3cf4c24fc10d550358dd81d1740292
- SHA256
  
  e9e1c24ce79084f1e3ab0dc1d62b1672899d45aaa312ec47ee4f6ace64244a50
- SHA512
  
  b9a4a9bdba866fb6bf028ddb69d7dcc9822579b9db8144deaf747aa1d8f64caca2a29446fe1a3257e87d9970e1b4a57cac0bf2746a079729cc2f4da2e65f0b0e
- SSDEEP
  
  49152:NTsRsEXNFKkzj7U45iS7xrGZvi8IR6jVKScdE00nQHak2uOJP2p:WRsyxzj7d5iSRGEEVKsm6kNp
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Queries the mobile country code (MCC)
  discovery
- Queries the unique device ID (IMEI, MEID, IMSI)
  discovery
- Reads information about phone network operator.
  discovery
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral1 behavioral2