octo | 4f386b4971d5ca9d048c76a9766f850a0da67c2c0ab3696cfd296c1a005a47a1

Analysis

max time kernel
54s
max time network
145s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
13/11/2024, 22:03 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f386b4971d5ca9d048c76a9766f850a0da67c2c0ab3696cfd296c1a005a47a1.apk
Size

3.7MB
MD5

12b8f6d4af2c83dba8e6edea9b1bfd92
SHA1

254137ca4230deea6aacb184ab81fa6ee1a33172
SHA256

4f386b4971d5ca9d048c76a9766f850a0da67c2c0ab3696cfd296c1a005a47a1
SHA512

0afe5e02f3279b8f8b8973b6050d389b181f16f324564d970c20a9a8f5c2503c3cf220e8071424e412f65b5d209a6b3aef45f2cd494cb1c78f5aa388900a8608
SSDEEP

98304:fnSJ9JgbbU4HjbNBMZAGNKdO+QmbedvdPGvWC3l:fnS7JgHU4HjB6ZAGUI+6gWc

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://malkafaniskm.com/NzY2NDZkZmViYjZj/

https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

https://malkafali222.com/NzY2NDZkZmViYjZj/

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/

rc4.plain

1
g32rMSJ1VxtE1xFu7p6

Extracted

Family

octo

https://malkafaniskm.com/NzY2NDZkZmViYjZj/

https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

https://malkafali222.com/NzY2NDZkZmViYjZj/

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/

Attributes

target_apps
at.spardat.bcrmobile

at.spardat.netbanking

com.bankaustria.android.olb

com.bmo.mobile

com.cibc.android.mobi

com.rbc.mobile.android

com.scotiabank.mobile

com.td

cz.airbank.android

eu.inmite.prj.kb.mobilbank

com.bankinter.launcher

com.kutxabank.android

com.rsi

com.tecnocom.cajalaboral

es.bancopopular.nbmpopular

es.evobanco.bancamovil

es.lacaixa.mobile.android.newwapicon

com.dbs.hk.dbsmbanking

com.FubonMobileClient

com.hangseng.rbmobile

com.MobileTreeApp

com.mtel.androidbea

com.scb.breezebanking.hk

hk.com.hsbc.hsbchkmobilebanking

com.aff.otpdirekt

com.ideomobile.hapoalim

com.infrasofttech.indianBank

com.mobikwik_new

com.oxigen.oxigenwallet

jp.co.aeonbank.android.passbook

jp.co.netbk

jp.co.rakuten_bank.rakutenbank

jp.co.sevenbank.AppPassbook

jp.co.smbc.direct

jp.mufg.bk.applisp.app

com.barclays.ke.mobile.android.ui

nz.co.anz.android.mobilebanking

nz.co.asb.asbmobile

nz.co.bnz.droidbanking

nz.co.kiwibank.mobile

com.getingroup.mobilebanking

eu.eleader.mobilebanking.pekao.firm

eu.eleader.mobilebanking.pekao

eu.eleader.mobilebanking.raiffeisen

pl.bzwbk.bzwbk24

pl.ipko.mobile

pl.mbank

alior.bankingapp.android

com.comarch.mobile.banking.bgzbnpparibas.biznes

com.comarch.security.mobilebanking

com.empik.empikapp

com.empik.empikfoto

com.finanteq.finance.ca

com.orangefinansek

eu.eleader.mobilebanking.invest

pl.aliorbank.aib

pl.allegro

pl.bosbank.mobile

pl.bph

pl.bps.bankowoscmobilna

pl.bzwbk.ibiznes24

pl.bzwbk.mobile.tab.bzwbk24

pl.ceneo

pl.com.rossmann.centauros

pl.fmbank.smart

pl.ideabank.mobilebanking

pl.ing.mojeing

pl.millennium.corpApp

pl.orange.mojeorange

pl.pkobp.iko

pl.pkobp.ipkobiznes

com.kuveytturk.mobil

com.magiclick.odeabank

com.mobillium.papara

com.pozitron.albarakaturk

com.teb

com.tmob.tabletdeniz

com.vakifbank.mobilel

tr.com.sekerbilisim.mbank

wit.android.bcpBankingApp.millenniumPL

com.idamobile.android.hcb

logo.com.mbanking

com.openbank

com.google.android.apps.walletnfcrel

com.samsung.android.spay

com.cardsapp.android

cz.bsc.rc

cb.ibank

com.bifit.mobile.ubrr

com.bssys.mbcphone.ubrir

net.bl

com.bifit.mobile.bin

com.webmoney.my

com.polehin.android

com.bitcoin.mwallet

io.totalcoin.wallet

com.quppy

com.sharpdev.fxcoin

com.advantage.RaiffeisenBank

hr.asseco.android.jimba.mUCI.ro

may.maybank.android

ro.btrl.mobile

com.amazon.mShop.android.shopping

com.amazon.windowshop

com.ebay.mobile

com.idamob.tinkoff.android

com.akbank.android.apps.akbank_direkt_tablet

com.akbank.softotp

com.akbank.android.apps.akbank_direkt_tablet_20

com.fragment.akbank

com.ykb.android

com.ykb.android.mobilonay

com.ykb.avm

com.ykb.androidtablet

com.veripark.ykbaz

com.softtech.iscek

com.yurtdisi.iscep

com.softtech.isbankasi

com.monitise.isbankmoscow

com.finansbank.mobile.cepsube

com.magiclick.FinansPOS

com.matriksdata.finansyatirim

com.vipera.ts.starter.QNB

com.redrockdigimark

com.garanti.cepbank

com.garantibank.cepsubesiro

biz.mobinex.android.apps.cep_sifrematik

com.garantiyatirim.fx

com.tmobtech.halkbank

com.SifrebazCep

eu.newfrontier.iBanking.mobile.Halk.Retail

tr.com.tradesoft.tradingsystem.gtpmobile.halk

com.DijitalSahne.EnYakinHalkbank

com.ziraat.ziraattablet

com.matriksmobile.android.ziraatTrader

com.matriksdata.ziraatyatirim.pad

de.ingdiba.bankingapp

de.comdirect.android

de.commerzbanking.mobil

de.consorsbank

com.db.mm.deutschebank

de.dkb.portalapp

com.de.dkb.portalapp

com.ing.diba.mbbr2

de.postbank.finanzassistent

mobile.santander.de

de.fiducia.smartphone.android.banking.vr

fr.creditagricole.androidapp

fr.axa.monaxa

fr.banquepopulaire.cyberplus

net.bnpparibas.mescomptes

com.boursorama.android.clients

com.caisseepargne.android.mobilebanking

fr.lcl.android.customerarea

com.paypal.android.p2pmobile

com.wf.wellsfargomobile

com.wf.wellsfargomobile.tablet

com.wellsFargo.ceomobile

com.usbank.mobilebanking

com.usaa.mobile.android.usaa

com.suntrust.mobilebanking

com.moneybookers.skrillpayments.neteller

com.moneybookers.skrillpayments

com.clairmail.fth

com.konylabs.capitalone

com.yinzcam.facilities.verizon

com.chase.sig.android

com.infonow.bofa

com.bankofamerica.cashpromobile

uk.co.bankofscotland.businessbank

com.grppl.android.shell.BOS

com.rbs.mobile.android.natwestoffshore

com.rbs.mobile.android.natwest

com.rbs.mobile.android.natwestbandc

com.rbs.mobile.investisir

com.phyder.engage

com.rbs.mobile.android.rbs

com.rbs.mobile.android.rbsbandc

uk.co.santander.santanderUK

uk.co.santander.businessUK.bb

com.sovereign.santander

com.ifs.banking.fiid4202

com.fi6122.godough

com.rbs.mobile.android.ubr

com.htsu.hsbcpersonalbanking

com.grppl.android.shell.halifax

com.grppl.android.shell.CMBlloydsTSB73

com.barclays.android.barclaysmobilebanking

com.unionbank.ecommerce.mobile.android

com.unionbank.ecommerce.mobile.commercial.legacy

com.snapwork.IDBI

com.idbibank.abhay_card

src.com.idbi

com.idbi.mpassbook

com.ing.mobile

com.snapwork.hdfc

com.sbi.SBIFreedomPlus

hdfcbank.hdfcquickbank

com.csam.icici.bank.imobile

in.co.bankofbaroda.mpassbook

com.axis.mobile

cz.csob.smartbanking

sk.sporoapps.accounts

sk.sporoapps.skener

com.cleverlance.csas.servis24

org.westpac.bank

nz.co.westpac

au.com.suncorp.SuncorpBank

org.stgeorge.bank

org.banksa.bank

au.com.newcastlepermanent

au.com.nab.mobile

au.com.mebank.banking

au.com.ingdirect.android

MyING.be

com.imb.banking2

com.fusion.ATMLocator

au.com.cua.mb

com.commbank.netbank

com.citibank.mobile.au

com.citibank.mobile.uk

com.citi.citimobile

org.bom.bank

com.bendigobank.mobile

me.doubledutch.hvdnz.cbnationalconference2016

au.com.bankwest.mobile

com.bankofqueensland.boq

com.anz.android.gomoney

com.anz.android

com.anz.SingaporeDigitalBanking

com.anzspot.mobile

com.crowdcompass.appSQ0QACAcYJ

com.arubanetworks.atmanz

com.quickmobile.anzirevents15

at.volksbank.volksbankmobile

it.volksbank.android

it.secservizi.mobile.atime.bpaa

de.fiducia.smartphone.android.securego.vr

com.isis_papyrus.raiffeisen_pay_eyewdg

at.easybank.mbanking

at.easybank.tablet

at.easybank.securityapp

at.bawag.mbanking

com.bawagpsk.securityapp

at.psa.app.bawag

com.pozitron.iscep

com.vakifbank.mobile

com.pozitron.vakifbank

com.starfinanz.smob.android.sfinanzstatus

com.starfinanz.mobile.android.pushtan

com.entersekt.authapp.sparkasse

com.starfinanz.smob.android.sfinanzstatus.tablet

com.starfinanz.smob.android.sbanking

com.palatine.android.mobilebanking.prod

fr.laposte.lapostemobile

com.cm_prod.bad

com.cm_prod.epasal

com.cm_prod_tablet.bad

com.cm_prod.nosactus

mobi.societegenerale.mobile.lappli

com.bbva.netcash

com.bbva.bbvacontigo

com.bbva.bbvawallet

es.bancosantander.apps

com.santander.app

es.cm.android

es.cm.android.tablet

com.bankia.wallet

com.bestbuy.android

com.jiffyondemand.user

com.latuabancaperandroid

com.latuabanca_tabperandroid

com.lynxspa.bancopopolare

com.unicredit

it.bnl.apps.banking

it.bnl.apps.enterprise.bnlpay

it.bpc.proconl.mbplus

it.copergmps.rt.pf.android.sp.bmps

it.gruppocariparma.nowbanking

it.ingdirect.app

it.nogood.container

it.popso.SCRIGNOapp

posteitaliane.posteapp.apppostepay

com.abnamro.nl.mobile.payments

com.triodos.bankingnl

nl.asnbank.asnbankieren

nl.snsbank.mobielbetalen

com.btcturk

com.ingbanktr.ingmobil

tr.com.hsbc.hsbcturkey

com.att.myWireless

com.vzw.hss.myverizon

aib.ibank.android

com.bbnt

com.csg.cs.dnmbs

com.discoverfinancial.mobile

com.eastwest.mobile

com.fi6256.godough

com.fi6543.godough

com.fi6665.godough

com.fi9228.godough

com.fi9908.godough

com.ifs.banking.fiid1369

com.ifs.mobilebanking.fiid3919

com.jackhenry.rockvillebankct

com.jackhenry.washingtontrustbankwa

com.jpm.sig.android

com.sterling.onepay

com.svb.mobilebanking

org.usemployees.mobile

pinacleMobileiPhoneApp.android

com.fuib.android.spot.online

com.ukrsibbank.client.android

com.Plus500

eu.unicreditgroup.hvbapptan

com.targo_prod.bad

com.db.pwcc.dbmobile

com.db.mm.norisbank

com.bitmarket.trader

com.plunien.poloniex

com.mycelium.wallet

com.bitfinex.bfxapp

com.binance.dev

com.binance.odapplications

com.blockfolio.blockfolio

com.crypter.cryptocyrrency

io.getdelta.android

com.edsoftapps.mycoinsvalue

com.coin.profit

com.mal.saul.coinmarketcap

com.tnx.apps.coinportfolio

com.coinbase.android

com.portfolio.coinbase_tracker

com.bitpay.wallet

com.bitcoin.wallet.btc

com.blocktrail.mywallet

org.electrum.electrum

com.paxful.wallet

com.bitcoin.pocketbook.btc

net.bitstamp.app

de.schildbach.wallet

piuk.blockchain.android

info.blockchain.merchant

com.jackpf.blockchainsearch

com.unocoin.unocoinwallet

com.unocoin.unocoinmerchantPoS

com.thunkable.android.santoshmehta364.UNOCOIN_LIVE

wos.com.zebpay

com.localbitcoinsmbapp

com.thunkable.android.manirana54.LocalBitCoins

com.thunkable.android.manirana54.LocalBitCoins_unblock

com.localbitcoins.exchange

com.coins.bit.local

com.coins.ful.bit

com.jamalabbasii1998.localbitcoin

zebpay.Application

xmr.org.freewallet.app

com.bitcoin.ss.zebpayindia

com.kryptokit.jaxx

com.cajasur.android

app.wizink.es

com.grupocajamar.wefferent

caixagalicia.activamovil

com.abanca.bancaempresas

net.inverline.bancosabadell.officelocator.android

es.caixageral.caixageralapp

com.bankinter.bkwallet

com.db.pbc.mibanco

com.indra.itecban.mobile.novobanco

es.openbank.mobile

es.pibank.customers

es.bancosantander.empresas

com.indra.itecban.triodosbank.mobile.banking

es.univia.unicajamovil

com.westernunion.moneytransferr3app.es

www.ingdirect.nativeframe

DES_key

1
69686f6c61666263

AES_key

1
3534353639643261616165373137363333356136376266373265383637333666

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-7.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4280	com.riverlightlrab

Loads dropped Dex/Jar 1 TTPs 5 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.riverlightlrab/app_dex/classes.dex	4280	com.riverlightlrab
/data/user/0/com.riverlightlrab/app_dex/classes.dex	4308	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.riverlightlrab/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.riverlightlrab/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.riverlightlrab/app_dex/classes.dex	4280	com.riverlightlrab
/data/user/0/com.riverlightlrab/cache/mcagswvws	4280	com.riverlightlrab
/data/user/0/com.riverlightlrab/cache/mcagswvws	4280	com.riverlightlrab

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.riverlightlrab
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.riverlightlrab

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.riverlightlrab

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.riverlightlrab

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.riverlightlrab
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.riverlightlrab
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.riverlightlrab
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.riverlightlrab

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.riverlightlrab

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.riverlightlrab

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.riverlightlrab

Requests modifying system settings. 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.riverlightlrab

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.riverlightlrab

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.riverlightlrab

com.riverlightlrab
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4280
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.riverlightlrab/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.riverlightlrab/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4308

Network

DNS

fukiyibartiyom2.com

Remote address:

1.1.1.1:53

Request

fukiyibartiyom2.com

IN A

Response
DNS

oyunbaimlisi35.com

Remote address:

1.1.1.1:53

Request

oyunbaimlisi35.com

IN A

Response

oyunbaimlisi35.com

IN A

193.143.1.4
POST

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

Remote address:

193.143.1.4:443

Request

POST /NzY2NDZkZmViYjZj/ HTTP/1.1
Packets-sent: 60170
Content-Encoding: gzip
Content-Length: 3530
Host: oyunbaimlisi35.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 13 Nov 2024 22:03:24 GMT
Server: Apache/2.4.62 (Debian)
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
DNS

malkafali222.com

Remote address:

1.1.1.1:53

Request

malkafali222.com

IN A

Response
DNS

mal1fukizmirli.com

Remote address:

1.1.1.1:53

Request

mal1fukizmirli.com

IN A

Response
POST

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

Remote address:

193.143.1.4:443

Request

POST /NzY2NDZkZmViYjZj/ HTTP/1.1
Packets-sent: 60170
Content-Encoding: gzip
Content-Length: 292
Host: oyunbaimlisi35.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 13 Nov 2024 22:03:25 GMT
Server: Apache/2.4.62 (Debian)
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
DNS

android.apis.google.com

Remote address:

1.1.1.1:53

Request

android.apis.google.com

IN A

Response

android.apis.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

142.250.178.14
DNS

semanticlocation-pa.googleapis.com

Remote address:

1.1.1.1:53

Request

semanticlocation-pa.googleapis.com

IN A

Response

semanticlocation-pa.googleapis.com

IN A

142.250.200.10

semanticlocation-pa.googleapis.com

IN A

216.58.212.202

semanticlocation-pa.googleapis.com

IN A

216.58.213.10

semanticlocation-pa.googleapis.com

IN A

142.250.178.10

semanticlocation-pa.googleapis.com

IN A

172.217.169.74

semanticlocation-pa.googleapis.com

IN A

216.58.204.74

semanticlocation-pa.googleapis.com

IN A

172.217.16.234

semanticlocation-pa.googleapis.com

IN A

142.250.187.202

semanticlocation-pa.googleapis.com

IN A

172.217.169.10

semanticlocation-pa.googleapis.com

IN A

142.250.180.10

semanticlocation-pa.googleapis.com

IN A

142.250.200.42

semanticlocation-pa.googleapis.com

IN A

142.250.187.234

semanticlocation-pa.googleapis.com

IN A

142.250.179.234

semanticlocation-pa.googleapis.com

IN A

216.58.201.106
POST

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

Remote address:

193.143.1.4:443

Request

POST /NzY2NDZkZmViYjZj/ HTTP/1.1
Packets-sent: 60170
Content-Encoding: gzip
Content-Length: 793
Host: oyunbaimlisi35.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 13 Nov 2024 22:03:51 GMT
Server: Apache/2.4.62 (Debian)
Vary: Accept-Encoding
Content-Length: 128
Connection: close
Content-Type: text/html; charset=UTF-8
POST

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

Remote address:

193.143.1.4:443

Request

POST /NzY2NDZkZmViYjZj/ HTTP/1.1
Packets-sent: 60170
Content-Encoding: gzip
Content-Length: 1617
Host: oyunbaimlisi35.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 13 Nov 2024 22:04:05 GMT
Server: Apache/2.4.62 (Debian)
Vary: Accept-Encoding
Content-Length: 128
Connection: close
Content-Type: text/html; charset=UTF-8

193.143.1.4:443

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

tls, http

5.0kB
25.6kB
19
23

HTTP Request

POST https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

HTTP Response

200
193.143.1.4:443

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

tls, http

3.0kB
97.9kB
43
74

HTTP Request

POST https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

HTTP Response

200
216.58.204.78:443

tls, https

858 B
40 B
1
1
142.250.178.14:443

android.apis.google.com

tls

4.8kB
8.7kB
16
21
193.143.1.4:443

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

tls, http

1.8kB
2.1kB
10
7

HTTP Request

POST https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

HTTP Response

200
193.143.1.4:443

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

tls, http

2.6kB
2.1kB
9
7

HTTP Request

POST https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

HTTP Response

200
193.143.1.4:443

oyunbaimlisi35.com

tls

2.3kB
2.1kB
9
7
193.143.1.4:443

oyunbaimlisi35.com

tls

1.3kB
2.2kB
9
8
193.143.1.4:443

oyunbaimlisi35.com

tls

1.3kB
2.2kB
9
8

224.0.0.251:5353

3.7kB
11
1.1.1.1:53

fukiyibartiyom2.com

dns

65 B
138 B
1
1

DNS Request

fukiyibartiyom2.com
1.1.1.1:53

oyunbaimlisi35.com

dns

64 B
80 B
1
1

DNS Request

oyunbaimlisi35.com

DNS Response

193.143.1.4
1.1.1.1:53

malkafali222.com

dns

62 B
135 B
1
1

DNS Request

malkafali222.com
1.1.1.1:53

mal1fukizmirli.com

dns

64 B
137 B
1
1

DNS Request

mal1fukizmirli.com
1.1.1.1:53

android.apis.google.com

dns

69 B
109 B
1
1

DNS Request

android.apis.google.com

DNS Response

142.250.178.14
1.1.1.1:53

semanticlocation-pa.googleapis.com

dns

80 B
304 B
1
1

DNS Request

semanticlocation-pa.googleapis.com

DNS Response

142.250.200.10

216.58.212.202

216.58.213.10

142.250.178.10

172.217.169.74

216.58.204.74

172.217.16.234

142.250.187.202

172.217.169.10

142.250.180.10

142.250.200.42

142.250.187.234

142.250.179.234

216.58.201.106

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.riverlightlrab/app_dex/classes.dex

Filesize
3KB

MD5
fafd2517ecb1685b96f71845fa4ecabd

SHA1
c0eaf86a80573da14e9855deef0940eae87ae347

SHA256
1436e6ca525b89b050d645bdbf9be3925a7f3e589bb1711b01c814d1b37a31f5

SHA512
4a4773b461360fc792dfa11fb2cfaad3ff1a223ca517c181768df7737f7a439f1d43dfd578e6539f1a65aa7bc15cf7a8ef5d6791d140aeb1d87721c0e7993014

Download Submit
/data/data/com.riverlightlrab/cache/classes.dex

Filesize
1KB

MD5
2dbc54d718bab0af35d5845cfd7dd8ed

SHA1
c7f42ca13629f66ccf1b4bd9e68ab68c95069418

SHA256
bc41abbaf04484e2549a5ed9b54974073ec854fd817549b458064cc3f8ef0726

SHA512
3c829f13b0c8057bc5727baa5b9ffacc2eea259467a472ef10f6808c8d99afbd7ebe8f89cf387e6b4ecf171ceb5d572d8db8a05b9f0fe0920a9685dbb25cedaf

Download Submit
/data/data/com.riverlightlrab/cache/classes.zip

Filesize
1KB

MD5
7a6aa58730717c342195e7673baab112

SHA1
229347f74d7aec7c9ba0c46165003ea9a709f1f7

SHA256
34125a57487597c594698e718175dd293486e1976fddba3d0ec2012b51b8cd78

SHA512
f44bd4531a9fc0b6f61f215d9abade6736737ceff671a0df7edd2ba5b5c90cd268f9dc3ef7a5e96aacab0fedfc622bcba035976d6fe834aba6d961a4bc5565ad

Download Submit
/data/data/com.riverlightlrab/cache/mcagswvws

Filesize
449KB

MD5
9fce030ed71e5ebde87bd47b14fb0233

SHA1
f0714d1cccfacf1514430f6e4b6d66e6b9f68e70

SHA256
f6d9f10980d92deb506a11b8fff12013b3859d655c40f77fbb27cd7ea108e9ff

SHA512
82c417659ff30a19af15dc0bc8bfd56b5a13ac5ea5997f67343a365a45723ff3c2d3ced6b62dc1b6997658cb058413ea7cc46ee6d02ded4ce43c46d39c29a72d

Download Submit
/data/data/com.riverlightlrab/cache/oat/mcagswvws.cur.prof

Filesize
465B

MD5
bdd84208ee190992f31811b8c6b34f1d

SHA1
1a88ab4f4edda0726e7da6fc1cef067f458e6618

SHA256
f62a97dd6769ce42357d3a93baa8a915ab743744d7287acaf8722a0bdd06b659

SHA512
19876f07e660e4f574de559ced86e6275d81d4b75cbb3a4ab71d2c4a0e53d15b0c79e4ace3d78eafba6493d94be1cd07b9ad055b185c532cd3d402eafad489cd

Download Submit
/data/data/com.riverlightlrab/kl.txt

Filesize
237B

MD5
7301c2081e4a75465fdfa51efa6ecad0

SHA1
e80563098b95ce2b79b79ee659f941f5d3230389

SHA256
349bf24a89a6aaf27b5245a3d74872ccadfe700a91bffbc7734392e6ad21ec2c

SHA512
298adeac216c0e22e4f6b412873966d66871cb7a2dbb1f7a085d9bc1376e753b5ba06b3b615f14ae1668066d058954bbff7039b72d47a0b2a306367120a4325f

Download Submit
/data/data/com.riverlightlrab/kl.txt

Filesize
79B

MD5
d8787c4dedf8d1ffbfe185024ce476a5

SHA1
c6a3eeb40a80ac9a98ee30cfa24b8e826718c93b

SHA256
a8850aab2c52d5f816c09d25e7a6e7fe8d16ea1e552842d9430425f9279a81c1

SHA512
70d53e7b45c7c20b65123a1a166b946d1b84e505342e404766ca44a55cd9907e48c4b4d76143657b86200d93c3e8f2faa8fccafe70ffcce23feed1905ccc6e07

Download Submit
/data/data/com.riverlightlrab/kl.txt

Filesize
63B

MD5
7abd7c71f5f751f840b85fa0be89691e

SHA1
65f9662aec87f88a386a3b3ee21a07b1afea4f82

SHA256
8ca6cda9a690e98d3151bf8c18c3ee145c67d939f0704532ac163245bdf85250

SHA512
68c39fe016d20edea13ca61a82028afbf5f0db26053820fc8510281d1a7b67b512e67f4975c8cd286e82c341f98cbe9b9e835c1b38832a0e229adec7181ea3b9

Download Submit
/data/data/com.riverlightlrab/kl.txt

Filesize
45B

MD5
4d3f0ba5cc7e9a1ec4aae3b202a147f1

SHA1
cd27663cdb94e20cc0aa6353d8d4700c08371a8b

SHA256
0ee7250c6c7a635b6ce98356b7e67c1b5c1351db2aa50549c9a8c10f8c83fece

SHA512
76c57dfb578b5f58dda9faa5b19ab0c0be72c3a5753e687fc16672da4f7dfc24668ea0803ff7cc03f7292e94956aea7ee09b1237f55bd63770c12d1172928bff

Download Submit
/data/data/com.riverlightlrab/kl.txt

Filesize
437B

MD5
796738ecf561509f841e9af3efa91e0a

SHA1
0222c1a940f929032cd285c978350a2f0f4cc404

SHA256
2246b583f75140f45e79a0d5ed61656a5055870a2728981507f63262dcaebe99

SHA512
59d4db121cb68492e1a0062fa49086d711bed228d96ddb0268b3e3408e0b4e7a579f8e329ad62547679619772d4af1cc713d136fdc03f90b740a2d6f5fe758ad

Download Submit
/data/user/0/com.riverlightlrab/app_dex/classes.dex

Filesize
3KB

MD5
80309d58da80ade64481f0c8c82b47e5

SHA1
4b07e9706a7c1de65081b62599fd09a565a34323

SHA256
20db902842bcd0ed4c23883feb77708d441a40ddb24bdcf32b74d96f1e52226f

SHA512
ab8580ade16690d7caa538cb9bbace52f63e0b537fee3f508e3f57ba663e0ff8728b64e4d84e3d9bedc616a116f86b743f9b7897f2d0be12e76279f31f402d22

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.