alienbot

Sharing

General

Target

Downloaded.rar
Size

53.1MB
Sample

241123-m14ysszlgl
MD5

27280f8e76ebc16e905b2a47d69a7030
SHA1

e5fb912e598844621805e23a6fdce1351a81ed35
SHA256

96515ec94f2bce57561174f2516246c16b73ddfc5f0aadf2aa576f65604df213
SHA512

22ddaa1ec6137657240c2150a24401c442559171405e092c3b201c81748bb8d425552ddb3dd9bf9e867e2154b41f011cca9cc5052336605645de480ac79db364
SSDEEP

786432:7+TYxRGYehyqOheN8sGPoO9zPGYcgHsDqS614JkKC0+eOmh3kWREvdjRuiHmcliB:7D4prOAjGJBMmS61vKP/Om0d82iZ7

Score

10^/10

Malware Config

Extracted

Family

alienbot

http://84.32.214.45

rc4.plain

Extracted

Family

alienbot

http://84.32.214.45

Extracted

Family

octo

https://agambeniseviyoryav.com/MWZjODg0YjhhMWVi/

https://c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://64b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://74b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://89c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b641390330721556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://jtfersion.com/YWFiM2VkMmFmNWFh/

https://kineomager.net/YWFiM2VkMmFmNWFh/

https://aberinogerd.com/YWFiM2VkMmFmNWFh/

https://nolevibanget.net/YWFiM2VkMmFmNWFh/

https://hayatindonderlerikararver.xyz/MDQ2MTZjMDhlZDQy/

https://zorluklaryenicocugunhikaye.xyz/MDQ2MTZjMDhlZDQy/

https://yasamtarzdunyayidogrutani.xyz/MDQ2MTZjMDhlZDQy/

https://cikmazyollardaumutarayan.xyz/MDQ2MTZjMDhlZDQy/

https://hayatinhikayesipratikcozum.xyz/MDQ2MTZjMDhlZDQy/

https://yasaminkavgaveodulleri.xyz/MDQ2MTZjMDhlZDQy/

https://kucukengellerbuyukbasari.xyz/MDQ2MTZjMDhlZDQy/

https://zamaninguctusevinyasan.xyz/MDQ2MTZjMDhlZDQy/

rc4.plain

Extracted

Family

octo

https://agambeniseviyoryav.com/MWZjODg0YjhhMWVi/

https://c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://64b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://74b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://89c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b641390330721556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://jtfersion.com/YWFiM2VkMmFmNWFh/

https://kineomager.net/YWFiM2VkMmFmNWFh/

https://aberinogerd.com/YWFiM2VkMmFmNWFh/

https://nolevibanget.net/YWFiM2VkMmFmNWFh/

https://hayatindonderlerikararver.xyz/MDQ2MTZjMDhlZDQy/

https://zorluklaryenicocugunhikaye.xyz/MDQ2MTZjMDhlZDQy/

https://yasamtarzdunyayidogrutani.xyz/MDQ2MTZjMDhlZDQy/

https://cikmazyollardaumutarayan.xyz/MDQ2MTZjMDhlZDQy/

https://hayatinhikayesipratikcozum.xyz/MDQ2MTZjMDhlZDQy/

https://yasaminkavgaveodulleri.xyz/MDQ2MTZjMDhlZDQy/

https://kucukengellerbuyukbasari.xyz/MDQ2MTZjMDhlZDQy/

https://zamaninguctusevinyasan.xyz/MDQ2MTZjMDhlZDQy/

Attributes

target_apps
at.spardat.bcrmobile

at.spardat.netbanking

com.bankaustria.android.olb

com.bmo.mobile

com.cibc.android.mobi

com.denizbank.mobildeniz

com.rbc.mobile.android

com.scotiabank.mobile

com.td

cz.airbank.android

eu.inmite.prj.kb.mobilbank

com.bankinter.launcher

com.kutxabank.android

com.rsi

com.tecnocom.cajalaboral

es.bancopopular.nbmpopular

es.evobanco.bancamovil

es.lacaixa.mobile.android.newwapicon

com.dbs.hk.dbsmbanking

com.FubonMobileClient

com.hangseng.rbmobile

com.MobileTreeApp

com.mtel.androidbea

com.scb.breezebanking.hk

hk.com.hsbc.hsbchkmobilebanking

com.aff.otpdirekt

com.ideomobile.hapoalim

com.infrasofttech.indianBank

com.mobikwik_new

com.oxigen.oxigenwallet

jp.co.aeonbank.android.passbook

jp.co.netbk

jp.co.rakuten_bank.rakutenbank

jp.co.sevenbank.AppPassbook

jp.co.smbc.direct

jp.mufg.bk.applisp.app

com.barclays.ke.mobile.android.ui

nz.co.anz.android.mobilebanking

nz.co.asb.asbmobile

nz.co.bnz.droidbanking

nz.co.kiwibank.mobile

com.getingroup.mobilebanking

eu.eleader.mobilebanking.pekao.firm

eu.eleader.mobilebanking.pekao

eu.eleader.mobilebanking.raiffeisen

pl.bzwbk.bzwbk24

pl.ipko.mobile

pl.mbank

alior.bankingapp.android

com.comarch.mobile.banking.bgzbnpparibas.biznes

com.comarch.security.mobilebanking

com.empik.empikapp

com.empik.empikfoto

com.finanteq.finance.ca

com.orangefinansek

eu.eleader.mobilebanking.invest

pl.aliorbank.aib

pl.allegro

pl.bosbank.mobile

pl.bph

pl.bps.bankowoscmobilna

pl.bzwbk.ibiznes24

pl.bzwbk.mobile.tab.bzwbk24

pl.ceneo

pl.com.rossmann.centauros

pl.fmbank.smart

pl.ideabank.mobilebanking

pl.ing.mojeing

pl.millennium.corpApp

pl.orange.mojeorange

pl.pkobp.iko

pl.pkobp.ipkobiznes

com.kuveytturk.mobil

com.magiclick.odeabank

com.mobillium.papara

com.pozitron.albarakaturk

com.teb

ccom.tmob.denizbank

com.tmob.tabletdeniz

com.vakifbank.mobilel

tr.com.sekerbilisim.mbank

wit.android.bcpBankingApp.millenniumPL

com.idamobile.android.hcb

logo.com.mbanking

com.openbank

com.google.android.apps.walletnfcrel

com.samsung.android.spay

com.cardsapp.android

cz.bsc.rc

cb.ibank

com.bifit.mobile.ubrr

com.bssys.mbcphone.ubrir

net.bl

com.bifit.mobile.bin

com.webmoney.my

com.polehin.android

com.bitcoin.mwallet

io.totalcoin.wallet

com.quppy

com.sharpdev.fxcoin

com.advantage.RaiffeisenBank

hr.asseco.android.jimba.mUCI.ro

may.maybank.android

ro.btrl.mobile

com.amazon.mShop.android.shopping

com.amazon.windowshop

com.ebay.mobile

com.idamob.tinkoff.android

com.akbank.android.apps.akbank_direkt

com.akbank.android.apps.akbank_direkt_tablet

com.akbank.softotp

com.akbank.android.apps.akbank_direkt_tablet_20

com.fragment.akbank

com.ykb.android

com.ykb.android.mobilonay

com.ykb.avm

com.ykb.androidtablet

com.veripark.ykbaz

com.softtech.iscek

com.yurtdisi.iscep

com.softtech.isbankasi

com.monitise.isbankmoscow

com.finansbank.mobile.cepsube

finansbank.enpara

com.magiclick.FinansPOS

com.matriksdata.finansyatirim

finansbank.enpara.sirketim

com.vipera.ts.starter.QNB

com.redrockdigimark

com.garanti.cepsubesi

com.garanti.cepbank

com.garantibank.cepsubesiro

biz.mobinex.android.apps.cep_sifrematik

com.garantiyatirim.fx

com.tmobtech.halkbank

com.SifrebazCep

eu.newfrontier.iBanking.mobile.Halk.Retail

tr.com.tradesoft.tradingsystem.gtpmobile.halk

com.DijitalSahne.EnYakinHalkbank

com.ziraat.ziraatmobil

com.ziraat.ziraattablet

com.matriksmobile.android.ziraatTrader

com.matriksdata.ziraatyatirim.pad

de.ingdiba.bankingapp

de.comdirect.android

de.commerzbanking.mobil

de.consorsbank

com.db.mm.deutschebank

de.dkb.portalapp

com.de.dkb.portalapp

com.ing.diba.mbbr2

de.postbank.finanzassistent

mobile.santander.de

de.fiducia.smartphone.android.banking.vr

fr.creditagricole.androidapp

fr.axa.monaxa

fr.banquepopulaire.cyberplus

net.bnpparibas.mescomptes

com.boursorama.android.clients

com.caisseepargne.android.mobilebanking

fr.lcl.android.customerarea

com.paypal.android.p2pmobile

com.wf.wellsfargomobile

com.wf.wellsfargomobile.tablet

com.wellsFargo.ceomobile

com.usbank.mobilebanking

com.usaa.mobile.android.usaa

com.suntrust.mobilebanking

com.moneybookers.skrillpayments.neteller

com.moneybookers.skrillpayments

com.clairmail.fth

com.konylabs.capitalone

com.yinzcam.facilities.verizon

com.chase.sig.android

com.infonow.bofa

com.bankofamerica.cashpromobile

uk.co.bankofscotland.businessbank

com.grppl.android.shell.BOS

com.rbs.mobile.android.natwestoffshore

com.rbs.mobile.android.natwest

com.rbs.mobile.android.natwestbandc

com.rbs.mobile.investisir

com.phyder.engage

com.rbs.mobile.android.rbs

com.rbs.mobile.android.rbsbandc

uk.co.santander.santanderUK

uk.co.santander.businessUK.bb

com.sovereign.santander

com.ifs.banking.fiid4202

com.fi6122.godough

com.rbs.mobile.android.ubr

com.htsu.hsbcpersonalbanking

com.grppl.android.shell.halifax

com.grppl.android.shell.CMBlloydsTSB73

com.barclays.android.barclaysmobilebanking

com.unionbank.ecommerce.mobile.android

com.unionbank.ecommerce.mobile.commercial.legacy

com.snapwork.IDBI

com.idbibank.abhay_card

src.com.idbi

com.idbi.mpassbook

com.ing.mobile

com.snapwork.hdfc

com.sbi.SBIFreedomPlus

hdfcbank.hdfcquickbank

com.csam.icici.bank.imobile

in.co.bankofbaroda.mpassbook

com.axis.mobile

cz.csob.smartbanking

sk.sporoapps.accounts

sk.sporoapps.skener

com.cleverlance.csas.servis24

org.westpac.bank

nz.co.westpac

au.com.suncorp.SuncorpBank

org.stgeorge.bank

org.banksa.bank

au.com.newcastlepermanent

au.com.nab.mobile

au.com.mebank.banking

au.com.ingdirect.android

MyING.be

com.imb.banking2

com.fusion.ATMLocator

au.com.cua.mb

com.commbank.netbank

com.citibank.mobile.au

com.citibank.mobile.uk

com.citi.citimobile

org.bom.bank

com.bendigobank.mobile

me.doubledutch.hvdnz.cbnationalconference2016

au.com.bankwest.mobile

com.bankofqueensland.boq

com.anz.android.gomoney

com.anz.android

com.anz.SingaporeDigitalBanking

com.anzspot.mobile

com.crowdcompass.appSQ0QACAcYJ

com.arubanetworks.atmanz

com.quickmobile.anzirevents15

at.volksbank.volksbankmobile

it.volksbank.android

it.secservizi.mobile.atime.bpaa

de.fiducia.smartphone.android.securego.vr

com.isis_papyrus.raiffeisen_pay_eyewdg

at.easybank.mbanking

at.easybank.tablet

at.easybank.securityapp

at.bawag.mbanking

com.bawagpsk.securityapp

at.psa.app.bawag

com.pozitron.iscep

com.vakifbank.mobile

com.pozitron.vakifbank

com.starfinanz.smob.android.sfinanzstatus

com.starfinanz.mobile.android.pushtan

com.entersekt.authapp.sparkasse

com.starfinanz.smob.android.sfinanzstatus.tablet

com.starfinanz.smob.android.sbanking

com.palatine.android.mobilebanking.prod

fr.laposte.lapostemobile

com.cm_prod.bad

com.cm_prod.epasal

com.cm_prod_tablet.bad

com.cm_prod.nosactus

mobi.societegenerale.mobile.lappli

com.bbva.netcash

com.bbva.bbvacontigo

com.bbva.bbvawallet

es.bancosantander.apps

com.santander.app

es.cm.android

es.cm.android.tablet

com.bankia.wallet

com.bestbuy.android

com.jiffyondemand.user

com.latuabancaperandroid

com.latuabanca_tabperandroid

com.lynxspa.bancopopolare

com.unicredit

it.bnl.apps.banking

it.bnl.apps.enterprise.bnlpay

it.bpc.proconl.mbplus

it.copergmps.rt.pf.android.sp.bmps

it.gruppocariparma.nowbanking

it.ingdirect.app

it.nogood.container

it.popso.SCRIGNOapp

posteitaliane.posteapp.apppostepay

com.abnamro.nl.mobile.payments

com.triodos.bankingnl

nl.asnbank.asnbankieren

nl.snsbank.mobielbetalen

com.btcturk

com.ingbanktr.ingmobil

com.tmob.denizbank

tr.com.hsbc.hsbcturkey

com.att.myWireless

com.vzw.hss.myverizon

aib.ibank.android

com.bbnt

com.csg.cs.dnmbs

com.discoverfinancial.mobile

com.eastwest.mobile

com.fi6256.godough

com.fi6543.godough

com.fi6665.godough

com.fi9228.godough

com.fi9908.godough

com.ifs.banking.fiid1369

com.ifs.mobilebanking.fiid3919

com.jackhenry.rockvillebankct

com.jackhenry.washingtontrustbankwa

com.jpm.sig.android

com.sterling.onepay

com.svb.mobilebanking

org.usemployees.mobile

pinacleMobileiPhoneApp.android

com.fuib.android.spot.online

com.ukrsibbank.client.android

com.Plus500

eu.unicreditgroup.hvbapptan

com.targo_prod.bad

com.db.pwcc.dbmobile

com.db.mm.norisbank

com.bitmarket.trader

com.plunien.poloniex

com.mycelium.wallet

com.bitfinex.bfxapp

com.binance.dev

com.binance.odapplications

com.blockfolio.blockfolio

com.crypter.cryptocyrrency

io.getdelta.android

com.edsoftapps.mycoinsvalue

com.coin.profit

com.mal.saul.coinmarketcap

com.tnx.apps.coinportfolio

com.coinbase.android

com.portfolio.coinbase_tracker

com.bitpay.wallet

com.bitcoin.wallet.btc

com.blocktrail.mywallet

org.electrum.electrum

com.paxful.wallet

com.bitcoin.pocketbook.btc

net.bitstamp.app

de.schildbach.wallet

piuk.blockchain.android

info.blockchain.merchant

com.jackpf.blockchainsearch

com.unocoin.unocoinwallet

com.unocoin.unocoinmerchantPoS

com.thunkable.android.santoshmehta364.UNOCOIN_LIVE

wos.com.zebpay

com.localbitcoinsmbapp

com.thunkable.android.manirana54.LocalBitCoins

com.thunkable.android.manirana54.LocalBitCoins_unblock

com.localbitcoins.exchange

com.coins.bit.local

com.coins.ful.bit

com.jamalabbasii1998.localbitcoin

zebpay.Application

xmr.org.freewallet.app

com.bitcoin.ss.zebpayindia

com.kryptokit.jaxx

com.cajasur.android

app.wizink.es

com.grupocajamar.wefferent

caixagalicia.activamovil

com.abanca.bancaempresas

net.inverline.bancosabadell.officelocator.android

es.caixageral.caixageralapp

com.bankinter.bkwallet

com.db.pbc.mibanco

com.indra.itecban.mobile.novobanco

es.openbank.mobile

es.pibank.customers

es.bancosantander.empresas

com.indra.itecban.triodosbank.mobile.banking

es.univia.unicajamovil

com.westernunion.moneytransferr3app.es

www.ingdirect.nativeframe

AES_key

Targets

- Target
  
  01e6cb93ee9ab6e67340d1f9e6ede5efc9c64f9e
- Size
  
  1.1MB
- MD5
  
  53138b3f0f98b6433d28b5aef525f7b3
- SHA1
  
  01e6cb93ee9ab6e67340d1f9e6ede5efc9c64f9e
- SHA256
  
  31b0c269aebb2c98f47d73b0224f29a39ee0eac0b0f4989e741acf1e0606124d
- SHA512
  
  2a010c4013891417e9d6f4e8a32d8f20b71f2d5aaf401ea071ad8099270dd0aee29402c6c78862bf1e4ce1c341fa9cc1785fbafd43aee6975e8c052142f74a82
- SSDEEP
  
  24576:9rp4PsCmh+Tsn3m+wK536DCIMjyBugmhUpk3Ka1oob9jU4R7QHoHO2Edq:N6y+wn3mEGij6g5v1LNR7WZ2N
Score

10^/10

alienbot cerberus banker evasion infostealer persistence rat trojan
- Alienbot
  Alienbot is a fork of Cerberus banker first seen in January 2020.
  banker trojan infostealer alienbot
- Alienbot family
  alienbot
- Cerberus
  An Android banker that is being rented to actors beginning in 2019.
  banker trojan infostealer evasion rat cerberus
- Cerberus family
  cerberus
- Cerberus payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
behavioral1
- Target
  
  197359a4d8548b72c8e14e6d75d612ded5cfc3d7
- Size
  
  1.7MB
- MD5
  
  6c3941514784878a966ccdcad2076464
- SHA1
  
  197359a4d8548b72c8e14e6d75d612ded5cfc3d7
- SHA256
  
  9e24d8cf9c0775f65513de32940d7d508d6806e2185ef05fdc22b1df32e6ee8a
- SHA512
  
  bedaed69b307a18ed0896799d192b0f21ad21c2713c1e17eeb5b664d530cbdeb09ccf08dce7accb8879775a2599bde3e9ad705170cb9bed0b1478f0187839b5c
- SSDEEP
  
  49152:OOyBnSqcYNQerVChxz/Q8QP7u/DKk01j70AM+2ftGDCDQDrQJ8:ZEcKQehW9QbgM1fZMdtGDkQD8K
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral2
- Target
  
  2427241add3123a2e6fba0aa091c487816d9b670
- Size
  
  2.2MB
- MD5
  
  337d933f1a96325b4decf4c1efd80957
- SHA1
  
  2427241add3123a2e6fba0aa091c487816d9b670
- SHA256
  
  4a0ee191e0f6b400106812a55996b4d7848ce9d73d86aed7d58d1ec10cd46d2e
- SHA512
  
  033c88cd5d8801bfd1dbd0307fa71eb906d05a7497089fa27b26c46f73167d8bcad56793f154e3ce155d54d0c4a6c87d906f9ef2fd336ac5930720c869621f1a
- SSDEEP
  
  49152:qElGP+TaA9+wRqOsfGIg6j4PmrGngzsRjOJ21614u+Ii+0Un4mjO6wuOJW99EIpH:qElGgN5ysPmKgARjOJ461hGXUnRjTs89
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral3
- Target
  
  282a7cfccb03ab7ca7fa3eeb9a4cc28e262e2abd
- Size
  
  5.0MB
- MD5
  
  613ea39bc391c96f3af86ce77c9e7614
- SHA1
  
  282a7cfccb03ab7ca7fa3eeb9a4cc28e262e2abd
- SHA256
  
  245b4bab43a0df29bcb30b49b4426e1bcb7eadc9e4c23a8aecce2dbfc64014ae
- SHA512
  
  31c959e88ca8f61dfd2f0a836bd542c1f92731c6c46eb11a2eaa117df79a08f24f15f2b627255722a9b34b94b6372184f1c6504abb92f3270b66eb17f46f361c
- SSDEEP
  
  98304:0SznnPrMK4q1yTA7+McW8o8A0UzCGsIYyGWU6vAubwGDsPamJlb4P72BznF1kiEs:dxhYRfHe6GUYf5ag1m
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral4
- Target
  
  284d74a6fbc2c12745c475bc0d2f24e9b43488fa
- Size
  
  3.6MB
- MD5
  
  de7a38b41da418b842a161d126c1a4c4
- SHA1
  
  284d74a6fbc2c12745c475bc0d2f24e9b43488fa
- SHA256
  
  54c76c307c0e03a81921b4a5b66ce4218f04ed5da80f1ddde4a8b95e484df23f
- SHA512
  
  b6d19aa7a585c7fdc5ce10d1c940c96a4bb013b97db285be14aa90c29890562e398ef5565d176dcb88d61cbfc477df6059f10b3ccdfd1b89e0532107b28f24d8
- SSDEEP
  
  98304:5gOGK4q1yZA7+Mc1cwH/pP72bznFQnKT6Lt+8ZAcnzgePOY8Eg7exNJmtBhpD6gW:5gHTKT6p+8Z7nzgemOg7ex3f
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral5
- Target
  
  3221126c3590df52f238b0dcbfd5e77b226a8a63
- Size
  
  2.2MB
- MD5
  
  d02d3dbc0a1026c5004c7ef271d2547a
- SHA1
  
  3221126c3590df52f238b0dcbfd5e77b226a8a63
- SHA256
  
  ecadc9cdf7e70be4017a06fe6387fbee3b05862b552ada69bc9cbe2c8174f209
- SHA512
  
  2a1db9afa7d339796c04aef2faa296c39e1782d2c2b58d9f49bd6c5d8b90fb89136431328d66d0f8bae8534537ab7c9dfd96aace502ef6d72b6b9e5478ceada0
- SSDEEP
  
  49152:emqgT/t/pDlo3C8QQQQdW8QQQQ70vXYBKUXS8lwEACOlojOet0YR9i8QQQQc9E8Q:e0l/pDQ3hB98E1R69C
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral6
- Target
  
  3f3ab2cd7eea46a0b7061f692401952b6bf4fdbf
- Size
  
  4.2MB
- MD5
  
  5458df0e4701d95ee63723d2d266d670
- SHA1
  
  3f3ab2cd7eea46a0b7061f692401952b6bf4fdbf
- SHA256
  
  ec702df6a7d7c7c8c0b1167049a9d81c3b185e67752d53ab08d2a7b9ddc6a373
- SHA512
  
  b4915771cb8953ac82b6751adae06104e484b6e58bae9f026e475d84316aac970609d3da6925e2a00ae7de1173fe78c63d56100914e7c9aad61bd42060dd620f
- SSDEEP
  
  98304:ELVx5lbHhcUgIo8AHtjQsC2qH9VsvIubwGDsPamJlb4sXbhkSb3xWzSfWxT5zVVF:+gB4ECfpkqxczTA7iB
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral7
- Target
  
  43e48ed5f674dcf241ba8b9456162b97f671f7fc
- Size
  
  2.3MB
- MD5
  
  03fe02d1c77afc416ea7b2cde11d0730
- SHA1
  
  43e48ed5f674dcf241ba8b9456162b97f671f7fc
- SHA256
  
  001c43293f68ebc6a914518f5ef2fce3ec8eccef274f42662a783f0b340a1509
- SHA512
  
  ff6ad234ecd2f9399c647d23a67be8b325e2ba73eb6ee7e533593c6cb33039c7e5a5fcbe717d1a3e0f97ab1d6a5f1459b6f15894f0a837a44360d8a31f0734e5
- SSDEEP
  
  49152:Vc1Jy5LpRQk7pb3HQFBUX+uwsN0H6jECVDPVpN94y+wy:vBpqkBwFBUX+lw0svhY
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral8
- Target
  
  616c4ad548e04baba19d12f04a427019c2a7c78a
- Size
  
  1.2MB
- MD5
  
  1c7286487d8b0703694ce16a5ce05bb1
- SHA1
  
  616c4ad548e04baba19d12f04a427019c2a7c78a
- SHA256
  
  1d2376d7bd4afd60ad565b43ff6148c071c9469e09cc79e88c5d3293e0e63f9d
- SHA512
  
  43783cd66577ce5968dc6ab999d0cb897e864bd3f7a2286905a4168f0674be5ebf0fcb05e61f71416e71cef751609c4b01e258b33b5357e1927a3d4340c4b7f3
- SSDEEP
  
  24576:iWx4ZNK4xu9HeSiZML8QXu1RIW3j4GdVHyiMMKEZwo28:iSONK4xu9+HZ5QXOjHBjvwoV
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral9
- Target
  
  74aca9fcfbe1a787b6ffec5e35155d664f5679e6
- Size
  
  2.4MB
- MD5
  
  f6055e5e71cbc725428770c9303c153a
- SHA1
  
  74aca9fcfbe1a787b6ffec5e35155d664f5679e6
- SHA256
  
  576f24b38e97218b1ba8e329800825f0e80d73bce3b9e2cf845562d37ef934ff
- SHA512
  
  df38660fe25f6a7b03ecb1bc212c63893c55a8bb56ba4e3c23418042a1599eec13686e454689de67d4874d69f459484e0b2cacd9f661958ae2feb737961e442f
- SSDEEP
  
  49152:25bKRK1PGjeL0SDGImRG6Ey6wFob+t7d69LfLXzpv7cm:iOD2GIkayfs+XaLjDum
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral10
- Target
  
  753c262257602605e79946ed42fa855da101761d
- Size
  
  2.0MB
- MD5
  
  40265050e0136239ffc1ac9d782e31ae
- SHA1
  
  753c262257602605e79946ed42fa855da101761d
- SHA256
  
  dc69c74be98939f4940807d2268b5b32ed2f2729b2ba068591caf0254160a6d6
- SHA512
  
  03512268e0a9440c5f35a5c3b08f97a0c60b4bc5c11fa3cfd843089ad83d049cfb5ee525f00adf0b8334b5b413e23fae0287899f737cc1f9f4473155c85a654b
- SSDEEP
  
  49152:BTT+7AgEUy1I8ehFC1l8+E5RMoznNlJnFm:dT+dEUy1I3FCzE5R/z5c
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral11
- Target
  
  83684d8fa6a73bbbf2e402757e6ccf4b2018c497
- Size
  
  1.8MB
- MD5
  
  8e9fbb517a4b38f631b909c0f05db684
- SHA1
  
  83684d8fa6a73bbbf2e402757e6ccf4b2018c497
- SHA256
  
  05f6ecdd20f0c52c557d96eb5eefdf1d660aa9a68b307616fd0db803bb4690bf
- SHA512
  
  65987ef98193adeb55cda0ca12e17c6979a8ec2c5cbfb51f0fccb872f4648899753b35c1081957cb25edd6cbe43dc270b2565c7a4d69047b76fbddc0f095224c
- SSDEEP
  
  49152:A8QQQQj3tbct/p6WnJ70fcZCl5wlw0bV2eP5Wk9+C+dJ7H4:ZNM/p6WR0fj5we0bEydL+ddY
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral12
- Target
  
  84b4b256e482bad6dfa694a96e9b4ea5fcc9fc0f
- Size
  
  2.2MB
- MD5
  
  081bd06adceac9e3b5b19d9369156634
- SHA1
  
  84b4b256e482bad6dfa694a96e9b4ea5fcc9fc0f
- SHA256
  
  0a878d9178c95ad2a518471d2d97d6dfb50b5e9bc1bd0e053a3fa85c787b891b
- SHA512
  
  77f30b67b577f1fc5c4450b92211c85163eb94e4c6b0a2ed8e2fe4e1436ef1d0ccd115255d71272ca60c6890ce8c0d75aa65ee2eb7c7454b1f3625eebb172eae
- SSDEEP
  
  49152:DwufK3pY9s83fPmN+yOp97eYCyczag2XiZGZbmqQa6qAE4KoSx:DwuUY9sUfPmNfOeYQz/2XiZQ/Q5g
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral13
- Target
  
  865e193b3c83f15cfb0a180dd33affaed8bfab3d
- Size
  
  1.7MB
- MD5
  
  bed61342b7339b40f96172a8f3bf6e9e
- SHA1
  
  865e193b3c83f15cfb0a180dd33affaed8bfab3d
- SHA256
  
  55b92655fd372189cb7ae07dedefa23f7660c0500892150e8c5ffe788c3dc72f
- SHA512
  
  108b86ed363d03c222b7abb8c37cad4a5cff6c57241daa38ada14cec04173d311736b1cadb040beaf065235671e8fcdc40819eebc1168829580e87980da5f2dd
- SSDEEP
  
  49152:D8ow18yYd2Ws57EeC9vbOyLTE4+BPgwOrY:D8oFNdBce9vzLY41rY
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral14
- Target
  
  8734504205b5cdf1ea4c0e2d62a0dcf8500dc73f
- Size
  
  1.8MB
- MD5
  
  f8f55308787894637f25d60b36f9cd85
- SHA1
  
  8734504205b5cdf1ea4c0e2d62a0dcf8500dc73f
- SHA256
  
  a740e47017159d8907da0d9752479ee28e7246104e6332a6f654ccaf846366d9
- SHA512
  
  051d35251a63e0d11b84f45da8fb41e2a7f6c28564ff8b1401d4615bc6976d8694db6ebdcae7c665eb2dd4ad6acc2b6cdb7fe6073d5cde62e883cb3401a0e7a8
- SSDEEP
  
  49152:7Nq2/4HF0X8HT5P4wOamxUGpeatOlvGkJ6g6ZX7Xq:BqHF0X81PPOnOGptkM0
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral15
- Target
  
  950867a96cc81824ec348bc9340f283c139d7832
- Size
  
  1.2MB
- MD5
  
  3f6a33d7c38c11e6d3499d019a4d78d5
- SHA1
  
  950867a96cc81824ec348bc9340f283c139d7832
- SHA256
  
  61109ef1b642603b1724b776ece76b9f2f5ff2511e0613b6f9ec7808b495bbe3
- SHA512
  
  e6f1bb7435de54b0bc8b75ddb4c02c1d50bf2d21f98ddda807479d489628fb907fade81ee6437c00d7b53afe5a5a5148d607d53498220ccccb696fab70faca73
- SSDEEP
  
  24576:+nFDk6De3q6iNavB/+htTvwmlm2lf+i05vk6Y7Hf6J3PMh/00sX9nJ:+ntk6Df6iNo1QrwmYSSvVs/6x0hcpXj
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral16
- Target
  
  98b720a6ca62407d6e1cadb11969bc3feceb0399
- Size
  
  1.8MB
- MD5
  
  fd49fa3b56264046cf94daa6711f11b6
- SHA1
  
  98b720a6ca62407d6e1cadb11969bc3feceb0399
- SHA256
  
  66499e7e3ea5a4ac26a459569d94e2893c4ba7c01227dfdd1fda96bb50279723
- SHA512
  
  656fb58338745af0bd3e9056365a6d6e8239ca7bb3db2ed82272ddd6356f7f9be55dcc2904f7127072c623db48df806f6d95a3b141f3316920e556544d615444
- SSDEEP
  
  49152:Ho4Zo19McNlkgxoawPcIci5HBlGLIx51yaV8t75Gs9K/qSQcOg9luZ:I0o1Fl7uNBlGLiKaI75tKiqH9la
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral17
- Target
  
  9cc247e8df72cd7938a43004864a235930d8c948
- Size
  
  541KB
- MD5
  
  071294694a7e883ac8ea8a2b7bcc078c
- SHA1
  
  9cc247e8df72cd7938a43004864a235930d8c948
- SHA256
  
  b23d6ed3feee24c8602e7e4313c1f3247575490468890721d35b3719a72d2bb7
- SHA512
  
  2445a097dbb624977fc1a5983c288c9744ee44183dd31f241b3fb913f421295cc73e22fc64a1b889741844b9f38c14b9c6675befee374ac48315dd39ee4453fc
- SSDEEP
  
  12288:exsDdlmR3oliBbDBk0mDHvAkZ2y4Bc5biBgkk/PIVIvaK1ozVQgJ:exsDuRYib+rDHvAkZ2mbK2P9vaK1oJQ0
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral18
- Target
  
  a3a5eefad1ab7ede2d493629ff7eb29f3d9c8134
- Size
  
  1.8MB
- MD5
  
  bb9fb07eebb6475636d9a508efa06744
- SHA1
  
  a3a5eefad1ab7ede2d493629ff7eb29f3d9c8134
- SHA256
  
  4bb97c43e2a4b6f8b0f725f8fa05dd8b8ef9055a2912649ea26cda0c097c9c27
- SHA512
  
  44184ee1995e156e6c02bf1cd920057999b39a7e47ee30eaa079b01a4d7d01decca2f55ea2752b1aec4654270abc4fa1a3355f8a113dfc12738dac52c3dd44a1
- SSDEEP
  
  49152:u3AQkaxOQjc1QtEhf+zYXFJ2N0C4ytPS/eVszsvKLG3NIdch5:u3ArYOQxEJnLFyVS/qszsN9mW5
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral19
- Target
  
  af3368fbdffaed6f089dbdd77d170b09dc9fc8c7
- Size
  
  1.9MB
- MD5
  
  cf72562e2263776d54be0bbd9e9d3909
- SHA1
  
  af3368fbdffaed6f089dbdd77d170b09dc9fc8c7
- SHA256
  
  73d3e8023ba36e1f89377a9f85ca9bfc5e7e8f9f566056341eafc85696f7e6da
- SHA512
  
  03e349f663de23c2f088f58a4d2c73cee8eafaaa569b683b506de1666faf08ff735410ed534bbc9e13d701e24369742be1d0d540027b5737751b144173e60241
- SSDEEP
  
  49152:VoF/+qiX0EnMFMab8dABmPJUG3LpFsn3PB/JlXX2ZGZbmqId8tAE4KoSJ:VoF/+qVEMFA6IUYdFO/B/nX2ZQ/IRc
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral20
- Target
  
  b0bb07c713ad70db85f0a6058fb0fa3bee58b0aa
- Size
  
  2.4MB
- MD5
  
  384df99e9cbfb5acb8e848f6f9c10b4d
- SHA1
  
  b0bb07c713ad70db85f0a6058fb0fa3bee58b0aa
- SHA256
  
  578228a784b5e674f623affed7a812bc5bcd9ec2d22fea5d837465e29335713c
- SHA512
  
  689ba8bfcec133eb8dd6a811a68de3b1db09942688cb51267a0c1ac2561d99fb9d37831bb5bf1014da6940fb96ef9ea2492126757324b0222397273cf5d3a1a9
- SSDEEP
  
  49152:CilHeAWE7I+blT4vQbxfGPsgJfnNnPCcMVEVaiQrGJnxqu6X5Xg/y9MuX4L7:BZWE7XZTKQbxfGPsg/PVMV2IroXiXg/v
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral21
- Target
  
  c4dccd90c3a007ce989c494caaa4b7f6e9bc2d2c
- Size
  
  2.7MB
- MD5
  
  b667a069b20c4f6da3c0b2edf79608e2
- SHA1
  
  c4dccd90c3a007ce989c494caaa4b7f6e9bc2d2c
- SHA256
  
  252feff9531af45445a74b949cad2a532de2a54831e66278c142f71c7b8c3f6d
- SHA512
  
  59e3ffde0e4878c87296240e0b16f127f2d60a856860b5618167cc0154d391dc51772179f4bf269d0e778c7db24905bae75f2dd7f53b742c24e0f5070036d92d
- SSDEEP
  
  49152:bze1Vqo4Zo1Zj4WlzKWfqniw1XeupuEtkoKrn9lirWcII+oSCVh/+VYGDBID+L:bzE0o1Zj4Wt4n1X3uEtkrzm6com/sK6L
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral22
- Target
  
  cabdd63fc10af9b43539d18cc4f7bd6830a3bfd9
- Size
  
  2.2MB
- MD5
  
  a53575fa56fbf1a7520a04cb5ec8b5a1
- SHA1
  
  cabdd63fc10af9b43539d18cc4f7bd6830a3bfd9
- SHA256
  
  a7bc0994a2d65de2439cb25f7742bfe679ca370b5b90a539e7627fb88acaa545
- SHA512
  
  b7d8d1089f994e6e29313d794c772a70cfa1570080b3232679488bc5efec75afb9bbadce96d13ac0a9c7ba9abd6ca5481d9df326424a605f2597b3311ca3c34b
- SSDEEP
  
  49152:W2WUMAabOxmJvnAox8OeoElGP+pZOOeRqOsfGIg6j4PmrGngzsgkNbDm6TmK7FjO:WZUAiou3oElGwTM5ysPmKgAg+bCJKxjO
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral23
- Target
  
  d27fe181daa9683613fa89b973ac1a904b0efca5
- Size
  
  541KB
- MD5
  
  17ae964fc20b463648c46cc61570f60e
- SHA1
  
  d27fe181daa9683613fa89b973ac1a904b0efca5
- SHA256
  
  2f0aa32c38e9f003006134daec95065e57051ccb0dd94cc9aa49d9f800a702b0
- SHA512
  
  3bc57adbb0b444c59d67ee6649b139a06236114d648040696e8ed6934eefb6a81dc7cca070a060e2bcc152c069cefc00ecd526973d99dc97528d43467c4b3b30
- SSDEEP
  
  12288:MKDsIxOjGGix9nPk3GudqVTOIDwwBAAMOGchL+ImI:1nOBjdnIbBBFjJJ
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral24
- Target
  
  d73f8720922c0bca6b12e1a2e1ce31689e59b50a
- Size
  
  2.7MB
- MD5
  
  cd8a4bf38b1ebac851248ee056d4b7ad
- SHA1
  
  d73f8720922c0bca6b12e1a2e1ce31689e59b50a
- SHA256
  
  29b1ae34b4f8b649c605026019e198f544619963e879bfe61581f67e3f512cad
- SHA512
  
  91045b8190cf626194a70454bc61f64ed1f113cb8b5aa16fdd920071dfb2c6a638513d38d150665727e6d8e562a570eca3fb7f03931431b97c8d7ee7d49d0129
- SSDEEP
  
  49152:TkrnorjkRbYEcfWy6sMa7RolsRqOsfGIg6j4PmrGngzsbdA8oMednZQlHKki2tOw:JebcHJS+5ysPmKgARATn4HKqtOGhR7B9
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral25
- Target
  
  e3b0cb744aa134ff48d69b448b719ba3f12279e8
- Size
  
  1.9MB
- MD5
  
  d6ef4776e12355014f2f4251bd713966
- SHA1
  
  e3b0cb744aa134ff48d69b448b719ba3f12279e8
- SHA256
  
  8705bf5315abdd1991874075ed74c494a75ec423d7d78217f4ee2e5baf88aace
- SHA512
  
  e1ee24f2895e976b33bc3cac367aa80527bed14da305e7acece08175d406b72823935151041f8e7415f1b5c84d8fd1351ab0552dd9e367ed54f2fd2a72f0aece
- SSDEEP
  
  49152:Jkx5BSge4v+a6LnSBS2zog2x1fCj0pkId74VHnwI2UaC7:aPBPGa6LnSc2UgW6ckXVHLJ
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral26
- Target
  
  eccd114fb6d2fc49928d0fe2800bd6235c5be89b
- Size
  
  2.1MB
- MD5
  
  9184581e44b60dbb59c9d06a8706de2f
- SHA1
  
  eccd114fb6d2fc49928d0fe2800bd6235c5be89b
- SHA256
  
  bee3f5522ce98d34199ed6e0d80320860ee2ebdec82fad24134d3875d141d6f1
- SHA512
  
  25fb544a547afe4b1f18a69431c483706d703fec638b5ac475d6cb62cb5c1b0f7748e5b646c8ba420408df0301e7f083895a9673ef0e7214c18242ca1cf218e7
- SSDEEP
  
  49152:MXpmQ33M8ovIpNo8AnNggUO8QQQQ6fuythBYFsFA4Efs4cdgb7J93B0icomKAOgc:MgdIpNo8An5kiEfs4Hb7J9xalqgtjhKF
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral27
- Target
  
  ee5950ed1975ff96b14e116c17b929e70ea93b08
- Size
  
  2.3MB
- MD5
  
  2c5bea4a0e8ebe568211a53e82de9136
- SHA1
  
  ee5950ed1975ff96b14e116c17b929e70ea93b08
- SHA256
  
  25bc16985188d02daf760fef23d5353cfd03aed699407596e46c032f05a5d659
- SHA512
  
  4e9e01baaa2492bc014ba9c8e07fe7c800954e3a9106e3bcc97282e5c6917113003a4a20db4c172c7a8c2e22ab73724e14cc786399acd2740500a1f788b714c5
- SSDEEP
  
  49152:YHSge4v+bGlXMWtjxUcTjQEBUVzksSMjiGMBEIMK/H4gKcvlbE8WPAlR6dsX:CPGbGnjxmOQjiGMhYTcvlbnWPWR6dsX
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral28
- Target
  
  f94f3f868141393ec9df11307eb7eddc6d9b734a
- Size
  
  1.2MB
- MD5
  
  57ea80a371feab800709e5b125e93a06
- SHA1
  
  f94f3f868141393ec9df11307eb7eddc6d9b734a
- SHA256
  
  64b535ae0e7d0f9edfcec31945310ea1c710f1aee18c52ac45c579b5a1ea3dfc
- SHA512
  
  aab66aa2e80a4289aa0fdd1964c60a3649fdf732384f1b888dcb10a6c4d49855f2d087e3f2cad245a7c5686cd6e6135ffc746a8d32613a8f8575b637dde8c1b0
- SSDEEP
  
  24576:IaibmdwiITEEFMqBAH98uswqtfncy82BOOHoOVepxTfzJwldqNfUQNtd:VS6IoE+qBAH9qwq/7XPyxT9EdkfUQNtd
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral29
- Target
  
  fd70959566881b4508b8ee38b639d37f9e96a185
- Size
  
  1.8MB
- MD5
  
  f41a23623617178586efc7213c0f88b9
- SHA1
  
  fd70959566881b4508b8ee38b639d37f9e96a185
- SHA256
  
  8ecb9b0bece0c3ed229e539693b69d9fb9f171cc2a32ba371f0fb9eb9e63f526
- SHA512
  
  e0325ebf50e2b421e50b7376c82ff587127700b14426966b7e1d9e696056e4d686b5a8314a29f15621b451387b481b29c7c3b83a7041235e6ae69202475cce35
- SSDEEP
  
  49152:VhhotlSfNFaEbp5IVWvnAoxgmXJw9vhRpxSKk+0xqsJxuVuUC5:nMS7asyDoamXJw95JSKe8sOVuN
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral30
- Target
  
  fed26acfb86c23f45020918c294477b3b9ac3dc9
- Size
  
  2.1MB
- MD5
  
  fc4019c4e8b591acf9e08a33863ce840
- SHA1
  
  fed26acfb86c23f45020918c294477b3b9ac3dc9
- SHA256
  
  79498727091aedddd0e19d54f6a2b88647bf707b137e3a4f9fc240bf09d6c2ed
- SHA512
  
  aaf7cf295533f6c1c232355b0c73aa86f20f4a88879dfb95e782e3dff13a73d5d5dec543c1c58738fa78eb5322207c000e47ec45052889c204a1badd7b73278f
- SSDEEP
  
  49152:FYOxmEyq85MRl8HIfcmXnO6eAxOBbMLq+RM/A2j0MCHOKVcK+oxR4:uYf85MRFcmXO6eAxPHC8CsxR4
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral31