alienbot

Sharing

General

Target

Downloaded.rar
Size

53.1MB
Sample

241123-m4d7jstlfw
MD5

27280f8e76ebc16e905b2a47d69a7030
SHA1

e5fb912e598844621805e23a6fdce1351a81ed35
SHA256

96515ec94f2bce57561174f2516246c16b73ddfc5f0aadf2aa576f65604df213
SHA512

22ddaa1ec6137657240c2150a24401c442559171405e092c3b201c81748bb8d425552ddb3dd9bf9e867e2154b41f011cca9cc5052336605645de480ac79db364
SSDEEP

786432:7+TYxRGYehyqOheN8sGPoO9zPGYcgHsDqS614JkKC0+eOmh3kWREvdjRuiHmcliB:7D4prOAjGJBMmS61vKP/Om0d82iZ7

Score

10^/10

Malware Config

Extracted

Family

alienbot

http://84.32.214.45

rc4.plain

Extracted

Family

alienbot

http://84.32.214.45

Extracted

Family

octo

https://hayatindonderlerikararver.xyz/MDQ2MTZjMDhlZDQy/

https://zorluklaryenicocugunhikaye.xyz/MDQ2MTZjMDhlZDQy/

https://yasamtarzdunyayidogrutani.xyz/MDQ2MTZjMDhlZDQy/

https://cikmazyollardaumutarayan.xyz/MDQ2MTZjMDhlZDQy/

https://hayatinhikayesipratikcozum.xyz/MDQ2MTZjMDhlZDQy/

https://yasaminkavgaveodulleri.xyz/MDQ2MTZjMDhlZDQy/

https://kucukengellerbuyukbasari.xyz/MDQ2MTZjMDhlZDQy/

https://zamaninguctusevinyasan.xyz/MDQ2MTZjMDhlZDQy/

https://gucluklertetekiseyaoyun.xyz/MDQ2MTZjMDhlZDQy/

https://hayatdersleriozetlemeler.xyz/MDQ2MTZjMDhlZDQy/

https://umutlarvesikintilarbirlik.xyz/MDQ2MTZjMDhlZDQy/

https://cikissizyollaryasadogru.xyz/MDQ2MTZjMDhlZDQy/

https://zorluklarveguzelliklerin.xyz/MDQ2MTZjMDhlZDQy/

https://hayatsevdigiolumsuzluklar.xyz/MDQ2MTZjMDhlZDQy/

https://yasambaglantilaryaratici.xyz/MDQ2MTZjMDhlZDQy/

https://cikmazlardayolbulanruhs.xyz/MDQ2MTZjMDhlZDQy/

https://hayathikayelerinikavrama.xyz/MDQ2MTZjMDhlZDQy/

https://yasanmisliklarvesiniflama.xyz/MDQ2MTZjMDhlZDQy/

https://umutvemucadelehayalleri.xyz/MDQ2MTZjMDhlZDQy/

https://zorhayathikayelerindenson.xyz/MDQ2MTZjMDhlZDQy/

rc4.plain

Extracted

Family

octo

https://hayatindonderlerikararver.xyz/MDQ2MTZjMDhlZDQy/

https://zorluklaryenicocugunhikaye.xyz/MDQ2MTZjMDhlZDQy/

https://yasamtarzdunyayidogrutani.xyz/MDQ2MTZjMDhlZDQy/

https://cikmazyollardaumutarayan.xyz/MDQ2MTZjMDhlZDQy/

https://hayatinhikayesipratikcozum.xyz/MDQ2MTZjMDhlZDQy/

https://yasaminkavgaveodulleri.xyz/MDQ2MTZjMDhlZDQy/

https://kucukengellerbuyukbasari.xyz/MDQ2MTZjMDhlZDQy/

https://zamaninguctusevinyasan.xyz/MDQ2MTZjMDhlZDQy/

https://gucluklertetekiseyaoyun.xyz/MDQ2MTZjMDhlZDQy/

https://hayatdersleriozetlemeler.xyz/MDQ2MTZjMDhlZDQy/

https://umutlarvesikintilarbirlik.xyz/MDQ2MTZjMDhlZDQy/

https://cikissizyollaryasadogru.xyz/MDQ2MTZjMDhlZDQy/

https://zorluklarveguzelliklerin.xyz/MDQ2MTZjMDhlZDQy/

https://hayatsevdigiolumsuzluklar.xyz/MDQ2MTZjMDhlZDQy/

https://yasambaglantilaryaratici.xyz/MDQ2MTZjMDhlZDQy/

https://cikmazlardayolbulanruhs.xyz/MDQ2MTZjMDhlZDQy/

https://hayathikayelerinikavrama.xyz/MDQ2MTZjMDhlZDQy/

https://yasanmisliklarvesiniflama.xyz/MDQ2MTZjMDhlZDQy/

https://umutvemucadelehayalleri.xyz/MDQ2MTZjMDhlZDQy/

https://zorhayathikayelerindenson.xyz/MDQ2MTZjMDhlZDQy/

Attributes

target_apps
at.spardat.bcrmobile

at.spardat.netbanking

com.bankaustria.android.olb

com.bmo.mobile

com.cibc.android.mobi

com.denizbank.mobildeniz

com.rbc.mobile.android

com.scotiabank.mobile

com.td

cz.airbank.android

eu.inmite.prj.kb.mobilbank

com.bankinter.launcher

com.kutxabank.android

com.rsi

com.tecnocom.cajalaboral

es.bancopopular.nbmpopular

es.evobanco.bancamovil

es.lacaixa.mobile.android.newwapicon

com.dbs.hk.dbsmbanking

com.FubonMobileClient

com.hangseng.rbmobile

com.MobileTreeApp

com.mtel.androidbea

com.scb.breezebanking.hk

hk.com.hsbc.hsbchkmobilebanking

com.aff.otpdirekt

com.ideomobile.hapoalim

com.infrasofttech.indianBank

com.mobikwik_new

com.oxigen.oxigenwallet

jp.co.aeonbank.android.passbook

jp.co.netbk

jp.co.rakuten_bank.rakutenbank

jp.co.sevenbank.AppPassbook

jp.co.smbc.direct

jp.mufg.bk.applisp.app

com.barclays.ke.mobile.android.ui

nz.co.anz.android.mobilebanking

nz.co.asb.asbmobile

nz.co.bnz.droidbanking

nz.co.kiwibank.mobile

com.getingroup.mobilebanking

eu.eleader.mobilebanking.pekao.firm

eu.eleader.mobilebanking.pekao

eu.eleader.mobilebanking.raiffeisen

pl.bzwbk.bzwbk24

pl.ipko.mobile

pl.mbank

alior.bankingapp.android

com.comarch.mobile.banking.bgzbnpparibas.biznes

com.comarch.security.mobilebanking

com.empik.empikapp

com.empik.empikfoto

com.finanteq.finance.ca

com.orangefinansek

eu.eleader.mobilebanking.invest

pl.aliorbank.aib

pl.allegro

pl.bosbank.mobile

pl.bph

pl.bps.bankowoscmobilna

pl.bzwbk.ibiznes24

pl.bzwbk.mobile.tab.bzwbk24

pl.ceneo

pl.com.rossmann.centauros

pl.fmbank.smart

pl.ideabank.mobilebanking

pl.ing.mojeing

pl.millennium.corpApp

pl.orange.mojeorange

pl.pkobp.iko

pl.pkobp.ipkobiznes

com.kuveytturk.mobil

com.magiclick.odeabank

com.mobillium.papara

com.pozitron.albarakaturk

com.teb

ccom.tmob.denizbank

com.tmob.tabletdeniz

com.vakifbank.mobilel

tr.com.sekerbilisim.mbank

wit.android.bcpBankingApp.millenniumPL

com.idamobile.android.hcb

logo.com.mbanking

com.openbank

com.google.android.apps.walletnfcrel

com.samsung.android.spay

com.cardsapp.android

cz.bsc.rc

cb.ibank

com.bifit.mobile.ubrr

com.bssys.mbcphone.ubrir

net.bl

com.bifit.mobile.bin

com.webmoney.my

com.polehin.android

com.bitcoin.mwallet

io.totalcoin.wallet

com.quppy

com.sharpdev.fxcoin

com.advantage.RaiffeisenBank

hr.asseco.android.jimba.mUCI.ro

may.maybank.android

ro.btrl.mobile

com.amazon.mShop.android.shopping

com.amazon.windowshop

com.ebay.mobile

com.idamob.tinkoff.android

com.akbank.android.apps.akbank_direkt

com.akbank.android.apps.akbank_direkt_tablet

com.akbank.softotp

com.akbank.android.apps.akbank_direkt_tablet_20

com.fragment.akbank

com.ykb.android

com.ykb.android.mobilonay

com.ykb.avm

com.ykb.androidtablet

com.veripark.ykbaz

com.softtech.iscek

com.yurtdisi.iscep

com.softtech.isbankasi

com.monitise.isbankmoscow

com.finansbank.mobile.cepsube

finansbank.enpara

com.magiclick.FinansPOS

com.matriksdata.finansyatirim

finansbank.enpara.sirketim

com.vipera.ts.starter.QNB

com.redrockdigimark

com.garanti.cepsubesi

com.garanti.cepbank

com.garantibank.cepsubesiro

biz.mobinex.android.apps.cep_sifrematik

com.garantiyatirim.fx

com.tmobtech.halkbank

com.SifrebazCep

eu.newfrontier.iBanking.mobile.Halk.Retail

tr.com.tradesoft.tradingsystem.gtpmobile.halk

com.DijitalSahne.EnYakinHalkbank

com.ziraat.ziraatmobil

com.ziraat.ziraattablet

com.matriksmobile.android.ziraatTrader

com.matriksdata.ziraatyatirim.pad

de.ingdiba.bankingapp

de.comdirect.android

de.commerzbanking.mobil

de.consorsbank

com.db.mm.deutschebank

de.dkb.portalapp

com.de.dkb.portalapp

com.ing.diba.mbbr2

de.postbank.finanzassistent

mobile.santander.de

de.fiducia.smartphone.android.banking.vr

fr.creditagricole.androidapp

fr.axa.monaxa

fr.banquepopulaire.cyberplus

net.bnpparibas.mescomptes

com.boursorama.android.clients

com.caisseepargne.android.mobilebanking

fr.lcl.android.customerarea

com.paypal.android.p2pmobile

com.wf.wellsfargomobile

com.wf.wellsfargomobile.tablet

com.wellsFargo.ceomobile

com.usbank.mobilebanking

com.usaa.mobile.android.usaa

com.suntrust.mobilebanking

com.moneybookers.skrillpayments.neteller

com.moneybookers.skrillpayments

com.clairmail.fth

com.konylabs.capitalone

com.yinzcam.facilities.verizon

com.chase.sig.android

com.infonow.bofa

com.bankofamerica.cashpromobile

uk.co.bankofscotland.businessbank

com.grppl.android.shell.BOS

com.rbs.mobile.android.natwestoffshore

com.rbs.mobile.android.natwest

com.rbs.mobile.android.natwestbandc

com.rbs.mobile.investisir

com.phyder.engage

com.rbs.mobile.android.rbs

com.rbs.mobile.android.rbsbandc

uk.co.santander.santanderUK

uk.co.santander.businessUK.bb

com.sovereign.santander

com.ifs.banking.fiid4202

com.fi6122.godough

com.rbs.mobile.android.ubr

com.htsu.hsbcpersonalbanking

com.grppl.android.shell.halifax

com.grppl.android.shell.CMBlloydsTSB73

com.barclays.android.barclaysmobilebanking

com.unionbank.ecommerce.mobile.android

com.unionbank.ecommerce.mobile.commercial.legacy

com.snapwork.IDBI

com.idbibank.abhay_card

src.com.idbi

com.idbi.mpassbook

com.ing.mobile

com.snapwork.hdfc

com.sbi.SBIFreedomPlus

hdfcbank.hdfcquickbank

com.csam.icici.bank.imobile

in.co.bankofbaroda.mpassbook

com.axis.mobile

cz.csob.smartbanking

sk.sporoapps.accounts

sk.sporoapps.skener

com.cleverlance.csas.servis24

org.westpac.bank

nz.co.westpac

au.com.suncorp.SuncorpBank

org.stgeorge.bank

org.banksa.bank

au.com.newcastlepermanent

au.com.nab.mobile

au.com.mebank.banking

au.com.ingdirect.android

MyING.be

com.imb.banking2

com.fusion.ATMLocator

au.com.cua.mb

com.commbank.netbank

com.citibank.mobile.au

com.citibank.mobile.uk

com.citi.citimobile

org.bom.bank

com.bendigobank.mobile

me.doubledutch.hvdnz.cbnationalconference2016

au.com.bankwest.mobile

com.bankofqueensland.boq

com.anz.android.gomoney

com.anz.android

com.anz.SingaporeDigitalBanking

com.anzspot.mobile

com.crowdcompass.appSQ0QACAcYJ

com.arubanetworks.atmanz

com.quickmobile.anzirevents15

at.volksbank.volksbankmobile

it.volksbank.android

it.secservizi.mobile.atime.bpaa

de.fiducia.smartphone.android.securego.vr

com.isis_papyrus.raiffeisen_pay_eyewdg

at.easybank.mbanking

at.easybank.tablet

at.easybank.securityapp

at.bawag.mbanking

com.bawagpsk.securityapp

at.psa.app.bawag

com.pozitron.iscep

com.vakifbank.mobile

com.pozitron.vakifbank

com.starfinanz.smob.android.sfinanzstatus

com.starfinanz.mobile.android.pushtan

com.entersekt.authapp.sparkasse

com.starfinanz.smob.android.sfinanzstatus.tablet

com.starfinanz.smob.android.sbanking

com.palatine.android.mobilebanking.prod

fr.laposte.lapostemobile

com.cm_prod.bad

com.cm_prod.epasal

com.cm_prod_tablet.bad

com.cm_prod.nosactus

mobi.societegenerale.mobile.lappli

com.bbva.netcash

com.bbva.bbvacontigo

com.bbva.bbvawallet

es.bancosantander.apps

com.santander.app

es.cm.android

es.cm.android.tablet

com.bankia.wallet

com.bestbuy.android

com.jiffyondemand.user

com.latuabancaperandroid

com.latuabanca_tabperandroid

com.lynxspa.bancopopolare

com.unicredit

it.bnl.apps.banking

it.bnl.apps.enterprise.bnlpay

it.bpc.proconl.mbplus

it.copergmps.rt.pf.android.sp.bmps

it.gruppocariparma.nowbanking

it.ingdirect.app

it.nogood.container

it.popso.SCRIGNOapp

posteitaliane.posteapp.apppostepay

com.abnamro.nl.mobile.payments

com.triodos.bankingnl

nl.asnbank.asnbankieren

nl.snsbank.mobielbetalen

com.btcturk

com.ingbanktr.ingmobil

com.tmob.denizbank

tr.com.hsbc.hsbcturkey

com.att.myWireless

com.vzw.hss.myverizon

aib.ibank.android

com.bbnt

com.csg.cs.dnmbs

com.discoverfinancial.mobile

com.eastwest.mobile

com.fi6256.godough

com.fi6543.godough

com.fi6665.godough

com.fi9228.godough

com.fi9908.godough

com.ifs.banking.fiid1369

com.ifs.mobilebanking.fiid3919

com.jackhenry.rockvillebankct

com.jackhenry.washingtontrustbankwa

com.jpm.sig.android

com.sterling.onepay

com.svb.mobilebanking

org.usemployees.mobile

pinacleMobileiPhoneApp.android

com.fuib.android.spot.online

com.ukrsibbank.client.android

com.Plus500

eu.unicreditgroup.hvbapptan

com.targo_prod.bad

com.db.pwcc.dbmobile

com.db.mm.norisbank

com.bitmarket.trader

com.plunien.poloniex

com.mycelium.wallet

com.bitfinex.bfxapp

com.binance.dev

com.binance.odapplications

com.blockfolio.blockfolio

com.crypter.cryptocyrrency

io.getdelta.android

com.edsoftapps.mycoinsvalue

com.coin.profit

com.mal.saul.coinmarketcap

com.tnx.apps.coinportfolio

com.coinbase.android

com.portfolio.coinbase_tracker

com.bitpay.wallet

com.bitcoin.wallet.btc

com.blocktrail.mywallet

org.electrum.electrum

com.paxful.wallet

com.bitcoin.pocketbook.btc

net.bitstamp.app

de.schildbach.wallet

piuk.blockchain.android

info.blockchain.merchant

com.jackpf.blockchainsearch

com.unocoin.unocoinwallet

com.unocoin.unocoinmerchantPoS

com.thunkable.android.santoshmehta364.UNOCOIN_LIVE

wos.com.zebpay

com.localbitcoinsmbapp

com.thunkable.android.manirana54.LocalBitCoins

com.thunkable.android.manirana54.LocalBitCoins_unblock

com.localbitcoins.exchange

com.coins.bit.local

com.coins.ful.bit

com.jamalabbasii1998.localbitcoin

zebpay.Application

xmr.org.freewallet.app

com.bitcoin.ss.zebpayindia

com.kryptokit.jaxx

com.cajasur.android

app.wizink.es

com.grupocajamar.wefferent

caixagalicia.activamovil

com.abanca.bancaempresas

net.inverline.bancosabadell.officelocator.android

es.caixageral.caixageralapp

com.bankinter.bkwallet

com.db.pbc.mibanco

com.indra.itecban.mobile.novobanco

es.openbank.mobile

es.pibank.customers

es.bancosantander.empresas

com.indra.itecban.triodosbank.mobile.banking

es.univia.unicajamovil

com.westernunion.moneytransferr3app.es

www.ingdirect.nativeframe

AES_key

Targets

- Target
  
  01e6cb93ee9ab6e67340d1f9e6ede5efc9c64f9e
- Size
  
  1.1MB
- MD5
  
  53138b3f0f98b6433d28b5aef525f7b3
- SHA1
  
  01e6cb93ee9ab6e67340d1f9e6ede5efc9c64f9e
- SHA256
  
  31b0c269aebb2c98f47d73b0224f29a39ee0eac0b0f4989e741acf1e0606124d
- SHA512
  
  2a010c4013891417e9d6f4e8a32d8f20b71f2d5aaf401ea071ad8099270dd0aee29402c6c78862bf1e4ce1c341fa9cc1785fbafd43aee6975e8c052142f74a82
- SSDEEP
  
  24576:9rp4PsCmh+Tsn3m+wK536DCIMjyBugmhUpk3Ka1oob9jU4R7QHoHO2Edq:N6y+wn3mEGij6g5v1LNR7WZ2N
Score

10^/10

alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan
- Alienbot
  Alienbot is a fork of Cerberus banker first seen in January 2020.
  banker trojan infostealer alienbot
- Alienbot family
  alienbot
- Cerberus
  An Android banker that is being rented to actors beginning in 2019.
  banker trojan infostealer evasion rat cerberus
- Cerberus family
  cerberus
- Cerberus payload
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries account information for other applications stored on the device
  Application may abuse the framework's APIs to collect account information stored on the device.
  collection
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral1 behavioral2 behavioral3
- Target
  
  197359a4d8548b72c8e14e6d75d612ded5cfc3d7
- Size
  
  1.7MB
- MD5
  
  6c3941514784878a966ccdcad2076464
- SHA1
  
  197359a4d8548b72c8e14e6d75d612ded5cfc3d7
- SHA256
  
  9e24d8cf9c0775f65513de32940d7d508d6806e2185ef05fdc22b1df32e6ee8a
- SHA512
  
  bedaed69b307a18ed0896799d192b0f21ad21c2713c1e17eeb5b664d530cbdeb09ccf08dce7accb8879775a2599bde3e9ad705170cb9bed0b1478f0187839b5c
- SSDEEP
  
  49152:OOyBnSqcYNQerVChxz/Q8QP7u/DKk01j70AM+2ftGDCDQDrQJ8:ZEcKQehW9QbgM1fZMdtGDkQD8K
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Queries the unique device ID (IMEI, MEID, IMSI)
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral4 behavioral5
- Target
  
  2427241add3123a2e6fba0aa091c487816d9b670
- Size
  
  2.2MB
- MD5
  
  337d933f1a96325b4decf4c1efd80957
- SHA1
  
  2427241add3123a2e6fba0aa091c487816d9b670
- SHA256
  
  4a0ee191e0f6b400106812a55996b4d7848ce9d73d86aed7d58d1ec10cd46d2e
- SHA512
  
  033c88cd5d8801bfd1dbd0307fa71eb906d05a7497089fa27b26c46f73167d8bcad56793f154e3ce155d54d0c4a6c87d906f9ef2fd336ac5930720c869621f1a
- SSDEEP
  
  49152:qElGP+TaA9+wRqOsfGIg6j4PmrGngzsRjOJ21614u+Ii+0Un4mjO6wuOJW99EIpH:qElGgN5ysPmKgARjOJ461hGXUnRjTs89
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Queries the unique device ID (IMEI, MEID, IMSI)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral6 behavioral7
- Target
  
  282a7cfccb03ab7ca7fa3eeb9a4cc28e262e2abd
- Size
  
  5.0MB
- MD5
  
  613ea39bc391c96f3af86ce77c9e7614
- SHA1
  
  282a7cfccb03ab7ca7fa3eeb9a4cc28e262e2abd
- SHA256
  
  245b4bab43a0df29bcb30b49b4426e1bcb7eadc9e4c23a8aecce2dbfc64014ae
- SHA512
  
  31c959e88ca8f61dfd2f0a836bd542c1f92731c6c46eb11a2eaa117df79a08f24f15f2b627255722a9b34b94b6372184f1c6504abb92f3270b66eb17f46f361c
- SSDEEP
  
  98304:0SznnPrMK4q1yTA7+McW8o8A0UzCGsIYyGWU6vAubwGDsPamJlb4P72BznF1kiEs:dxhYRfHe6GUYf5ag1m
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Queries the unique device ID (IMEI, MEID, IMSI)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral8 behavioral9
- Target
  
  284d74a6fbc2c12745c475bc0d2f24e9b43488fa
- Size
  
  3.6MB
- MD5
  
  de7a38b41da418b842a161d126c1a4c4
- SHA1
  
  284d74a6fbc2c12745c475bc0d2f24e9b43488fa
- SHA256
  
  54c76c307c0e03a81921b4a5b66ce4218f04ed5da80f1ddde4a8b95e484df23f
- SHA512
  
  b6d19aa7a585c7fdc5ce10d1c940c96a4bb013b97db285be14aa90c29890562e398ef5565d176dcb88d61cbfc477df6059f10b3ccdfd1b89e0532107b28f24d8
- SSDEEP
  
  98304:5gOGK4q1yZA7+Mc1cwH/pP72bznFQnKT6Lt+8ZAcnzgePOY8Eg7exNJmtBhpD6gW:5gHTKT6p+8Z7nzgemOg7ex3f
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Queries the unique device ID (IMEI, MEID, IMSI)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral10 behavioral11
- Target
  
  3221126c3590df52f238b0dcbfd5e77b226a8a63
- Size
  
  2.2MB
- MD5
  
  d02d3dbc0a1026c5004c7ef271d2547a
- SHA1
  
  3221126c3590df52f238b0dcbfd5e77b226a8a63
- SHA256
  
  ecadc9cdf7e70be4017a06fe6387fbee3b05862b552ada69bc9cbe2c8174f209
- SHA512
  
  2a1db9afa7d339796c04aef2faa296c39e1782d2c2b58d9f49bd6c5d8b90fb89136431328d66d0f8bae8534537ab7c9dfd96aace502ef6d72b6b9e5478ceada0
- SSDEEP
  
  49152:emqgT/t/pDlo3C8QQQQdW8QQQQ70vXYBKUXS8lwEACOlojOet0YR9i8QQQQc9E8Q:e0l/pDQ3hB98E1R69C
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Queries the unique device ID (IMEI, MEID, IMSI)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral12 behavioral13
- Target
  
  3f3ab2cd7eea46a0b7061f692401952b6bf4fdbf
- Size
  
  4.2MB
- MD5
  
  5458df0e4701d95ee63723d2d266d670
- SHA1
  
  3f3ab2cd7eea46a0b7061f692401952b6bf4fdbf
- SHA256
  
  ec702df6a7d7c7c8c0b1167049a9d81c3b185e67752d53ab08d2a7b9ddc6a373
- SHA512
  
  b4915771cb8953ac82b6751adae06104e484b6e58bae9f026e475d84316aac970609d3da6925e2a00ae7de1173fe78c63d56100914e7c9aad61bd42060dd620f
- SSDEEP
  
  98304:ELVx5lbHhcUgIo8AHtjQsC2qH9VsvIubwGDsPamJlb4sXbhkSb3xWzSfWxT5zVVF:+gB4ECfpkqxczTA7iB
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Queries the unique device ID (IMEI, MEID, IMSI)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral14 behavioral15
- Target
  
  43e48ed5f674dcf241ba8b9456162b97f671f7fc
- Size
  
  2.3MB
- MD5
  
  03fe02d1c77afc416ea7b2cde11d0730
- SHA1
  
  43e48ed5f674dcf241ba8b9456162b97f671f7fc
- SHA256
  
  001c43293f68ebc6a914518f5ef2fce3ec8eccef274f42662a783f0b340a1509
- SHA512
  
  ff6ad234ecd2f9399c647d23a67be8b325e2ba73eb6ee7e533593c6cb33039c7e5a5fcbe717d1a3e0f97ab1d6a5f1459b6f15894f0a837a44360d8a31f0734e5
- SSDEEP
  
  49152:Vc1Jy5LpRQk7pb3HQFBUX+uwsN0H6jECVDPVpN94y+wy:vBpqkBwFBUX+lw0svhY
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Queries the unique device ID (IMEI, MEID, IMSI)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral16 behavioral17
- Target
  
  616c4ad548e04baba19d12f04a427019c2a7c78a
- Size
  
  1.2MB
- MD5
  
  1c7286487d8b0703694ce16a5ce05bb1
- SHA1
  
  616c4ad548e04baba19d12f04a427019c2a7c78a
- SHA256
  
  1d2376d7bd4afd60ad565b43ff6148c071c9469e09cc79e88c5d3293e0e63f9d
- SHA512
  
  43783cd66577ce5968dc6ab999d0cb897e864bd3f7a2286905a4168f0674be5ebf0fcb05e61f71416e71cef751609c4b01e258b33b5357e1927a3d4340c4b7f3
- SSDEEP
  
  24576:iWx4ZNK4xu9HeSiZML8QXu1RIW3j4GdVHyiMMKEZwo28:iSONK4xu9+HZ5QXOjHBjvwoV
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral18 behavioral19
- Target
  
  74aca9fcfbe1a787b6ffec5e35155d664f5679e6
- Size
  
  2.4MB
- MD5
  
  f6055e5e71cbc725428770c9303c153a
- SHA1
  
  74aca9fcfbe1a787b6ffec5e35155d664f5679e6
- SHA256
  
  576f24b38e97218b1ba8e329800825f0e80d73bce3b9e2cf845562d37ef934ff
- SHA512
  
  df38660fe25f6a7b03ecb1bc212c63893c55a8bb56ba4e3c23418042a1599eec13686e454689de67d4874d69f459484e0b2cacd9f661958ae2feb737961e442f
- SSDEEP
  
  49152:25bKRK1PGjeL0SDGImRG6Ey6wFob+t7d69LfLXzpv7cm:iOD2GIkayfs+XaLjDum
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Queries the unique device ID (IMEI, MEID, IMSI)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral20 behavioral21
- Target
  
  753c262257602605e79946ed42fa855da101761d
- Size
  
  2.0MB
- MD5
  
  40265050e0136239ffc1ac9d782e31ae
- SHA1
  
  753c262257602605e79946ed42fa855da101761d
- SHA256
  
  dc69c74be98939f4940807d2268b5b32ed2f2729b2ba068591caf0254160a6d6
- SHA512
  
  03512268e0a9440c5f35a5c3b08f97a0c60b4bc5c11fa3cfd843089ad83d049cfb5ee525f00adf0b8334b5b413e23fae0287899f737cc1f9f4473155c85a654b
- SSDEEP
  
  49152:BTT+7AgEUy1I8ehFC1l8+E5RMoznNlJnFm:dT+dEUy1I3FCzE5R/z5c
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Queries the unique device ID (IMEI, MEID, IMSI)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral22 behavioral23
- Target
  
  83684d8fa6a73bbbf2e402757e6ccf4b2018c497
- Size
  
  1.8MB
- MD5
  
  8e9fbb517a4b38f631b909c0f05db684
- SHA1
  
  83684d8fa6a73bbbf2e402757e6ccf4b2018c497
- SHA256
  
  05f6ecdd20f0c52c557d96eb5eefdf1d660aa9a68b307616fd0db803bb4690bf
- SHA512
  
  65987ef98193adeb55cda0ca12e17c6979a8ec2c5cbfb51f0fccb872f4648899753b35c1081957cb25edd6cbe43dc270b2565c7a4d69047b76fbddc0f095224c
- SSDEEP
  
  49152:A8QQQQj3tbct/p6WnJ70fcZCl5wlw0bV2eP5Wk9+C+dJ7H4:ZNM/p6WR0fj5we0bEydL+ddY
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Queries the unique device ID (IMEI, MEID, IMSI)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral24 behavioral25
- Target
  
  84b4b256e482bad6dfa694a96e9b4ea5fcc9fc0f
- Size
  
  2.2MB
- MD5
  
  081bd06adceac9e3b5b19d9369156634
- SHA1
  
  84b4b256e482bad6dfa694a96e9b4ea5fcc9fc0f
- SHA256
  
  0a878d9178c95ad2a518471d2d97d6dfb50b5e9bc1bd0e053a3fa85c787b891b
- SHA512
  
  77f30b67b577f1fc5c4450b92211c85163eb94e4c6b0a2ed8e2fe4e1436ef1d0ccd115255d71272ca60c6890ce8c0d75aa65ee2eb7c7454b1f3625eebb172eae
- SSDEEP
  
  49152:DwufK3pY9s83fPmN+yOp97eYCyczag2XiZGZbmqQa6qAE4KoSx:DwuUY9sUfPmNfOeYQz/2XiZQ/Q5g
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Queries the unique device ID (IMEI, MEID, IMSI)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral26 behavioral27
- Target
  
  865e193b3c83f15cfb0a180dd33affaed8bfab3d
- Size
  
  1.7MB
- MD5
  
  bed61342b7339b40f96172a8f3bf6e9e
- SHA1
  
  865e193b3c83f15cfb0a180dd33affaed8bfab3d
- SHA256
  
  55b92655fd372189cb7ae07dedefa23f7660c0500892150e8c5ffe788c3dc72f
- SHA512
  
  108b86ed363d03c222b7abb8c37cad4a5cff6c57241daa38ada14cec04173d311736b1cadb040beaf065235671e8fcdc40819eebc1168829580e87980da5f2dd
- SSDEEP
  
  49152:D8ow18yYd2Ws57EeC9vbOyLTE4+BPgwOrY:D8oFNdBce9vzLY41rY
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Queries the unique device ID (IMEI, MEID, IMSI)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral28 behavioral29
- Target
  
  8734504205b5cdf1ea4c0e2d62a0dcf8500dc73f
- Size
  
  1.8MB
- MD5
  
  f8f55308787894637f25d60b36f9cd85
- SHA1
  
  8734504205b5cdf1ea4c0e2d62a0dcf8500dc73f
- SHA256
  
  a740e47017159d8907da0d9752479ee28e7246104e6332a6f654ccaf846366d9
- SHA512
  
  051d35251a63e0d11b84f45da8fb41e2a7f6c28564ff8b1401d4615bc6976d8694db6ebdcae7c665eb2dd4ad6acc2b6cdb7fe6073d5cde62e883cb3401a0e7a8
- SSDEEP
  
  49152:7Nq2/4HF0X8HT5P4wOamxUGpeatOlvGkJ6g6ZX7Xq:BqHF0X81PPOnOGptkM0
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Queries the unique device ID (IMEI, MEID, IMSI)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral30 behavioral31
- Target
  
  950867a96cc81824ec348bc9340f283c139d7832
- Size
  
  1.2MB
- MD5
  
  3f6a33d7c38c11e6d3499d019a4d78d5
- SHA1
  
  950867a96cc81824ec348bc9340f283c139d7832
- SHA256
  
  61109ef1b642603b1724b776ece76b9f2f5ff2511e0613b6f9ec7808b495bbe3
- SHA512
  
  e6f1bb7435de54b0bc8b75ddb4c02c1d50bf2d21f98ddda807479d489628fb907fade81ee6437c00d7b53afe5a5a5148d607d53498220ccccb696fab70faca73
- SSDEEP
  
  24576:+nFDk6De3q6iNavB/+htTvwmlm2lf+i05vk6Y7Hf6J3PMh/00sX9nJ:+ntk6Df6iNo1QrwmYSSvVs/6x0hcpXj
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral32