Extracted

• • Target

    c86b28e1f8d2548fc72deddcf96ff74ffa5b6930a757c2f622023c57629abb0a

  • Size

    9.4MB

  • MD5

    3f0ef006f9e4bedfa2d45c73e184c051

  • SHA1

    c0ccabbb44d51df6fa8dfb27b94b4646e5782711

  • SHA256

    c86b28e1f8d2548fc72deddcf96ff74ffa5b6930a757c2f622023c57629abb0a

  • SHA512

    f5ca8c91f1986cba924f83db456e9f3d30825f812ec42b35ea5caec45674a7dce08fffbd96e27d4907dc3b861b70455828c54539621b47e79326b881262a78af

  • SSDEEP

    98304:94v2IU5tzVKmE8I3XQ5iSRGZtRs156wcBYe33OZq/AXLjrHGYxNSN8LdH:Gv2IU5VUXb3XQrgRMNWOZq2PbgwdH

  Score

  10^/10

  octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto

  • Octo family

    octo

  • Octo payload

  • Checks Android system properties for emulator presence.

    evasion

  • Loads dropped Dex/Jar

    Runs executable file dropped to the device during analysis.

    evasion

  • Makes use of the framework's Accessibility service

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    bankerdiscovery

  • Queries the phone number (MSISDN for GSM devices)

    discovery

  • Acquires the wake lock

  • Makes use of the framework's foreground persistence service

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence

  • Queries the mobile country code (MCC)

    discovery

  • Queries the unique device ID (IMEI, MEID, IMSI)

    discovery

  • Reads information about phone network operator.

    discovery

  • Requests disabling of battery optimizations (often used to enable hiding in the background).

    evasion
  behavioral1