Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

21/01/2025, 10:45

250121-mtqgtsznhq 10

13/12/2024, 22:03

241213-1yg8xa1nck 10

General

  • Target

    4b8d62995ec46c6a3355956f178f81a72875d3024f58055957ccbf67cc187038.bin

  • Size

    4.8MB

  • Sample

    241213-1yg8xa1nck

  • MD5

    c3b13dbbe331e3645b49013c17709f0e

  • SHA1

    b0151c731a589ee966b4f654c1382ede747309c8

  • SHA256

    4b8d62995ec46c6a3355956f178f81a72875d3024f58055957ccbf67cc187038

  • SHA512

    c2e15797b8a7bbebcfaaa69483ec4a32a648a0b0c1e388dc7fc58abe5a4c365b7ef710e191ff4446ca1064e34bef69486c70870ba050009ba6026ac58411b970

  • SSDEEP

    49152:4RsEXJXNKA5o3XmT45iS7xrGTGVfHnEjVKScTMPWoNT5ThPoXLmj54b:4Rs6Nh5o3XZ5iSRG6yVK+3TtFkCj5C

Malware Config

Extracted

Family

octo

C2

https://3e364fc53c09a1e521581f335674157b.online

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.infinigru.police.phishingeyes

    com.cibc.android.mobi

    com.estsoft.alyac

    com.ahnlab.v3mobilesecurity.soda

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key

Targets

    • Target

      4b8d62995ec46c6a3355956f178f81a72875d3024f58055957ccbf67cc187038.bin

    • Size

      4.8MB

    • MD5

      c3b13dbbe331e3645b49013c17709f0e

    • SHA1

      b0151c731a589ee966b4f654c1382ede747309c8

    • SHA256

      4b8d62995ec46c6a3355956f178f81a72875d3024f58055957ccbf67cc187038

    • SHA512

      c2e15797b8a7bbebcfaaa69483ec4a32a648a0b0c1e388dc7fc58abe5a4c365b7ef710e191ff4446ca1064e34bef69486c70870ba050009ba6026ac58411b970

    • SSDEEP

      49152:4RsEXJXNKA5o3XmT45iS7xrGTGVfHnEjVKScTMPWoNT5ThPoXLmj54b:4Rs6Nh5o3XZ5iSRG6yVK+3TtFkCj5C

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo family

    • Octo payload

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries the phone number (MSISDN for GSM devices)

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Queries the mobile country code (MCC)

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Reads information about phone network operator.

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

MITRE ATT&CK Mobile v15

Tasks