Extracted

• • Target

    d22a8fabcf8a104b255dcde4e127191b8834dbbb38602e8dd98ab17368ce9d31

  • Size

    4.9MB

  • MD5

    2d804a7e317e9b0f3ea2e953c458405c

  • SHA1

    fa1fc8d689b9ef52264d703e516c8b22e468931f

  • SHA256

    d22a8fabcf8a104b255dcde4e127191b8834dbbb38602e8dd98ab17368ce9d31

  • SHA512

    6719a5f286b17860a02c6365b441a6ff7d2fa6e4d392dbb5f0ca6c61a4a4082dd0b2c815af1c464b7cba230ff2aa0648b7f026e7270eeb27ddd1b59179ae2b31

  • SSDEEP

    49152:wkARsEXofCK4/j7L45iS7xrGrvsAKqte0jVKScTCIHxJzPgEKfU2RNLKn:CRsXCB/j7c5iSRGJBVKUQzyfU2RNLg

  Score

  10^/10

  octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto

  • Octo family

    octo

  • Octo payload

  • Loads dropped Dex/Jar

    Runs executable file dropped to the device during analysis.

    evasion

  • Makes use of the framework's Accessibility service

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    bankerdiscovery

  • Queries the phone number (MSISDN for GSM devices)

    discovery

  • Acquires the wake lock

  • Makes use of the framework's foreground persistence service

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence

  • Queries the mobile country code (MCC)

    discovery

  • Queries the unique device ID (IMEI, MEID, IMSI)

    discovery

  • Reads information about phone network operator.

    discovery

  • Requests disabling of battery optimizations (often used to enable hiding in the background).

    evasion
  behavioral1