Extracted

• • Target

    20a549f1ef09d45e66cd1f3a22554e64e711cd5e83b4819116dd673b54ebed8c

  • Size

    9.3MB

  • MD5

    d019f5e6c5c764e88dbe9e698d3531a9

  • SHA1

    0210da276565c1c7c6e3ea2aad37f09fbe0203a1

  • SHA256

    20a549f1ef09d45e66cd1f3a22554e64e711cd5e83b4819116dd673b54ebed8c

  • SHA512

    02136b38aeb3a3e4d183481fe3c55a9ee6e0cf78a1d57ff6b2f7e2d112917f85d6f66b223997a1bf020c1b765a3d499198edd4ea1004813283f2b88c9f66d74d

  • SSDEEP

    98304:qHRJmSbXKRbBRcQl/j7AVKpL5iSRG8XLC6BN4yyt7A339mW4RsHd:q3Slj7AUZrV+63gjRy

  Score

  10^/10

  octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto

  • Octo family

    octo

  • Octo payload

  • Loads dropped Dex/Jar

    Runs executable file dropped to the device during analysis.

    evasion

  • Makes use of the framework's Accessibility service

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access

  • Obtains sensitive information copied to the device clipboard

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    bankerdiscovery

  • Queries the phone number (MSISDN for GSM devices)

    discovery

  • Acquires the wake lock

  • Makes use of the framework's foreground persistence service

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence

  • Queries the mobile country code (MCC)

    discovery

  • Reads information about phone network operator.

    discovery

  • Requests disabling of battery optimizations (often used to enable hiding in the background).

    evasion
  behavioral1behavioral2