octo

General

Target

c2ca36526b7b42a17d3a0ca8df2af5b6d03669ba0c1453d962bfabd4cd92e4b3
Size

7.1MB
Sample

250111-rnh8satmck
MD5

15278c6c8cd7ee51397be5ecaa1f7404
SHA1

65a556ab9eab2eea657978dd75127de90e6d2657
SHA256

c2ca36526b7b42a17d3a0ca8df2af5b6d03669ba0c1453d962bfabd4cd92e4b3
SHA512

d9bb1f50b07cca040d9490260971d22429e897e24b6c971142da9e4ded930d6f48a0485fb1d72a9c021325a923b881cc57f8901f2deeb037d4eb47ccc982624f
SSDEEP

98304:/y+q5iSRG9iRskfeM+/kUiQUDLVKgya8j7axcDpI:arrvRpmhFEfUfBj7vi

Score

10^/10

Malware Config

Extracted

Family

octo

C2

https://8caf6a13209282f9dadc9eac58c5007e.com

https://63fbf2f62b78cc08552fcd87838b8e53.biz

https://c741e321a625f9195ee4b22f53b8f386.info

https://3e78d460183b1821b74529fb2cba4fe8.shop

https://0d3adb30b93ee3f2a549636269841052.xyz

AES_key

Targets

- Target
  
  c2ca36526b7b42a17d3a0ca8df2af5b6d03669ba0c1453d962bfabd4cd92e4b3
- Size
  
  7.1MB
- MD5
  
  15278c6c8cd7ee51397be5ecaa1f7404
- SHA1
  
  65a556ab9eab2eea657978dd75127de90e6d2657
- SHA256
  
  c2ca36526b7b42a17d3a0ca8df2af5b6d03669ba0c1453d962bfabd4cd92e4b3
- SHA512
  
  d9bb1f50b07cca040d9490260971d22429e897e24b6c971142da9e4ded930d6f48a0485fb1d72a9c021325a923b881cc57f8901f2deeb037d4eb47ccc982624f
- SSDEEP
  
  98304:/y+q5iSRG9iRskfeM+/kUiQUDLVKgya8j7axcDpI:arrvRpmhFEfUfBj7vi
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Queries the mobile country code (MCC)
  discovery
- Queries the unique device ID (IMEI, MEID, IMSI)
  discovery
- Reads information about phone network operator.
  discovery
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral1 behavioral2