Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240624-en
  • resource tags

    android
    arch:arm64
    arch:x64
    image:android-33-x64-arm64-20240624-en
    locale:en-us
    os:android-13-x64
    system
  • submitted
    14-01-2025 22:00

General

  • Target

    c2c30838aadbab07bc8a960a5af448aa628c394e5ddd109c17e0656b9e7cfac8.apk

  • Size

    1.9MB

  • MD5

    564d5f3b835d933b82f5b712b28769a7

  • SHA1

    1d4427acb6edf0685b17440f3823a73223a81a30

  • SHA256

    c2c30838aadbab07bc8a960a5af448aa628c394e5ddd109c17e0656b9e7cfac8

  • SHA512

    e04a90f0c81a9ddb43b0a774e94f943ec53d1c810aaa431cff6bb78e64829c694333262925616203e11356afd086a679f41d938e14935a87866c65d74d6644c0

  • SSDEEP

    49152:ih5lfQPHAfhoO9sk7f8VnHo9Sr6bWtPPZ+zifTZYPRWcjTk:ihLDZsTVnH+03wzifORWcjY

Malware Config

Extracted

Family

octo

C2

https://hastanebilgimrehber.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimiletisim.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimkapsami.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimtavsiyesi.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimkaynak.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimyolu.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimgucu.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimguncel.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimyonetim.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimdestek.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimyenilik.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimtarih.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimkaynaklari.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimplatform.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimdogru.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimdogruluk.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimanlayis.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimhizmet.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimkalite.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimiletim.xyz/MzhiMTg0NTAwOTY5/

rc4.plain

Extracted

Family

octo

C2

https://hastanebilgimrehber.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimiletisim.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimkapsami.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimtavsiyesi.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimkaynak.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimyolu.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimgucu.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimguncel.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimyonetim.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimdestek.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimyenilik.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimtarih.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimkaynaklari.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimplatform.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimdogru.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimdogruluk.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimanlayis.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimhizmet.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimkalite.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimiletim.xyz/MzhiMTg0NTAwOTY5/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key
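The two extracted configurations above give the practitioner everything needed to act on this sample: twenty C2 URLs and a list of thirty targeted banking and wallet packages. The following script is an added example (not part of the sandbox report and not the analyst's or the sandbox vendor's code) that consumes those values as they appear on this page: it deduplicates the C2 hostnames, confirms that every URL carries the same path segment and Base64-decodes it (it decodes to the ASCII string `38b184500969`), derives a hunting regex from the shared `hastanebilgim` label prefix and the `.xyz` TLD, and cross-checks a package list against `target_apps`. The `adb shell pm list packages` output is a constructed sample, and the prefix-based regex is a heuristic for this campaign's naming scheme, to be used alongside the exact domain list rather than instead of it.

```python
"""Consume the Octo IOCs from this report: normalise the C2 list, derive a
hunting pattern for the C2 naming scheme, and check a device's package list
against the configured target_apps."""
import base64
import re
from urllib.parse import urlparse

# C2 URLs and target_apps copied verbatim from the Malware Config section above.
C2_URLS = [
    "https://hastanebilgimrehber.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimiletisim.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimkapsami.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimtavsiyesi.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimkaynak.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimyolu.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimgucu.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimguncel.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimyonetim.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimdestek.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimyenilik.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimtarih.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimkaynaklari.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimplatform.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimdogru.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimdogruluk.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimanlayis.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimhizmet.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimkalite.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimiletim.xyz/MzhiMTg0NTAwOTY5/",
]
TARGET_APPS = {
    "at.spardat.bcrmobile", "at.spardat.netbanking", "com.bankaustria.android.olb",
    "com.bmo.mobile", "com.cibc.android.mobi", "com.rbc.mobile.android",
    "com.scotiabank.mobile", "com.td", "cz.airbank.android",
    "eu.inmite.prj.kb.mobilbank", "com.bankinter.launcher", "com.kutxabank.android",
    "com.rsi", "com.tecnocom.cajalaboral", "es.bancopopular.nbmpopular",
    "es.evobanco.bancamovil", "es.lacaixa.mobile.android.newwapicon",
    "com.dbs.hk.dbsmbanking", "com.FubonMobileClient", "com.hangseng.rbmobile",
    "com.MobileTreeApp", "com.mtel.androidbea", "com.scb.breezebanking.hk",
    "hk.com.hsbc.hsbchkmobilebanking", "com.aff.otpdirekt", "com.ideomobile.hapoalim",
    "com.infrasofttech.indianBank", "com.mobikwik_new", "com.oxigen.oxigenwallet",
    "jp.co.aeonbank.android.passbook",
}


def c2_domains(urls):
    """Unique C2 hostnames, sorted, ready for a blocklist or log matching."""
    return sorted({urlparse(u).hostname for u in urls})


def shared_path_segment(urls):
    """The path segment if every URL uses the same one, else None."""
    segments = {urlparse(u).path.strip("/") for u in urls}
    return segments.pop() if len(segments) == 1 else None


def decode_base64_segment(segment):
    """Decode a Base64 path segment to printable ASCII; None if it is not Base64."""
    padded = segment + "=" * (-len(segment) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def common_label_prefix(domains):
    """Longest common prefix of the leftmost DNS labels."""
    labels = [d.split(".")[0] for d in domains]
    prefix = labels[0]
    for label in labels[1:]:
        while not label.startswith(prefix):
            prefix = prefix[:-1]
    return prefix


def build_hunting_regex(domains, min_prefix=8):
    """Compile a regex for hostnames following the observed <prefix><word>.<tld>
    scheme. Refuses to generalise when the shared prefix is too short to be specific."""
    prefix = common_label_prefix(domains)
    if len(prefix) < min_prefix:
        raise ValueError("shared prefix too short to build a safe pattern")
    tlds = sorted({d.rsplit(".", 1)[1] for d in domains})
    return re.compile(rf"^{re.escape(prefix)}[a-z0-9-]+\.(?:{'|'.join(map(re.escape, tlds))})$")


def targeted_packages_installed(pm_output, targets=TARGET_APPS):
    """Cross-check `adb shell pm list packages` output against target_apps."""
    installed = {line[len("package:"):].strip()
                 for line in pm_output.splitlines() if line.startswith("package:")}
    return sorted(installed & set(targets))


# Constructed sample of `adb shell pm list packages` output (not from the report).
SAMPLE_PM_OUTPUT = """package:com.android.settings
package:com.rbc.mobile.android
package:com.example.notabank
package:cz.airbank.android
"""

if __name__ == "__main__":
    domains = c2_domains(C2_URLS)
    print(len(domains), "C2 domains; shared path decodes to",
          decode_base64_segment(shared_path_segment(C2_URLS)))
    print("hunting regex:", build_hunting_regex(domains).pattern)
    print("targeted apps on sample device:", targeted_packages_installed(SAMPLE_PM_OUTPUT))
```

Feed real `pm list packages` output to `targeted_packages_installed` to see which of the configured overlay targets a suspect device actually has; the exact-domain list from `c2_domains` belongs in DNS and proxy blocklists, while the regex is for retro-hunting DNS logs for sibling infrastructure that shares the naming scheme.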

Signatures

  • Octo

    Octo is an Android banking trojan with remote-access capabilities, first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Loads and runs an executable (DEX/JAR) file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    The application may abuse a foreground service to keep itself running and avoid being killed in the background.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • nt.neoscorp.anxdroid.valueweaslletsd.sole
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4326

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/.qnt.neoscorp.anxdroid.valueweaslletsd.sole

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/app_possible/KN.json

    Filesize

    153KB

    MD5

    1e8babf1b54f6062538c0ebeb4fd259e

    SHA1

    15e48f005346b18a4d51cd2b26005337274e1417

    SHA256

    5cb1b0c918db53d421e021c85704973deae612ae9f3c53c139271d4545446f35

    SHA512

    90d284ca3e0542f6e6a4bcc08407a4ca3e60b5357854eb859635b60a0086b93380fc373945d13f24d4354c6772b3ac7cc59d6cd5212705871632064605dd3d5a

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/app_possible/KN.json

    Filesize

    153KB

    MD5

    4b8bc66f3313405c961fa37df83ef824

    SHA1

    ac072e236507e8a934fb36abf98c3730c17304f7

    SHA256

    d9e6b2eb4d1430d6ad87fd72139d434c31468eb56135a1d185aeefda806f55f2

    SHA512

    75e4155291dda18ab762cdba1ba684430169a166ab2653de41e2a689e305eae05a7e2a68b1864e6cc1f4f4805206b9cb199e754ec0ab07f4280a70491ebc5e64

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/app_possible/KN.json

    Filesize

    450KB

    MD5

    89243960818c1c09c1cb24b04f67faec

    SHA1

    593160660db3c7042ecea68687b63a454d19e440

    SHA256

    c305a073d24953c41b175ef45d02e03f73419e6809a7ab1b0f774550f768fb73

    SHA512

    52ae77c8985026d89ed84601e9a6e072f0556839e207866f9e053068858e68be9a814d2ebf7095c2e0814252edeea4715557818e029ee76fe1eec575f7aa8601

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt

    Filesize

    52B

    MD5

    1aa065c86a0670c06bf4071720a5c185

    SHA1

    6841da91088d045423bb2ae88e14006ee5ea856f

    SHA256

    4a45dd8ee1eaa819565456db75ca24fd7c2e0fff7db515e9d3e35e3549a19039

    SHA512

    b025602d6d190f6b2c1c0bc78b0ec15e5a77b125e4152136c7ed8f47fcdf468fb890b1230b713f7ac01e3de7ba6d26237b5454a002648229a151f6017aaa9005

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt

    Filesize

    70B

    MD5

    f6f777596d094ee95bce64c2f00a275b

    SHA1

    242dc7f73e49f6f1ab57f0773e87074a4aa08ebe

    SHA256

    25d0d1fc3c40ed68c93f149ff63e2cd4127ea9283b2e5cce11ac03222df5ca74

    SHA512

    667526187393700f15180d260dfe69e801163e08834d890a278729225349e6059917d201694f7abfd14eca0f7f39886e00aed4aad2b1dfac28d10779f4ff7c7d

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt

    Filesize

    55B

    MD5

    2c966a24f89175dd436a3ed9178198b6

    SHA1

    22cfc2f8edcacad2943033b2fdbeeeb719a0baaa

    SHA256

    c975960fcef7f464b913e15d2ae935da98d2e04f1966b592789df83e2d1420d2

    SHA512

    ec4961340d8e4da2d263c341eb03b09d1604a1a630dc00ba179f7578f615199f277060bb83bbd66a0fa72b79bd334f14ef4d00775191c0c34752b93374df51fb

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt

    Filesize

    45B

    MD5

    c288709fff841735ea07c6790596d287

    SHA1

    05d62b735497391641344a97e9aa76bb886d7104

    SHA256

    04f401dc511e223c8500268906d28c96c20f2cbacbf2ec788c982df97e164c15

    SHA512

    65ed566ba2c8da9098fd514d99688ec91918812a756af6c702953075e6016ecc088c3462849fc65aca9175d59d79732168fa14fc4e076fba386c7cbb353ca3f9

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt

    Filesize

    70B

    MD5

    0a599f48718c4213a327670b8ae4c1c1

    SHA1

    6f65a564c84086ccb65f2716809f2beec91b274c

    SHA256

    a26cd70a5059a25f18996f874b9fe87497b8193ad1c8ec324a778526695cec1a

    SHA512

    990273b69693821a5cb3aceb11a96bb102146f99d886cb5defb1a1f93b97f91240d0d2a739acd863bc40890429bcd79bec4f149aa571d9902370eedbf5d127e1

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt

    Filesize

    45B

    MD5

    1204118169a5b80b82330afeb4258157

    SHA1

    f1d3afac035fa35a473f3f78567eaaf0bba05a25

    SHA256

    0491c20a02c9eec5811bb5f2e6f0a7decb57d64b654b8d2ca28e660f23435b89

    SHA512

    2aba405d23bcc6ef84095d361637c4f720974add1ce42b3efffc55bebe25f0c885aebb22b730aedd42dd58dbdad934e9eb6c0544aa6acf275fffb8072b1189b6

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt

    Filesize

    79B

    MD5

    9466e3313eec365c95ca335e93ba0190

    SHA1

    b547565c2e65163f23c053f913591d2254b3b09c

    SHA256

    46fae3732983311d8b83feb8aaf8b373fda7a982c31ade2e5794aaa0de2740a1

    SHA512

    0827597063c788f0a0bbe0c1dce94f5c33f3da93364edff017278530cc4a1e0628b04e5772986c8518fd8a3b02e87f8f2d8951dd54168f5d0273ec866995cc16

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt

    Filesize

    490B

    MD5

    8d24ea978d7c1ec0ca6ba5b80f1e20d1

    SHA1

    3d9f0b363df619ec633c8d8b21db1b5c81a0cd64

    SHA256

    61112a712bdb796e4985de6058cc1f1ab11a1a9b87064039ffc4e754af7caa8b

    SHA512

    2e720bcae8476c974c9e3f290ab6778f09c60e49ed8d2d80e2134924d52f1050cee1f3e25d4faa0b439d8b38900692dbf3dc6f222ffb1454078bdb664b21a519

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt

    Filesize

    68B

    MD5

    7b735e832c999a8025cdd1c109a054ef

    SHA1

    64e97068ce5fac6a0fd0aed7368dcb6dcae5e203

    SHA256

    bff61982d80e5500020b4c659efcc366abc30a1743e964e2299a591232a677cf

    SHA512

    6ba582f871a94e3e70f0b1cf6a4716a29a984bf9b0a048804a9819a873b7c5518e8a5654ee431ab8f5dbf3470c50e8d8252086af50a579a671438263491ccd67

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt

    Filesize

    214B

    MD5

    adcd8f67b9f0633971a48d080167874c

    SHA1

    dffc83df2eaaccfaaf677a23cf3c5a6e5b147979

    SHA256

    2c61b6f5337227513dc17eda0bc5752d4abac749e7939e3ba7e8c49decf28c57

    SHA512

    79c3a9e6fe5772c4385f50fb578d1c6ecebafa66f3852af55b03799e2ba8f9d3482965c0832c0cb7a59637f859e77027db40f16bc9f1c69a5dcdf2ba10a0ab3f

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt

    Filesize

    53B

    MD5

    27a6eea92bdf8538422df11bc3ec452f

    SHA1

    9f7df2a1002356ac2c6358542f7e0ee71cb02b95

    SHA256

    fed58b6bfff72b82de33579f2c9026d19b164be66899de93449c937e73edbfe0

    SHA512

    8445dced8fbb34423c8c6438cc96b53593ccc77913881b8ecdd4ad7b41f0c37b3f41e75e9eb736749570cec11280b711f945eaba2b1dc1a8e8c592c11e719c51

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt

    Filesize

    68B

    MD5

    1099223cbf8e9f80bc01a77f72eae7dc

    SHA1

    051e885a5fb0303ea06c1e436bed55b70274680b

    SHA256

    53bc6923152f37596e4f5d0a866cd2a9805108c0fc5044ce2365c654e55bf14f

    SHA512

    dfc55d23176d1a661b83602cf2ee7064304498205fe0edb75c912bf34b2c0b3d3e4967a7fad25770a84018dbf9bf720c326e4774d93ef583bc6dbbf8b9086eb5

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt

    Filesize

    54B

    MD5

    3cfbfe6be6217cfc3a351da21f32af4a

    SHA1

    4689ae7747656e5142e58b43b6340ed83ad9380a

    SHA256

    b0ae37bb3d1107b73635d6fe01f8e474b3f484bbbb4b6b9c31bf291aa06a3ea9

    SHA512

    682f002530f57e6323fcca312dde5f157d27c328e551eb837d60ef08ff8e2ced033959ec53f8dc3ecc1c3ae85247c162aa99afc69f725378f629581bcebee9da

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt

    Filesize

    68B

    MD5

    7383436df3eacba40fda3ebbf888cdcf

    SHA1

    c5d022294d4bb6bad4e0f1ae1bed4073f677aff2

    SHA256

    bfd6cb575f80135ca3a464e75a0ffb2ba162a5e7de5e4fd9c5eb55b1f3fc0371

    SHA512

    984c636096800a2d2ed0f4d0cf013d3347a149047515aef39fd22a222d3e9686e3a0d6a4f51ff7d1478c9bf0c280ac94b3115ec93800523440f15ff36789c2c8

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt

    Filesize

    60B

    MD5

    be653b2efad16bd71c63a261ec7a7230

    SHA1

    0eb82d03747b8458038c3c946dae2329dca573e4

    SHA256

    1dbd442659b2179a3aed3ef7f3beee7256568d9edd4400e0bcbb2bfd8d2f0346

    SHA512

    8ca12976fd2653e67a0fcd6f9e446eb6fb8cf47e480a26f07cdc9c84a3e05a5925f6256f431adc2c525978db022476e0a332401328e097498a0088cca7ef6921