octo

General

Target

8c58aee3ae9f47c08c8788d0a76491ddc60231c07f6cb128f09ec4468ad24a27.bin
Size

2.4MB
Sample

250114-1x1c4a1mgz
MD5

f81cfa12b529ab7c6b28f16fed8b015b
SHA1

1b11a3b5a54e06df0278c1f23b26997c5e5dcabf
SHA256

8c58aee3ae9f47c08c8788d0a76491ddc60231c07f6cb128f09ec4468ad24a27
SHA512

3628dd71bd410a93c69fcba330eb14c58a2aaf89cf897bc03d87dee5294723ae2ce64e533cc4bfd4fea745578fc35fa6f11d263513f716a8ef22389dbc64bb50
SSDEEP

49152:Ubq9YF0IbFwr8Lxl4GJwMzP8Zz/UB55tksQogQdsBnRRJSCrq:78RjxlLJwG8Tw5LQogIsBTJ3m

Score

10^/10

Malware Config

Extracted

Family

octo

C2

https://91.202.233.164/NzcxZWQ4MWEzZjRk/

https://694b64c9229d92124125w2.com/NzcxZWQ4MWEzZjRk/

https://694b64c9229d921s23532adsw2.com/NzcxZWQ4MWEzZjRk/

https://694b64c99d921s3532sw2.com/NzcxZWQ4MWEzZjRk/

https://694b64c9229d9e2adsw2.com/NzcxZWQ4MWEzZjRk/

https://694b64c922153256dsw2.com/NzcxZWQ4MWEzZjRk/

https://694b64c9229d954362sw2.com/NzcxZWQ4MWEzZjRk/

https://694b64c9229151312dsw2.com/NzcxZWQ4MWEzZjRk/

https://694b64c9229135131dsw2.com/NzcxZWQ4MWEzZjRk/

https://694b64c9229d94663sw2.com/NzcxZWQ4MWEzZjRk/

rc4.plain

Extracted

Family

octo

C2

https://91.202.233.164/NzcxZWQ4MWEzZjRk/

https://694b64c9229d92124125w2.com/NzcxZWQ4MWEzZjRk/

https://694b64c9229d921s23532adsw2.com/NzcxZWQ4MWEzZjRk/

https://694b64c99d921s3532sw2.com/NzcxZWQ4MWEzZjRk/

https://694b64c9229d9e2adsw2.com/NzcxZWQ4MWEzZjRk/

https://694b64c922153256dsw2.com/NzcxZWQ4MWEzZjRk/

https://694b64c9229d954362sw2.com/NzcxZWQ4MWEzZjRk/

https://694b64c9229151312dsw2.com/NzcxZWQ4MWEzZjRk/

https://694b64c9229135131dsw2.com/NzcxZWQ4MWEzZjRk/

https://694b64c9229d94663sw2.com/NzcxZWQ4MWEzZjRk/

AES_key

Targets

- Target
  
  8c58aee3ae9f47c08c8788d0a76491ddc60231c07f6cb128f09ec4468ad24a27.bin
- Size
  
  2.4MB
- MD5
  
  f81cfa12b529ab7c6b28f16fed8b015b
- SHA1
  
  1b11a3b5a54e06df0278c1f23b26997c5e5dcabf
- SHA256
  
  8c58aee3ae9f47c08c8788d0a76491ddc60231c07f6cb128f09ec4468ad24a27
- SHA512
  
  3628dd71bd410a93c69fcba330eb14c58a2aaf89cf897bc03d87dee5294723ae2ce64e533cc4bfd4fea745578fc35fa6f11d263513f716a8ef22389dbc64bb50
- SSDEEP
  
  49152:Ubq9YF0IbFwr8Lxl4GJwMzP8Zz/UB55tksQogQdsBnRRJSCrq:78RjxlLJwG8Tw5LQogIsBTJ3m
Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Octo payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Requests modifying system settings.
  evasion
behavioral1 behavioral2