Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64, arch:x64, arch:x86, image:android-33-x64-arm64-20240910-en, locale:en-us, os:android-13-x64, system
  • submitted
    14-01-2025 22:05

General

  • Target

    29e64833310d3aa6798b2d549484585341882ab5359bbe3134cc6fe4fd5f37d9.apk

  • Size

    1.2MB

  • MD5

    21700a2517e64c0c311772f09a6eafa9

  • SHA1

    6ac772a5ba166403322b29293130d4fc53b51d94

  • SHA256

    29e64833310d3aa6798b2d549484585341882ab5359bbe3134cc6fe4fd5f37d9

  • SHA512

    3c75566964caa4b3586c3dcd6fde86d53b6b7ac7014609063791b33d3f9ebfe9d0d7626a94a5e2f293c7980d5d56f5c47c298a66f5df60a90b794a681311596e

  • SSDEEP

    24576:1IsBzEgaLFg9MZ1032l8arpWnHVg79mVz0UXFyH+PZ+x6qPzUS:1bBzhaL69e103GpW1U9myEFNZqgS

Malware Config

Extracted

Family

octo

C2

https://hastanebilgimrehber.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimiletisim.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimkapsami.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimtavsiyesi.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimkaynak.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimyolu.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimgucu.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimguncel.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimyonetim.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimdestek.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimyenilik.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimtarih.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimkaynaklari.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimplatform.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimdogru.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimdogruluk.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimanlayis.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimhizmet.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimkalite.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimiletim.xyz/MzhiMTg0NTAwOTY5/

rc4.plain

Extracted

Family

octo

C2

https://hastanebilgimrehber.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimiletisim.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimkapsami.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimtavsiyesi.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimkaynak.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimyolu.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimgucu.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimguncel.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimyonetim.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimdestek.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimyenilik.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimtarih.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimkaynaklari.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimplatform.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimdogru.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimdogruluk.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimanlayis.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimhizmet.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimkalite.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimiletim.xyz/MzhiMTg0NTAwOTY5/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key
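The twenty C2 URLs above share one naming scheme (a "hastanebilgim" prefix, a Turkish word, the .xyz TLD) and one identical path segment. The following is an added example, not part of the sandbox report and not code from the Octo sample: it turns the extracted list into de-duplicated host indicators, checks the naming scheme, base64-decodes the shared path segment and emits one Suricata DNS-query rule per host. The URLs are copied from the report; the base64 hypothesis for the path, the host regex and the sid range are assumptions made here for illustration.

```python
"""Added example, not part of the sandbox report or of the Octo sample:
turn the extracted C2 list into blocklist-ready indicators.

The URLs are copied from the report. The base64 hypothesis for the path
segment, the host-naming regex and the Suricata sid range are assumptions
made here for illustration.
"""
import base64
import re
from urllib.parse import urlparse

# C2 URLs as extracted from the sample's configuration (copied from the report).
C2_URLS = [
    "https://hastanebilgimrehber.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimiletisim.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimkapsami.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimtavsiyesi.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimkaynak.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimyolu.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimgucu.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimguncel.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimyonetim.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimdestek.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimyenilik.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimtarih.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimkaynaklari.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimplatform.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimdogru.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimdogruluk.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimanlayis.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimhizmet.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimkalite.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimiletim.xyz/MzhiMTg0NTAwOTY5/",
]


def c2_hosts(urls):
    """Sorted, de-duplicated hostnames; the unit most blocklists key on."""
    return sorted({urlparse(u).hostname.lower() for u in urls})


def shared_path(urls):
    """The URL path if every C2 uses the same one, otherwise None."""
    paths = {urlparse(u).path for u in urls}
    return paths.pop() if len(paths) == 1 else None


def decode_path_token(path):
    """Base64-decode the single path segment; None if it is not valid base64 ASCII.

    Missing '=' padding is restored first, since URL tokens often drop it.
    """
    token = path.strip("/")
    token += "=" * (-len(token) % 4)
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def hosts_matching_scheme(hosts, prefix="hastanebilgim", tld="xyz"):
    """Hosts that follow the observed '<prefix><lowercase word>.<tld>' naming scheme.

    The scheme is inferred from the list above; treat it as a hunting heuristic
    for sibling infrastructure, not as a definitive fingerprint.
    """
    rx = re.compile(rf"^{re.escape(prefix)}[a-z]+\.{re.escape(tld)}$")
    return [h for h in hosts if rx.match(h)]


def suricata_dns_rules(urls, sid_base=9000001):
    """One DNS-query alert per unique C2 host (sid_base is an arbitrary local range)."""
    rules = []
    for i, host in enumerate(c2_hosts(urls)):
        rules.append(
            'alert dns any any -> any any (msg:"Octo C2 DNS lookup %s"; '
            'dns.query; content:"%s"; nocase; sid:%d; rev:1;)' % (host, host, sid_base + i)
        )
    return rules


if __name__ == "__main__":
    hosts = c2_hosts(C2_URLS)
    path = shared_path(C2_URLS)
    print(f"{len(hosts)} unique hosts, shared path {path!r} -> {decode_path_token(path)!r}")
    print(f"{len(hosts_matching_scheme(hosts))}/{len(hosts)} hosts follow the naming scheme")
    print("\n".join(suricata_dns_rules(C2_URLS)))
```

The path segment decodes cleanly as base64 to the 12-character string 38b184500969; the report does not say what the operator uses it for, so it is best treated as an opaque per-build token and matched on as such. Keying rules on the hostname rather than the full URL also keeps them useful if the path changes between builds.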

Signatures

  • Octo

    Octo is an Android banking trojan with remote-access capabilities, first seen in April 2022.

  • Octo family
  • Octo payload (1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 1 IoC)

    Runs executable code (a Dex/Jar file) that was dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen through an AccessibilityService.

  • Queries a list of all the installed applications on the device (1 TTP)

    Might be used in an attempt to overlay legitimate apps.

  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse a foreground service to keep running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 6 IoCs)

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Reads information about the phone network operator (1 TTP)
  • Requests access to notifications (often used to intercept notifications before the user becomes aware of them) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to keep running hidden in the background) (1 TTP, 1 IoC)
  • Requests modifying system settings (1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
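The signatures above are runtime observations, but the same capability set is visible statically in a manifest: an accessibility service, a notification listener, a battery-optimization exemption, a foreground service, settings modification and package enumeration. The following is an added example, not code from the sandbox or from the Octo sample: it parses a decoded AndroidManifest.xml and flags the combination rather than any single permission, since each one alone is common in legitimate apps. Both manifests in the block are constructed for this example (hypothetical package names), not this APK's manifest, and the flagging rule is an assumption; a real APK carries a binary (AXML) manifest that has to be decoded first, for instance with apktool or androguard.

```python
"""Added example, not code from the sandbox or from the Octo sample: static
triage of a decoded AndroidManifest.xml for the capability combination the
report's signatures describe (accessibility service, notification access,
battery-optimisation exemption, foreground service, settings modification,
package enumeration, wake lock, telephony state).

Caveats: an APK ships a binary (AXML) manifest that must be decoded first
(apktool or androguard); the manifests below are constructed for this example
and are not this APK's manifest; the "flagged" rule is an assumption.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """ElementTree's Clark-notation key for an android:<name> attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


# <uses-permission> names mapped to the report's signature wording.
RISKY_USES_PERMISSIONS = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "requests disabling of battery optimizations",
    "android.permission.FOREGROUND_SERVICE": "foreground persistence service",
    "android.permission.WRITE_SETTINGS": "requests modifying system settings",
    "android.permission.QUERY_ALL_PACKAGES": "queries installed applications",
    "android.permission.WAKE_LOCK": "acquires the wake lock",
    "android.permission.READ_PHONE_STATE": "reads telephony state (phone number, operator, MCC)",
}
# Signature permissions that guard a <service>; their presence means the app
# exposes a component of that type to the framework.
RISKY_SERVICE_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification access",
}


def manifest_capabilities(manifest_xml):
    """Return {permission: description} for every risky permission or service found."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for elem in root.iter("uses-permission"):
        name = elem.get(android_attr("name"))
        if name in RISKY_USES_PERMISSIONS:
            found[name] = RISKY_USES_PERMISSIONS[name]
    for svc in root.iter("service"):
        perm = svc.get(android_attr("permission"))
        if perm in RISKY_SERVICE_PERMISSIONS:
            found[perm] = RISKY_SERVICE_PERMISSIONS[perm]
    return found


def banker_profile(manifest_xml):
    """Flag the overlay-banker profile (assumed rule): an accessibility service
    combined with notification access or a battery-optimisation exemption.
    Any one of these alone is common in legitimate apps (screen readers,
    launchers, VoIP clients), so the combination is what is scored."""
    caps = manifest_capabilities(manifest_xml)
    a11y = "android.permission.BIND_ACCESSIBILITY_SERVICE" in caps
    notif = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE" in caps
    battery = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS" in caps
    return {"capabilities": sorted(caps.values()), "flagged": a11y and (notif or battery)}


# Constructed manifest resembling the capability set in the report (hypothetical package name).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Update">
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <service android:name=".Notif" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter><action android:name="android.service.notification.NotificationListenerService"/></intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign control: a screen reader that only declares an accessibility service.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.reader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Reader">
    <service android:name=".Svc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = banker_profile(xml)
        print(label, "flagged" if result["flagged"] else "not flagged", result["capabilities"])
```

A manifest check is a first pass only: the "Loads dropped Dex/Jar" signature above shows that a dropper can declare a minimal manifest and fetch the real payload at runtime, so a clean manifest does not clear a sample, and a flagged one still needs the dynamic evidence this report provides.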

Processes

  • nt.neoscorp.anxdroid.valueweaslletsd.sole (process 1, PID 4511)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/.qnt.neoscorp.anxdroid.valueweaslletsd.sole

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/app_client/LkUnha.json

    Filesize

    153KB

    MD5

    ab74fdf6263169c1dc94f9b7b622beb1

    SHA1

    ebb04a3c731df5e751908423315894090cdf59a0

    SHA256

    9deaade3aca4ad424cc8f0992122d31e87565e7ece824aa4e01a242bb085003a

    SHA512

    5a730ff92e7f557c627095ecbad3011db32ef6b37900c3ba2e662181d6528cbc8faef4ba98733e1331c986c053f918832b926eb15cc0139e7d8fdf3bad8a7560

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/app_client/LkUnha.json

    Filesize

    153KB

    MD5

    b6b3bdd2a4f1aad350123d374d24b07a

    SHA1

    964d3c08e47c8dbe4c9c83a48d2107aa9c5fe56b

    SHA256

    e7ebf6166f679393d6341fe39ea50eddebf95de82ca54d56001db3386246c0b0

    SHA512

    dde4e674bdd882875a8d572fa9b006fd22e3bba6af1302ac4c7519b2eb2262cd7931f17aabb92502c2f32cc1fbd2a26b1dc528b3874ddfbaeb4b64782542cf77

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/app_client/LkUnha.json

    Filesize

    450KB

    MD5

    89243960818c1c09c1cb24b04f67faec

    SHA1

    593160660db3c7042ecea68687b63a454d19e440

    SHA256

    c305a073d24953c41b175ef45d02e03f73419e6809a7ab1b0f774550f768fb73

    SHA512

    52ae77c8985026d89ed84601e9a6e072f0556839e207866f9e053068858e68be9a814d2ebf7095c2e0814252edeea4715557818e029ee76fe1eec575f7aa8601

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt

    Filesize

    70B

    MD5

    3a4aa1125aa7f5891c9e71690411966a

    SHA1

    ce5b36b6b41588f4b0337489f972c0ebc23a1c1a

    SHA256

    62bfd26c28c1b99ecfa369f07ca78ef3734ce7c630dff302957c6b61f49d75e3

    SHA512

    4b16f9857c5407adedd31ef4644d09d63c7023b0197fb4105483307550e785289d3da4ea71295114db68becc104f9136f02ed8628c1fee6c8571a12af88f923b

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt

    Filesize

    68B

    MD5

    2942cf764ed80a106e4fcb7c21611112

    SHA1

    fe9c893a0631b951cf3210fa05de0a7382394f25

    SHA256

    d845e9895e49b0f992c79b5b8d131f13e13909adce6bd6420c32b6847468da7c

    SHA512

    a3e5ef690ccd49a5e1eec51e6d8e7281738363812a1b02a8e5b451f03b8058fc6e60f8c6de8400feb3b1721c4a4b1c9f714e49220ce15e0484f062fa1c94dea6

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt

    Filesize

    60B

    MD5

    187dad17094858e828863a1987b89900

    SHA1

    bd284fd864a7299e0ebfccf5247947fcb8d22ce8

    SHA256

    b8df95f9fba0936d112a31393042e95eec4e205b4b7af7ed6cc7c6017696c19b

    SHA512

    b0f5ae183260be5fc8510fe44b2b75b2b20ad662c3e4f00bafce8295e3bc007940d5f10c92aa57c21342cac38c4fb93cc6fdf1525b40c9ffc9ddb0fc8ae2e40d

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt

    Filesize

    84B

    MD5

    9709acdbfcf601001f908e89f5fd5d24

    SHA1

    565f85503f48473725d8e7846e3d5bab2b939500

    SHA256

    1b3aac0bf28ccf8c7d2424961a2c55e3affc540b3b29cb4888b6892f0fdb1a1d

    SHA512

    0b6d15fd3e4c458714400a80846252bdf7ab0bf4a6b346d27436a12c35858063db18c72b3164aebb10698467bb5a5e45fb1d0490665fa63482a131652262409b

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt

    Filesize

    214B

    MD5

    c53c8dfd03da06835eeede83aeae0c54

    SHA1

    f17baad453b94e12a7ef4636148061ab6187c883

    SHA256

    53b5bebd6691ee07500907ad10d0ad1e241a122a86d81953a293dec6ff4b8cdb

    SHA512

    52f63a3d220534c78fe20dc69402d01df316c54e9a45a992a5fffabd68f206621d1b89ff3a91338f14c94402db9d0b1267a3c1856d3e78c8bd970f1da4d6f26e

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt

    Filesize

    54B

    MD5

    7c05dcf738752ab4f55a740eff8f9468

    SHA1

    4bed3042b813856a50d25b933e01566e3b49c439

    SHA256

    5e2de41fbe19d7463cc0627d79c68d10d8550c110d56f44686d2761215866ea8

    SHA512

    2c8e50616ab3deaba0fa441e46997542466586c7edb2c8b96300e3201af1957271dd4ffedf0b7f9ded9b5d2096f07a0c157bbb5666d44f51e60a8fa82eb9ec55

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt

    Filesize

    68B

    MD5

    bdf74ab323a66c566e958f54c408669d

    SHA1

    c916226d871768010d4dcb9e76ede383368fe1e3

    SHA256

    31f0941b7029108d51e4fbf0f7e4475a48821343f54a01841df79192ad332cbd

    SHA512

    3db9ed8a4cb7d70172e712839dbf96e4d45965a63bc5127f8f6b5631720e38609defb6668cacc2e42b5d4af047a8d8c09e0ce9da01f24a521ece12a237141a83

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt

    Filesize

    60B

    MD5

    66fcbac9ebebf868c513b34efd14a30d

    SHA1

    64a0e080f99b9c9823674ed5682bfc53a0239b7c

    SHA256

    5df2890e9ee7ec03b2b5682722e79a17e1fe614908ec9f112357060dc942ba67

    SHA512

    a3f7ed8b0aafcaf263e7962a249f39c7fe135d119767ee3c5376324ac1772df7d36f9afcf98405d905f497b0950c5df4c47fd11359efbc909b42a14689e8de22

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt

    Filesize

    490B

    MD5

    be959db4a301f4ef31fbf621a014bf41

    SHA1

    f51282c80e2c1789ba93f41bc3f453adc1afe7a9

    SHA256

    5e6726eeecd4adebcdf32f9f470c59d564ef1ed1cf27ede73f5fdfd08de686e0

    SHA512

    45a7a2db31e2d0327cb301a37950a25f951692ea5340ddccdd714df7e12886f764a967628e62d785c86af994f0be54e97f287ebf482f4cfc20ef78aa54812ad8

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt

    Filesize

    70B

    MD5

    618ec4fb4b9dde4e982b3c75d7c9ef34

    SHA1

    415d5c92462a74a0a40c8c601de674e4e59dc832

    SHA256

    be0c1ecf0d323cb45cf46f2e412395288a65068378c7b18ef24fda1a56ac35d4

    SHA512

    e80af1face49910768be3b6e45d58bb3f794aa2111b1a45a192a37a5c8765948ba26c094d56bea05bd2ca57aa41aa08570a040a5ca258459623602b6c40419d3