Overview

overview

10

Static

static

6

c63f28e953...3a.apk

android-9-x86

10

c63f28e953...3a.apk

android-11-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    20/01/2025, 22:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c63f28e9537a3e5fd5398170239388a632671359bf8bcb7335b20ca7d3dfa03a.apk

  • Size

    1.6MB

  • MD5

    151e8ef3c71c66cf6260d07ddbd2b75f

  • SHA1

    1a9f779bb2b9fd945c459073b35534c4d2a7764a

  • SHA256

    c63f28e9537a3e5fd5398170239388a632671359bf8bcb7335b20ca7d3dfa03a

  • SHA512

    6f31c90d4d674a50afd297e79e4135d1d22557aa4c668cff8172bb098049b9c1393a562482f42d5905e8590919471e521e7f523a25b3cb8973e499c243b934fb

  • SSDEEP

    49152:F41YFpgk9QZq98vn/3TZ8Ib6Di68HIgM2JX:689QZq9en/jKE6B8w2JX

Score
10/10
octobankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://hastanebilgimrehber.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimiletisim.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimkapsami.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimtavsiyesi.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimkaynak.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimyolu.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimgucu.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimguncel.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimyonetim.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimdestek.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimyenilik.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimtarih.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimkaynaklari.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimplatform.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimdogru.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimdogruluk.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimanlayis.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimhizmet.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimkalite.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimiletim.xyz/MzhiMTg0NTAwOTY5/
rc4.plain

Extracted

Family

octo

C2

https://hastanebilgimrehber.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimiletisim.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimkapsami.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimtavsiyesi.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimkaynak.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimyolu.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimgucu.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimguncel.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimyonetim.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimdestek.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimyenilik.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimtarih.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimkaynaklari.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimplatform.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimdogru.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimdogruluk.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimanlayis.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimhizmet.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimkalite.xyz/MzhiMTg0NTAwOTY5/

https://hastanebilgimiletim.xyz/MzhiMTg0NTAwOTY5/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    defense_evasion
  • Requests modifying system settings. 1 IoCs
    defense_evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • co.learnol.bksfz
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4581

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/co.learnol.bksfz/.qco.learnol.bksfz
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/co.learnol.bksfz/app_aware/SsU.json
    Filesize

    153KB

    MD5

    f5d780737df1869d75268e146e720e7d

    SHA1

    7fd4a68c64fee9e286c174845ca4b7c166d7d176

    SHA256

    addffe986fdea65a5cba707cb9e893f542d8174443be67cb3232f7d946d9add2

    SHA512

    c1da1fb4920a8afff24a4296044545916213ab3f14b3a1e14072a857e752b786460f86bc90d935bc456b6c1574be66752676379924cdc4ead36cb46e1d95c628

    Download Submit

  • /data/user/0/co.learnol.bksfz/app_aware/SsU.json
    Filesize

    153KB

    MD5

    00f283792d3409f38e819cabfe496e45

    SHA1

    72ac72c2d0a159381b3a56d0d8ef6b0890ba10ad

    SHA256

    1fe3bf5f8ab3cd12fdaf8941039e9a2e8717940d82db6a44c91021fbb478e34c

    SHA512

    c24d6dc931915ac0ba948d0637b90b0b446e8baf58110c2ff63092676fa398c5c8c16705fa0836d791889e23e3a68f848ec139082d103f0164a7dab0ab3857c5

    Download Submit

  • /data/user/0/co.learnol.bksfz/app_aware/SsU.json
    Filesize

    450KB

    MD5

    a26559217d84c32c2c8a0bb59f1ce1d8

    SHA1

    f0ea68ad2bd177d8a4216b21db87500f5e0d25ee

    SHA256

    2e51decdc36ac38ab36758a65dc87817eb319eff59b95f9c36abef0805671224

    SHA512

    cea40a37df07feba39b6b106c9a9741b4b026da56af50b63352c440c4388c4be83c5477eab690a8c33735201ed3e1f2eac344b3262036c2a4f948154132f759a

    Download Submit

  • /data/user/0/co.learnol.bksfz/kl.txt
    Filesize

    466B

    MD5

    ec63a359fa7cced9c80a57361eea0eda

    SHA1

    2633f715ca51eae6a5bc936dcd070ca948e82b0a

    SHA256

    c99a60e7c034de4a4e3e54a218e97b41f5dcb4d873e9b015fe4c8303a78a0ad0

    SHA512

    ec5b9c54d70a4b76f71b4a1c08a76938269ab357c819e7c5308f81b859f1991ab4b832cb4f27d53ce286f334af8a04f27315899146489b815ef6ea5da18218c5

    Download Submit

  • /data/user/0/co.learnol.bksfz/kl.txt
    Filesize

    45B

    MD5

    a9e5d1750a4f764a6a323ea080fa3107

    SHA1

    a755c1c2da5ce2bf7651a797b56f5f0d4baa6bb2

    SHA256

    f79a1e25fee4b747d84bfaf521eb4c03cca6ab36db38b8b9f2b8ff750e42d8e8

    SHA512

    e69440ac9d3c3f867823218f9d6edf093830dd14a86983920c16c96916c59d628a5b7d320f6815b52e96945e5aa3e5eb22e8771356275dd73bc29cf6cd0f0296

    Download Submit

  • /data/user/0/co.learnol.bksfz/kl.txt
    Filesize

    66B

    MD5

    365845c1b036495d6a420c5a4256210d

    SHA1

    eb41ef81dda3572099866b2c36269871a71050f2

    SHA256

    7f77e290e78a0430ab950eb66af41e8c36c9b4120facaf330ac608faf3b6ed54

    SHA512

    4cb6be857d81075a5b24622fec1fd2b9fe80bbb5964311c2b2d843a7b3654035130a96e4eadc22f49482148a1109eec14fadee74aa64c3906f54b9c3eeb1aeda

    Download Submit

  • /data/user/0/co.learnol.bksfz/kl.txt
    Filesize

    45B

    MD5

    ffa101369f984afc29d8d24945adb29c

    SHA1

    e7957a47baa34425a099e005ffbeb7dd310768c7

    SHA256

    ab9ec85abcc726dbf7dcd01d84b17913819d0258508c61ffd9c15107de19b724

    SHA512

    9a152023c108c5997a5f515b3010cf66c358a123454db091460fb94071851e1d2a3e8178015f8685c4b42fee4c88e82793b263b6800d9b11348bad44038248b8

    Download Submit

  • /data/user/0/co.learnol.bksfz/kl.txt
    Filesize

    84B

    MD5

    54d815686cbca0e8043ee4c675007e4e

    SHA1

    9b8bf0d884367ce8bb0e3d0f7ccc3a87d11e593c

    SHA256

    5ff8e3f62523be8573ead5848062662ca8cc173852356a12ebd74d4dc58d9e23

    SHA512

    f2482491db3cface77f3ca7b47651ee11934bbc555aab7bd5946226cc559e246bcd743aea46bf9ee561f59b83b097a1946d418d471f58d1bcf476694a3472c6a

    Download Submit

  • /data/user/0/co.learnol.bksfz/kl.txt
    Filesize

    63B

    MD5

    7ab3b7d66462be4fbe4ae9f54489d45e

    SHA1

    cdb4e45955bfaced6650fa198a61b869c7506bef

    SHA256

    186b3e110ee5805bce6fe0c86a6dffc09722ccb6a6920b4bce10e7a6ae8bca7a

    SHA512

    d09b3af1434eaab60d6985bc0f2533bac6d173c38cbc5e295ba7f98595ea8f964fbf96a706b271baa586b32bf534b13ed9127f357da75fe83e987c4c9c2a0118

    Download Submit

  • /data/user/0/co.learnol.bksfz/kl.txt
    Filesize

    68B

    MD5

    484415550c43dad736e47337adc3094c

    SHA1

    6afc8352175e99a14cddcb0c1b48be4760addda0

    SHA256

    0b70c7c1efe777420064b743cd374c1069b0274ca28ef2a80331ec4438da4a1a

    SHA512

    864ffefe82845459055f25fe9efdc5958d5c64e34c2f182a89181481c405f62ec5929d66396a700289ee6c9c6a83f2ff6c0217615458ea74f0133fbca4bb4892

    Download Submit

  • /data/user/0/co.learnol.bksfz/kl.txt
    Filesize

    68B

    MD5

    e684e0fb14ba6cda99df0d8625bd93b0

    SHA1

    43ac6a50b1aec88172bad70e3f5f522c7c35a25d

    SHA256

    647d72a3d329d5dee20ccbedb00bdda46c8dd7cbf2785ece7d669c802c393be7

    SHA512

    c547ca180f9eaf5e51e91de1a298478072f30f52de3b7b679fd74c596d33c6ad824d06bfeb6d61d0046ec7d82ea7f902001624099f4583f0ca3d6fe84cf479c9

    Download Submit

  • /data/user/0/co.learnol.bksfz/kl.txt
    Filesize

    230B

    MD5

    1e82c76d17da4b15c6282e8928821e87

    SHA1

    89413a371e9fc0a45f3115dabdfc409bcfcc9da1

    SHA256

    bbc2be51e0dc5d4f82f4651ef3011d063fae785fa60fc739a53ec883d3973427

    SHA512

    5a121ef20678ec9bf59e5d7bba7b5b0c3a798b9a905e0661a3da19da45a91b43762780a33b2b92044a2fbd3e0cb086798e309c093db22939d018322166398798

    Download Submit

  • /data/user/0/co.learnol.bksfz/kl.txt
    Filesize

    54B

    MD5

    4750fd6011ed4741a7cb472ecd53d00d

    SHA1

    923ff19a63317c3df43963991cf5e6fdf21d5d04

    SHA256

    284bd660ec6d0877b3a8da2229821da6a79a3d4fbd5927dd64e2077177770778

    SHA512

    45add3d76931e8f36d8093751aad73ab8f846f1aca9ed3db02dc921908ac15fc85aa2d82d6e3cd6324f083d66c7fdb11b52cdd517783b808e2b9fd53fd409a5c

    Download Submit

  • /data/user/0/co.learnol.bksfz/kl.txt
    Filesize

    63B

    MD5

    03b77fce8a1ec70e140d09eb4953c919

    SHA1

    c71f85390b14ac765fd937f8f733cedd2452780c

    SHA256

    c38aa4fa70e2e803f98f6ec4245b29fb40cd6720b2d58bebb7e2e4baf9c6a8b3

    SHA512

    fc2cf103999c9bf295f557c94de77fe99f166196fe84b088ef54466e499e9f5f70f94be437e3541f79eef71b298a06e71bc22d8a28c62c423a820b18963b3f67

    Download Submit

  • /data/user/0/co.learnol.bksfz/kl.txt
    Filesize

    45B

    MD5

    b633f1ee01358ed6ffdb7d0d00f7a0a8

    SHA1

    fc72d5411c6873fa85097ab29e9aa409a0f329b3

    SHA256

    a2760bf4d5bdf10ac70efb19220b85b86ff96c6129be94989db32edea629b981

    SHA512

    4098ac475fa4b6587d803f6e1f3318f7c98933d53f470b90c5a2d543500d2bcfc358a2ee12796fd2923f69ccc24cf4a8101ccd74782206fd153686a176394e93

    Download Submit

  • /data/user/0/co.learnol.bksfz/kl.txt
    Filesize

    63B

    MD5

    a2d377ab2a7483e76e11163c206545ef

    SHA1

    5328cba75c70c490ea2168b02000b0419ee062c3

    SHA256

    c31918cbb238cde7c809bd32e7d26f6c418d054c30ab739875b4f6a36dfdd587

    SHA512

    76c9b7f7c1f203428a3dd15306195a374495992c681ceacca07671f67f5d0d0c1c7ee3acd49376cfbe0ab24a98090896003bc5c6b42ed2e2a6a932cb8e5616bf

    Download Submit