Analysis

  • max time kernel: 148s
  • max time network: 150s
  • platform: android-11_x64
  • resource: android-x64-arm64-20240910-en
  • resource tags: arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
  • submitted: 20/01/2025, 22:12

General

  • Target: 6235a9ccff039afdda03bcdc239cfda551b72b92e58d175169ba3c5d97665eca.apk
  • Size: 1.8MB
  • MD5: 18276cc2ab8e6b2645c68b920e87da70
  • SHA1: 8ce2b5b42c46b09cc29f4c1baa839e7ba24ec1eb
  • SHA256: 6235a9ccff039afdda03bcdc239cfda551b72b92e58d175169ba3c5d97665eca
  • SHA512: cded42fbc274e404c5a4af5ba42066269ef60f2b1f0efad44caaa8c96a5ec4fe5dfd0bfbeb3c7d76a02a6893ae536477885be447fcdb33675c412276d1cf213a
  • SSDEEP: 49152:MIjYVUr0BuwrH1hCERy0MqGH4/rr9M9GraOS1aeRTv33xvdusdvQyJrL:MI8Buw7ntMqGH4u9Gra9vvR8cQoL

Malware Config

Extracted

Family

octo

C2

rc4.plain

Extracted

Family

octo

C2

Attributes
  • target_apps
    at.spardat.bcrmobile
    at.spardat.netbanking
    com.bankaustria.android.olb
    com.bmo.mobile
    com.cibc.android.mobi
    com.rbc.mobile.android
    com.scotiabank.mobile
    com.td
    cz.airbank.android
    eu.inmite.prj.kb.mobilbank
    com.bankinter.launcher
    com.kutxabank.android
    com.rsi
    com.tecnocom.cajalaboral
    es.bancopopular.nbmpopular
    es.evobanco.bancamovil
    es.lacaixa.mobile.android.newwapicon
    com.dbs.hk.dbsmbanking
    com.FubonMobileClient
    com.hangseng.rbmobile
    com.MobileTreeApp
    com.mtel.androidbea
    com.scb.breezebanking.hk
    hk.com.hsbc.hsbchkmobilebanking
    com.aff.otpdirekt
    com.ideomobile.hapoalim
    com.infrasofttech.indianBank
    com.mobikwik_new
    com.oxigen.oxigenwallet
    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo
    Octo is a banking malware with remote access capabilities, first seen in April 2022.
  • Octo family
  • Octo payload (1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 1 IoC)
    Runs an executable file dropped to the device during analysis.
  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
    Retrieves information displayed on the phone screen using AccessibilityService.
  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
    The application may abuse the framework's foreground service to keep running in the foreground.
  • Performs UI accessibility actions on behalf of the user (1 TTP, 5 IoCs)
    The application may abuse the accessibility service to prevent its own removal.
  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Requests access to notifications (often used to intercept notifications before users become aware of them) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to keep running hidden in the background) (1 TTP, 1 IoC)
  • Requests modification of system settings (1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)

Processes

  • nt.neoscorp.anxdroid.valueweaslletsd.sole (PID 4772)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests access to notifications (often used to intercept notifications before users become aware of them)
    • Requests disabling of battery optimizations (often used to keep running hidden in the background)
    • Requests modification of system settings
    • Uses Crypto APIs (might try to encrypt user data)

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/.qnt.neoscorp.anxdroid.valueweaslletsd.sole
    Filesize: 48B
    MD5: 046a414913add6f5bb60072c7db819b6
    SHA1: 451ee4f6809260aec622d772fd329c7d0297a842
    SHA256: b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
    SHA512: 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/app_future/DRNMr.json
    Filesize: 153KB
    MD5: cec1f7d1a4f4a9564a49fba7ebf30579
    SHA1: 666d3199b59e70aff88e433f3d4ec66cb22d084a
    SHA256: fe5b9c7886f67f81bc031422fb8fbe4b5b3b0c33afe170679c1c459129a8612a
    SHA512: d771ec209be03b2656e3a3c1caf003dee7bce8a7f00377746e126e10fc06978bbc208131365eeab674183f2b2af35c00a893014727a4fbdd7461090bba0f4dd3

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/app_future/DRNMr.json
    Filesize: 153KB
    MD5: 2f2b16a3a1563e8a1c62a7d365655cfe
    SHA1: a974660f455dca5ed92d206b5a373888424e0d26
    SHA256: 280974d24b787daa59740e9c53b7097e49d6791b2db65fb6a4bb3b51426da7b9
    SHA512: b506394cc30d11262df22423f96a7ad18019f67f8c8c8e7ad1151e2f71528ac68c3352b6d9f71302aa121aef24a3b3a995cda565f696e6e4d4c1ae5c47901810

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/app_future/DRNMr.json
    Filesize: 450KB
    MD5: 89243960818c1c09c1cb24b04f67faec
    SHA1: 593160660db3c7042ecea68687b63a454d19e440
    SHA256: c305a073d24953c41b175ef45d02e03f73419e6809a7ab1b0f774550f768fb73
    SHA512: 52ae77c8985026d89ed84601e9a6e072f0556839e207866f9e053068858e68be9a814d2ebf7095c2e0814252edeea4715557818e029ee76fe1eec575f7aa8601

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt
    Filesize: 66B
    MD5: 5f289f8f1793fb3654c09a5a26b79c04
    SHA1: fb80e97587db69f71bfb39f27a3889c7cbf427b4
    SHA256: 965b1d8260586499cca3568fac28efd8714a27ae36b4340360f481502ac9a826
    SHA512: a087d00cd41bc001faaed7bf5085245e44b13a3f5b8f70b2fbeba205afadb0aac05a437c1ae0e16d7d5e782e0b326b7a56d8c082f8dc6746cdd4fd9da39b9820

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt
    Filesize: 84B
    MD5: ac2d2c77b6ce0a711ccbc60669f8cf24
    SHA1: e19b05ca9e2af357fda030deb1967432b5fd2c02
    SHA256: 8bd4f1e8be99a277545ee18f0a60035147ee9ec447c92042f9d92e2b329846c9
    SHA512: 3267b2026b0a0b0a2a618a2d1182cabf5ca5e2ed68914534d93de69422bc947f0d9b7a651d89f6477287df2f9bd50f893a3292900fab195c624e10f023997036

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt
    Filesize: 68B
    MD5: d808ed3748d97d935966860f388348bd
    SHA1: 9f5f68861dbcc06fe93db26c58d84b53b95dac4a
    SHA256: fb08fde67761a2562481a788c84751ddf739235796722338445f55fc73825ea4
    SHA512: dd50775b875bb42d3fa0d8fe1e68dc6e28eba47ed66c4541150d3c30ef1f0340f4da8176efc4ba9d4061731e166b9ea3f9428c30fa2ffbd60604b64e7382a88f

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt
    Filesize: 230B
    MD5: 21e592ccbe76c9eeb7a410edcf05c8be
    SHA1: c8ae81e2964a68e0a5ca0c928c98c57fd06953f0
    SHA256: 7a4aa8bc9e66638835390c9af0abae5de04de9b7ea13ade748400da1f0c8bb18
    SHA512: 072ebefecb35b57ac2f55a351b496c830b50eed84632838cd1b115b024efb0aa662ef4270ca335a547cf3c9dcdcc118f78fbda5a5ddd84af01f336c65db5ae22

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt
    Filesize: 54B
    MD5: be4381039400708987ae9c64a0d3b9c7
    SHA1: 9249675f919b4715d0c92c52d0e580af5c2a7530
    SHA256: 7032920af010900ee2939062b26f0965b2053cee84e06af5b50324f11ce145cb
    SHA512: c9303bdb67f75c55eb77ea79c04f9f7754295556a3f6bddd0f3490130e00b8dd79c7039d1801106cc7342d9b56f576c1f5adfd62bdf6ab363d6192431aa43fe9

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt
    Filesize: 63B
    MD5: 844a518bccff61ff4580316ee22a0951
    SHA1: 4a572c262c9f65e4fb7bade0af047cbb876d7fb6
    SHA256: 8e87f40fe617f733ce64f02fcb1af5aa723bf887e88b81b7bfc6a3449e9d151b
    SHA512: abdea5b23e73e4d9872e18df24859e62d6d8a377a3d430d6d4feaf1675a8170d46822ac702bf06d0a9042aae7fc45beb6a67e68921dded8d486e32bce14252ad

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt
    Filesize: 45B
    MD5: c61ef9f8a04f4f926e99e2ce028c54f0
    SHA1: 23d815755b84b8a227e9a00e0c33d8cd47e1b343
    SHA256: e8d9dd774cc6ee473ac9e9562537c3d6ed909d5ae664948713fa1b51a87d58ac
    SHA512: 2b4cd2d6ad04e405865836ae3eed6c7f290879ac88f60426217f0b900bd773491bbf9a3dc8c814847caf3bbcd77fad2d316307fe4ff0f0bf0d15351f774efce3

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt
    Filesize: 466B
    MD5: cc0949db53709fa0e0f0a33433659380
    SHA1: 23befcde1ff5b4e10cf941e7135098c6c6f796a6
    SHA256: 5bd96736b77bc28dc3814e25959915ec77cfc7d29034c68a66c3918211265b65
    SHA512: ca57427d122e445944166ec3277d27bc14523491ece3f0be467f268bb6bd846a261b472b9066bb856a4f1e91a6fc7986de41c66f492c2d9cf9a5e4eed97036e0

  • /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.sole/kl.txt
    Filesize: 45B
    MD5: 7c583d7629db51d10ada8323c5b5964b
    SHA1: 81dcf36e74cf50dc94a8304262ae1ce67cc9aa26
    SHA256: c383aa7ed659e879f626e4cc9ca235de6c5a9bad618870dc785c1cbc4af9d895
    SHA512: 1f2f3aa9623e519cb916396c05b7488cc7949125c68c611ab5635d04eacca8b19b83baf080979856db3f9967e17ea7efe5d45a3754751779dcea41b510532bfe