Extracted

• • Target

    08478c94df97cf5240855d2104e3ea383aeb9a7e750730a6ffcf4dd5868c55a1

  • Size

    7.7MB

  • MD5

    ca4de35f2f56cff2b39a73b87aa2a936

  • SHA1

    73b060c80d61150aa0e5d9b1496069c185b2ba58

  • SHA256

    08478c94df97cf5240855d2104e3ea383aeb9a7e750730a6ffcf4dd5868c55a1

  • SHA512

    70e753417983106ae1542900b307668399df328d470deb9aecc4cdfdc4cf138ffd4c5a67d9c778130be169448cc060f17c95e27733355cafa8c3af279fb685e6

  • SSDEEP

    98304:jasM4sdjVKL8ub+j7O5iSRGdqfGw0kRsqO4vylamAg0:GsMbUb6j7Or3f/RK4b

  Score

  10^/10

  octobankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistencerattrojan

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto

  • Octo family

    octo

  • Octo payload

  • Checks Android system properties for emulator presence.

    defense_evasion

  • Loads dropped Dex/Jar

    Runs executable file dropped to the device during analysis.

    evasion

  • Makes use of the framework's Accessibility service

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    bankerdiscovery

  • Queries the phone number (MSISDN for GSM devices)

    discovery

  • Acquires the wake lock

  • Makes use of the framework's foreground persistence service

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence

  • Queries the mobile country code (MCC)

    discovery

  • Queries the unique device ID (IMEI, MEID, IMSI)

    discovery

  • Reads information about phone network operator.

    discovery
  behavioral1behavioral2