octo

General

Target

Chrome.apk
Size

341KB
Sample

250125-je8hbasnd1
MD5

f48258156865b253724ee9da2ab7a6fe
SHA1

1ca685977957f4d458743b932f51cc708f500d90
SHA256

fd1b4b38899ce7f0c377df7e37a4d15c8e6d6f17c35873804bf93390bbc2c131
SHA512

970c800eda8c4e53855ce55211e4a28baf77cdf4504227d21d43896e0988a90a2b8967e9d2521aa253e5747efbc8daf8e262fbbbd78f1978261a84a02cd7ef76
SSDEEP

6144:wWwmF53L8XYh/YK1+T4aP2UwzzsWoilnY6Rg0XaXNUnrUB/EuGn:+m/3IX/9Tstz4xilDg0qXNaUBn4

Score

10^/10

Malware Config

Extracted

Family

octo

C2

https://ravovifroz.xyz/Yjk5MjI3MDljYThi/

https://xervilbraz.xyz/Yjk5MjI3MDljYThi/

https://zoxapirvet.xyz/Yjk5MjI3MDljYThi/

https://draxonovse.xyz/Yjk5MjI3MDljYThi/

https://quvralexa.xyz/Yjk5MjI3MDljYThi/

https://vorklixur.xyz/Yjk5MjI3MDljYThi/

https://felmarixu.xyz/Yjk5MjI3MDljYThi/

https://zopalikza.xyz/Yjk5MjI3MDljYThi/

https://qurovikra.xyz/Yjk5MjI3MDljYThi/

https://veltrixor.xyz/Yjk5MjI3MDljYThi/

https://jovynexa.xyz/Yjk5MjI3MDljYThi/

https://kraxilzen.xyz/Yjk5MjI3MDljYThi/

https://lorvexas.xyz/Yjk5MjI3MDljYThi/

https://zaromixu.xyz/Yjk5MjI3MDljYThi/

AES_key

Targets

- Target
  
  Chrome.apk
- Size
  
  341KB
- MD5
  
  f48258156865b253724ee9da2ab7a6fe
- SHA1
  
  1ca685977957f4d458743b932f51cc708f500d90
- SHA256
  
  fd1b4b38899ce7f0c377df7e37a4d15c8e6d6f17c35873804bf93390bbc2c131
- SHA512
  
  970c800eda8c4e53855ce55211e4a28baf77cdf4504227d21d43896e0988a90a2b8967e9d2521aa253e5747efbc8daf8e262fbbbd78f1978261a84a02cd7ef76
- SSDEEP
  
  6144:wWwmF53L8XYh/YK1+T4aP2UwzzsWoilnY6Rg0XaXNUnrUB/EuGn:+m/3IX/9Tstz4xilDg0qXNaUBn4
Score

10^/10

octo banker collection credential_access defense_evasion discovery evasion impact infostealer persistence rat stealth trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo family
  octo
- Removes its main activity from the application launcher
  stealth trojan evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection defense_evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  defense_evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Queries the unique device ID (IMEI, MEID, IMSI)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  defense_evasion
- Requests modifying system settings.
  defense_evasion
behavioral1 behavioral2