Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

6

da6333788c...a4.apk

android-9-x86

10

da6333788c...a4.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    159s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    06/02/2025, 22:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    da6333788cc7a50b02def4842b22c3087fe54da4199e975694cca88369c744a4.apk

  • Size

    1.8MB

  • MD5

    5e30e770ec3c6eabfabce48e56fc0a7b

  • SHA1

    40f4cdef86ba4f1403c41f29938637b358abf22b

  • SHA256

    da6333788cc7a50b02def4842b22c3087fe54da4199e975694cca88369c744a4

  • SHA512

    efb867716b8a6b1c57d94beb8a6fae16ebe2056f14d997827a4ec35f953f9e9d49edb221f5af82deceef83ffdce3d6502ec0f168b14b403b11d140e28641d3ed

  • SSDEEP

    49152:E1PS3NaPrnXmYzPrtwdeTgzWWjQJj/n4V4xZFw0U+azq0KN0:E1PSsjXmYzjSsczPjy/nUoU+N+

Score
10/10
octobankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://otomatikbahcesulamasistemi.xyz/fHTKmZhmwRmq/

https://tarimsalverimsulamayontemi.xyz/fHTKmZhmwRmq/

https://damlamasulamateknolojileri.xyz/fHTKmZhmwRmq/

https://akillitarimsulamasistemleri.xyz/fHTKmZhmwRmq/

https://modernciftliksulamayontemi.xyz/fHTKmZhmwRmq/

https://verimlisulamataktikveyontem.xyz/fHTKmZhmwRmq/

https://tarlaotomatiksulamasistemleri.xyz/fHTKmZhmwRmq/

https://bahceveseraotomasyonsulama.xyz/fHTKmZhmwRmq/

https://sudepolamaveverimsulama.xyz/fHTKmZhmwRmq/

https://bitkisulamastratejiler.xyz/fHTKmZhmwRmq/

https://sebzesulamasistemcozumleri.xyz/fHTKmZhmwRmq/

https://akillibahcesulamauretimi.xyz/fHTKmZhmwRmq/

https://gelenekseltarimsulamamodeli.xyz/fHTKmZhmwRmq/

https://sulamaekipmanlariurunleri.xyz/fHTKmZhmwRmq/

https://akillidamlamaotomasyonsistemi.xyz/fHTKmZhmwRmq/

https://pratikverimlibitkisulama.xyz/fHTKmZhmwRmq/

https://topraksizserasulamasistemi.xyz/fHTKmZhmwRmq/

https://otomatiksektorelbitkisulama.xyz/fHTKmZhmwRmq/

https://verimlitarlavemodernsulama.xyz/fHTKmZhmwRmq/

https://bitkisagliginagoresulama.xyz/fHTKmZhmwRmq/
rc4.plain

Extracted

Family

octo

C2

https://otomatikbahcesulamasistemi.xyz/fHTKmZhmwRmq/

https://tarimsalverimsulamayontemi.xyz/fHTKmZhmwRmq/

https://damlamasulamateknolojileri.xyz/fHTKmZhmwRmq/

https://akillitarimsulamasistemleri.xyz/fHTKmZhmwRmq/

https://modernciftliksulamayontemi.xyz/fHTKmZhmwRmq/

https://verimlisulamataktikveyontem.xyz/fHTKmZhmwRmq/

https://tarlaotomatiksulamasistemleri.xyz/fHTKmZhmwRmq/

https://bahceveseraotomasyonsulama.xyz/fHTKmZhmwRmq/

https://sudepolamaveverimsulama.xyz/fHTKmZhmwRmq/

https://bitkisulamastratejiler.xyz/fHTKmZhmwRmq/

https://sebzesulamasistemcozumleri.xyz/fHTKmZhmwRmq/

https://akillibahcesulamauretimi.xyz/fHTKmZhmwRmq/

https://gelenekseltarimsulamamodeli.xyz/fHTKmZhmwRmq/

https://sulamaekipmanlariurunleri.xyz/fHTKmZhmwRmq/

https://akillidamlamaotomasyonsistemi.xyz/fHTKmZhmwRmq/

https://pratikverimlibitkisulama.xyz/fHTKmZhmwRmq/

https://topraksizserasulamasistemi.xyz/fHTKmZhmwRmq/

https://otomatiksektorelbitkisulama.xyz/fHTKmZhmwRmq/

https://verimlitarlavemodernsulama.xyz/fHTKmZhmwRmq/

https://bitkisagliginagoresulama.xyz/fHTKmZhmwRmq/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    defense_evasion
  • Requests modifying system settings. 1 IoCs
    defense_evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.horse.excite
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4632

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.horse.excite/.qcom.horse.excite
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.horse.excite/app_desk/ZlIH.json
    Filesize

    153KB

    MD5

    d4283a7c2003b227b484e57568f98596

    SHA1

    93698a1eb6c59c75daaf947378a68d47e931004e

    SHA256

    b28785df73e188f3321922fccd81c63fe512303f9ac0ab058645dd080537c609

    SHA512

    b295b079df9ff89c2a0a3ad553a9bdcd9c3d586daf8371393a77970025c3dffac413c0d280585ad2d61caabb4b773c5b085d145a92af8e303c49d762b9de1bad

    Download Submit

  • /data/user/0/com.horse.excite/app_desk/ZlIH.json
    Filesize

    153KB

    MD5

    ab37bd4ebe6fdfaad32cac20adf95a0c

    SHA1

    4917fcd4c71d672a6afdc0500f2dcc8de1179ed0

    SHA256

    54bff3c10082f9c1f5c9a0a01e9d08cb3fde586e36a6151392d8e75f9b431b15

    SHA512

    563d7ae4f23b6dab7eb006c0474612aef6207a41dbef6b6da07e494d03f092429b320a2d0d0a5a310b6247b99437e2517d449f916f97605bb148b99ee759df9f

    Download Submit

  • /data/user/0/com.horse.excite/app_desk/ZlIH.json
    Filesize

    450KB

    MD5

    d17c9eaf047f12587a745dd4dfc86c6b

    SHA1

    1597a85a3611cd55ee7bd09ccff2948ef52bd0b3

    SHA256

    2ab433a9038142521524acbdf734c97119a7f9c6593c3d811f5dace240e0e9d9

    SHA512

    6cab4b59656fe8a1cc8bf9ad8ddeb1beda9c134081bed321964cdb150c79f3ec41ae74a283c69168d1b187dd2384ee86a1284a7c6ed8fde8e4504f98d8131256

    Download Submit

  • /data/user/0/com.horse.excite/kl.txt
    Filesize

    58B

    MD5

    0c6a6aed427b49e368229deb8d2a4145

    SHA1

    df9faf2c69ea0cb5140b11baa34dcc65a2247de3

    SHA256

    d00b29528f8e626f9d40ffba896fd7696acfb07eff7e7ee64e9108f8ff2c4ab4

    SHA512

    93ff6168e3f2430816519b0b9580516fa5d5319e06f827fe18722f56218012e007e43bb8ab786ae77b032dd3f1a285d7b1c8a99b06ab536913755410ed07a566

    Download Submit

  • /data/user/0/com.horse.excite/kl.txt
    Filesize

    45B

    MD5

    22d9f1d2fd044e3e6bc62d377c6d8169

    SHA1

    e1158af2d7ebf8eb474073d54dcbfd4979c9ced9

    SHA256

    e6feccea2c280386c7bf44c33779c4415f542cf4350a3b79c44a4339c2a84593

    SHA512

    474ad5533dadcddd01b92400ce0934377e826751da1c81a475f78aee529afc2117b68cc34adb483a21e9c8481650cf167fe0635618e53e2713487bd4575490c4

    Download Submit

  • /data/user/0/com.horse.excite/kl.txt
    Filesize

    66B

    MD5

    cf737217cdcfcf0522f0a76aaad1321f

    SHA1

    2eb5602f37d6eb728ca190bbdd501548398599f2

    SHA256

    6fdd6f9bd89e7885c93b453977eb144bcb9af10d7d2ad694f800cc1601262071

    SHA512

    cd49a0ef3203323e5004af46603ae2084e12ab3ae41b89259f12de6c96ed40163a6d25a7ecd0c1ffb0bf03c0a7eb0d6acc67a887d07a837db23435fee0065771

    Download Submit

  • /data/user/0/com.horse.excite/kl.txt
    Filesize

    84B

    MD5

    0acf7e52d90b6360a0158d340b87e7d7

    SHA1

    31a34c9c122e426234807e03f80569c68b817477

    SHA256

    89744ea56df8f6e2883d1b22db34de32a568b9c5f8e846003a4d3a844be93f5e

    SHA512

    d90b471c72c54d2a5f8c0e3a97843aedf7483e5386ff812dfaff8c0e0c6e494bbc2f0ed72ebbfebb19e7ee32045f5c28a04321916903af71a53c88bd676730aa

    Download Submit

  • /data/user/0/com.horse.excite/kl.txt
    Filesize

    63B

    MD5

    b159a39c46cf92d29f81e8f6fb35117d

    SHA1

    78329e0ab6a286e34f73208bec084f282ca4a8a9

    SHA256

    0d3c724e8882e8901924732655d47492849a01ccd8de34801782a249a269ca6e

    SHA512

    621bed54a4b8af9d4ae4cb92065cda4eaaca7309ce08778dc843194a635892b6200e7ed27811a17842566907e1234e231770d28efaa37df867642c9826543a74

    Download Submit

  • /data/user/0/com.horse.excite/kl.txt
    Filesize

    58B

    MD5

    a6bf839ed10cf8a4c60f9ac0899ec4e4

    SHA1

    d11d67aade5108640ac9dfee62a5d23387d1c2c4

    SHA256

    737f23a0164f47239deda3508573a2c485c0138bb7772075e42edabb21a6ba0f

    SHA512

    0518da7a4de3f4f0842a19058d77461fc63fd3ac686be0b7300a53fb268a54809d7e8901544da21c1444c3250a9fe4763062659b9994c461ef348ed0207166b7

    Download Submit

  • /data/user/0/com.horse.excite/kl.txt
    Filesize

    230B

    MD5

    3c9a10a6fac8dd5b3d180145aeba2c4e

    SHA1

    078724cf1d0be8eaccd3f55ed0a1748feb43f266

    SHA256

    86f3aee22fda3afbdbb86a6bd00806d15a2f6712b70ee9c651b718b668714f74

    SHA512

    0177366712eeeed506da5007f2e1d7e9ff0306f1e5b3a2291fd12c2829fad6ceb1c93d316a034ac7067969b0e533231ff2c8f8019d15ba0cc787b2dd4412622b

    Download Submit

  • /data/user/0/com.horse.excite/kl.txt
    Filesize

    45B

    MD5

    350170b2bc1c4438311fa26eb1c22982

    SHA1

    e35299c1942491990c4c849eb85e9bc278376bec

    SHA256

    10fa0b2e6185e1f057a43a1df2cd84e15ac4c7201efdd4c5377dfc21207afef2

    SHA512

    d13450b038911f68423fc68f1b69942d49c8e3126ce968bb275cde577ddb3adde34ca05c6943a5951826829085b7e2f210c127a9b0f6be9b471ab09223c64176

    Download Submit

  • /data/user/0/com.horse.excite/kl.txt
    Filesize

    63B

    MD5

    71b8d30b9a038bdbc21f3a0b2c0e165b

    SHA1

    a0376b03d5d69794469753c8be5a3ea030cfd2cf

    SHA256

    dc3121fb88d5c90de3770ab3a0499c7bc7b5ff574785c2b52928f04f971f9608

    SHA512

    08594e7d7bda2a4fdb5b051a1fe1a51782f5d48bcb1fae3539e43b3a8860d90da27b0b28dad7582ddeaacace083eeae60e1f558eee6919b733ead486ce70eea2

    Download Submit

  • /data/user/0/com.horse.excite/kl.txt
    Filesize

    45B

    MD5

    63dce5d704f489ce2130ed109670b7e0

    SHA1

    e6674ea6c962777d3a57e71b94098a96d3d134ad

    SHA256

    3772e039f559184e239a4c365420cf1ca45e882a5504acde0d68b85e3e4bdd3f

    SHA512

    15e60660a3b951b3d43702ce560c4a54202d0a517dbe4db3531551674fb3c8b068ea7e29e9e1d344b73b285501efa8ee986552ed1f471546c9c4fda25fe7339d

    Download Submit

  • /data/user/0/com.horse.excite/kl.txt
    Filesize

    466B

    MD5

    7c1706bc40820005c44a94d4fc84c9aa

    SHA1

    0b5545e4e38b754e38dae4d6c645ca865d37d0ff

    SHA256

    14bffa8eb1a681b7ec933600024f50a0129d3ed28bc14ae8679a58296cc5ea23

    SHA512

    430a7a5e06acc640dd5edfdce030931513ded5af0d4231f75fe97a28d1b258887851651f2eb6a4fe97a422d3ef7e7fea4b6ca5611e8ed529b70b4da0ea24f959

    Download Submit

  • /data/user/0/com.horse.excite/kl.txt
    Filesize

    63B

    MD5

    9c642eae519f7084a628c62fef3539a5

    SHA1

    e32800cf364f47f6a65b70bd85a9b113578f77f1

    SHA256

    a303863f67bc4053883ffd9e0a1755ba697af14e92928b1499f4738e4ed555f7

    SHA512

    16fe423fd167d8b4d3b7e426123c853adb6abd4e2a44c6c3c50459a896bbbcdafe15bcb383900ffd507f143abd87ba4e87e870ce0642f9b8c47691cd4c1607b3

    Download Submit