Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

6

85fb335bf1...28.apk

android-9-x86

10

85fb335bf1...28.apk

android-10-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    164s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
  • submitted
    08/02/2025, 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    85fb335bf1f054742552a8626b099601695d49e0043f9244b9be3861f3e79c28.apk

  • Size

    1.7MB

  • MD5

    48781c68afdd665d7f1749a33d9538ea

  • SHA1

    44328cc7cac9af18872772b1b1ba3c7ced7c3474

  • SHA256

    85fb335bf1f054742552a8626b099601695d49e0043f9244b9be3861f3e79c28

  • SHA512

    ac8cf6d37be84181cd7a5fe0612b86aa2182e49213b07eaf48054c3caf895a5850bf79a59835ce0a1404ab4891847b02fe6a03fe890e92591d4fa28d0e795e99

  • SSDEEP

    49152:7iUNm79lPgXO119G12BLIOUn6O7j6XzO7P+vuS5qpeBB98ls:7iUNINgwRUTj6AP+rcYy6

Score
10/10
octobankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://kuscanbilgipaylasimi.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanyasamrehberi.xyz/MzhiMTg0NTAwOTY5S/

https://kuscangozlemnotlari.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanvetabiatdostlugu.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanfotografsanati.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanhikayelerkulubu.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanbakimvesaglik.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanhobiaktiviteleri.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanvedogalhabitat.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanbeslenmebilgisi.xyz/MzhiMTg0NTAwOTY5S/

https://kuscancografikeziler.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanlarveozelbakim.xyz/MzhiMTg0NTAwOTY5S/

https://kuscansevenlerplatformu.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanegitimvedanisman.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanturleriarastirma.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanlarincennetbahcesi.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanvedogayakasayolu.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanlarinhikayeleridunyasi.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanlarvesanatbaglantisi.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanvedogaldenge.xyz/MzhiMTg0NTAwOTY5S/
rc4.plain

Extracted

Family

octo

C2

https://kuscanbilgipaylasimi.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanyasamrehberi.xyz/MzhiMTg0NTAwOTY5S/

https://kuscangozlemnotlari.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanvetabiatdostlugu.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanfotografsanati.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanhikayelerkulubu.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanbakimvesaglik.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanhobiaktiviteleri.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanvedogalhabitat.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanbeslenmebilgisi.xyz/MzhiMTg0NTAwOTY5S/

https://kuscancografikeziler.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanlarveozelbakim.xyz/MzhiMTg0NTAwOTY5S/

https://kuscansevenlerplatformu.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanegitimvedanisman.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanturleriarastirma.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanlarincennetbahcesi.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanvedogayakasayolu.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanlarinhikayeleridunyasi.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanlarvesanatbaglantisi.xyz/MzhiMTg0NTAwOTY5S/

https://kuscanvedogaldenge.xyz/MzhiMTg0NTAwOTY5S/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.bleak.size
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5101

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.bleak.size/.qcom.bleak.size
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/data/com.bleak.size/app_glory/odiydG.json
    Filesize

    153KB

    MD5

    01c44cb793b1b227604fbae5c357e22a

    SHA1

    b95db65e679533f494b1a08de0db8f4850cc60a7

    SHA256

    3386e7079143d9005a5d577f5d3ede924da22ee96406d9f327b0c7ab90a15ce1

    SHA512

    96644bb287679e7f2d76a2eafb14cc8997c173123f28e46572498b90ef4ab62a9fb22df8b8b7ebd14f42d2d3976be4b85c87c3715b5952dd0726f5ca5df5c95f

    Download Submit

  • /data/data/com.bleak.size/app_glory/odiydG.json
    Filesize

    153KB

    MD5

    4f62467b9a938fa08bc0361fe0f030b4

    SHA1

    3f834c11478356d0363fadb9c05f9a74faadf20a

    SHA256

    e4ae75429c5c7ee0657e67a2de471c57a4afd60b2a13436552d0fed47efd30da

    SHA512

    1d43bcc647968613025f0e5f9fd2f56cdf78946e376945e33af80a4f2623772570b7d9dd6c733302f034067ae5c7a74c1e30343d9e26fb6e912bf73200194470

    Download Submit

  • /data/data/com.bleak.size/kl.txt
    Filesize

    230B

    MD5

    d12981204ef3c0109ebfc3e09bd9b24b

    SHA1

    3271eb4ec6b732e61a0fde6fe45978fa51ac49dd

    SHA256

    03897e10269c0e43fe0befbb2d1f2a21530b9297696a38c68201c49cbe473c24

    SHA512

    92d3e76322798ff2c8da0d83e52b8a8635e0516ae03eefa22ff185b4c5f084a3c117a10db62545794a8cbb2c9459946dde3fd9c0fbe5564fe7ec747e9889b1c7

    Download Submit

  • /data/data/com.bleak.size/kl.txt
    Filesize

    45B

    MD5

    4dd0cda6d9e05e49ee90fa90917289fc

    SHA1

    17fcec85698ddfae267b24b18e947f5ecd9ea3c5

    SHA256

    73f4ef02bb86eae4e61b43efaf74d593c5e5b8f0e2dc96fa9ba17a10c8d52f02

    SHA512

    3178da7128889094b86d6ba066193ff1acbe2a079b697580ed65986b6297439adf510347a9dfea3bfb9625ee93ddf222fcba382495be824ea802b36db3f73fdd

    Download Submit

  • /data/data/com.bleak.size/kl.txt
    Filesize

    63B

    MD5

    8ced1ca792293536ee9111baada63e1f

    SHA1

    ae5e3e774392915427435f5ea691778822eb9966

    SHA256

    7e32d956ce54dad4c0446fd3ba7dc53e9ffdde6a8fecebe601fcf84b4db01cef

    SHA512

    198107cb09fbba67de468f70818c64c5029d8d4babe9426c8d81ea948d85e12c1b07c147fe3678215ef75860e24a8bbbf66763cd456687e0663db00f6449678f

    Download Submit

  • /data/data/com.bleak.size/kl.txt
    Filesize

    45B

    MD5

    d9695e9568e5ad04e9f8da80bf887aae

    SHA1

    8c1259af00343931fcbd21ba68c1990ffd998e32

    SHA256

    609d0d758c2e31502c66b385802a1fcf8d1c0a891ceb4aed85c65d35c17bd5ae

    SHA512

    c346e6318f297f2b65110f1e1cde3c467d2b0346493aa3ee32dbb46f6d098f9bebca8d49b909032d24151559a3c4da4b2ddad86a883d6499752a6960ec219877

    Download Submit

  • /data/data/com.bleak.size/kl.txt
    Filesize

    423B

    MD5

    034bc28a35adc6b62323f69afae26fe8

    SHA1

    9db7d1ec1fa1be358ea9b2e62a9eec53e72c3bf4

    SHA256

    f52b55ad011d2b93207c82fbbb785d8aa89069a519dcdfe1d6d8ffc9db0f67fa

    SHA512

    0eed39ddec9e42afa77c20e8424f43ecf8e4781ecfde57871eae3866da452fb354e28e5eb7bb9b0cd4735414b86dd0e6f9309f724850fbbe042371393fd9c8f8

    Download Submit

  • /data/user/0/com.bleak.size/app_glory/odiydG.json
    Filesize

    450KB

    MD5

    00d8cf989913a216824da2edf8740725

    SHA1

    31465d1352dd00c622ddea32281441141e1eaf42

    SHA256

    093ee81b16ef7b5c316f31562952f008cb598d810f93f0d9e2a2551f4c7f0754

    SHA512

    6b409208f150a81167642f9c36937c04ee81a99bd19c2db90db0db84967ed9f04138540ba583032efa0e5580d628a038f3a5a602b7a892b22e6aff6e9eae657e

    Download Submit