Resubmissions

  • 13/04/2025, 01:53
    250413-cazlaawpt6 10
  • 12/04/2025, 22:05
    250412-1zhwtssvcv 10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags
    arch:arm64, arch:x64, arch:x86, image:android-33-x64-arm64-20240910-en, locale:en-us, os:android-13-x64, system
  • submitted
    12/04/2025, 22:05

General

  • Target
    62cee2ecb2088a4263680cc10224347c8675d922c4e5bc62ab1b09ec371545b1.apk
  • Size
    2.8MB
  • MD5
    8042dc545786a0941521b95699e42e2f
  • SHA1
    9296f8b32e970a426ca801de24faca80ce28f542
  • SHA256
    62cee2ecb2088a4263680cc10224347c8675d922c4e5bc62ab1b09ec371545b1
  • SHA512
    40c1fbbbe5e0a3e0d19dda0a674e87b8aa6825872f352d7ce8b9b66dfbe48611f19f9c1affe9cd8d78a319e1268cda6483eabc10e7589e425f3506068d463a7b
  • SSDEEP
    49152:ULsK1fhxdb87B8if7TeDrGLwnogyJBxNwIe7zoMCdbGdIHO6nhmc:ULsKL6Gif7TeMAsx+Ie/onKWu6nwc

Malware Config

Extracted

  • Family
    octo
  • C2
    https://196.251.118.53/ZjJhMzFlZmQ3MjUy/
  • rc4.plain

Extracted

  • Family
    octo
  • C2
    https://196.251.118.53/ZjJhMzFlZmQ3MjUy/
    https://196.251.118.53/zjjhmzflzmq3mjuy/ZjJhMzFlZmQ3MjUy/
    https://196.251.118.53/zjjhmzflzmq3mjuy/zdllodgzmzq5mmuymami/ZjJhMzFlZmQ3MjUy/
  • Attributes
    target_apps: at.spardat.bcrmobile, at.spardat.netbanking, com.bankaustria.android.olb, com.bmo.mobile,
    com.cibc.android.mobi, com.rbc.mobile.android, com.scotiabank.mobile, com.td, cz.airbank.android,
    eu.inmite.prj.kb.mobilbank, com.bankinter.launcher, com.kutxabank.android, com.rsi, com.tecnocom.cajalaboral,
    es.bancopopular.nbmpopular, es.evobanco.bancamovil, es.lacaixa.mobile.android.newwapicon,
    com.dbs.hk.dbsmbanking, com.FubonMobileClient, com.hangseng.rbmobile, com.MobileTreeApp, com.mtel.androidbea,
    com.scb.breezebanking.hk, hk.com.hsbc.hsbchkmobilebanking, com.aff.otpdirekt, com.ideomobile.hapoalim,
    com.infrasofttech.indianBank, com.mobikwik_new, com.oxigen.oxigenwallet, jp.co.aeonbank.android.passbook
  • AES_key

Signatures

  • Octo
    Octo is a banking malware with remote access capabilities first seen in April 2022.
  • Octo family
  • Octo payload (1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 1 IoC)
    Runs an executable file dropped to the device during analysis.
  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
    Retrieves information displayed on the phone screen using AccessibilityService.
  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
    The application may abuse the framework's foreground service to continue running in the foreground.
  • Performs UI accessibility actions on behalf of the user (1 TTP, 6 IoCs)
    The application may abuse the accessibility service to prevent its removal.
  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Reads information about the phone network operator (1 TTP)
  • Requests access to notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Requests modifying system settings (1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)

Processes

  • ehd.rrlafcz13 (PID 4436)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests access to notifications (often used to intercept notifications before users become aware)
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Requests modifying system settings
    • Uses Crypto APIs (might try to encrypt user data)


Downloads

  • /data/user/0/ehd.rrlafcz13/.qehd.rrlafcz13
    Filesize: 48B
    MD5: 046a414913add6f5bb60072c7db819b6
    SHA1: 451ee4f6809260aec622d772fd329c7d0297a842
    SHA256: b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
    SHA512: 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/user/0/ehd.rrlafcz13/app_mph_dex/classes.dex
    Filesize: 449KB
    MD5: d7ccb358ba726ca704e9708c5075afcf
    SHA1: 3163b95af7609efed9825941917a91634332d58c
    SHA256: 48650104206d21d6c57544b53fad326b5d04d7949fefe1e0759f4c28eb9ab506
    SHA512: df687c68146fbb11baa8cd4fd8c51f951fb6d3fcf2a646a86968215cb9be190e3a6a8a0c40e77c19a85c2e05fa8623599e0e9ba2e3981a16fece7e3aa1ce4c68

  • /data/user/0/ehd.rrlafcz13/app_mph_dex/oat/classes.dex.cur.prof
    Filesize: 369B
    MD5: 2ec184b320aff0337e70ca6ab2925640
    SHA1: bd63385bce4761bb434b9b7c2a21750855b0c3a5
    SHA256: 0f122c51d7dda9e61981fc7d93c32136dab366c428eeadeb69ef196cb1d520d8
    SHA512: 19dd0133c5a65dbd25b5ff266eb94621eb1885ce3e1e94332ad6d011bb1f155ce43ec704efec5cf5a57177200609cc2248bdadd5a582701c1142a6de41fbdf72

  • /data/user/0/ehd.rrlafcz13/kl.txt
    Filesize: 68B
    MD5: 10c937db3f5b3b2ae5c25268df02e676
    SHA1: de4988fff916ea9dee7d4993ce03d16b3fb40775
    SHA256: 2ce02dcf44b89be9c5b0bfec409ec11e92b80568aac50d79383c867df86d4988
    SHA512: aa52d9c3f3cb86b4d1330a053e851d438ee291625f44f407543ba9db2f20c5d771e89380e427bd56cec8c0996ed2d9eff4c05d03b15fbfbe662221f630491f3e

  • /data/user/0/ehd.rrlafcz13/kl.txt
    Filesize: 60B
    MD5: 9010b8a2ff29e3a44bc9af8905a473a7
    SHA1: fadabc5cefaf7dbb84b008e17083e07772f09ba9
    SHA256: 1db54ff0988f5025ff4a81741bfc45c9af99d63901cf0d81449487228d595299
    SHA512: 26c72ae23e9eb188399de6fb5bbcdcc83de78d85ffd6590d6dfd5e819c9b21f12b80d6c58587121ab3bf89086f61c07f67581ccb20aa6551d70fdcc2585cdd23

  • /data/user/0/ehd.rrlafcz13/kl.txt
    Filesize: 84B
    MD5: 450033592f31ca08208599835a1c5714
    SHA1: 3c5edc5e59408a1137e4a0cd4d7b11c7cea637a0
    SHA256: 86778b5fb30a22c9d27b5e422aa70e1d16238cb17cab9323319d57fff8659efd
    SHA512: 5ad366abb78e8f5e256e4bf4944ef88fa82172620fcdddfd2f5dabccfe12e0a647a1d69678e5ef3fdf1fefd6d0a3b1bd27124b8cfe0730c4ec49fe73872844a6

  • /data/user/0/ehd.rrlafcz13/kl.txt
    Filesize: 214B
    MD5: 27b593a29814b984b2332461ef614787
    SHA1: 3ef591833a331244bba823818976bc6850d976c3
    SHA256: 2d2ed5e8566a27fc1e70f01d9798a81951102f1bc26666e426e735f14866035c
    SHA512: 3fac8a9d83709553e8716ceacaba94cab91424670f9601db2921eb87b5f9e91e0a9ed4003ca8c36857cb919bec4b60f9af0ae71097fe8f85c5672324b4e8a686

  • /data/user/0/ehd.rrlafcz13/kl.txt
    Filesize: 54B
    MD5: c5ed032400d8dda545ad236cfbaa1845
    SHA1: 7a0216b362ef6bafda4447c3ecc888cb0fc75695
    SHA256: df0bc8020531be65522d7d956a4c4a58fa9fcd2a5babc856275f48267edc2e84
    SHA512: e644ac5bc20d72e45c72e2c106857b8dce61196801faf125f96d5694a33bbe4039359aa3b1f789b73fb4f70114969119815cea309b967b74f78e11dea04e7577

  • /data/user/0/ehd.rrlafcz13/kl.txt
    Filesize: 68B
    MD5: c172c0822c0679f6e6e6511a50bd33c8
    SHA1: cd8b263f24388f9718092c5cddb52957805e532e
    SHA256: fd010b4e1bfb9c4e9fe643a15a9c5b4b2343e2f5aa17d4e980e40f0db6873da6
    SHA512: b333e9423402064185a964a919e49894e72ec6209152b4e3f20dad573d8b76ebe4951a643697ffba28ef634051ee6cef8d0ef55ddd6f082684856ad7c31641c8

  • /data/user/0/ehd.rrlafcz13/kl.txt
    Filesize: 60B
    MD5: 20add66763a7fb549cd9fcab0cca56a4
    SHA1: e1058eb87999245a77bfb987fbc76fb01f0d5188
    SHA256: 06ea92727126c6e68430dd6e354004f02e3fd3e6b9a1ee9448171e767779a4f8
    SHA512: b0ee8776b303fa5fa9f6cfe51988de1cdbbbf4a7f0374bd0682a9f736b9ba92ab2317ebe3f14318ba7d96c4a1b1590b012eb3e5b1ca063b14354ea43b4e59552

  • /data/user/0/ehd.rrlafcz13/kl.txt
    Filesize: 490B
    MD5: a1fcd17fdbfb093b5fc6d6c95f491668
    SHA1: d089860e066ab020ebe3281e83bf6a6f2e8be9b7
    SHA256: 980b38633dd8d93af4c900ebdfac85d1061e70829e8e3c0766a1a9d9ae2e083d
    SHA512: 338e531e484c09d4ee750cc8533775324fd54c235d6d7b31b5becc23cdff42fae245754530270a49613948ef6e2a428692e7722c6b2e9d1a426209034a48c1d7

  • /data/user/0/ehd.rrlafcz13/kl.txt
    Filesize: 70B
    MD5: 877f240f80c9fa841f810f82d7e95885
    SHA1: 888e1593fb3636e2280c6d07c8717ee3939290d4
    SHA256: fbec8cf21e365ec2eada00cf5371b4b767ac03f331ade79b8a8f8b4ca2acbc88
    SHA512: b0c3332a07b9ade5815247a4bd09033e7e7e2225d7f7aaec0b342d1b51a70b383017ede3b0f133db48f14740df9cfdab299877d89f7ced05400289972ed56bf7