spynote | b6cbc9b7c4fbcf57a4d03acb39d6a7cadd9b6206ca810fdae7e4b896c3c3b6aa | Triage

Sharing

General

Target

b6cbc9b7c4fbcf57a4d03acb39d6a7cadd9b6206ca810fdae7e4b896c3c3b6aa.bin
Size

760KB
Sample

240218-1xjeksfd45
MD5

27112924a97085b147a3f4fcdedd80ff
SHA1

841089dd5c52e9cb2d2b05fbc7e47776291356ac
SHA256

b6cbc9b7c4fbcf57a4d03acb39d6a7cadd9b6206ca810fdae7e4b896c3c3b6aa
SHA512

80212086a3ec58a049f01687ae54c992b405c9829c347c1f376dfbc64efdb47161801e1de52fc5f3084701c77316cfc2032648ff4a60eb2711794c77b96b848c
SSDEEP

12288:ntHB0a1a8LrerxjsQWq205WmpYshXZPbGwidNpgpgh:ntWa1a2erSQWq205WmD9idNpSy

Score

10^/10

spynote android banker

Malware Config

Extracted

Family

spynote

C2

4.tcp.eu.ngrok.io:17618

Targets

- Target
  
  b6cbc9b7c4fbcf57a4d03acb39d6a7cadd9b6206ca810fdae7e4b896c3c3b6aa.bin
- Size
  
  760KB
- MD5
  
  27112924a97085b147a3f4fcdedd80ff
- SHA1
  
  841089dd5c52e9cb2d2b05fbc7e47776291356ac
- SHA256
  
  b6cbc9b7c4fbcf57a4d03acb39d6a7cadd9b6206ca810fdae7e4b896c3c3b6aa
- SHA512
  
  80212086a3ec58a049f01687ae54c992b405c9829c347c1f376dfbc64efdb47161801e1de52fc5f3084701c77316cfc2032648ff4a60eb2711794c77b96b848c
- SSDEEP
  
  12288:ntHB0a1a8LrerxjsQWq205WmpYshXZPbGwidNpgpgh:ntWa1a2erSQWq205WmD9idNpSy
Score

8^/10

banker
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker
- Requests enabling of the accessibility settings.
- Tries to add a device administrator.
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

behavioral3