spynote | 31c497e628352b99dbe93c25cd16d0191560667700979ca81ee6a118956db13d | Triage

Sharing

General

Target

31c497e628352b99dbe93c25cd16d0191560667700979ca81ee6a118956db13d.bin
Size

4.8MB
Sample

241009-1wzp6svfkq
MD5

4076c6401e4fd111d477e961374577a1
SHA1

a83b06eb149bc9186d64adff68b6dad6777b8b50
SHA256

31c497e628352b99dbe93c25cd16d0191560667700979ca81ee6a118956db13d
SHA512

de1dbfa5b741dfbaf69d8ec1083f34b6f88479521f5ca3bfa453d3b87291dfe235a1f0b1296c2eb03a2bcbd2000b550b8351f920f8c178dbe6674b9f0379f842
SSDEEP

98304:MUIWRcD7OCHonrE19txlRb4i7NOtL7VxLTTJ7ExGrn2IM3TEvFFidRR+UJk7:AD7WICqUtLzLTTGQRgGFidR497

Score

10^/10

spynote android banker collection credential_access evasion execution impact infostealer persistence rat trojan

Malware Config

Targets

- Target
  
  31c497e628352b99dbe93c25cd16d0191560667700979ca81ee6a118956db13d.bin
- Size
  
  4.8MB
- MD5
  
  4076c6401e4fd111d477e961374577a1
- SHA1
  
  a83b06eb149bc9186d64adff68b6dad6777b8b50
- SHA256
  
  31c497e628352b99dbe93c25cd16d0191560667700979ca81ee6a118956db13d
- SHA512
  
  de1dbfa5b741dfbaf69d8ec1083f34b6f88479521f5ca3bfa453d3b87291dfe235a1f0b1296c2eb03a2bcbd2000b550b8351f920f8c178dbe6674b9f0379f842
- SSDEEP
  
  98304:MUIWRcD7OCHonrE19txlRb4i7NOtL7VxLTTJ7ExGrn2IM3TEvFFidRR+UJk7:AD7WICqUtLzLTTGQRgGFidR497
Score

10^/10

spynote banker collection credential_access evasion execution impact infostealer persistence rat trojan
- Spynote
  Spynote is a Remote Access Trojan first seen in 2017.
  banker trojan infostealer rat spynote
- Spynote payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Foreground Persistence

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

Input Injection

Tasks

static1

behavioral1

spynotebankercollectioncredential_accessevasionexecutionimpactinfostealerpersistencerattrojan

behavioral2

spynotebankercollectioncredential_accessevasionexecutionimpactinfostealerpersistencerattrojan

behavioral3

spynotebankercollectioncredential_accessevasionexecutionimpactinfostealerpersistencerattrojan