spynote | 3f63e11ecdaa1766bce584010ed06331bca8ffd38a0c0bb78f37b12be14907a0 | Triage

Sharing

General

Target

3f63e11ecdaa1766bce584010ed06331bca8ffd38a0c0bb78f37b12be14907a0.bin
Size

3.6MB
Sample

241013-1x5mta1cra
MD5

33abc1924d33bf6901f6212e58b6e9d9
SHA1

61cd01ffd6b44a1c38cc1190905b0d8c97e28906
SHA256

3f63e11ecdaa1766bce584010ed06331bca8ffd38a0c0bb78f37b12be14907a0
SHA512

813c9e67fa6b95ea6d3f7ef3d8b97fcf37399210a2471a44037ef772af469fe6b49eaed5b64d10f06976fc4413c152c8f9934a6e7711e501f31f47e69dc624fe
SSDEEP

49152:feYqdSzdGG/QTOo0cgXmzVFhUZU0QGlbiCah6ea4bNZveW/K3h8hK07YeOxou:gSzBYTl0tXmzVztGle6ea4Zg4r7YDou

Score

10^/10

spynote android banker collection credential_access discovery evasion execution persistence stealth trojan

Malware Config

Extracted

Family

spynote

C2

209.126.80.197:9039

Targets

- Target
  
  3f63e11ecdaa1766bce584010ed06331bca8ffd38a0c0bb78f37b12be14907a0.bin
- Size
  
  3.6MB
- MD5
  
  33abc1924d33bf6901f6212e58b6e9d9
- SHA1
  
  61cd01ffd6b44a1c38cc1190905b0d8c97e28906
- SHA256
  
  3f63e11ecdaa1766bce584010ed06331bca8ffd38a0c0bb78f37b12be14907a0
- SHA512
  
  813c9e67fa6b95ea6d3f7ef3d8b97fcf37399210a2471a44037ef772af469fe6b49eaed5b64d10f06976fc4413c152c8f9934a6e7711e501f31f47e69dc624fe
- SSDEEP
  
  49152:feYqdSzdGG/QTOo0cgXmzVFhUZU0QGlbiCah6ea4bNZveW/K3h8hK07YeOxou:gSzBYTl0tXmzVztGle6ea4Zg4r7YDou
Score

8^/10

banker collection credential_access discovery evasion execution persistence stealth trojan
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Event Triggered Execution

Broadcast Receivers

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Hide Artifacts

Suppress Application Icon

User Evasion

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

Software Discovery

Security Software Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

Tasks

static1

behavioral1

bankercollectioncredential_accessdiscoveryevasionexecutionpersistencestealthtrojan

behavioral2

bankercollectioncredential_accessdiscoveryevasionexecutionpersistencestealthtrojan

behavioral3

bankercollectioncredential_accessdiscoveryevasionexecutionpersistencestealthtrojan