neshta | 7c9e308edff467528d167d0e4dfb7e17e61ba96ad413041b66c243869ef18721

Sharing

Copy URL

Twitter E-mail

General

Target

SpyNote v7.0‌‌.zip
Size

20.6MB
Sample

241220-qx6vrsxnhm
MD5

63abbd78db324c7abc21dc92aee41b00
SHA1

b9bc0a052b5f6d3ec339b824c67b9e9de97fc6e9
SHA256

7c9e308edff467528d167d0e4dfb7e17e61ba96ad413041b66c243869ef18721
SHA512

8e9b185df25be1f2202fe083833dc171aa6c5ec2a54203e0c7d13c87588bb5dad13ba783f23d9097a654a22a59a20ddc9683ef58731a2c4d05b41aaacc8d0496
SSDEEP

393216:iLYBnW9gu2LXzeDpkJU165/LqQ5pxCcYInXVZCkr6020tFcXQPgEEN:iLYg9gZGGJUI5/LzPYjkr60YgPgEa

Score

10^/10

Malware Config

Extracted

Family

spynote

[SPY_NOTE_HOST_OK]:[SPY_NOTE_PORT_OK]

Targets

- Target
  
  SpyNote v7.0‌‌.zip
- Size
  
  20.6MB
- MD5
  
  63abbd78db324c7abc21dc92aee41b00
- SHA1
  
  b9bc0a052b5f6d3ec339b824c67b9e9de97fc6e9
- SHA256
  
  7c9e308edff467528d167d0e4dfb7e17e61ba96ad413041b66c243869ef18721
- SHA512
  
  8e9b185df25be1f2202fe083833dc171aa6c5ec2a54203e0c7d13c87588bb5dad13ba783f23d9097a654a22a59a20ddc9683ef58731a2c4d05b41aaacc8d0496
- SSDEEP
  
  393216:iLYBnW9gu2LXzeDpkJU165/LqQ5pxCcYInXVZCkr6020tFcXQPgEEN:iLYg9gZGGJUI5/LzPYjkr60YgPgEa
Score

8^/10

discovery execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral1
- Target
  
  Software Usage Tutorial/DefenderControl.7z
- Size
  
  494KB
- MD5
  
  118233a92e7e62658ac601b02f9f3c7b
- SHA1
  
  e0b7ccb384ec3daff55cdef70364bb57934dfc4c
- SHA256
  
  e56dc7603a16fc75622ff97f35b1b8a66a554cfe05c0022b61887f3a6874e284
- SHA512
  
  a6bafb444f561c5b3f92114f865976311cb5ed1b3ccec215e2780d255383c424aaadb0af93854b0b3d843435c4b94eaadb621391d5a63f968dfecc2e9b88f2c5
- SSDEEP
  
  12288:ppTGizva32uzU7SOvi56/Nu90uRKGyburq6f1dAYkyV:PTGSambQ56/OXI+rBdAtyV
Score

1^/10
behavioral2
- Target
  
  DefenderControl.exe
- Size
  
  823KB
- MD5
  
  879e3d30cc1392370ab0eec1601aa1b6
- SHA1
  
  c85e5eb120d860b0a67e3f091d5e7c29a7643bfd
- SHA256
  
  704ebc20fe0c7678a2b73d97ba6ad2945ece3a7d35ba0e0a394b629570af00ca
- SHA512
  
  71a5987a9f2fde213992be76865c0d57a4113027adf53aa515eaaa42c8f02e895297795a3c02f60ff837dcd045fa072814567ea1b65257c8006a0aa5f3e7bd44
- SSDEEP
  
  12288:g1OgLdaiqSqzU7rOv/O6/NH90u9KIyburq6fAdAYmyX:g1OYdaaIO6/LXEYr8dAByX
Score

3^/10

discovery
behavioral3
- Target
  
  SpyNote v7.0‌‌/AxInterop.WMPLib.dll
- Size
  
  52KB
- MD5
  
  7825f8fb198952b28e7722e326aa30a1
- SHA1
  
  a4fb88bb7c28516521e350b22867b2c399885c08
- SHA256
  
  a6a9a04b3a9efecc269626fbef345936af9bb50fd4ff86280d14ffcf2e11e56f
- SHA512
  
  6371aa75b70c451f15c3faed4f2b7ddad192c60f285e338aa5bc6cebbe821f9b60fffee94f4307ddc73a7bfa652648e22ed86e28d684bc8fe1e105a05660f0ec
- SSDEEP
  
  768:mTiglqcPGmH+BSITBFo+iRdbBFS1WSbfi5qlD+P2mHvaVhXUWdYQXnI:9gvH+oETfiRnFS1WSbfi5qlsaV2WGII
Score

1^/10
behavioral4
- Target
  
  SpyNote v7.0‌‌/CoreAudioApi.dll
- Size
  
  24KB
- MD5
  
  6a009b7c4b252788d80d4e40adcf51ce
- SHA1
  
  9302cd4f00fa70b768feec2a49505052cd4bd13e
- SHA256
  
  df6115987161ee1238f9564bd10c998d9016f582e5b7b9d23d21a74d6955bdd3
- SHA512
  
  7a27bc38249b293fbfb9389cac3365bf64e9536281c347939192e6b151b4e574bd9743df81721dc4e6beca0ab0a5784436b7f7bff780fdddef4c7c26b02cc354
- SSDEEP
  
  384:JGuIVn86+5zUH4RmcBoZhn9ipvNeFSAucqmPBJGbsw3uiIx5L5gV:CVn86YzgoW0VNeFS0Tbw3up5tgV
Score

1^/10
behavioral5
- Target
  
  SpyNote v7.0‌‌/Interop.WMPLib.dll
- Size
  
  323KB
- MD5
  
  19631c716272ad5b03d2026572608287
- SHA1
  
  057fdc53449360aa154493e36a059d62f4aafb69
- SHA256
  
  099d6dc78473cbb491a3edc97e3f518a19e69a251c52eaaa7c5ac336dbccae53
- SHA512
  
  5eeeea59dffc594d0b62692887a5bc8151c794e59b9618652b084f2c4ea62368075e29aa0e76130f8a6a39be5a19e26c3b01238ac7baaac894574ff2bfb4314f
- SSDEEP
  
  6144:HsJi3gtWLExqLsY9jAaRgHuF07yp4f29sTahwXeVELC5IvmN8jqxAnOlUbSJY/Wl:HsJi3gtWLExqLsY9jAaRgHuF07yp4f2V
Score

1^/10
behavioral6
- Target
  
  SpyNote v7.0‌‌/Resources/Clint.jar
- Size
  
  7KB
- MD5
  
  20d9f58f0e462afdd0abe7727ea2c68f
- SHA1
  
  0de13284b40d40a2442ec067636da6d54ba14a54
- SHA256
  
  84810014bdca1b1715e0b1ca2b267c806a259bcdc554d8d9202cab1ae114d20b
- SHA512
  
  808d9314bc9ac6a074c455a1c4ce4a3be9faa9f04066427db4580c43b5e3d6c826e6c4d3d08d75a09ca6c56eec4adaaab448d38aff04668ab0510e425c8054d0
- SSDEEP
  
  192:lbEPFY6oa9iDw8BkNcGzvpFF/mUSmlAXy:KWGMk8BkNcGFFlN
Score

1^/10
behavioral7
- Target
  
  SpyNote v7.0‌‌/Resources/Imports/GeoIP/GeoIP.dat
- Size
  
  1.1MB
- MD5
  
  2fbec46d430f57befcde85b86c68b36e
- SHA1
  
  3ff9829e3242deb69a7fde0832b7d9345b925afc
- SHA256
  
  681ede512fe7ac21e976c754bfc1e1a75a9e02c3d931ce6849cfaa9d4080338a
- SHA512
  
  42036af6f57e446fec194ce71fa634dee9f4c77342f64a867fca8730d76349190960a7e7a5967ea59c250ca1b220d4845b4911dd63ee870f5620d9eb513b91d6
- SSDEEP
  
  24576:3nHFtqj0+DZBNJvOL1h5NsVOQu7MgAsrmPQbdclxkghoIes:3ltqjRDZZehvsVOQu7MgOPkKSghks
Score

3^/10
behavioral8
- Target
  
  SpyNote v7.0‌‌/Resources/Imports/OBU.inf
- Size
  
  532B
- MD5
  
  eea9f16ae9c1fc464ff9b4f27cffc955
- SHA1
  
  8387e8d2457f915fd33d2bc8bc73f600896abf69
- SHA256
  
  0e65512580c0bfc396d2136e8986074c0738e1a3d62c29868bdcfb71ed95e99c
- SHA512
  
  545fbf639d00b225c1cc08c0eaaa620572a332f3bf3130a19541e599d54593f463256212cf00a12f997a5c268e829e97d2a5d2b262d15a6d80316dcd0a77774f
Score

1^/10
behavioral9
- Target
  
  SpyNote v7.0‌‌/Resources/Imports/Payload/Build.exe
- Size
  
  59KB
- MD5
  
  f677ccdd8c0da08290256c7b0571d95e
- SHA1
  
  e1117cf8d51ca270104da6a8d0769f1e2da4aef3
- SHA256
  
  29039451fb5617504c67396056a08ea3cc44faaba71a1c181fe62086e533a261
- SHA512
  
  25677c0c4a8a7287df275b2ef1819e533d96f52b4592c45c4cae08e372ebd09dcb4c689ddf7ecc8d70445f614493840b581bab80a8f1957c96bc59a3b55001db
- SSDEEP
  
  768:IydG14mNbAEJeXSZncqHqGhMBHjFcHTI19hCkCLIh5YcLIF:bwim6E4XSdHthAZk8hCjWVIF
Score

1^/10
behavioral10
- Target
  
  SpyNote v7.0‌‌/Resources/Imports/Payload/Build.exe.config
- Size
  
  183B
- MD5
  
  7bf4cb07f3f43950ec16c725875db5d7
- SHA1
  
  cab771a1842c00d05cdb887b275e3222913c0bca
- SHA256
  
  e5f963910c600e004514fd78a239337ec3538e0eecc47d0829321b9327cc4a0c
- SHA512
  
  116cd1cbdafe9a8ddb0dfc633f745597d99c52d99791f000354faed6017d77bdf4005c36e63f82b9250e2bf3658229cadd4b39c0128c3150a262314c8600c80d
Score

3^/10

discovery
behavioral11
- Target
  
  SpyNote v7.0‌‌/Resources/Imports/Payload/apktool.zip
- Size
  
  8.6MB
- MD5
  
  604ab3c9829f3f9f89c11cb39ee444db
- SHA1
  
  b2bac6f9d3dd9837ae8f593e63706280c2be945d
- SHA256
  
  3910604a99275579f07313caee2b3f04915999245a40772eeb942088d60c410b
- SHA512
  
  5de6594071f9e711c578081c8b3a175b3b36ce25e5577b724b41f0388ec24e1f575f6a63cb455593109575d78ea921443e29cc64564573dfce9482b2d3dc8831
- SSDEEP
  
  196608:DddtxPFyJqinxYndWH1yBEPF4vUqvvDYIObO5gB:D7bynxYnMHcBNvUqvvDY4gB
Score

1^/10
behavioral12
- Target
  
  apktool/apktool.bat
- Size
  
  135B
- MD5
  
  b02966b106045115fa8ef94a4e67537b
- SHA1
  
  f901df8bbfe8fe50e560e625a27da1c6c4f0e9b3
- SHA256
  
  3d8108beb40535e68e7f6421a4309408ea5efab91707fa25d862154e3cc9b6df
- SHA512
  
  6274a4568285c74985b095d1dd5649044b61cb7c372dc4653c62a2b92833df477f5a5453be0e598622918b4e6c27064a57e5fba1a657dd064e6d9598fe2f94cc
Score

1^/10
behavioral13
- Target
  
  apktool/apktool.jar
- Size
  
  8.9MB
- MD5
  
  a15507953bd9b89c2d6570f46fb1f774
- SHA1
  
  261a8e68c72b0ebf70894c40b3c35176a66d86fe
- SHA256
  
  0e543660bf2d16fe7c543d4034ef505a6ddccb883416c8aa68d1a1d779b057f2
- SHA512
  
  eb519a94a4aecc1358f4a1cc84e03c772d8b59edf8b5e37956a756f0cc2673c5d9d976ad6796543db74cf187763077b4bbcd0519e7f7be845c0e9874d4862353
- SSDEEP
  
  196608:lIkbXnl3I3rmGQFTbuGzuJVzNfaTWkxQcGhiO:lIw+mGyTNzuJNkTWk0
Score

1^/10
behavioral14
- Target
  
  apktool/signapk.jar
- Size
  
  7KB
- MD5
  
  aec6985fe2314e4d032ba6d192ac4163
- SHA1
  
  b16f006e7bf509add528f4b9a075ca373d531203
- SHA256
  
  b17534e89a5b58d5e343ba54a49da579cf9213988f4beeae24fe4582a0c226bb
- SHA512
  
  5347fb296f87fb71046e0fd261a495485254ed7bd6d68da3aebb346267e5bc14ad8a89aa5496b31b2bf0da35b8c7c4cbbf71ace977443f09ecdbe50e1288bcea
- SSDEEP
  
  192:20AfGZ6TJSM/+Lz2dBM8ZRSvdrGanQRSHFzJ:dj6tof2nMySvldT
Score

1^/10
behavioral15
- Target
  
  SpyNote v7.0‌‌/Resources/Imports/Payload/stub.apk
- Size
  
  730KB
- MD5
  
  0c0290abde03555f3c66c81eba860a3d
- SHA1
  
  939a8e6d0ed4bd8c9f491405ecf069df7bddb7cc
- SHA256
  
  7b20a276931c8625b39ebc46017c7e4d4a7bdf319b9f451231d777b078b0cd6a
- SHA512
  
  441922d41856ec246d1cb29e3b290b62b2d3bc4ca54f896af1df72263e67a320f1b3b85f4d5bd129fa32b4633a1b9f74a63783791f1ea1cb1ca97a8a26b8ea48
- SSDEEP
  
  12288:CJc+EIBvAvcKIth8eGz3zaR9QHqd8gmw+/goe13VvqX:CJc+EIO0K4KeGTzaR+imz/goeHvqX
Score

3^/10
behavioral16
- Target
  
  SpyNote v7.0‌‌/Resources/Imports/PlayerJava/PlayerJava.jar
- Size
  
  3KB
- MD5
  
  d9c23d7574c0d886321dcd029e463f2c
- SHA1
  
  7fad47eb6860a01325c6d526a43d9bbadb66aff7
- SHA256
  
  e22d8a06415f21b900a9a079a6a7928d6c84d2cf33aa07c6ad385dfbbfcd55ed
- SHA512
  
  c32c019fb0bacbd70441cf3ed769bfde9597389f840ff8511db36586756382ef22bd163a7b7cb9e258a4b7a896e5d1a606d92513a141cb2e3c6e421a66ecb316
Score

1^/10
behavioral17
- Target
  
  platform-tools/AdbWinApi.dll
- Size
  
  95KB
- MD5
  
  ed5a809dc0024d83cbab4fb9933d598d
- SHA1
  
  0bc5a82327f8641d9287101e4cc7041af20bad57
- SHA256
  
  d60103a5e99bc9888f786ee916f5d6e45493c3247972cb053833803de7e95cf9
- SHA512
  
  1fdb74ee5912fbdd2c0cba501e998349fecfbef5f4f743c7978c38996aa7e1f38e8ac750f2dc8f84b8094de3dd6fa3f983a29f290b3fa2cdbdaed691748baf17
- SSDEEP
  
  1536:Jwqdq+3pvspmLh8SCykrpTG7kfGHuNezq02XJqo+iFi1yCP:JwqD3L8Tezq0et+ui1y
Score

3^/10

discovery
behavioral18
- Target
  
  platform-tools/AdbWinUsbApi.dll
- Size
  
  61KB
- MD5
  
  0e24119daf1909e398fa1850b6112077
- SHA1
  
  293eedadb3172e756a421790d551e407457e0a8c
- SHA256
  
  25207c506d29c4e8dceb61b4bd50e8669ba26012988a43fbf26a890b1e60fc97
- SHA512
  
  9cbb26e555ab40b019a446337db58770b9a0c9c08316ff1e1909c4b6d99c00bd33522d05890870a91b4b581e20c7dce87488ab0d22fc3c4bbdd7e9b38f164b43
- SSDEEP
  
  1536:l72doFmOiHizFbPlspcsbj5ZsP+YeTs1p:lSSfN9+YeTs1p
Score

3^/10

discovery
behavioral19
- Target
  
  platform-tools/adb.exe
- Size
  
  1.7MB
- MD5
  
  884242fb6cbbec1f7711b946ef669e0e
- SHA1
  
  7b2bc3c03909e705da759b7c21907683db668cc5
- SHA256
  
  65210cb4139672b53acaa2222b1005d036b0b02c437aa47e0e7b616fab0e2f6f
- SHA512
  
  c73ed5875dd0a3f0c400794a10336b00602950fa3ff6fb99ce9a772681fb8c5237c5c3cba2d0b7d254e497383d634d3a97342039cc40d295f262c583d0839768
- SSDEEP
  
  49152:WyM2dKh9Z/8qaQqBwYNapOdJmUUXPB2DhmRz:dZsh9Z/8pQqBwYNapOdJmUUBRz
Score

3^/10

discovery
behavioral20
- Target
  
  platform-tools/api/annotations.zip
- Size
  
  137KB
- MD5
  
  767207f7e9ace1ce2404cf79b0c517b4
- SHA1
  
  54e400ef13cf260c26e3d5321a602fdac852fbc1
- SHA256
  
  0f1ed8e39779276acaab4034c0d7df58edb8b9d6b54f5c2417bdbb15cc13834a
- SHA512
  
  28d95dcfc4d9d6dfaf4ff741663137ed06145520099da561948a3cb189f6ef8d3be47b8a8017a6288826e8430c63a14d6715d48da65d48b51f6d85e0350a293a
- SSDEEP
  
  3072:VFT0UTRAIMowVWVm0/iQC+9G5DGDqqJNgtJvnfa8DeM8fH2t+B:T0UlAIMpW7KQC+AhydNgtJa8DR8ff
Score

1^/10
behavioral21
- Target
  
  SpyNote v7.0‌‌/Resources/Imports/platform-tools/plwin.exe
- Size
  
  25KB
- MD5
  
  9aadaec3eccf406b2591e32c438a67a4
- SHA1
  
  fb971b1687400fcedf5ac4a36f45ead3b54d14e3
- SHA256
  
  268fa687554273029bf87668367b4084d4928de6b2a4cf4fbcd52e944d0efe16
- SHA512
  
  cba31ace6459a83dca18a486fc7a06da50419442d92e25e2661fdc101542b49ae3778fe197b6409396b7093747c67316917760de8576d351cd37e51e3dda9d3d
- SSDEEP
  
  768:Q3ULAwpnEUaSCMc/o6/d5cfsEAIHtYcFmVc6K:eULAwcSCMcdWfsQfmVcl
Score

1^/10
behavioral22
- Target
  
  SpyNote v7.0‌‌/SpyNote v7.0‌‌.exe
- Size
  
  2.6MB
- MD5
  
  a8ebac97b36b859428d6eb96f1b39ab9
- SHA1
  
  bfa65f35f19d3cfdab70a9f7d2e2c017d60c5b44
- SHA256
  
  cb7d211955a21b258aef51606c6d7e8a73031a415e5beaf7dac761952abc1850
- SHA512
  
  513a7ec21e320e07b7c4448cea91e0191a44f7c057433ae4ff3fa0bf919bfe02c751c444465517fc793f010d48610323dc9dbe84b76845fb1268ac4a714457c2
- SSDEEP
  
  49152:APqEhMfuAA1c/0r+EqQT6ruzg34SqY7yPyOWp1lk+136PSb1dKKuT0A:0hMWT60r+FxVqY2PynC1rT0A
Score

8^/10

discovery execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
behavioral23
- Target
  
  SpyNote v7.0‌‌/ico.Scr
- Size
  
  236KB
- MD5
  
  4abcadf52f11d5db53bd15b30e0e7e70
- SHA1
  
  25b0ffaae418147757a285bbb133b1d5126680fc
- SHA256
  
  e97beacff7ed7401d4a0563c06af3f25047775948b2ed2796ae7a8711d3350d3
- SHA512
  
  996e3dfef22a358ee5a1b4c4bdc75507f683c06a22e507e7289dcff0eb0143adaacc70b518fdf8bc32625b624d4887a64c579e8eacee853222aee992543eb6d9
- SSDEEP
  
  3072:GVr3lajQFISWejg61Pzjj43o5GYi5h6A/QBaRd9TrxTzY:GVr3YceSW8gybiYiivudP
Score

10^/10

discovery evasion execution trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
behavioral24
- Target
  
  SpyNote v7.0‌‌/signapk.jar
- Size
  
  7KB
- MD5
  
  aec6985fe2314e4d032ba6d192ac4163
- SHA1
  
  b16f006e7bf509add528f4b9a075ca373d531203
- SHA256
  
  b17534e89a5b58d5e343ba54a49da579cf9213988f4beeae24fe4582a0c226bb
- SHA512
  
  5347fb296f87fb71046e0fd261a495485254ed7bd6d68da3aebb346267e5bc14ad8a89aa5496b31b2bf0da35b8c7c4cbbf71ace977443f09ecdbe50e1288bcea
- SSDEEP
  
  192:20AfGZ6TJSM/+Lz2dBM8ZRSvdrGanQRSHFzJ:dj6tof2nMySvldT
Score

1^/10
behavioral25
- Target
  
  软件使用教程/DefenderControl.7z
- Size
  
  494KB
- MD5
  
  118233a92e7e62658ac601b02f9f3c7b
- SHA1
  
  e0b7ccb384ec3daff55cdef70364bb57934dfc4c
- SHA256
  
  e56dc7603a16fc75622ff97f35b1b8a66a554cfe05c0022b61887f3a6874e284
- SHA512
  
  a6bafb444f561c5b3f92114f865976311cb5ed1b3ccec215e2780d255383c424aaadb0af93854b0b3d843435c4b94eaadb621391d5a63f968dfecc2e9b88f2c5
- SSDEEP
  
  12288:ppTGizva32uzU7SOvi56/Nu90uRKGyburq6f1dAYkyV:PTGSambQ56/OXI+rBdAtyV
Score

1^/10
behavioral26
- Target
  
  软件使用教程/DefenderControl.exe
- Size
  
  823KB
- MD5
  
  879e3d30cc1392370ab0eec1601aa1b6
- SHA1
  
  c85e5eb120d860b0a67e3f091d5e7c29a7643bfd
- SHA256
  
  704ebc20fe0c7678a2b73d97ba6ad2945ece3a7d35ba0e0a394b629570af00ca
- SHA512
  
  71a5987a9f2fde213992be76865c0d57a4113027adf53aa515eaaa42c8f02e895297795a3c02f60ff837dcd045fa072814567ea1b65257c8006a0aa5f3e7bd44
- SSDEEP
  
  12288:g1OgLdaiqSqzU7rOv/O6/NH90u9KIyburq6fAdAYmyX:g1OYdaaIO6/LXEYr8dAByX
Score

3^/10

discovery
behavioral27