Overview

overview

10

Static

static

6

df6c5de429...68.apk

android-9-x86

10

df6c5de429...68.apk

android-10-x64

10

df6c5de429...68.apk

android-11-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    06-01-2025 22:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    df6c5de429c82205e3c94f3eec7380df362da34661743bfbbd2a9c1a4329b468.apk

  • Size

    548KB

  • MD5

    cc154f54e862716c2583dc155d10e688

  • SHA1

    f5c03f4862deab696db889b8ae0594dbc5669ab3

  • SHA256

    df6c5de429c82205e3c94f3eec7380df362da34661743bfbbd2a9c1a4329b468

  • SHA512

    a4b23b5a8ac23972192b565883e50361f18457e22a229ecddca1cd278beba43def4298451bf16d98ccf7cd650c680adee24187801f4840807f540f24be895c30

  • SSDEEP

    12288:ETmpFtvngMZsL5Yc6tuxkoHaBxqc7w64njg43AROUAjJgkSma:gItfgMZuO3F7hogiWma

Score
10/10
spynotebankerdiscoveryevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • Spynote

    Spynote is a Remote Access Trojan first seen in 2017.

    bankertrojaninfostealerratspynote
  • Spynote family
    spynote
  • Spynote payload 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence

Processes

  • com.xcom.psi.been
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4350
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.xcom.psi.been/app_mph_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.xcom.psi.been/app_mph_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4375

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.xcom.psi.been/app_mph_dex/classes.dex
    Filesize

    572KB

    MD5

    6a14a925e66ea2bd0eef9960b31d2799

    SHA1

    91b1188362e0911e85a7eb45b8b4d16c9c6e36ac

    SHA256

    09bf4abe365efdfc9c262d24c65ff24f5ed80fbafd4cf2cb5f3d0a9a791a1a2a

    SHA512

    d8d04ad8c5a3fa280e8c7584126f2e4b58cf172b5f139e6c80eb7d66a9c262c83de2a466ca101e7460a6bac9bca421ad66fb498ad533ff6da1ce1a0709f6a3b2

    Download Submit

  • /data/user/0/com.xcom.psi.been/app_mph_dex/classes.dex
    Filesize

    572KB

    MD5

    fa09ca46ed8250cf41a4364608f6eaf8

    SHA1

    4f238c99ba69ab11c43e35bfd650c37df486d2ad

    SHA256

    45ab6baba081734d4c9ed556097b2e91bfe3c47fd12bbf3463ff7fdbd56b689c

    SHA512

    e8aaf6ee2a869d078f5979c3a4a377e793e0eee6f40269b385825a57c682bbf714995ecee22b81bcb09f5d27df9a551f8f03ca30a732570bf45df37877a8a616

    Download Submit