spynote | df6c5de429c82205e3c94f3eec7380df362da34661743bfbbd2a9c1a4329b468

Analysis

max time kernel
149s
max time network
149s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
06-01-2025 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df6c5de429c82205e3c94f3eec7380df362da34661743bfbbd2a9c1a4329b468.apk
Size

548KB
MD5

cc154f54e862716c2583dc155d10e688
SHA1

f5c03f4862deab696db889b8ae0594dbc5669ab3
SHA256

df6c5de429c82205e3c94f3eec7380df362da34661743bfbbd2a9c1a4329b468
SHA512

a4b23b5a8ac23972192b565883e50361f18457e22a229ecddca1cd278beba43def4298451bf16d98ccf7cd650c680adee24187801f4840807f540f24be895c30
SSDEEP

12288:ETmpFtvngMZsL5Yc6tuxkoHaBxqc7w64njg43AROUAjJgkSma:gItfgMZuO3F7hogiWma

Score

10^/10

spynote banker discovery evasion infostealer persistence rat trojan

Malware Config

Signatures

Spynote
Spynote is a Remote Access Trojan first seen in 2017.
banker trojan infostealer rat spynote
Spynote family
spynote

Spynote payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_spynote

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.xcom.psi.been/app_mph_dex/classes.dex	4949	com.xcom.psi.been
/data/user/0/com.xcom.psi.been/app_mph_dex/classes.dex	4949	com.xcom.psi.been

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.xcom.psi.been

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.xcom.psi.been

com.xcom.psi.been
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4949

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Credential Access

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.xcom.psi.been/app_mph_dex/classes.dex

Filesize
572KB

MD5
6a14a925e66ea2bd0eef9960b31d2799

SHA1
91b1188362e0911e85a7eb45b8b4d16c9c6e36ac

SHA256
09bf4abe365efdfc9c262d24c65ff24f5ed80fbafd4cf2cb5f3d0a9a791a1a2a

SHA512
d8d04ad8c5a3fa280e8c7584126f2e4b58cf172b5f139e6c80eb7d66a9c262c83de2a466ca101e7460a6bac9bca421ad66fb498ad533ff6da1ce1a0709f6a3b2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads