spynote | 5f82b4aa9a0c62cf559d2543b7e2041c542703eabc7d0ed51bfcdadf631c96d6 | Triage

Sharing

General

Target

5f82b4aa9a0c62cf559d2543b7e2041c542703eabc7d0ed51bfcdadf631c96d6.bin
Size

4.6MB
Sample

250107-15pxbs1mb1
MD5

444b954ed79a16ba3c68b9c2fd832619
SHA1

a6d9cb66e3df96d1d5e00e53c6b513f484169246
SHA256

5f82b4aa9a0c62cf559d2543b7e2041c542703eabc7d0ed51bfcdadf631c96d6
SHA512

e3bef6bc725f3050574b8242473703862c79dbdc27b353acf36bd7288b361a9cadeda8a4cf71e4581c07ae96d48ec1cfe41b6f5c68bdb48be033f07bf2cc57b0
SSDEEP

98304:6/+LUzWRxDJ7XupFEVGAX0tUHXQ6kKSb9Jdj1wjcnLe4kSU1:6/+VDJLYzDVb9Jdj1fLe456

Score

10^/10

spynote android banker collection credential_access evasion execution infostealer persistence rat trojan

Malware Config

Targets

- Target
  
  5f82b4aa9a0c62cf559d2543b7e2041c542703eabc7d0ed51bfcdadf631c96d6.bin
- Size
  
  4.6MB
- MD5
  
  444b954ed79a16ba3c68b9c2fd832619
- SHA1
  
  a6d9cb66e3df96d1d5e00e53c6b513f484169246
- SHA256
  
  5f82b4aa9a0c62cf559d2543b7e2041c542703eabc7d0ed51bfcdadf631c96d6
- SHA512
  
  e3bef6bc725f3050574b8242473703862c79dbdc27b353acf36bd7288b361a9cadeda8a4cf71e4581c07ae96d48ec1cfe41b6f5c68bdb48be033f07bf2cc57b0
- SSDEEP
  
  98304:6/+LUzWRxDJ7XupFEVGAX0tUHXQ6kKSb9Jdj1wjcnLe4kSU1:6/+VDJLYzDVb9Jdj1fLe456
Score

10^/10

spynote banker collection credential_access evasion execution infostealer persistence rat trojan
- Spynote
  Spynote is a Remote Access Trojan first seen in 2017.
  banker trojan infostealer rat spynote
- Spynote family
  spynote
- Spynote payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
behavioral1 behavioral2

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Foreground Persistence

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

Tasks

static1

behavioral1

spynotebankercollectioncredential_accessevasionexecutioninfostealerpersistencerattrojan

behavioral2

spynotebankercollectioncredential_accessevasionexecutioninfostealerpersistencerattrojan