spynote | 47db8b5f7980d7ba2c5b22a04f17bc3375dd088f6f4e131f6671753b65f1eba5 | Triage

Sharing

General

Target

47db8b5f7980d7ba2c5b22a04f17bc3375dd088f6f4e131f6671753b65f1eba5.bin
Size

4.0MB
Sample

250111-1x5mtatpej
MD5

2b663d5c389033d168a4c2e9ddc5c9c2
SHA1

25b9f76da86ffbfeb809da1b485070db154ce11b
SHA256

47db8b5f7980d7ba2c5b22a04f17bc3375dd088f6f4e131f6671753b65f1eba5
SHA512

c1ee5d406ce098497ca8af8ea7343ed89f0df8ae0ad6c60db2f192ca31c33d736458f53f23a90739770d92ab7f6656a4f1c4f9b425585d15a974d527d8e98497
SSDEEP

98304:I/8QSkVBM3BokvfzVmz9zBwNwUTs0txRT5k:mrSkVBMxT0zA//Hdk

Score

10^/10

spynote android banker collection credential_access discovery evasion execution infostealer persistence rat trojan

Malware Config

Targets

- Target
  
  47db8b5f7980d7ba2c5b22a04f17bc3375dd088f6f4e131f6671753b65f1eba5.bin
- Size
  
  4.0MB
- MD5
  
  2b663d5c389033d168a4c2e9ddc5c9c2
- SHA1
  
  25b9f76da86ffbfeb809da1b485070db154ce11b
- SHA256
  
  47db8b5f7980d7ba2c5b22a04f17bc3375dd088f6f4e131f6671753b65f1eba5
- SHA512
  
  c1ee5d406ce098497ca8af8ea7343ed89f0df8ae0ad6c60db2f192ca31c33d736458f53f23a90739770d92ab7f6656a4f1c4f9b425585d15a974d527d8e98497
- SSDEEP
  
  98304:I/8QSkVBM3BokvfzVmz9zBwNwUTs0txRT5k:mrSkVBMxT0zA//Hdk
Score

10^/10

spynote banker collection credential_access discovery evasion execution infostealer persistence rat trojan
- Spynote
  Spynote is a Remote Access Trojan first seen in 2017.
  banker trojan infostealer rat spynote
- Spynote family
  spynote
- Spynote payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Foreground Persistence

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

Software Discovery

Security Software Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

Tasks

static1

behavioral1

spynotebankercollectioncredential_accessdiscoveryevasionexecutioninfostealerpersistencerattrojan

behavioral2

spynotebankercollectioncredential_accessdiscoveryevasionexecutioninfostealerpersistencerattrojan

behavioral3

spynotebankercollectioncredential_accessdiscoveryevasionexecutioninfostealerpersistencerattrojan