spynote | 2a33c6347c4b4c95e2437075a025a8b9337291d48500224b954e32cb395df678 | Triage

Resubmissions

24-01-2025 19:11

250124-xwferatlgy 10

24-01-2025 17:18

250124-vveqqazrbp 10

Sharing

General

Target

ELECTRICITY Bill.-__.apk
Size

4.6MB
Sample

250124-vveqqazrbp
MD5

1a615c0aebf2d958181b727de8815736
SHA1

54800a51c1ebc3aa4cdbe37b7b3cbc9314bdb22a
SHA256

2a33c6347c4b4c95e2437075a025a8b9337291d48500224b954e32cb395df678
SHA512

bb0c3dcefb04a64d0d08f4f36cf381c226c6577db49f98246394624b9b958d4c1dfd7a6b20938dd6af562b5eb61dab9dc03db1f980f113b44e1a0af2f8166fa5
SSDEEP

98304:sUAWRjSD2kDiHAkLk4t6TVOHrcuVorbgxoJhEhkNUGBQp:rSD2kDvSk4IpOHrchbgkEhkvw

Score

10^/10

spynote android banker collection credential_access defense_evasion discovery evasion execution infostealer persistence rat trojan

Malware Config

Targets

- Target
  
  ELECTRICITY Bill.-__.apk
- Size
  
  4.6MB
- MD5
  
  1a615c0aebf2d958181b727de8815736
- SHA1
  
  54800a51c1ebc3aa4cdbe37b7b3cbc9314bdb22a
- SHA256
  
  2a33c6347c4b4c95e2437075a025a8b9337291d48500224b954e32cb395df678
- SHA512
  
  bb0c3dcefb04a64d0d08f4f36cf381c226c6577db49f98246394624b9b958d4c1dfd7a6b20938dd6af562b5eb61dab9dc03db1f980f113b44e1a0af2f8166fa5
- SSDEEP
  
  98304:sUAWRjSD2kDiHAkLk4t6TVOHrcuVorbgxoJhEhkNUGBQp:rSD2kDvSk4IpOHrchbgkEhkvw
Score

10^/10

spynote banker collection credential_access defense_evasion discovery evasion execution infostealer persistence rat trojan
- Spynote
  Spynote is a Remote Access Trojan first seen in 2017.
  banker trojan infostealer rat spynote
- Spynote family
  spynote
- Spynote payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection defense_evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  defense_evasion persistence
behavioral1

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Foreground Persistence

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

Software Discovery

Security Software Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

Tasks

static1

behavioral1

spynotebankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutioninfostealerpersistencerattrojan