spynote | 5fd377d9b1e4ab33de695fc80b956f5f00b94b7347c6259ba0a1983fb308cfe4 | Triage

Sharing

General

Target

5fd377d9b1e4ab33de695fc80b956f5f00b94b7347c6259ba0a1983fb308cfe4.bin
Size

4.5MB
Sample

250212-1ykc9sypam
MD5

429b0b247f3df5d5964a86a0b91bf3dd
SHA1

3f47af171af0cbc4c9b06bacd31b06c098eaf4bd
SHA256

5fd377d9b1e4ab33de695fc80b956f5f00b94b7347c6259ba0a1983fb308cfe4
SHA512

ae41597e729558af6d7d93d32a754c576448243c3d6106c33457e310272f19fc9dfadf1b561e214d416de039f6f083dc00ec61e6bbc9285944bee1ae3c08a350
SSDEEP

98304:9Ub3SihZoo+ruOqVuq/qIEdrbfJ7rDWRXGBQlcc:w3Si74uZFqIEDr7yac

Score

10^/10

spynote android banker collection credential_access defense_evasion discovery evasion execution infostealer persistence rat trojan

Malware Config

Targets

- Target
  
  5fd377d9b1e4ab33de695fc80b956f5f00b94b7347c6259ba0a1983fb308cfe4.bin
- Size
  
  4.5MB
- MD5
  
  429b0b247f3df5d5964a86a0b91bf3dd
- SHA1
  
  3f47af171af0cbc4c9b06bacd31b06c098eaf4bd
- SHA256
  
  5fd377d9b1e4ab33de695fc80b956f5f00b94b7347c6259ba0a1983fb308cfe4
- SHA512
  
  ae41597e729558af6d7d93d32a754c576448243c3d6106c33457e310272f19fc9dfadf1b561e214d416de039f6f083dc00ec61e6bbc9285944bee1ae3c08a350
- SSDEEP
  
  98304:9Ub3SihZoo+ruOqVuq/qIEdrbfJ7rDWRXGBQlcc:w3Si74uZFqIEDr7yac
Score

10^/10

spynote banker collection credential_access defense_evasion discovery evasion execution infostealer persistence rat trojan
- Spynote
  Spynote is a Remote Access Trojan first seen in 2017.
  banker trojan infostealer rat spynote
- Spynote family
  spynote
- Spynote payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection defense_evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  defense_evasion persistence
behavioral1 behavioral2

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Foreground Persistence

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

Software Discovery

Security Software Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

Tasks

static1

behavioral1

spynotebankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutioninfostealerpersistencerattrojan

behavioral2

spynotebankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutioninfostealerpersistencerattrojan