spynote | 666aaba2f9a4c375e62fd2d2edebf9fb8506b6e6283f00a76e5a16bc52e61df0 | Triage

Sharing

General

Target

client.apk
Size

760KB
Sample

250220-p3xzdaxls7
MD5

59941c64d6f701ce86f5d2e73a30437b
SHA1

bc334835ffa822a295e903e3d5db8914578f3aa4
SHA256

666aaba2f9a4c375e62fd2d2edebf9fb8506b6e6283f00a76e5a16bc52e61df0
SHA512

3443ebdb410e6ee55f0518945917b36019962439b596027cdb7999db2027d63540a5917890a46d3fb75d205870f667040e7c9262e75f14fdcffa5dd5c12c28ed
SSDEEP

12288:3pbbna1a8LVewTSRSzXD5WmpYshXZPbGwidNpg2W:3pva1aKew2SzXD5WmD9idNpm

Score

10^/10

spynote android banker defense_evasion discovery persistence

Malware Config

Extracted

Family

spynote

C2

6.tcp.eu.ngrok.io:15208

Targets

- Target
  
  client.apk
- Size
  
  760KB
- MD5
  
  59941c64d6f701ce86f5d2e73a30437b
- SHA1
  
  bc334835ffa822a295e903e3d5db8914578f3aa4
- SHA256
  
  666aaba2f9a4c375e62fd2d2edebf9fb8506b6e6283f00a76e5a16bc52e61df0
- SHA512
  
  3443ebdb410e6ee55f0518945917b36019962439b596027cdb7999db2027d63540a5917890a46d3fb75d205870f667040e7c9262e75f14fdcffa5dd5c12c28ed
- SSDEEP
  
  12288:3pbbna1a8LVewTSRSzXD5WmpYshXZPbGwidNpg2W:3pva1aKew2SzXD5WmD9idNpm
Score

7^/10

banker defense_evasion discovery persistence
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  defense_evasion persistence
behavioral1

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Privilege Escalation

Defense Evasion

Foreground Persistence

Credential Access

Discovery

Software Discovery

Security Software Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bankerdefense_evasiondiscoverypersistence