spynote | c112ec95d43e10d0d8e82095d5b0f249721e01d7d90c4b8e09f55cd2dd1c756d | Triage

Sharing

General

Target

c112ec95d43e10d0d8e82095d5b0f249721e01d7d90c4b8e09f55cd2dd1c756d.bin
Size

4.8MB
Sample

250327-15s9ra1my2
MD5

73974d4f4e1be170abb6b2005609756b
SHA1

c607a6830cc3e7d993bf1d607bde61e558b761fe
SHA256

c112ec95d43e10d0d8e82095d5b0f249721e01d7d90c4b8e09f55cd2dd1c756d
SHA512

b4b6be04c2852208c5a8e97eabb6aa8ffbc7c3421dfde5029a7043a6ee489d1ad7112fdc071a7080a2b10a9db4e199cce86055ccef2ec83e284042aac5552933
SSDEEP

98304:PUrEAw/hYnrfUlJwsq15CulNwjsj01UuYjNLffD0WRSUL:Yw/yfUzq13UAj01uffDw2

Score

10^/10

spynote android banker collection credential_access defense_evasion discovery evasion execution infostealer persistence rat trojan

Malware Config

Targets

- Target
  
  c112ec95d43e10d0d8e82095d5b0f249721e01d7d90c4b8e09f55cd2dd1c756d.bin
- Size
  
  4.8MB
- MD5
  
  73974d4f4e1be170abb6b2005609756b
- SHA1
  
  c607a6830cc3e7d993bf1d607bde61e558b761fe
- SHA256
  
  c112ec95d43e10d0d8e82095d5b0f249721e01d7d90c4b8e09f55cd2dd1c756d
- SHA512
  
  b4b6be04c2852208c5a8e97eabb6aa8ffbc7c3421dfde5029a7043a6ee489d1ad7112fdc071a7080a2b10a9db4e199cce86055ccef2ec83e284042aac5552933
- SSDEEP
  
  98304:PUrEAw/hYnrfUlJwsq15CulNwjsj01UuYjNLffD0WRSUL:Yw/yfUzq13UAj01uffDw2
Score

10^/10

spynote banker collection credential_access defense_evasion discovery evasion execution infostealer persistence rat trojan
- Spynote
  Spynote is a Remote Access Trojan first seen in 2017.
  banker trojan infostealer rat spynote
- Spynote family
  spynote
- Spynote payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection defense_evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  defense_evasion persistence
behavioral1 behavioral2

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Foreground Persistence

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

Software Discovery

Security Software Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

Tasks

static1

behavioral1

spynotebankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutioninfostealerpersistencerattrojan

behavioral2

spynotebankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutioninfostealerpersistencerattrojan