spynote | f46e7f5e5b8a4d3be663d7177bce9577b219903c57f9a4e43c6bd01874d95091 | Triage

Sharing

General

Target

malware.apk
Size

6.2MB
Sample

250401-fj44xatwby
MD5

e5559a01c06fe5bfed0b767a44f6d1a0
SHA1

be5e5faf7ec29543043fa1d54df4d8ddc579b3e0
SHA256

f46e7f5e5b8a4d3be663d7177bce9577b219903c57f9a4e43c6bd01874d95091
SHA512

a39ef856130a7bb61d70e78d1659a65de8634f80a4eb0e6b6017258b4ec8fc35693c6122e538e3c85d2b5c67cfbfcd20a822ea315fbaf8d0b9ea434ff656aec6
SSDEEP

98304:NmfrbusKCjJwV5PaJNT7kZp6TMPmEwqvpJv4wdWzO03cY6Qi3X/cp84s2auqtpbN:vsKgwV5PRZp6Whw+AQn3Xkp84sMMT4Nk

Score

10^/10

spynote android banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence rat trojan

Malware Config

Extracted

Family

spynote

C2

62.146.233.100:3343

Targets

- Target
  
  malware.apk
- Size
  
  6.2MB
- MD5
  
  e5559a01c06fe5bfed0b767a44f6d1a0
- SHA1
  
  be5e5faf7ec29543043fa1d54df4d8ddc579b3e0
- SHA256
  
  f46e7f5e5b8a4d3be663d7177bce9577b219903c57f9a4e43c6bd01874d95091
- SHA512
  
  a39ef856130a7bb61d70e78d1659a65de8634f80a4eb0e6b6017258b4ec8fc35693c6122e538e3c85d2b5c67cfbfcd20a822ea315fbaf8d0b9ea434ff656aec6
- SSDEEP
  
  98304:NmfrbusKCjJwV5PaJNT7kZp6TMPmEwqvpJv4wdWzO03cY6Qi3X/cp84s2auqtpbN:vsKgwV5PRZp6Whw+AQn3Xkp84sMMT4Nk
Score

10^/10

spynote banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence rat trojan
- Spynote
  Spynote is a Remote Access Trojan first seen in 2017.
  banker trojan infostealer rat spynote
- Spynote family
  spynote
- Spynote payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection defense_evasion credential_access
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  defense_evasion persistence
- Queries information about active data network
  discovery
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Foreground Persistence

Hide Artifacts

User Evasion

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

System Network Connections Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

Input Injection

Tasks

static1

behavioral1

spynotebankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

behavioral2

spynotebankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistencerattrojan