MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 758cbf74036ee718530f699f327b9c9eb833f6f2ca495749ed7614644d98ac7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SpyNote

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	758cbf74036ee718530f699f327b9c9eb833f6f2ca495749ed7614644d98ac7e
SHA3-384 hash:	8decca43501b90fdef2a8583ae3b1120f0ff32596d6724d96307e63160d8305f530ecfa5bec0a9cef0e2dcbe544e9b19
SHA1 hash:	28f90d85bea9dcec6c246d2e1e0d81d20d84bdfd
MD5 hash:	874a2d006e3df683e3d84a0b6ffa7427
humanhash:	nuts-triple-batman-vermont
File name:	apk005.apk
Download:	download sample
Signature	SpyNote Create hunting rule
File size:	700'688 bytes
First seen:	2024-11-22 08:03:27 UTC
Last seen:	Never
File type:	apk
MIME type:	application/zip
ssdeep	12288:DphYy/p6FOjENqxpXPcRZY90ipEKbM/qd6IusT3cgtN0Fvm16Rq212gXH:NhYKkYdpEomqd6IHT3SFvm1GNjXH
TLSH	T155E423C7B342D8A6DDB7803A8928838765337C760D22BB9739D6B36E55727C13707A48
TrID	60.6% (.APK) Android Package (27000/1/5) 30.3% (.JAR) Java Archive (13500/1/2) 8.9% (.ZIP) ZIP compressed archive (4000/1)
Magika	apk
Reporter	Joker
Tags:	android apk malware signed Spynote

Code Signing Certificate

Organisation:	google play
Issuer:	google play
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-07-16T23:26:53Z
Valid to:	4110-02-25T23:26:53Z
Serial number:	170ded5b
Intelligence:	4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	5e53c7c31452cbd63cc00d814ee75dd44010db01a5118c0a605487d15d63a1d2
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

221

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Android.SpyMax.12.origin.23509.25011.UNOFFICIAL

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

android spymax

Link:

https://www.filescan.io/uploads/67403afb17cb31fee30bc7b8/reports/81290a24-efe4-4447-b177-c0f8cc29073c/overview

Result

Link:

https://incinerator.cloud/#/public/report/874a2d006e3df683e3d84a0b6ffa7427/detail

Application Permissions

read SMS or MMS (READ_SMS)

read contact data (READ_CONTACTS)

read external storage contents (READ_EXTERNAL_STORAGE)

read/modify/delete external storage contents (WRITE_EXTERNAL_STORAGE)

list accounts (GET_ACCOUNTS)

take pictures and videos (CAMERA)

display system-level alerts (SYSTEM_ALERT_WINDOW)

record audio (RECORD_AUDIO)

coarse (network-based) location (ACCESS_COARSE_LOCATION)

fine (GPS) location (ACCESS_FINE_LOCATION)

read phone state and identity (READ_PHONE_STATE)

write contact data (WRITE_CONTACTS)

Allows an application to request installing packages. (REQUEST_INSTALL_PACKAGES)

directly call phone numbers (CALL_PHONE)

automatically start at boot (RECEIVE_BOOT_COMPLETED)

full Internet access (INTERNET)

prevent phone from sleeping (WAKE_LOCK)

set alarm in alarm clock (SET_ALARM)

view network status (ACCESS_NETWORK_STATE)

view Wi-Fi status (ACCESS_WIFI_STATE)

change Wi-Fi status (CHANGE_WIFI_STATE)

set wallpaper (SET_WALLPAPER)

Score:

100%

Verdict:

Malware

File Type:

APK

Link:

https://malprob.io/report/758cbf74036ee718530f699f327b9c9eb833f6f2ca495749ed7614644d98ac7e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/758cbf74036ee718530f699f327b9c9eb833f6f2ca495749ed7614644d98ac7e/

Threat name:

Android.Trojan.SpyNote

Status:

Malicious

First seen:

2024-11-19 19:00:49 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

11 of 38 (28.95%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=owgl65adn3trquypngpte644t24dh5xszjevospnoykgitmyvr7a._file

Result

Malware family:

spynote

Score:

10/10

Tags:

family:spynote android collection credential_access evasion persistence stealth trojan

Link:

https://tria.ge/reports/241122-jx9s4asrbk/

Behaviour

Registers a broadcast receiver at runtime (usually for listening for system events)

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests enabling of the accessibility settings.

Makes use of the framework's Accessibility service

Removes its main activity from the application launcher

Malware Config

C2 Extraction:

qqqk-23745.portmap.host:23745

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/bdf7f023-11a5-4e2f-966b-13042d1e4db9

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

SpyNote

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/758cbf74036ee718530f699f327b9c9eb833f6f2ca495749ed7614644d98ac7e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Spynote_craxsrat_strings Create hunting rule
Author:	Alberto Segura
Description:	Detects Spynote Android Malware

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SpyNote

apk 758cbf74036ee718530f699f327b9c9eb833f6f2ca495749ed7614644d98ac7e

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3299270/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample