MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7742ce477fb7f78e181e114db46ace712e3a02d417f7ac8a20994f3f2db46c15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SpyNote

Vendor detections: 6

Intelligence 6 IOCs YARA 4 File information Comments

SHA256 hash:	7742ce477fb7f78e181e114db46ace712e3a02d417f7ac8a20994f3f2db46c15
SHA3-384 hash:	95412b1cdf3b8e2b7791873001b2cf38a39f33084d2170dab9067a628f28638f71757a574ed9258d488f280e585a836b
SHA1 hash:	f4f27d86869feba6d71857b9f6eb30e6763f2d89
MD5 hash:	0826938525ff0f4f400488819d1e7dc7
humanhash:	august-eight-alpha-cold
File name:	playstoreupdate.apk
Download:	download sample
Signature	SpyNote Create hunting rule
File size:	6'280'813 bytes
First seen:	2024-12-19 13:29:23 UTC
Last seen:	Never
File type:	apk
MIME type:	application/zip
ssdeep	98304:8cNby5wATPnRa6x5MY/PmzlzBQ0tNTPKduE1ujRzEY0HEIw:L+fRd8/zjNyXudzfr
TLSH	T1C3560133EA04D69FC5AAC3B76A270CA56A073F44C6436BDB0954367E2D765DC0EC4A8C
TrID	39.4% (.APK) Android Package (27000/1/5) 19.7% (.JAR) Java Archive (13500/1/2) 19.7% (.ZAN) BlueEyes Animation (13500/1/4) 15.3% (.SH3D) Sweet Home 3D design (generic) (10500/1/3) 5.8% (.ZIP) ZIP compressed archive (4000/1)
Magika	apk
Reporter	JAMESWT_WT
Tags:	apk signed Spynote

Code Signing Certificate

Organisation:	Android
Issuer:	Android
Algorithm:	sha1WithRSAEncryption
Valid from:	2008-02-29T01:33:46Z
Valid to:	2035-07-17T01:33:46Z
Serial number:	936eacbe07f201df
Intelligence:	1699 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

282

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Android.Inmobi-1.UNOFFICIAL

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/67641fdc7b5c523262506a28/reports/95da8a86-5e2a-45d5-bd60-ff76d718ba06/overview

Result

Verdict:

UNKNOWN

Link:

https://labs.inquest.net/dfi/sha256/7742ce477fb7f78e181e114db46ace712e3a02d417f7ac8a20994f3f2db46c15

Score:

100%

Verdict:

Malware

File Type:

APK

Link:

https://malprob.io/report/7742ce477fb7f78e181e114db46ace712e3a02d417f7ac8a20994f3f2db46c15

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7742ce477fb7f78e181e114db46ace712e3a02d417f7ac8a20994f3f2db46c15/

Threat name:

Android.Trojan.Generic

Status:

Suspicious

First seen:

2024-12-15 22:41:58 UTC

File Type:

Binary (Archive)

Extracted files:

435

AV detection:

6 of 22 (27.27%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=o5bm4r37w73y4ga6cfg3i2wooexduawuc732zcratfht6lnunqkq._file

Result

Malware family:

spynote

Score:

10/10

Tags:

family:spynote android banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan

Link:

https://tria.ge/reports/241219-qrs2qatrdp/

Behaviour

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Acquires the wake lock

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Queries information about active data network

Requests disabling of battery optimizations (often used to enable hiding in the background).

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Spynote

Spynote family

Spynote payload

Malware Config

C2 Extraction:

178.255.218.228:8005

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/9a0d8ce4-01ca-4c27-bb84-ac2bb96db786

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

SpyNote

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7742ce477fb7f78e181e114db46ace712e3a02d417f7ac8a20994f3f2db46c15

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Packer_Android Create hunting rule
Author:	R3R0K
Description:	Android.Packer_Android

Rule name:	RansomPyShield_Antiransomware Create hunting rule
Author:	XiAnzheng
Description:	Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SpyNote

apk 7742ce477fb7f78e181e114db46ace712e3a02d417f7ac8a20994f3f2db46c15

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3357785/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample