MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 841271e95e9ac8e2f246043a55d3b4470e8c54f652a6a92e2cc962db5716fca8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SpyNote

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	841271e95e9ac8e2f246043a55d3b4470e8c54f652a6a92e2cc962db5716fca8
SHA3-384 hash:	39cd3a50c9b213444e3ac553708fffae432d0e6981ced93699ae02e12ea27b7f558a054d8ef9b78bfd8a00252b69871a
SHA1 hash:	c540a01133931ad7d46f8832d3993ccfa309969e
MD5 hash:	f01ab033ea66ca873eac16a16209758b
humanhash:	timing-zulu-georgia-floor
File name:	signed10317c.apk
Download:	download sample
Signature	SpyNote Create hunting rule
File size:	1'304'363 bytes
First seen:	2023-04-17 15:11:00 UTC
Last seen:	2025-03-24 04:12:02 UTC
File type:	apk
MIME type:	application/zip
ssdeep	24576:49OFQ/ZDkvoyOf3VhTtrg21hqTYSwd1EbCZHIHfWBiU:496Q/ZQh6VhTtn7qcQcRBiU
TLSH	T194552247B7429287DD73C539A6F653F59A76AC904F9747836A09B31C88BB2D04F02ACC
TrID	57.0% (.APK) Android Package (38500/1/9) 20.0% (.JAR) Java Archive (13500/1/2) 15.5% (.SH3D) Sweet Home 3D design (generic) (10500/1/3) 5.9% (.ZIP) ZIP compressed archive (4000/1) 1.4% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	ozuma5119
Tags:	android apk signed Spynote

Code Signing Certificate

Organisation:	Android
Issuer:	Android
Algorithm:	sha1WithRSAEncryption
Valid from:	2008-02-29T01:33:46Z
Valid to:	2035-07-17T01:33:46Z
Serial number:	936eacbe07f201df
Intelligence:	1711 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

258

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Android.SpyMax.20.origin.26936.26055.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

android bankbot spynote

Link:

https://www.filescan.io/uploads/643d618746e0911fda9eb394/reports/b76bf53d-6f0e-4d6a-ba7b-8ac7ed402972/overview

Result

Link:

https://incinerator.cloud/#/public/report/f01ab033ea66ca873eac16a16209758b/detail

Application Permissions

read external storage contents (READ_EXTERNAL_STORAGE)

read/modify/delete external storage contents (WRITE_EXTERNAL_STORAGE)

display system-level alerts (SYSTEM_ALERT_WINDOW)

read phone state and identity (READ_PHONE_STATE)

Allows an application to request installing packages. (REQUEST_INSTALL_PACKAGES)

send SMS messages (SEND_SMS)

intercept outgoing calls (PROCESS_OUTGOING_CALLS)

read SMS or MMS (READ_SMS)

read contact data (READ_CONTACTS)

list accounts (GET_ACCOUNTS)

take pictures and videos (CAMERA)

record audio (RECORD_AUDIO)

coarse (network-based) location (ACCESS_COARSE_LOCATION)

fine (GPS) location (ACCESS_FINE_LOCATION)

directly call phone numbers (CALL_PHONE)

automatically start at boot (RECEIVE_BOOT_COMPLETED)

full Internet access (INTERNET)

prevent phone from sleeping (WAKE_LOCK)

set alarm in alarm clock (SET_ALARM)

view network status (ACCESS_NETWORK_STATE)

view Wi-Fi status (ACCESS_WIFI_STATE)

change Wi-Fi status (CHANGE_WIFI_STATE)

set wallpaper (SET_WALLPAPER)

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/841271e95e9ac8e2f246043a55d3b4470e8c54f652a6a92e2cc962db5716fca8

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1215313

Signature

Antivirus / Scanner detection for submitted sample

Contains a screen recorder (to take screenshot)

Drops a new APK file

Monitors outgoing Phone calls

Multi AV Scanner detection for submitted file

Removes its application launcher (likely to stay hidden)

Requests to ignore battery optimizations

Uses accessibility services (likely to control other applications)

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/841271e95e9ac8e2f246043a55d3b4470e8c54f652a6a92e2cc962db5716fca8/

Threat name:

Android.Trojan.SpyNote

Status:

Malicious

First seen:

2023-04-17 02:34:18 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

12 of 24 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qqjhd2k6tleof4sgaq5flu5ui4hiyvhwkktkslrmzfrnwvyw7sua._file

Result

Malware family:

spynote

Score:

10/10

Tags:

family:spynote android evasion

Link:

https://tria.ge/reports/230417-skleeaeg25/

Behaviour

Removes a system notification.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Acquires the wake lock.

Makes use of the framework's Accessibility service.

Malware Config

C2 Extraction:

45.76.52.179:7771

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.06

Link:

https://yomi.yoroi.company/submissions/841271e95e9ac8e2f246043a55d3b4470e8c54f652a6a92e2cc962db5716fca8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SpyNote

apk 841271e95e9ac8e2f246043a55d3b4470e8c54f652a6a92e2cc962db5716fca8

(this sample)

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample