MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c365bd58edeb2ca371ead5e28350ee6c480a79f558d967ecbef525e9f1d7b3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SpyNote


Vendor detections: 9



SHA256 hash: 8c365bd58edeb2ca371ead5e28350ee6c480a79f558d967ecbef525e9f1d7b3e
SHA3-384 hash: 5039867aa86376e201af2c1aa9e8152e347798b6f9a43e2cb6ee03ccb6ca1a8fa59aad7b856e3456f10e5785dac666c2
SHA1 hash: 9d28946e983ffd822ada31cdcdd4e4826e90601e
MD5 hash: aab37e8b19fc0e9e353826fc10cb05e5
humanhash: burger-dakota-four-violet
File name: Nubank.apk
Signature: SpyNote
File size: 1'362'326 bytes
First seen: 2023-04-21 15:26:14 UTC
Last seen: Never
File type: apk
MIME type: application/zip
ssdeep: 24576:BU5foaB8Enn+o03RkcVp+fAv3UoiiTz05AYyp14m:MVy6+t3RkcVp0Gmin05cpSm
TLSH: T1C3550107EB56D896E9F3833A66759635A02B4DB82703D1D77D98FA7C243B2C00362ED4
TrID: 57.0% (.APK) Android Package (38500/1/9)
      20.0% (.JAR) Java Archive (13500/1/2)
      15.5% (.SH3D) Sweet Home 3D design (generic) (10500/1/3)
      5.9% (.ZIP) ZIP compressed archive (4000/1)
      1.4% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: Anonymous
Tags: android apk banker signed Spynote

Code Signing Certificate

Organisation: Android
Issuer: Android
Algorithm: sha1WithRSAEncryption
Valid from: 2008-02-29T01:33:46Z
Valid to: 2035-07-17T01:33:46Z
Serial number: 936eacbe07f201df
Intelligence: 1699 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 271
Origin country: HK
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: spyware
Result
Threat name: SpyNote
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 96 / 100
Signature
Antivirus / Scanner detection for submitted sample
Connects to many ports of the same IP (likely port scanning)
Contains a screen recorder (to take screenshot)
Detected SpyNote
May wipe phone data
Monitors outgoing Phone calls
Removes its application launcher (likely to stay hidden)
Requests to ignore battery optimizations
Starts/registers a service/receiver on screen off
Tries to detect Android x86
Tries to detect the analysis device (e.g. the Android emulator)
Uses accessibility services (likely to control other applications)
Behaviour
Behavior Graph: n/a
Threat name: Android.Trojan.SpyNote
Status: Malicious
First seen: 2023-04-21 15:03:52 UTC
File Type: Binary (Archive)
Extracted files: 140
AV detection: 9 of 22 (40.91%)
Threat level: 5/5
Result
Malware family: spynote
Score: 10/10
Tags: family:spynote android banker evasion
Behaviour
Removes a system notification.
Legitimate hosting services abused for malware hosting/C2
Requests disabling of battery optimizations (often used to enable hiding in the background).
Acquires the wake lock.
Loads dropped Dex/Jar
Makes use of the framework's Accessibility service.
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
Malware Config
C2 Extraction: 1.tcp.sa.ngrok.io:26109
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SpyNote apk 8c365bd58edeb2ca371ead5e28350ee6c480a79f558d967ecbef525e9f1d7b3e (this sample)

Delivery method: Distributed via web download
