SpyNote | Threat Level: high | Type: RAT

Cryptographic Identifiers

SHA25694480b31e4ceb20ea71197b8689412cf583f01c408efdda954dff73ed7018c07
MD5e71f2fd1d9fc127eb08f3b9fbabc9c6a
File Typeapk
Size1273.8 KB
First Seen2023-04-26
File Name7-Eleven8_en.apk
Tagsapk, Spynote

Malware Family: SpyNote

SpyNote, Android RAT'tır.

TypeRAT
Programming LanguageJava
Target PlatformAndroid
C2 ProtocolTCP
PurposeAndroid RAT
First Seen Year2019
AliasesCypherRAT

Threat Indicators (IOC)

  • SHA256: 94480b31e4ceb20ea71197b8689412cf583f01c408efdda954dff73ed7018c07
  • MD5: e71f2fd1d9fc127eb08f3b9fbabc9c6a

You can verify all hash values of this sample on VirusTotal.

System Cleanup Guide

  1. Disconnect the system from the network — unplug ethernet, disable Wi-Fi
  2. Terminate suspicious processes from Task Manager
  3. Run a full system scan with Malwarebytes or Kaspersky
  4. HKCU\Software\Microsoft\Windows\CurrentVersion\Run kayıtlarını kontrol edin
  5. Review newly created tasks in Task Scheduler
  6. Change all your account passwords from a clean device
  7. Gerekirse Windows'u yeniden yükleyin ve verilerinizi temiz bir yedeğe geri alın

YARA Rule Hints

rule SpyNote_SHA256 {
    meta:
        description = "SpyNote sample: 94480b31e4ceb20e"
        threat_level = "high"
        first_seen = "2023-04-26"
    condition:
        hash.sha256(0, filesize) == "94480b31e4ceb20ea71197b8689412cf583f01c408efdda954dff73ed7018c07"
}

SpyNote — Malware Profile

SpyNote Android RAT (SpyMax/CypherRAT). com.clean.exchanges.xyz sahte kripto. Genymotion vbox86p emulator tespiti. Telegram C2.

Malware Type
RAT
Programming Language
Java
C2 Protocol
TCP
Target Systems
Android
Also Known As (AKA)
CypherRAT

Technical Details

Java/Kotlin (Android), bcast receiver persistence, SMS/contact stealer, camera/mic erisim, location tracking, keylogger (Accessibility Service), remote shell, screen record, banking app overlay

Capabilities & Behavior

Uzaktan Erişim & Kontrol
Keylogger
Ekran Görüntüsü
Webcam Erişimi
Dosya Yönetimi
Süreç Yönetimi
Komut Yürütme
Kalıcılık Mekanizması

IOC List (2 indicators)

IOC — SpyNote
# SHA256 94480b31e4ceb20ea71197b8689412cf583f01c408efdda954dff73ed7018c07 # MD5 e71f2fd1d9fc127eb08f3b9fbabc9c6a
TypeValueNote
sha256 94480b31e4ceb20ea71197b8689412cf583f01c408efdda954dff73ed7018c07 Sample:SpyNote
md5 e71f2fd1d9fc127eb08f3b9fbabc9c6a Sample:SpyNote

C2 Servers (1 recorded servers for this family)

Address Type Port Protocol Status Country
everspy.ru domain — TCP inactive —

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
spynoteratmalwarehighsha256hash-analizi