ermac | 16d5b53c646a760a91b2663ec75035d4a999d4440fbc52e8a96d292d5bee947a | Triage

Submit
Reports

Overview

overview

Static

static

GoogleMaps.apk

android-10-x64

GoogleMaps.apk

android-11-x64

GoogleMaps.apk

android-9-x86

Resubmissions

15-05-2023 13:44

230515-q16n6sea6x 10

02-08-2022 06:20

220802-g3t9gsbgh3 10

Sharing

General

Target

GoogleMaps.apk
Size

907KB
Sample

230515-q16n6sea6x
MD5

ea449f22d8dd8d8fe8732dd96d69cb99
SHA1

d0656d504fabddb0bccc284976120e1a8299dcde
SHA256

16d5b53c646a760a91b2663ec75035d4a999d4440fbc52e8a96d292d5bee947a
SHA512

0da0a54de3cc28d3d8f8e44748aa2359f048f4c21d319fb2941bd2b4866bb53abdd857b5f27a346daa5b7f79b9a68af89baff598133fb8fe0c1633a820328fe7
SSDEEP

24576:OlFD/teGNYj4ETDPHKDz82qBwWsmEg/WMsa:KzNYjVHqDSsmEg/WA

Score

10^/10

ermac android banker evasion infostealer ransomware stealth trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

GoogleMaps.apk

Resource

android-x64-20220823-en

ermac banker infostealer ransomware trojan

android-10-x64

3 signatures

150 seconds

Behavioral task

behavioral2

Sample

GoogleMaps.apk

Resource

android-x64-arm64-20220823-en

ermac banker evasion infostealer ransomware stealth trojan

android-11-x64

9 signatures

150 seconds

Behavioral task

behavioral3

Sample

GoogleMaps.apk

Resource

android-x86-arm-20220823-en

ermac banker evasion infostealer ransomware stealth trojan

android-9-x86

8 signatures

150 seconds

Malware Config

Extracted

Family

ermac

C2

http://193.106.191.121:3435

AES_key

AES_key

Targets

- Target
  
  GoogleMaps.apk
- Size
  
  907KB
- MD5
  
  ea449f22d8dd8d8fe8732dd96d69cb99
- SHA1
  
  d0656d504fabddb0bccc284976120e1a8299dcde
- SHA256
  
  16d5b53c646a760a91b2663ec75035d4a999d4440fbc52e8a96d292d5bee947a
- SHA512
  
  0da0a54de3cc28d3d8f8e44748aa2359f048f4c21d319fb2941bd2b4866bb53abdd857b5f27a346daa5b7f79b9a68af89baff598133fb8fe0c1633a820328fe7
- SSDEEP
  
  24576:OlFD/teGNYj4ETDPHKDz82qBwWsmEg/WMsa:KzNYjVHqDSsmEg/WA
Score

10^/10

ermac banker infostealer ransomware trojan evasion stealth
- Ermac
  An Android banking trojan first seen in July 2021.
  banker trojan infostealer ermac
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
  stealth trojan
- Acquires the wake lock.
- Queries the unique device ID (IMEI, MEID, IMSI).
- Reads information about phone network operator.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Removes a system notification.
  evasion
- Uses Crypto APIs (Might try to encrypt user data).
  ransomware
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

ermacbankerinfostealerransomwaretrojan

behavioral2

ermacbankerevasioninfostealerransomwarestealthtrojan

behavioral3

ermacbankerevasioninfostealerransomwarestealthtrojan

© 2018-2025

Terms | Privacy