ermac | 73d121b346a55550b35afdb1b3828d0474981afa0efa8a48332147c520c5707f | Triage

Sharing

General

Target

73d121b346a55550b35afdb1b3828d0474981afa0efa8a48332147c520c5707f.bin
Size

1.9MB
Sample

230807-zan6waag2x
MD5

a5b3d8f5cdd23539d15999eb42db04a3
SHA1

d0e67af1c5c53a905c4b585d07463357d4c2e62a
SHA256

73d121b346a55550b35afdb1b3828d0474981afa0efa8a48332147c520c5707f
SHA512

b7f451135ecb549ee0a21e30d62b09710c23090ae99fa67d495349d649b9032836a2d4874cd9c08c111a32f8745457b7594b0a3bafbdebfcdab6ff1c3756d9e9
SSDEEP

49152:LNfbRndNMaoiAzvqHR4fG6SbSzpa8bFOGqb:JDRjMaoBz2BbT8Ls

Score

10^/10

ermac android banker evasion infostealer ransomware trojan

Malware Config

Extracted

Family

ermac

C2

http://193.106.191.148:3434

AES_key

AES_key

Targets

- Target
  
  73d121b346a55550b35afdb1b3828d0474981afa0efa8a48332147c520c5707f.bin
- Size
  
  1.9MB
- MD5
  
  a5b3d8f5cdd23539d15999eb42db04a3
- SHA1
  
  d0e67af1c5c53a905c4b585d07463357d4c2e62a
- SHA256
  
  73d121b346a55550b35afdb1b3828d0474981afa0efa8a48332147c520c5707f
- SHA512
  
  b7f451135ecb549ee0a21e30d62b09710c23090ae99fa67d495349d649b9032836a2d4874cd9c08c111a32f8745457b7594b0a3bafbdebfcdab6ff1c3756d9e9
- SSDEEP
  
  49152:LNfbRndNMaoiAzvqHR4fG6SbSzpa8bFOGqb:JDRjMaoBz2BbT8Ls
Score

10^/10

ermac banker evasion infostealer ransomware trojan
- Ermac
  An Android banking trojan first seen in July 2021.
  banker trojan infostealer ermac
- Ermac2 payload
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
- Queries the unique device ID (IMEI, MEID, IMSI).
- Reads information about phone network operator.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Removes a system notification.
  evasion
- Uses Crypto APIs (Might try to encrypt user data).
  ransomware
behavioral1 behavioral2 behavioral3
- Target
  
  createjs-2015.11.26.min.js
- Size
  
  186KB
- MD5
  
  1205efae277bfd4bfe5c75dbd1dfade1
- SHA1
  
  9160eadae861580ff961ddb1b365d16fe6bcfdcc
- SHA256
  
  d4267b6065b7a533bcb376478dc335444fc8d4019b1de2787e88fc488c95787a
- SHA512
  
  1a919cf78d197faeee50bb5b17298804acd7aea9f6c5ac6242ff62ab991cd06d1ad7f299d7052b58d654678f7f61172b8e63c4329f52eacbcaa97677d6954004
- SSDEEP
  
  1536:H4fYm38CwnLjOv+pWKE554MPTCBNmCuyE2aSXK53ptxBjESleWmePKeMcZ6i7VOL:sf1tMM2BNmBXtxBjESlF0t
Score

1^/10
behavioral4 behavioral5
- Target
  
  vpaid_html_template.html
- Size
  
  16KB
- MD5
  
  7d7cb3d6c22da954fccb084f6c18ee01
- SHA1
  
  529871b15146f802c1c1fe2342b31db9e328bb7b
- SHA256
  
  05cb7160ec6766397cacbfc5d57373edbcb028917d81e2f2d748e27086db23cf
- SHA512
  
  a73d034079dba15d38bd14ddb81afd8af51b31a5c80cd83346556e7ca7f2ec927511ec3c151abf7cdc108ac4671b7623066e0375b30536e1503125354fa1a15b
- SSDEEP
  
  192:mrLYJFkVvGFQshArPtP842+Lw1wOEeR6kad8bWXSrJEBOn8TsjNC4ck8aanlDTtI:8U42Fn9qW4+EQNuSXIlodo4
Score

1^/10
behavioral6 behavioral7
- Target
  
  webClipper.js
- Size
  
  14KB
- MD5
  
  d6b2fd4e3b6d19d03d953651bf20307d
- SHA1
  
  f390fe2bf68b626caba2c170646ffba2712fa456
- SHA256
  
  45d4279ef1c80ee5298d92bc6100496005e214873f9009397f609cde426aaf12
- SHA512
  
  8ab487a95f4de005d0516aceaa75d1e4150d6cb06e9b9d168a9d35547f62461a2520f46d2c43b1b87b7d0787be70fbcf7db3e3d44b1c802ec30c81a9d1907115
- SSDEEP
  
  192:rSpXZhkiH3dECDJd+GnnQwwHiUw8p78CyiiajhXan4f3fjwYd2amP6DmWatUZOb:odXdFPkb3rj0amP6DmWatUZOb
Score

1^/10
behavioral8 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ermacbankerevasioninfostealerransomwaretrojan

behavioral2

ermacbankerinfostealerransomwaretrojan

behavioral3

ermacbankerevasioninfostealerransomwaretrojan

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9