ermac | b625765ce751d3a56674fee9215ba69777a3e7ab37e6cbcf418c918de423c0a3 | Triage

Sharing

General

Target

b625765ce751d3a56674fee9215ba69777a3e7ab37e6cbcf418c918de423c0a3.bin
Size

3.7MB
Sample

230911-1xr2qabg29
MD5

fd9bc14fdfc21de632d363a80b4a69b3
SHA1

4b7207e591ec14e255ff6e4615226d6bdf5fb9d1
SHA256

b625765ce751d3a56674fee9215ba69777a3e7ab37e6cbcf418c918de423c0a3
SHA512

c862f82b29ec22969de6990fd4925795efd8dc597a0c1112856c904480e1604948f807d0e4e5f531bdd7c457cad609af9c671a0075b8e8c85904c9aee0016764
SSDEEP

98304:sUrHmTErDuO/KaWKRN7r311AjSNSjJ7Xs0PF5kSQPFfEJ/g9uMkNsy:sUaIVN7r3118S4jJXsAF5SPFMpB

Score

10^/10

ermac android banker evasion infostealer ransomware stealth trojan

Malware Config

Extracted

Family

ermac

C2

http://176.111.174.191:3434

AES_key

AES_key

Targets

- Target
  
  b625765ce751d3a56674fee9215ba69777a3e7ab37e6cbcf418c918de423c0a3.bin
- Size
  
  3.7MB
- MD5
  
  fd9bc14fdfc21de632d363a80b4a69b3
- SHA1
  
  4b7207e591ec14e255ff6e4615226d6bdf5fb9d1
- SHA256
  
  b625765ce751d3a56674fee9215ba69777a3e7ab37e6cbcf418c918de423c0a3
- SHA512
  
  c862f82b29ec22969de6990fd4925795efd8dc597a0c1112856c904480e1604948f807d0e4e5f531bdd7c457cad609af9c671a0075b8e8c85904c9aee0016764
- SSDEEP
  
  98304:sUrHmTErDuO/KaWKRN7r311AjSNSjJ7Xs0PF5kSQPFfEJ/g9uMkNsy:sUaIVN7r3118S4jJXsAF5SPFMpB
Score

10^/10

ermac banker evasion infostealer ransomware stealth trojan
- Ermac
  An Android banking trojan first seen in July 2021.
  banker trojan infostealer ermac
- Ermac2 payload
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
  banker
- Removes its main activity from the application launcher
  stealth trojan
- Acquires the wake lock.
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
- Queries the unique device ID (IMEI, MEID, IMSI).
- Reads information about phone network operator.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Removes a system notification.
  evasion
- Uses Crypto APIs (Might try to encrypt user data).
  ransomware
behavioral1 behavioral2 behavioral3
- Target
  
  ap.data
- Size
  
  2KB
- MD5
  
  f3a1627fe912c49ecdcd4ab92a5d6bc8
- SHA1
  
  83594f213015203ff4366f47d0df73fd6ceb875e
- SHA256
  
  c0f9ff255860cb0a73367c2dcc52676858a7e8d2bd97a1c6884a8344fc2ed699
- SHA512
  
  48f17c16fdf748f56301a17b95c95a80e387804a8a0062f344c736f8e4521ff3bc4de7e80b2d32c4d607a945459f66d698a4552cfcf8d1ca08042906e9e351d2
Score

3^/10
behavioral4 behavioral5
- Target
  
  base_fragment.sh
- Size
  
  161B
- MD5
  
  5b293a8112b38e1222fd981265e12dd3
- SHA1
  
  a888f14ac2b39c90b68f194e3a69e0754f1a78fc
- SHA256
  
  0980057dba7e8a8d76f5137a5c69a6e9b08f8903cfb2c2921c603b9f1233c544
- SHA512
  
  606e6aa3bac1e39548e84d8f11f8e4ce23106ef0044b5f358f30b4f2a5b49ad5805464b804dfd19bfa34b37b76d1d5a8dd4223bab483cf5e9e953d387e69a4ec
Score

3^/10
behavioral6 behavioral7
- Target
  
  base_vertex.sh
- Size
  
  188B
- MD5
  
  8ca61f9c38649d70235b0d9b9fd2d8e4
- SHA1
  
  4c3d34710f1d951ac371f88657cab92977da8b32
- SHA256
  
  87fd875bdcb0e0ef9a91a350dd536066a86b22d6b16cd1d7398639040c5619d8
- SHA512
  
  f137b0df7b7511d0b73c9cc67ca1b1b76dfc333199f598c22e8e6e651f4d180daa1fcb39c3d857ef907b1052508d7e125c8a2dae9527cffcfc120b97edc78fcf
Score

3^/10
behavioral8 behavioral9
- Target
  
  behavior.js
- Size
  
  3KB
- MD5
  
  4d408c09ad7286563d2ed734386e4554
- SHA1
  
  45cc03177a7b8777eeb60cda9b58f5a8c36a6bde
- SHA256
  
  5f81b43a9b564aecd701298ab51b2ab1be59b1d16efd772371d0717e9f0df335
- SHA512
  
  12d50a9e5472d0c452295c58830e959a61e5fc0e5f13ae43b2b6d6c9697e7e542ff649324056f1ff747b1ffafe06857e1159bd8bdf3722b7ab5f0655cf1aa354
Score

1^/10
behavioral10 behavioral11
- Target
  
  crossing_nigth_bk.data
- Size
  
  18KB
- MD5
  
  09060cab74b015ed5e135cb25d2772b8
- SHA1
  
  7f61ef164901411972a6c08e75171049415644d4
- SHA256
  
  3dce6d890a489f87ab0637c8a4172a095c09e52367398bec192b348958810af8
- SHA512
  
  1d8ea652efeaa10dcdea8f258d398d35aba97ed5da70985ffbab6fb12f5058150802f37dff24805c2388e3cbab0e77a7c152e018e8b056fe16628f304d7b60b1
- SSDEEP
  
  24:dJLYWuqylnv/pe3a0nkJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJO:d74vOl84h
Score

3^/10
behavioral12 behavioral13
- Target
  
  mic.js
- Size
  
  1KB
- MD5
  
  dfec937620b369b6522fe5274f27db84
- SHA1
  
  accaa526de65d3eb58aa2a3daceef9fb5d20d8f3
- SHA256
  
  453431aca1c4332751db2538f313045ec6306991802b7303d6c2f25726313ceb
- SHA512
  
  17dd6d25cfa53c84dd85e39dd5914333db4dd32c1c7a6c2429360a3d65aa09d46afb0327b962db7fda225acd0ee846eacdbc311a1c17e0e05da699691417df0b
Score

1^/10
behavioral14 behavioral15
- Target
  
  mspjs_v2.js
- Size
  
  5KB
- MD5
  
  9fde93413fb335e8d288c33e9e161914
- SHA1
  
  cdecca5ae92e324f893a21986b58eaec7320f34c
- SHA256
  
  6bc7264bb97c82431db02957e72c28bbb99e5cacb3be7415a97be08736aec4ef
- SHA512
  
  9474bda468b9cf74bb6d129af26661b9995262e30d37ae259c84c7ada0ece09bc1dc7e342a89cf941b30d98e88d9ac1db539ae03fb50692b8b33626f027a638a
- SSDEEP
  
  96:amMEhveoIynQ0iJZJceMnhfQUjOCh1XJZQyhBvbTCx0VxyjQO2ayNThy0SCC:25/XqjjjOChWyDvbux0TyjQGyNTpSCC
Score

1^/10
behavioral16 behavioral17

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ermacbankerevasioninfostealerransomwarestealthtrojan

behavioral2

ermacbankerevasioninfostealerransomwarestealthtrojan

behavioral3

ermacbankerevasioninfostealerransomwarestealthtrojan

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17