ermac | a520776bfea89d266ce1609fc5ca3d52e38ae282b5b0cc35455478b3f7f933ce

Resubmissions

11-10-2023 14:52

231011-r8rewsec7t 10

02-10-2023 22:00

231002-1w26asgf88 10

Analysis

max time kernel
524031s
max time network
159s
platform
android_x64
resource
android-x64-arm64-20230831-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20230831-enlocale:en-usos:android-11-x64system
submitted
11-10-2023 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a520776bfea89d266ce1609fc5ca3d52e38ae282b5b0cc35455478b3f7f933ce.apk
Size

2.7MB
MD5

de425288564e500a76a3e6cb7d00b451
SHA1

dadea7112c2d89b4a9846cbc75fcba7e37df7953
SHA256

a520776bfea89d266ce1609fc5ca3d52e38ae282b5b0cc35455478b3f7f933ce
SHA512

d206d73d1a4cd627402574acd686a6692263c2fd2aebae744d064d8f1cfcfea298ed68f31fccb772ad244f88a5431fed3b6cf1ac0fac48d8c1616002e7f5e8e1
SSDEEP

49152:UzTnQSQG66mqg8cZgzhTytYQCFHnrN1lue8Iwex0GQl6fr9iHDS:UzTnV66uZyTyinnrfluNFemIfJiHG

Score

10^/10

ermac hook banker evasion infostealer ransomware rat trojan

Malware Config

Extracted

Family

ermac

AES_key

Extracted

Family

hook

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 1 IoCs

resource	yara_rule
behavioral3/memory/4487-0.dex	family_ermac2

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.bulosinehipibe.zusu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.bulosinehipibe.zusu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.bulosinehipibe.zusu

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.bulosinehipibe.zusu

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json	4487	com.bulosinehipibe.zusu

Reads information about phone network operator.

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.bulosinehipibe.zusu

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.bulosinehipibe.zusu

com.bulosinehipibe.zusu
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4487

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/xPd.json.cur.prof

Filesize
3KB

MD5
ae484771d12a68862e8398c5a7321e12

SHA1
98d0a2116755681d4b27e8d25ac09e59e86065cf

SHA256
9af07355d134592545b641d3a3d2300c237e3dd6549d0cbcc8e45baab809366b

SHA512
95318f772e2ba5b7e7fcf908c376c991ae0bb98c42a2d5490bff64c34a267c514a4d7f352867df6c14b8422852f776c478facfcd81394659e21c8b72d63af493

Download Submit
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/xPd.json.cur.prof

Filesize
3KB

MD5
681b950ae83cee9c2320f82f5e16f1ba

SHA1
d85e57c271d287a3868bb92b25d27cbda68b98b4

SHA256
b03559fb1cd085e084f49e6cda88ec5ba586f39a0fecae96f2ff863c1ef75220

SHA512
a78589ebf61982f4632702048ed9bd16c471d61589abe52f25531d9f49cac326218abcc4d878516b680da1523799870fb09647515b89775690e4cdc7fc158cab

Download Submit
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json

Filesize
675KB

MD5
0d7011aae5c495eb21bc14fb36274b37

SHA1
1688ae0e296fb51bd5e2e1e5e6d69f485dd595d9

SHA256
ec05193f495dbd4e80fe15ef83aff93ca43d57acdb397470c74c983d80898ffd

SHA512
16707e9e653b1c49969371a7a7cd66e1a052ea7aa6408ade08956356fef143c83f07987d43bbe5355f77aff826e1d38f2a66c7c4b43b4344f84e526e0bbabf9c

Download Submit
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json

Filesize
675KB

MD5
76da66ec311b117dd6dc9847d23c2306

SHA1
1d22fa205027f21d2f528ef32e377d6c20a15bbb

SHA256
9c2a5fb6388857a4e5dcf1c509cfada357b3fd0c41df04745aeeb9895d4b8f85

SHA512
73a4284dc624cfb28e5e0994a2560f0cbab95c7e9cb3ceeccb9b1c5ddbb000a0f59265b2b4a0e48a2e9e57a6d531feb98ea3b4a92a2c4d815ba2135e0a16ce78

Download Submit
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json

Filesize
1.5MB

MD5
ad90592ba1bd967fb65ef9eb4cbcb6e1

SHA1
a12ca9423455034bca28396a4067783e33818c55

SHA256
baec4072b1157a3179e6a3d144caedc96cd6afeebaa27da6a0444ce3d41c0908

SHA512
d19c6c46b2161eb4614c7b48ad1cb008bab1dac18d19dcfa535cbb670b8badf64c6eb37105624b6bf868084d5a47ff83670fe3dc69e075e6b75dce857fe307fc

Download Submit
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb

Filesize
4KB

MD5
7e858c4054eb00fcddc653a04e5cd1c6

SHA1
2e056bf31a8d78df136f02a62afeeca77f4faccf

SHA256
9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

SHA512
d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

Download Submit
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
a536667396f103801f44b142442a057a

SHA1
324e15446ecb6079b2e856f85b6dc0387d96d215

SHA256
9154f560eafcca400e9a4e54b76329d7834dcf658854dff935f96507681fe85e

SHA512
e9739a8c436bd766856d40fab9489db3d0dfaa4b583ce0204a1dcf1c3d626348dcf5a9d716a5138b8ac7e3799ecf704928354eca950d686b018ba0d8b80b5670

Download Submit
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
f58cfdccbd5a2eefde5bf2ad01d1deb5

SHA1
6a4c439f12fed9f19792a9246ec20be8413b827c

SHA256
296f4adbd851ee8724d4d87883817cb08c8ae5bbb6c8dc4ffbc3d6ffc2773887

SHA512
c6371b8261412fc36addf7712816c898f5290377c090b46c5e4fa6044209665900562b1d788f6b59fcbc1c067758d36758448a4d15df22f4de9bb14e479369ac

Download Submit
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
4071e3ea4505c31cb26e7f1a1b863184

SHA1
691bdb4f51bca1a957f99e62047e0f00c0ea47a6

SHA256
5becc4f1d2ed9501d93c5dcabd6237ad52551c74010041f334717274150fc39b

SHA512
2f830a261760e9aa2e090c35150565b3a7df6726d735db75a57ff0079eb6e91446ec79eb1ba98bb8debfab8477f34d819769d2776893ef88b40dc6c17cfa2f08

Download Submit
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
4f67e4b7a1e4c79c50b48a7a6ab80874

SHA1
d338e24f63de3075e81adce00970cbe0215a1a12

SHA256
9cdafcf11f2ad6a502104adbb1b828ec06c9c7e38091512bb653d83f3eb35926

SHA512
a60a329711cb522c376ac17afa3719c71c21daa80d71271e1dae4bb3dfdc844da343ae45cb5b14fdf7449475646e827b028507ec4a7f651935b885e69ad1909c

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads