ermac

General

Target

e330fcc07b1bc5616beb0905e26420fd58ed4ca8d1f6cbf9960a7137fe827697.bin
Size

834KB
Sample

240322-1xj14sca8y
MD5

26b69ebed3da9b0d12119907c8b7d659
SHA1

f7c2a4c353bdadf54acfcda67d69ad3ca177bf8a
SHA256

e330fcc07b1bc5616beb0905e26420fd58ed4ca8d1f6cbf9960a7137fe827697
SHA512

92d1950288a751b6a68b54f9440b47402ac5d7d35288f44fd8298bb3198435a6016ab138860998b5aa97a9c9439061be5587d95b9b4efb6c8dcc0232f636108f
SSDEEP

12288:Qy6qFRJ/SJpLWYAHJxCNX5xKNLzb5IcJ9USdhBQBeraUdNdzgh6ujN+:l6+RSpLWYAHuNXLKNH9IcPUShBoer7i+

Score

10^/10

Malware Config

Extracted

Family

ermac

C2

http://85.209.11.108:3434

AES_key

Targets

- Target
  
  e330fcc07b1bc5616beb0905e26420fd58ed4ca8d1f6cbf9960a7137fe827697.bin
- Size
  
  834KB
- MD5
  
  26b69ebed3da9b0d12119907c8b7d659
- SHA1
  
  f7c2a4c353bdadf54acfcda67d69ad3ca177bf8a
- SHA256
  
  e330fcc07b1bc5616beb0905e26420fd58ed4ca8d1f6cbf9960a7137fe827697
- SHA512
  
  92d1950288a751b6a68b54f9440b47402ac5d7d35288f44fd8298bb3198435a6016ab138860998b5aa97a9c9439061be5587d95b9b4efb6c8dcc0232f636108f
- SSDEEP
  
  12288:Qy6qFRJ/SJpLWYAHJxCNX5xKNLzb5IcJ9USdhBQBeraUdNdzgh6ujN+:l6+RSpLWYAHuNXLKNH9IcPUShBoer7i+
Score

10^/10

ermac banker collection discovery evasion infostealer persistence stealth trojan
- Ermac
  An Android banking trojan first seen in July 2021.
  banker trojan infostealer ermac
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Removes its main activity from the application launcher
  stealth trojan evasion
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Acquires the wake lock
- Queries the unique device ID (IMEI, MEID, IMSI)
  discovery
- Reads information about phone network operator.
  discovery
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Makes use of the framework's foreground persistence service

Acquires the wake lock

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

behavioral3