ermac | 4b807adf64b0928dde464851b11ba1d8fe9b09ed6590f0d407a743e4bef2a704 | Triage

Sharing

General

Target

4b807adf64b0928dde464851b11ba1d8fe9b09ed6590f0d407a743e4bef2a704.bin
Size

1.4MB
Sample

240322-1ywfjahe53
MD5

4eeefae90ae2b2e32da24cbcf1eef056
SHA1

5c25136ac3e5cb2f94cb65beda2d0906a10b1264
SHA256

4b807adf64b0928dde464851b11ba1d8fe9b09ed6590f0d407a743e4bef2a704
SHA512

843282ae5af99ae750113f10062d6767b7e6a3b7cd7a3d8424e633855dceb15023c6fc1a6bc88e8c32bea5c36e00a5276c550055d73d72b962eaf80901d37b99
SSDEEP

24576:eM0Bb9zsil6DUOecV8Ads2TnfvI+jp3VWm4SpOKTRHZN/rBNF3:z0BZzs2JMyAW2D3I+ZVUK1HbjBn3

Score

10^/10

ermac hook android banker collection discovery evasion infostealer persistence rat trojan

Malware Config

Extracted

Family

ermac

AES_key

AES_key

AES_key

AES_key

AES_key

AES_key

AES_key

AES_key

AES_key

AES_key

Extracted

Family

hook

AES_key

AES_key

AES_key

AES_key

AES_key

AES_key

AES_key

AES_key

AES_key

AES_key

Targets

- Target
  
  4b807adf64b0928dde464851b11ba1d8fe9b09ed6590f0d407a743e4bef2a704.bin
- Size
  
  1.4MB
- MD5
  
  4eeefae90ae2b2e32da24cbcf1eef056
- SHA1
  
  5c25136ac3e5cb2f94cb65beda2d0906a10b1264
- SHA256
  
  4b807adf64b0928dde464851b11ba1d8fe9b09ed6590f0d407a743e4bef2a704
- SHA512
  
  843282ae5af99ae750113f10062d6767b7e6a3b7cd7a3d8424e633855dceb15023c6fc1a6bc88e8c32bea5c36e00a5276c550055d73d72b962eaf80901d37b99
- SSDEEP
  
  24576:eM0Bb9zsil6DUOecV8Ads2TnfvI+jp3VWm4SpOKTRHZN/rBNF3:z0BZzs2JMyAW2D3I+ZVUK1HbjBn3
Score

10^/10

ermac hook banker collection discovery evasion infostealer persistence rat trojan
- Ermac
  An Android banking trojan first seen in July 2021.
  banker trojan infostealer ermac
- Ermac2 payload
- Hook
  Hook is an Android malware that is based on Ermac with RAT capabilities.
  rat trojan infostealer hook
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Requests enabling of the accessibility settings.
- Acquires the wake lock
- Reads information about phone network operator.
  discovery
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Foreground Persistence

Input Injection

Credential Access

Discovery

System Network Configuration Discovery

Lateral Movement

Collection

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

Tasks

static1

behavioral1

ermachookbankercollectiondiscoveryevasioninfostealerpersistencerattrojan

behavioral2

ermachookbankercollectiondiscoveryevasioninfostealerpersistencerattrojan

behavioral3

ermachookbankercollectionevasioninfostealerpersistencerattrojan