Extracted

• • Target

    5d794e937ca1530895f464d0a59eebc89e44cef3228064457907fe38fc25f113.bin

  • Size

    994KB

  • MD5

    bb27cbe830eb2ded66922b81bbe0e132

  • SHA1

    ab29b24e8d2f0fda9b7a584295c119b7a298bdbf

  • SHA256

    5d794e937ca1530895f464d0a59eebc89e44cef3228064457907fe38fc25f113

  • SHA512

    36afd927b3c183350ed55cb0b679ee9f634f581422e6aff225387e4cbc01ca357f0b76cf87406e678402c7e905e82de0dd13c53d84eca2b8f752137cff8cc4be

  • SSDEEP

    24576:KME4F5tivtIIwnD/h5AIaxC6CwCJCFCyCzCCClCWCkgSDUEW2:/f/2twD5CrDJM8b27c3hgSS2

  Score

  10^/10

  ermacbankercollectiondiscoveryevasioninfostealerpersistencestealthtrojan

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac

  • Makes use of the framework's Accessibility service

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasion

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    bankerdiscovery

  • Removes its main activity from the application launcher

    stealthtrojanevasion

  • Checks CPU information

    Checks CPU information which indicate if the system is an emulator.

    evasiondiscovery

  • Checks memory information

    Checks memory information which indicate if the system is an emulator.

    evasiondiscovery

  • Makes use of the framework's foreground persistence service

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence

  • Queries the phone number (MSISDN for GSM devices)

    discovery

  • Acquires the wake lock

  • Queries the unique device ID (IMEI, MEID, IMSI)

    discovery

  • Reads information about phone network operator.

    discovery

  • Requests disabling of battery optimizations (often used to enable hiding in the background).

    evasion
  behavioral1behavioral2behavioral3