ermac | 820e9e9c1f7f6148c94e647a175ede95e41efdd882fd4b0177ad443ce8b95e04

General

Target

820e9e9c1f7f6148c94e647a175ede95e41efdd882fd4b0177ad443ce8b95e04
Size

3.3MB
Sample

240419-nqnphaae89
MD5

fed46ad35d269dd4fff2e000143b5a62
SHA1

ab44009839aa65c28652262ffc206d0ffed8f2c8
SHA256

820e9e9c1f7f6148c94e647a175ede95e41efdd882fd4b0177ad443ce8b95e04
SHA512

9b0c177839f9030ab2e71d8bb961f239ce87326f420cf179cd4553023d740917f3cdca4378a5922f48155dec68575beda230c246989f2fbab76ae729499cdbf8
SSDEEP

98304:Oc9piReR5PEVJxhHsqY8bkY42LlS/aeHELijWG:leoRe1Zk925b+jWG

Score

10^/10

Malware Config

Extracted

Family

hook

C2

http://163.5.169.19:3434

AES_key

Targets

- Target
  
  820e9e9c1f7f6148c94e647a175ede95e41efdd882fd4b0177ad443ce8b95e04
- Size
  
  3.3MB
- MD5
  
  fed46ad35d269dd4fff2e000143b5a62
- SHA1
  
  ab44009839aa65c28652262ffc206d0ffed8f2c8
- SHA256
  
  820e9e9c1f7f6148c94e647a175ede95e41efdd882fd4b0177ad443ce8b95e04
- SHA512
  
  9b0c177839f9030ab2e71d8bb961f239ce87326f420cf179cd4553023d740917f3cdca4378a5922f48155dec68575beda230c246989f2fbab76ae729499cdbf8
- SSDEEP
  
  98304:Oc9piReR5PEVJxhHsqY8bkY42LlS/aeHELijWG:leoRe1Zk925b+jWG
Score

10^/10

hook collection discovery evasion infostealer persistence rat stealth trojan
- Hook
  Hook is an Android malware that is based on Ermac with RAT capabilities.
  rat trojan infostealer hook
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion
- Removes its main activity from the application launcher
  stealth trojan evasion
- Checks CPU information
  Checks CPU information which indicate if the system is an emulator.
  evasion discovery
- Checks memory information
  Checks memory information which indicate if the system is an emulator.
  evasion discovery
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Queries information about running processes on the device.
  Application may abuse the framework's APIs to collect information about running processes on the device.
  discovery
- Queries information about the current Wi-Fi connection.
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Requests enabling of the accessibility settings.
- Acquires the wake lock
- Reads information about phone network operator.
  discovery
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Hook

Makes use of the framework's Accessibility service

Removes its main activity from the application launcher

Checks CPU information

Checks memory information

Makes use of the framework's foreground persistence service

Queries information about running processes on the device.

Queries information about the current Wi-Fi connection.

Queries the phone number (MSISDN for GSM devices)

Requests enabling of the accessibility settings.

Acquires the wake lock

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

behavioral3