Extracted

• • Target

    38b4a1541bc752957860d971a8a0947eddfc253bafd2304511866638aeab2fcd.bin

  • Size

    2.8MB

  • MD5

    f8e3c435984479f11ff3d01339ffd608

  • SHA1

    c35db3eb25583f15830b543b519f35be61d8fe1a

  • SHA256

    38b4a1541bc752957860d971a8a0947eddfc253bafd2304511866638aeab2fcd

  • SHA512

    34ad04829b6f6e9d7a7538f0c264c323263b44b7566b70d5998cb8a85c0d62a9652f25f4e0fa9661004a9b0588fcde5d1c3e5a021e1c3867d13042736e0c987f

  • SSDEEP

    49152:D69/+HgoyVlWIQteqHaSJBcema0O0b5zI/tZKxZYrcuG7oC9PbteC9gWhZdGcqQ:mmuArYWtZKx6YuGDjeMZZj

  Score

  10^/10

  ermacbankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencestealthtrojan

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac

  • Ermac2 payload

  • Removes its main activity from the application launcher

    stealthtrojanevasion

  • Loads dropped Dex/Jar

    Runs executable file dropped to the device during analysis.

    evasion

  • Makes use of the framework's Accessibility service

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access

  • Queries the phone number (MSISDN for GSM devices)

    discovery

  • Acquires the wake lock

  • Makes use of the framework's foreground persistence service

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence

  • Performs UI accessibility actions on behalf of the user

    Application may abuse the accessibility service to prevent their removal.

    evasion

  • Queries the mobile country code (MCC)

    discovery

  • Queries the unique device ID (IMEI, MEID, IMSI)

    discovery

  • Requests disabling of battery optimizations (often used to enable hiding in the background).

    evasion
  behavioral1behavioral2behavioral3