ermac

General

Target

08113a4affb0356a63a356fc88a88c7eeaf3fe7d0b8df852ea8723f014aadee1.bin
Size

3.0MB
Sample

240909-1w1x8svale
MD5

d2d453c7460e87470fea92c2cef75a13
SHA1

2b5caf78c0050a2dcc413792a5c7d270c77ca2c7
SHA256

08113a4affb0356a63a356fc88a88c7eeaf3fe7d0b8df852ea8723f014aadee1
SHA512

c55fc60588ecc354cd28e47710363882bcaaa89a06c3fdeea1c86229963142908ce3966a2c8d367595198a0aef95a07d2a494bb3b70ca78b922a60e97685024a
SSDEEP

49152:PL54VxsS/XTRr7sExiulh9XKDjhSmUoZgEk6PcTHPuhQfS6TXY9oiKCWR82p:pIlr7tn6jhZG6PcTG6KCXYaCI

Score

10^/10

Malware Config

Extracted

Family

ermac

C2

http://81.177.140.77:3434

AES_key

rsa_pubkey

AES_key

Extracted

Family

hook

C2

http://81.177.140.77:3434

AES_key

rsa_pubkey

AES_key

Targets

- Target
  
  08113a4affb0356a63a356fc88a88c7eeaf3fe7d0b8df852ea8723f014aadee1.bin
- Size
  
  3.0MB
- MD5
  
  d2d453c7460e87470fea92c2cef75a13
- SHA1
  
  2b5caf78c0050a2dcc413792a5c7d270c77ca2c7
- SHA256
  
  08113a4affb0356a63a356fc88a88c7eeaf3fe7d0b8df852ea8723f014aadee1
- SHA512
  
  c55fc60588ecc354cd28e47710363882bcaaa89a06c3fdeea1c86229963142908ce3966a2c8d367595198a0aef95a07d2a494bb3b70ca78b922a60e97685024a
- SSDEEP
  
  49152:PL54VxsS/XTRr7sExiulh9XKDjhSmUoZgEk6PcTHPuhQfS6TXY9oiKCWR82p:pIlr7tn6jhZG6PcTG6KCXYaCI
Score

10^/10

ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
- Ermac
  An Android banking trojan first seen in July 2021.
  banker trojan infostealer ermac
- Ermac2 payload
- Hook
  Hook is an Android malware that is based on Ermac with RAT capabilities.
  rat trojan infostealer hook
- Checks if the Android device is rooted.
  evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Queries information about the current Wi-Fi connection
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  discovery
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
behavioral1 behavioral2 behavioral3