Extracted

• • Target

    43573ce77b2793e9a8625998090644d255b00f29efeb72cae072cdeaf1a7a43e.bin

  • Size

    1.5MB

  • MD5

    6d05cc90ed36940c534f070871cffdf1

  • SHA1

    09b5b6af4c9c3ad3a8580201c1f6786af625923c

  • SHA256

    43573ce77b2793e9a8625998090644d255b00f29efeb72cae072cdeaf1a7a43e

  • SHA512

    a03fb15c79c90f1ced564d0f47f8200c2f954d589c2f2c242795a8152056ee9bae278f2b21f712b66d73d01e4101788a2b32ea6c66fa3649d1f3969d5ac6fd03

  • SSDEEP

    24576:4P7PpHfrmbtj5rDVE5h8aqVlnC/9p9SrRJgSrN9W3WlQfg+:4P7qhKCaqVlnMDMgSmW2g+

  Score

  10^/10

  ermacbankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistencetrojan

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac

  • Ermac family

    ermac

  • Ermac2 payload

  • Loads dropped Dex/Jar

    Runs executable file dropped to the device during analysis.

    evasion

  • Makes use of the framework's Accessibility service

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access

  • Obtains sensitive information copied to the device clipboard

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact

  • Queries the phone number (MSISDN for GSM devices)

    discovery

  • Acquires the wake lock

  • Makes use of the framework's foreground persistence service

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence

  • Performs UI accessibility actions on behalf of the user

    Application may abuse the accessibility service to prevent their removal.

    evasion

  • Queries the mobile country code (MCC)

    discovery

  • Queries the unique device ID (IMEI, MEID, IMSI)

    discovery

  • Reads information about phone network operator.

    discovery
  behavioral1behavioral2behavioral3