Overview

overview

10

Static

static

6

52c86ec4b0...fc.apk

android-9-x86

10

52c86ec4b0...fc.apk

android-10-x64

10

52c86ec4b0...fc.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    19/03/2025, 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    52c86ec4b0e05589e620929c2d274cb702991ada0241ddbe985bd36e6c3b69fc.apk

  • Size

    3.7MB

  • MD5

    f22aaff1a86b5e39f89271edb5760859

  • SHA1

    529a4bf198d7ff202e2709ff8280cc2f2562c415

  • SHA256

    52c86ec4b0e05589e620929c2d274cb702991ada0241ddbe985bd36e6c3b69fc

  • SHA512

    a520ee4ab26dc47f16e261f8bc716030c793ff09ef1582f08511d432d4a651b652a1e3a7e2b4e1283b8ed14e87c04ceab7dab4fa5fb9a7d6bf6d4cb0eb6bd350

  • SSDEEP

    98304:TJzPxd4f3eT64q1lib7XILy3aDgt0LVH0jqm:92lcLcDi0eqm

Score
10/10
ermacbankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

ermac

C2

http://176.111.174.191

AES_key
AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac family
    ermac
  • Ermac2 payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 11 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    defense_evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.nsbkdmlvu.govhtfuxg
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4772

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.nsbkdmlvu.govhtfuxg/app_app_dex/scvqqhg.nog
    Filesize

    1.3MB

    MD5

    ef469d07bc784afa035fc906a6dd83c3

    SHA1

    324b4e4866b5c9852a92cec6a67083e2570ab286

    SHA256

    8cf2615c1a05fe93df385165b2ce7f29ed1495a71a8d29b56ac9f2a0ee91d5e0

    SHA512

    039b534b9c94c7c8b01669ab510dd6fc7548a9e8135ad79c9786d0d51469f40c52c0d03fef7468ac659c43dad771b5c19b9440c7f9d390d117a7c389b3b12764

    Download Submit

  • /data/data/com.nsbkdmlvu.govhtfuxg/files/ilodfd.rwu
    Filesize

    22B

    MD5

    76cdb2bad9582d23c1f6f4d868218d6c

    SHA1

    b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

    SHA256

    8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

    SHA512

    5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

    Download Submit