ermac | 1b3c98ff4d21d7b106e8efe098a4c2b048be3a1be0d202d6f522907af4239019

Sharing

Copy URL

Twitter E-mail

General

Target

1b3c98ff4d21d7b106e8efe098a4c2b048be3a1be0d202d6f522907af4239019.bin
Size

1.1MB
Sample

240501-1xb1haha8w
MD5

ff689eb1fe167ffbcee6633c5b14ba7c
SHA1

d2c49bf3c93d707eb2895254b13121ce44ccf99f
SHA256

1b3c98ff4d21d7b106e8efe098a4c2b048be3a1be0d202d6f522907af4239019
SHA512

8e0e08e818f35dd85ec60c343b654eb3fa92ee715a56f3aa4f40b9284bb14c9c16f133328a8066e8adf89df2e8ed0e767e32070b950896c1355d4d7f235301b2
SSDEEP

24576:CG46H8f31UBrpbakdGnGsgTZR/I7qfVN7WojyO3sp3g/lnjB:Q6WitaYGnZeZR/I7QNaXosp3g/dB

Score

10^/10

Malware Config

Extracted

Family

hook

http://93.127.202.69:3434

AES_key

Targets

- Target
  
  1b3c98ff4d21d7b106e8efe098a4c2b048be3a1be0d202d6f522907af4239019.bin
- Size
  
  1.1MB
- MD5
  
  ff689eb1fe167ffbcee6633c5b14ba7c
- SHA1
  
  d2c49bf3c93d707eb2895254b13121ce44ccf99f
- SHA256
  
  1b3c98ff4d21d7b106e8efe098a4c2b048be3a1be0d202d6f522907af4239019
- SHA512
  
  8e0e08e818f35dd85ec60c343b654eb3fa92ee715a56f3aa4f40b9284bb14c9c16f133328a8066e8adf89df2e8ed0e767e32070b950896c1355d4d7f235301b2
- SSDEEP
  
  24576:CG46H8f31UBrpbakdGnGsgTZR/I7qfVN7WojyO3sp3g/lnjB:Q6WitaYGnZeZR/I7QNaXosp3g/dB
Score

10^/10

hook collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
- Hook
  Hook is an Android malware that is based on Ermac with RAT capabilities.
  rat trojan infostealer hook
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Removes its main activity from the application launcher
  stealth trojan evasion
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Queries information about running processes on the device
  Application may abuse the framework's APIs to collect information about running processes on the device.
  discovery
- Queries information about the current Wi-Fi connection
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Registers a broadcast receiver at runtime (usually for listening for system events)
  persistence
- Requests enabling of the accessibility settings.
- Acquires the wake lock
- Reads information about phone network operator.
  discovery
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Hook

Makes use of the framework's Accessibility service

Removes its main activity from the application launcher

Makes use of the framework's foreground persistence service

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Queries the phone number (MSISDN for GSM devices)

Registers a broadcast receiver at runtime (usually for listening for system events)

Requests enabling of the accessibility settings.

Acquires the wake lock

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

behavioral3