trickmo

General

Target

aba8466f8162846c8adc7be242bb78a346775804de2c14a978d69649b0639c6d.apk
Size

10.9MB
Sample

250224-dzkzvszncm
MD5

548ede0959d30a22484ae452f535a0db
SHA1

7b34fc3a7d4f2d6ce38f3f0de08df80ed4859e27
SHA256

aba8466f8162846c8adc7be242bb78a346775804de2c14a978d69649b0639c6d
SHA512

564feb15f3ff884fee96e3a54793379d969c49d97163d9214707e6c77e50dfe6c61be04dcdb8a444f86ed96844f82a4691093d51f05654ad28ac9c1ad9b618d7
SSDEEP

196608:3XeOWRtCAvekoDLWGxXfyzTn9P3m5AC+FX6JagEQVZxkpUSlPJn:3OX/3xYLpxXfyzjtd3FX61PVZx8USlPp

Score

10^/10

Malware Config

Extracted

Family

trickmo

C2

http://somakeawish.com/hpuex9yu0lfad7pjoxcl

Targets

- Target
  
  aba8466f8162846c8adc7be242bb78a346775804de2c14a978d69649b0639c6d.apk
- Size
  
  10.9MB
- MD5
  
  548ede0959d30a22484ae452f535a0db
- SHA1
  
  7b34fc3a7d4f2d6ce38f3f0de08df80ed4859e27
- SHA256
  
  aba8466f8162846c8adc7be242bb78a346775804de2c14a978d69649b0639c6d
- SHA512
  
  564feb15f3ff884fee96e3a54793379d969c49d97163d9214707e6c77e50dfe6c61be04dcdb8a444f86ed96844f82a4691093d51f05654ad28ac9c1ad9b618d7
- SSDEEP
  
  196608:3XeOWRtCAvekoDLWGxXfyzTn9P3m5AC+FX6JagEQVZxkpUSlPJn:3OX/3xYLpxXfyzjtd3FX61PVZx8USlPp
Score

7^/10

evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2 behavioral3
- Target
  
  deper.apk
- Size
  
  7.3MB
- MD5
  
  c59b52822aa4d008e2b29372ca143179
- SHA1
  
  9adc650d28dd99e8413c3546de9195fa42aefcd5
- SHA256
  
  fb6a726e3888842c21f274ccbd64a30962e1cd12d2472aa8c088fb052819b503
- SHA512
  
  f93c04b9ac5dbf45ef7f4dc1dfd588d45d1a0d5b5959647ab0995d83dbff433d798f84cf9d17e0336a8132a2c5b29b290c5024db2bd641a491c981c9d923a4e2
- SSDEEP
  
  196608:1k3/3jQSRVaVzbzd7u5wmS/l6LgMUyB3p6pez:e/USRVaVfJvR/l6ZNB3pAez
Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan
- TrickMo
  TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
  trojan infostealer banker trickmo
- Trickmo family
  trickmo
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection defense_evasion credential_access
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Queries the mobile country code (MCC)
  discovery
- Listens for changes in the sensor environment (might be used to detect emulation)
  defense_evasion
behavioral4 behavioral5 behavioral6