trickmo

General

Target

TikTok18.apk
Size

11.2MB
Sample

250224-mfmh1sxjz9
MD5

f20e95261bf244f7b7c8df748fd7885d
SHA1

2a5ceeaba1825ccc1c8cdaf86cd0fb6827c3f4f5
SHA256

81c8136a260fff29b8e46a620cd1e8d6e88bd8b9f55e0cf8ee0ec952f5292804
SHA512

e739a635a19efb641deb6645134084b3dea2ca8d665cd6c2103a10ed1b85b4a7e990aff6c60d76487ed4a23c3cdeb4db1da92d9b0e42987d674b1077bfd20f40
SSDEEP

196608:veGPrPXn8o57/mOCq3LoFfret42buc+qiwh+siRjugUU55zmjeQM5QPYCy2LcD:ve2b8oN/tR3Lkry42bYqii+syjbUUvsM

Score

10^/10

Malware Config

Extracted

Family

trickmo

C2

http://regtoyou.com/amvgaghabjvlamkmms

Targets

- Target
  
  TikTok18.apk
- Size
  
  11.2MB
- MD5
  
  f20e95261bf244f7b7c8df748fd7885d
- SHA1
  
  2a5ceeaba1825ccc1c8cdaf86cd0fb6827c3f4f5
- SHA256
  
  81c8136a260fff29b8e46a620cd1e8d6e88bd8b9f55e0cf8ee0ec952f5292804
- SHA512
  
  e739a635a19efb641deb6645134084b3dea2ca8d665cd6c2103a10ed1b85b4a7e990aff6c60d76487ed4a23c3cdeb4db1da92d9b0e42987d674b1077bfd20f40
- SSDEEP
  
  196608:veGPrPXn8o57/mOCq3LoFfret42buc+qiwh+siRjugUU55zmjeQM5QPYCy2LcD:ve2b8oN/tR3Lkry42bYqii+syjbUUvsM
Score

7^/10

discovery evasion persistence collection credential_access impact
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Declares broadcast receivers with permission to handle system events
- Declares services with permission to bind to the system
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Queries the mobile country code (MCC)
  discovery
- Requests dangerous framework permissions
behavioral1 behavioral2 behavioral3
- Target
  
  deper.apk
- Size
  
  7.0MB
- MD5
  
  29759b117a6ecbb109eb13b61eacc875
- SHA1
  
  e43ca6077982d51cac30cd400c667e9f49265945
- SHA256
  
  b35d3b94968603813ae26c35442b7d254c4d670aa299cb7439f083d46ff50bc9
- SHA512
  
  a21c4265b91fecc60886c3ebe48c47dd15890b6f451e4450e3ba2cc8ba595b3d2f4d8ef4864883d41cef65217f44e2d6a5d34df4bba69832ff77e0413673c0be
- SSDEEP
  
  196608:WJnJLjXIH/aMTuMkqM6rwii11a6mOt9XkRsCA/gex:EJv2aMT4qM0wiG15mOfis94ex
Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan
- TrickMo
  TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
  trojan infostealer banker trickmo
- Trickmo family
  trickmo
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection defense_evasion credential_access
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Queries the mobile country code (MCC)
  discovery
behavioral4 behavioral5 behavioral6