trickmo

General

Target

9e5da5bf917acd4132c8b3d4b63af9b23d7bc16e71e51bffcd4a82162e598394
Size

12.8MB
Sample

250321-wctbtsyj19
MD5

f5071e7fe4f8d85ece2e28d678a2b7e2
SHA1

4a6fd8b9a7132089420de178f294466166081e7f
SHA256

9e5da5bf917acd4132c8b3d4b63af9b23d7bc16e71e51bffcd4a82162e598394
SHA512

0585e7d2bb7f07c8616025fc51b9d091b147572437936add16358f5b3ecf35acc91bb178dcb90f0e81ebbe99d9f533ddd3436e7623ea16f4574315f78395d584
SSDEEP

393216:ZZD8O1T+BHMRrmIk08UVryK9+gtLbrNbaEetg:nIOmsRrZk08UgKg2LPNLetg

Score

10^/10

Malware Config

Extracted

Family

trickmo

C2

http://monster-truck-mx.info/c

Targets

- Target
  
  9e5da5bf917acd4132c8b3d4b63af9b23d7bc16e71e51bffcd4a82162e598394
- Size
  
  12.8MB
- MD5
  
  f5071e7fe4f8d85ece2e28d678a2b7e2
- SHA1
  
  4a6fd8b9a7132089420de178f294466166081e7f
- SHA256
  
  9e5da5bf917acd4132c8b3d4b63af9b23d7bc16e71e51bffcd4a82162e598394
- SHA512
  
  0585e7d2bb7f07c8616025fc51b9d091b147572437936add16358f5b3ecf35acc91bb178dcb90f0e81ebbe99d9f533ddd3436e7623ea16f4574315f78395d584
- SSDEEP
  
  393216:ZZD8O1T+BHMRrmIk08UVryK9+gtLbrNbaEetg:nIOmsRrZk08UgKg2LPNLetg
Score

7^/10

evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
behavioral1 behavioral2
- Target
  
  base.apk
- Size
  
  7.6MB
- MD5
  
  3be791e432b3ef50c0c947968afb41b1
- SHA1
  
  6aecf3056085a44d709879f726b36447ee9f5610
- SHA256
  
  6c968e052fdb59730897cc37a0e61e69a8c5a20f04400c0276534ae0604c430d
- SHA512
  
  9def8ad356092a24e936c735b9fb3122a7dfa559c5b2ba2ac8e92428accf4bfadff77c51e893acb917fc6b758de99986c66bd90d8135d5ac89e99e1dd5d952b6
- SSDEEP
  
  196608:xtK7pfMaBf8C4GfJCtMJCp1Uawqy+DbufUVjv5Lpb:/u1MokCdfEwfqypkRLZ
Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan
- TrickMo
  TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
  trojan infostealer banker trickmo
- Trickmo family
  trickmo
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection defense_evasion credential_access
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Queries the mobile country code (MCC)
  discovery
- Listens for changes in the sensor environment (might be used to detect emulation)
  defense_evasion
behavioral3 behavioral4