trickmo

General

Target

56a74028bfc73c08da282de29a19d26d0539ea5cee846d6364671fe59e6d99d5
Size

13.6MB
Sample

250321-wpk6zsvvgy
MD5

4ed2da8bc58cd8c0ae53d5d5def307cf
SHA1

54eea6d31336c189f2de9d5e3bee6e4774967bed
SHA256

56a74028bfc73c08da282de29a19d26d0539ea5cee846d6364671fe59e6d99d5
SHA512

ec2895aabf546eb5b8986cd4f5ce16671f49916ac37ea304ec1b3063503221549e128f8e932ef3a932335bf68ef3291b798335e5c0bb77d07cacdc44f098bd6d
SSDEEP

393216:Kr0uOZvwcOFrU5skcpBwNeJKNRUQm9OyrP:KrqbUrU5skcpTJXNrP

Score

10^/10

Malware Config

Extracted

Family

trickmo

C2

http://somakeawish.com/hpuex9yu0lfad7pjoxcl

Targets

- Target
  
  56a74028bfc73c08da282de29a19d26d0539ea5cee846d6364671fe59e6d99d5
- Size
  
  13.6MB
- MD5
  
  4ed2da8bc58cd8c0ae53d5d5def307cf
- SHA1
  
  54eea6d31336c189f2de9d5e3bee6e4774967bed
- SHA256
  
  56a74028bfc73c08da282de29a19d26d0539ea5cee846d6364671fe59e6d99d5
- SHA512
  
  ec2895aabf546eb5b8986cd4f5ce16671f49916ac37ea304ec1b3063503221549e128f8e932ef3a932335bf68ef3291b798335e5c0bb77d07cacdc44f098bd6d
- SSDEEP
  
  393216:Kr0uOZvwcOFrU5skcpBwNeJKNRUQm9OyrP:KrqbUrU5skcpTJXNrP
Score

7^/10

evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  deper.apk
- Size
  
  8.4MB
- MD5
  
  6fd72f1bcccd204a9e0f99a72b423657
- SHA1
  
  06e4d4fd5d84371150bdc541136c873c081f8559
- SHA256
  
  c2925e1433a7f8667540b473c1b7cab2ecce965cf2e8400db81bc740d48f6982
- SHA512
  
  4826b304f119b97d7531d35e32efb59af3675b30c093884827d0b8a58f55cdbe14a77c4068a8cca0c8f499d3c3c09c63c519141ab8422fae774c0666daeae286
- SSDEEP
  
  196608:iBj5dbmzbVdw7Dteuo8cLlqfhGRN9ibn0CyNJn:0qpdw77LslyGsbTcV
Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan
- TrickMo
  TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
  trojan infostealer banker trickmo
- Trickmo family
  trickmo
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection defense_evasion credential_access
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Queries the mobile country code (MCC)
  discovery
- Listens for changes in the sensor environment (might be used to detect emulation)
  defense_evasion
behavioral3 behavioral4