trickmo | 702d8ae90b3535bf923522cdce541922065fd31c23356474d04c29245ef153ab | Triage

Sharing

General

Target

702d8ae90b3535bf923522cdce541922065fd31c23356474d04c29245ef153ab
Size

8.6MB
Sample

250322-a6jtlat1a1
MD5

1e601badb689ec4328e7206483f7fc8f
SHA1

d103db4da641e5dad66226087c45a92f5a35ec3d
SHA256

702d8ae90b3535bf923522cdce541922065fd31c23356474d04c29245ef153ab
SHA512

91b042429caf3ec6709f816d80f95930fdf4bd81965ea7e4232b7d3bdf4560aba64e0e181d5186896dff49137644915381f166835863be2627928882bd77298b
SSDEEP

196608:oOsWNIJ8HMmitHQfX1BSNlit0XvuYznJcTZBzhBfCR:/Ps01gNlit0Xv7zGLzh8R

Score

10^/10

trickmo android banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

C2

http://somakeawish.com/hpuex9yu0lfad7pjoxcl

Targets

- Target
  
  702d8ae90b3535bf923522cdce541922065fd31c23356474d04c29245ef153ab
- Size
  
  8.6MB
- MD5
  
  1e601badb689ec4328e7206483f7fc8f
- SHA1
  
  d103db4da641e5dad66226087c45a92f5a35ec3d
- SHA256
  
  702d8ae90b3535bf923522cdce541922065fd31c23356474d04c29245ef153ab
- SHA512
  
  91b042429caf3ec6709f816d80f95930fdf4bd81965ea7e4232b7d3bdf4560aba64e0e181d5186896dff49137644915381f166835863be2627928882bd77298b
- SSDEEP
  
  196608:oOsWNIJ8HMmitHQfX1BSNlit0XvuYznJcTZBzhBfCR:/Ps01gNlit0Xv7zGLzh8R
Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan
- TrickMo
  TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
  trojan infostealer banker trickmo
- Trickmo family
  trickmo
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection defense_evasion credential_access
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Queries the mobile country code (MCC)
  discovery
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Event Triggered Execution

Broadcast Receivers

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Input Injection

Virtualization/Sandbox Evasion

System Checks

Credential Access

Clipboard Data

Input Capture

GUI Input Capture

Keylogging

Discovery

System Information Discovery

System Network Configuration Discovery

Lateral Movement

Collection

Clipboard Data

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

Data Manipulation

Transmitted Data Manipulation

Input Injection

Tasks

static1

behavioral1

behavioral2

trickmobankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistencetrojan

behavioral3

trickmobankercollectioncredential_accessdefense_evasionevasionexecutionimpactinfostealerpersistencetrojan