trickmo | d92c8fd829d80c9b0700fd077957d8a00ff17064b001d147233b971aea0e442f | Triage

Sharing

General

Target

d92c8fd829d80c9b0700fd077957d8a00ff17064b001d147233b971aea0e442f
Size

8.8MB
Sample

250322-abmxrsxmz9
MD5

b8749ed305053ea52cb866fd6dd7444c
SHA1

cd9931622abdaca64ee70021965606a199c2bc12
SHA256

d92c8fd829d80c9b0700fd077957d8a00ff17064b001d147233b971aea0e442f
SHA512

6d2dc1cde0dd94ed4ce4abef7334f5e703559a6d2749bbed2cfa264c4b6a5cad45716fcad47f506777f3e73c6dfd23c9d538e607b4012e46227d29362935e5bc
SSDEEP

196608:JbUoY2S7vhEYoQRl90WGQ647qfsrLgbO6JL1gf408gBArrX/s0WbhJ:JbUoYvhN90LH47qUaL1g5tAXPFWbP

Score

10^/10

trickmo android banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

C2

http://somakeawish.com/hpuex9yu0lfad7pjoxcl

Targets

- Target
  
  d92c8fd829d80c9b0700fd077957d8a00ff17064b001d147233b971aea0e442f
- Size
  
  8.8MB
- MD5
  
  b8749ed305053ea52cb866fd6dd7444c
- SHA1
  
  cd9931622abdaca64ee70021965606a199c2bc12
- SHA256
  
  d92c8fd829d80c9b0700fd077957d8a00ff17064b001d147233b971aea0e442f
- SHA512
  
  6d2dc1cde0dd94ed4ce4abef7334f5e703559a6d2749bbed2cfa264c4b6a5cad45716fcad47f506777f3e73c6dfd23c9d538e607b4012e46227d29362935e5bc
- SSDEEP
  
  196608:JbUoY2S7vhEYoQRl90WGQ647qfsrLgbO6JL1gf408gBArrX/s0WbhJ:JbUoYvhN90LH47qUaL1g5tAXPFWbP
Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan
- TrickMo
  TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
  trojan infostealer banker trickmo
- Trickmo family
  trickmo
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection defense_evasion credential_access
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Queries the mobile country code (MCC)
  discovery
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Event Triggered Execution

Broadcast Receivers

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Input Injection

Virtualization/Sandbox Evasion

System Checks

Credential Access

Clipboard Data

Input Capture

GUI Input Capture

Keylogging

Discovery

System Information Discovery

System Network Configuration Discovery

Lateral Movement

Collection

Clipboard Data

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

Data Manipulation

Transmitted Data Manipulation

Input Injection

Tasks

static1

behavioral1

trickmobankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistencetrojan

behavioral2

trickmobankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistencetrojan

behavioral3

trickmobankercollectioncredential_accessdefense_evasionevasionexecutionimpactinfostealerpersistencetrojan