trickmo

General

Target

47c1a611304c0be57625c0590e06760096ad50ddde3608d77bf78bc82ec80a4d
Size

12.6MB
Sample

250322-aewdbatvew
MD5

b4274768d4b92e28c76989250f4f3850
SHA1

b904fcfba0d78879183c558cf8f3929b254fbc29
SHA256

47c1a611304c0be57625c0590e06760096ad50ddde3608d77bf78bc82ec80a4d
SHA512

c6d06d3ee47498ca850fc0f726b2558787582d8bafbda3dbab804204219a22ad46cc8ae3e47639a19bf6885e059da78d065e6a5db80e46519d688d755fe30fe6
SSDEEP

196608:NGjjVnjqOZoP1qUBOQ5P0ch+bGJpkBT+hK7VHjkf25VCYzMuNrST3pA:NCteOsqwOQqchbYDtk2vYupST3pA

Score

10^/10

Malware Config

Extracted

Family

trickmo

C2

http://somakeawish.com/hpuex9yu0lfad7pjoxcl

Targets

- Target
  
  47c1a611304c0be57625c0590e06760096ad50ddde3608d77bf78bc82ec80a4d
- Size
  
  12.6MB
- MD5
  
  b4274768d4b92e28c76989250f4f3850
- SHA1
  
  b904fcfba0d78879183c558cf8f3929b254fbc29
- SHA256
  
  47c1a611304c0be57625c0590e06760096ad50ddde3608d77bf78bc82ec80a4d
- SHA512
  
  c6d06d3ee47498ca850fc0f726b2558787582d8bafbda3dbab804204219a22ad46cc8ae3e47639a19bf6885e059da78d065e6a5db80e46519d688d755fe30fe6
- SSDEEP
  
  196608:NGjjVnjqOZoP1qUBOQ5P0ch+bGJpkBT+hK7VHjkf25VCYzMuNrST3pA:NCteOsqwOQqchbYDtk2vYupST3pA
Score

7^/10

evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  deper.apk
- Size
  
  8.6MB
- MD5
  
  7c33b8f6e8f2892eb3a96b0b607d36b1
- SHA1
  
  2233fa82bfa466913aed8faa2af26bb318df82da
- SHA256
  
  1c687269db68f08688066ef13e9ff36818fb0c4fdeb552392bd7fda318be84dc
- SHA512
  
  663b9d007977e368bf12c5d395aa88b92f850df792e134201a867ec20efb999cf4df74d5828cd7c23293f49bb00ae0b7abb18296d192e55ae704f0c6b578957e
- SSDEEP
  
  196608:GgMo0kHupyKLg13WJNE/E5N/XaPsj7oYZO+DFgxtw:RMsuyoBr6sZY+hgxe
Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan
- TrickMo
  TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
  trojan infostealer banker trickmo
- Trickmo family
  trickmo
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection defense_evasion credential_access
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Queries the mobile country code (MCC)
  discovery
- Listens for changes in the sensor environment (might be used to detect emulation)
  defense_evasion
behavioral3 behavioral4