trickmo

General

Target

26b7c0b09bf02742ce0a07d7584a20c3bf78382d696e5e76f0dcc4b5da9425bb
Size

13.5MB
Sample

250322-akyevsxpt6
MD5

daeef69481050078388141a95cf5aa6d
SHA1

c0cbfefd361a15bf8ec180f7da35bcfba3ea4593
SHA256

26b7c0b09bf02742ce0a07d7584a20c3bf78382d696e5e76f0dcc4b5da9425bb
SHA512

96e711b122504c0489019e366869b622d1c26f766c2adb05c8c4d431b74c8e35376c7c9180293326b17b58379629ab65e371f2180416e1602cb60fde321b3800
SSDEEP

196608:ZqHM1pMza6/6a4OAY8kl4gCnLyZvP84RnI39qpIsEsptCZGSfbgVLbNfEtv5bHf:ZhpMORh3kl4Z+6II3Owspt0MVBwBb/

Score

10^/10

Malware Config

Extracted

Family

trickmo

C2

http://b-always-free.org/u3n6hcu6te3b46gc

Targets

- Target
  
  26b7c0b09bf02742ce0a07d7584a20c3bf78382d696e5e76f0dcc4b5da9425bb
- Size
  
  13.5MB
- MD5
  
  daeef69481050078388141a95cf5aa6d
- SHA1
  
  c0cbfefd361a15bf8ec180f7da35bcfba3ea4593
- SHA256
  
  26b7c0b09bf02742ce0a07d7584a20c3bf78382d696e5e76f0dcc4b5da9425bb
- SHA512
  
  96e711b122504c0489019e366869b622d1c26f766c2adb05c8c4d431b74c8e35376c7c9180293326b17b58379629ab65e371f2180416e1602cb60fde321b3800
- SSDEEP
  
  196608:ZqHM1pMza6/6a4OAY8kl4gCnLyZvP84RnI39qpIsEsptCZGSfbgVLbNfEtv5bHf:ZhpMORh3kl4Z+6II3Owspt0MVBwBb/
Score

7^/10

evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
behavioral1 behavioral2
- Target
  
  base.apk
- Size
  
  7.9MB
- MD5
  
  f525baeadeacf35b7ad1a678704ddad6
- SHA1
  
  6126abb50a4842799ac33e4a39434e43475a6a0d
- SHA256
  
  8773345e94b7f8ec7ed5515e507f72ad7358ecf7efca360a719ac7a39d18456c
- SHA512
  
  daa597e2f6d2eefc9fb8f7c349b6a51a9e059a3a7d90ceed9f6c7ed71776ebf4a2b7c8aeabd984f800420cf3cdef0f3526dcf0685a94db7380bf0df2bb4cab7e
- SSDEEP
  
  98304:wNDTv2Eq7sH83EhsrdbQ6r9dFb2LhqtVTKMiXPGYMKNG0rz4fqW7HCfGsG+x6zZV:ubc+8bQmO0XTg/GY5NGxlJPzZvjv5Lt1
Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan
- TrickMo
  TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
  trojan infostealer banker trickmo
- Trickmo family
  trickmo
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection defense_evasion credential_access
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Queries the mobile country code (MCC)
  discovery
- Listens for changes in the sensor environment (might be used to detect emulation)
  defense_evasion
behavioral3 behavioral4