trickmo

General

Target

4df101836ec39711255b56a4fa3d2843b3ab6aab675e510953122e4bf6372fe6
Size

12.6MB
Sample

250322-ax12hsxrt7
MD5

6151b95d963680e705b7ac9c94976c2f
SHA1

36f8ae11c1a63aa76dfc9d40e07bcb32f47445ea
SHA256

4df101836ec39711255b56a4fa3d2843b3ab6aab675e510953122e4bf6372fe6
SHA512

5a0d50eacd5c4ee14342d9f1086b3737368e2704b0229f976de467ac95b36e8f72821a9305897b9877842adc1747bab844b06d1e9d6f5966ed8652d6b42ce5ab
SSDEEP

393216:jebElJRwdvKMaOe8Fpc71sgaitiFbyHzgVIZK:jRJ2v0wFeJsPi0O0QK

Score

10^/10

Malware Config

Extracted

Family

trickmo

C2

http://somakeawish.com/hpuex9yu0lfad7pjoxcl

Targets

- Target
  
  4df101836ec39711255b56a4fa3d2843b3ab6aab675e510953122e4bf6372fe6
- Size
  
  12.6MB
- MD5
  
  6151b95d963680e705b7ac9c94976c2f
- SHA1
  
  36f8ae11c1a63aa76dfc9d40e07bcb32f47445ea
- SHA256
  
  4df101836ec39711255b56a4fa3d2843b3ab6aab675e510953122e4bf6372fe6
- SHA512
  
  5a0d50eacd5c4ee14342d9f1086b3737368e2704b0229f976de467ac95b36e8f72821a9305897b9877842adc1747bab844b06d1e9d6f5966ed8652d6b42ce5ab
- SSDEEP
  
  393216:jebElJRwdvKMaOe8Fpc71sgaitiFbyHzgVIZK:jRJ2v0wFeJsPi0O0QK
Score

7^/10

evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  deper.apk
- Size
  
  8.1MB
- MD5
  
  2240488b9d8e26e7a7c5d76a915b08d0
- SHA1
  
  9484cc97cbd0538fe759e8d6f500b94df0c15ba5
- SHA256
  
  882a8aad8dcb9ec62e374a03553c5a7f2f0cc6db66050ca444e8d47d3d1838db
- SHA512
  
  5fd447c6a1584c9155366e806423caf37412ceedaaf5f84ae122d76c81fc8801a1fec86990554fe2ddbb33c0a7e76c89c2f48f83013e2de1d6a9ea4f60352bad
- SSDEEP
  
  196608:cpOsHIcaddwITP6wUAfm122Jl/aPkJ7wspYVoMW/:cpOA25SwUAuMZP87BquH
Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan
- TrickMo
  TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
  trojan infostealer banker trickmo
- Trickmo family
  trickmo
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection defense_evasion credential_access
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Queries the mobile country code (MCC)
  discovery
- Listens for changes in the sensor environment (might be used to detect emulation)
  defense_evasion
behavioral3 behavioral4