trickmo | 37c6da21e2e37daee70d4920b38defb1dc8ffad8cd2488c24f4217b8cb71a33c

Analysis

max time kernel
29s
max time network
41s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
21/03/2025, 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37c6da21e2e37daee70d4920b38defb1dc8ffad8cd2488c24f4217b8cb71a33c.apk
Size

8.1MB
MD5

6cdd2c4acee3178b7edd646e86813eb8
SHA1

5a3f87bca9fc8341125922a10d0b530fe6e1edfc
SHA256

37c6da21e2e37daee70d4920b38defb1dc8ffad8cd2488c24f4217b8cb71a33c
SHA512

3b9923d3d052cc23fd9bfd76f9bf5b302585d06d9ab1fb037e929be20fe550ed2c9e8660a11e9744382efa7209e2aea4b3ae5702c0abb377caebd6a8bd30945e
SSDEEP

196608:WTRxN22XpL6iSgGP/4T/1s6GW78I+KulzSbXIU7Apjv5Lb:YdMI/oI+K7zI39RLb

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://b-fulltime.org/u3n6hcu6te3b46gc

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/framos.ma581.en/app_color/TRAR.json	4503	framos.ma581.en
/data/user/0/framos.ma581.en/app_color/TRAR.json!classes2.dex	4503	framos.ma581.en
/data/user/0/framos.ma581.en/app_color/TRAR.json!classes3.dex	4503	framos.ma581.en
/data/user/0/framos.ma581.en/app_color/TRAR.json!classes4.dex	4503	framos.ma581.en

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	framos.ma581.en

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	framos.ma581.en

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	framos.ma581.en

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	framos.ma581.en

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	framos.ma581.en

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	framos.ma581.en

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	framos.ma581.en

framos.ma581.en
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4503

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/framos.ma581.en/app_color/TRAR.json

Filesize
4.9MB

MD5
c303e02c6071f2d06ab8d70eb37f106c

SHA1
0d19128af08462702f7ce35880b4f391439f9198

SHA256
eca9df8eb5552fb55c212a33e2d2b5cfc0d39ee884993991f7c0ff0ecc66de0e

SHA512
a345994c2d93aad3fa628cd2b81ed60129c2dcebe4294c4c0d8719b1342f266c565c15ade873297f8678e4e2f85cbd6dcc77b1c3a947a152d6eecc99dc1d6a3d

Download Submit
/data/data/framos.ma581.en/app_color/TRAR.json

Filesize
4.9MB

MD5
f6a1ddcf76dbf4ba7f354d008e54bc06

SHA1
4e343c35c409575aec5e10faaa7ec339148b04e4

SHA256
4767a6beefd359f82b729c144b6048baf16fc19e5ed654b6f69458c0a0827e85

SHA512
e58640ce6cc4e18a692bfca6c907d2a802fe05c06655ae20c8f65f534107da288dea21cbb1a54f9ed03f93e3337b7e6f010faf60bbe1fbe183823f4417b2a5ff

Download Submit
/data/data/framos.ma581.en/cache/clicker.json

Filesize
17KB

MD5
d780f836fe54e51872bf31220a4dcb77

SHA1
5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae

SHA256
32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17

SHA512
62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Download Submit
/data/data/framos.ma581.en/databases/a

Filesize
20KB

MD5
91af32c14839a2828ca58297e0861362

SHA1
bd758cc0bb47b570da2061d4633aa998a87ed971

SHA256
5d8e556cf9230390a2ea6e8fe0300bf0d3c28397a75d4d5d1138cf25713d5923

SHA512
9810060201633366b6d13e9b81a2d9fe1adb61e027a215cd05454bbefaa7f6e1a17aae3781eedd8095a398a05f3c7cf03b589f29d1ac4789dfbf61bce25b9fb7

Download Submit
/data/data/framos.ma581.en/databases/a

Filesize
20KB

MD5
951454cc1e2e43b26e1bc1053c8c3d31

SHA1
d835e2e41c992876bde8c92fd41291080cbd391b

SHA256
040ca6ba7ed6bfb66ba342294eb32982bca73a96f64556af53b4983083d5cc3a

SHA512
7fb25cbee5222123d5b00cc21514cf851ea69f95bf7317ba6b412b67f2868e8a4543fedcb854b9ee9178c09756d9a11c131c072841ec348b88d4745dc2253580

Download Submit
/data/data/framos.ma581.en/databases/a-journal

Filesize
512B

MD5
962aa4522bb7dc4bdf911db98a7d600f

SHA1
a9c70d4ef0ddc0e08b04c8d81acdaf1260c20995

SHA256
584daf7e60a59703b7b19bb9302f313d50fde68f1fde604ff1c559a3a348e876

SHA512
54148166c334d0c89d45dba4c4566a6ecfd20a53d47cf2f795545b08955d9f9d978a2858d36225a318f8822c4af86611c2ae431faacb58fb6dd5b618b6e3b321

Download Submit
/data/data/framos.ma581.en/databases/a-journal

Filesize
8KB

MD5
e9546d8aa6b83e15508e98d4926f9851

SHA1
440e70ccb2e0d0974d1142190a34a07367db14a2

SHA256
ee2d6a586114d7981d42986817e3b47988d2e0868228cf86869cdd54b6fd2d8e

SHA512
7164458f12cd22701e14d17ce7ee09d6ee0ee157120c3732f0f4242c72cc1d525011128f28077cb586b90c4f3b049632a3aa6e70d31618399cd015ac892393fb

Download Submit
/data/data/framos.ma581.en/databases/a-journal

Filesize
8KB

MD5
7010fdbec22e12cd0d4dd987f6a07dbe

SHA1
81097809aea0a0b3f4622d2a74873642b62fdcb0

SHA256
6a31cffb550c8e94b66a2b595c96ba2b49c1e19177e7c4d87e52af28e7aea94a

SHA512
6faf970ccfc001a230df6edbbdcd5ef05dcecdc74cf97c5f141237ac3ee040e6e3a8ffa96087653a28b62b9c91db7bc113776157c618067ddf3794a5091a99e1

Download Submit
/data/data/framos.ma581.en/databases/a-journal

Filesize
12KB

MD5
d4117af6f53ded2e8d59ba7a8eb38b52

SHA1
a20fb45bbf62a4a76ef6409534d5bf241210e05c

SHA256
58f3a5c04df08025b043f7c63a05d9494a962d698f779cce2276906f8874646d

SHA512
d08b67fe38887a167fe086e46aa0875af138eae5565c5e5774bd5fb7b28ae902e9ff57abcb394f16df92cd4d87a9e56d62538a51e2d1388b5db2db2ec1fd5177

Download Submit
/data/data/framos.ma581.en/files/framos.ma581.en

Filesize
256B

MD5
88a32c160ac328525c657f53c52d16fa

SHA1
f4cd7008447d088ac4a9a2f11da1968aa0a9454c

SHA256
19c411346598c27a83da945f75634a81e438489ccce4fa433fef27c5924a58e2

SHA512
6de5ac88c7e98198dc5c24e574868225a605f836bf7060595ddeb6465b8b1b9a5885ce2ee01fdf6fafa05f042c2f4328ee9d5734599c8ae17266e5e5fb139476

Download Submit
/data/data/framos.ma581.en/no_backup/androidx.work.workdb

Filesize
4KB

MD5
0eb157e1a86d4d00aa601dd2f6ff3ee3

SHA1
fee434f784e73cc7916322e949f727caf8363102

SHA256
b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4

SHA512
b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

Download Submit
/data/data/framos.ma581.en/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
12b936628b0a3ff98ff9f0a06d242430

SHA1
89fc9122bb9663aa8c1d29acc61ca883af584ac3

SHA256
1dee632440b92c500cc5db0327ef0e9c4052f662dcb26cdbfc040ad85ae7e023

SHA512
45bcd537d4ba1843e2c6b4119b8509a54b66e8cbe45398e1e659d9d1fa64c4d8c948ec8c2f9d0369e2c1dd732fb8439ab2df5cd053dd7865d2d5dc776ed9c262

Download Submit
/data/data/framos.ma581.en/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/framos.ma581.en/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
5334ca737c89b0a5b7e7fbc6cd7874ef

SHA1
4e680cbf6458cd38ab287bf0d65ce0b66883b88a

SHA256
9ef237cb0c8d64df7c8d8d15fb4c2da2ab94babbd58223d6c2c68163efcbd1b0

SHA512
07a9f49c778c6be2abe3c8c479fa35b1285dddca16b123dba4ab9656c404741ae0efde2c58057186a83d5a23cad258805906995dc42742dcf8a106ca89bcc295

Download Submit
/data/data/framos.ma581.en/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
07371d38fcc8c77e265a819d02b572a0

SHA1
74e0568f325873659930f189725a9aa1ded1245f

SHA256
5401b4b045a4b7c5f81e7df5be773c4887e462eb906a48c3d98968f9ee897964

SHA512
0e4d55913d3780a61e8169f3244892effa7b517a994966291aa9577d1c3b1167080e355edab1097f1110a29dd8bd4e42ccbdd2b0025683bee7337cd7edc5abb5

Download Submit
/data/data/framos.ma581.en/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
ecd8e4483256f912d2fbd437eb9becc3

SHA1
a286aa0fc2bfe7d2acab10caae549c2847368c5b

SHA256
ba8fe9d9574415ef37d181279c38e0f2939b4c3510214f5355a2bf578f831610

SHA512
49f84818efe03b07a61ecf340df565879b0c8bbf9d790da92e5ffe7c1f24181f093cdc97cf8cf76d35a1203818eaeb4d989919a4ce28ba00972f6bc628c0c619

Download Submit
/data/user/0/framos.ma581.en/app_color/TRAR.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/framos.ma581.en/app_color/TRAR.json!classes2.dex

Filesize
308KB

MD5
76e304dbdf41c2a5273aab2d96aaf04a

SHA1
25f8b53f1200fa92938408279bac568d6b266e53

SHA256
25230fe4edc293753e49079e014984510c447c5ff2b0fc690cc52bd7749690fe

SHA512
9e58560c1dcea1e5105c51ce22d5e6286d24383bf28cdd5241c009f3fcaecdb0ec4dc2441967a7977e14963a340d405a8eb6d3c3286a734aa98ba811a6146f4d

Download Submit
/data/user/0/framos.ma581.en/app_color/TRAR.json!classes3.dex

Filesize
265KB

MD5
0fb703879afb0f2a30ed760031c209a4

SHA1
040a7447e04eb4b7b901acd3808e1198b4901dec

SHA256
b88c1487aadeec90bee8d5af7e4aa3d245f6992ccd67dc09d1c4bec527f2e79d

SHA512
219b314c2486780ea7f1cd8b49e50b38f5d179d7965204586c1cebd22b909cf92674ba82dbbd5e611aa04e1e04f5211c2f60387b4aa5491085b52810b7f96b1f

Download Submit
/data/user/0/framos.ma581.en/app_color/TRAR.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/framos.ma581.en/cache/logs/log.txt

Filesize
83B

MD5
3966e1a2a98874525bcb419846bf8e16

SHA1
05870d4bac3ec91132379999d6e2a9c28b7d1f91

SHA256
bb37d54164c189c8bf423466e50da3e14045a018c0c9f390df2d2972510e63d7

SHA512
17d3fdb3443d957a04553229c0f2664923f63896d85365e98f14b1daed3194c6e38fdeaf79352bb666902337b0cdbd24d657669a507ff2533b120762d4d2b218

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads