trickmo | 47c1a611304c0be57625c0590e06760096ad50ddde3608d77bf78bc82ec80a4d

Analysis

max time kernel
29s
max time network
30s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
22/03/2025, 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deper.apk
Size

8.6MB
MD5

7c33b8f6e8f2892eb3a96b0b607d36b1
SHA1

2233fa82bfa466913aed8faa2af26bb318df82da
SHA256

1c687269db68f08688066ef13e9ff36818fb0c4fdeb552392bd7fda318be84dc
SHA512

663b9d007977e368bf12c5d395aa88b92f850df792e134201a867ec20efb999cf4df74d5828cd7c23293f49bb00ae0b7abb18296d192e55ae704f0c6b578957e
SSDEEP

196608:GgMo0kHupyKLg13WJNE/E5N/XaPsj7oYZO+DFgxtw:RMsuyoBr6sZY+hgxe

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://somakeawish.com/hpuex9yu0lfad7pjoxcl

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/neuli.ter584.li/app_coin/cb.json	4435	neuli.ter584.li
/data/user/0/neuli.ter584.li/app_coin/cb.json!classes2.dex	4435	neuli.ter584.li
/data/user/0/neuli.ter584.li/app_coin/cb.json!classes3.dex	4435	neuli.ter584.li
/data/user/0/neuli.ter584.li/app_coin/cb.json!classes4.dex	4435	neuli.ter584.li

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	neuli.ter584.li

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	neuli.ter584.li

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	neuli.ter584.li

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	neuli.ter584.li

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	neuli.ter584.li

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	neuli.ter584.li

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	neuli.ter584.li

neuli.ter584.li
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4435

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/neuli.ter584.li/app_coin/cb.json

Filesize
4.9MB

MD5
4140eaecd3a5123aa884c15856b4a9cb

SHA1
91683896b9f15479c35af075501a9d1739af8803

SHA256
95f8117d805ee5196fe750c970d8cd238f49430d2d1fa08f0b8bb51206996db3

SHA512
e97c3fb4012ec58e066500b65d07a15c1ccba05b91f18f1b216547547b77e6a4afd3a635ce06657cd1bf301c90983ec4bf8bcb4896059713fcad22ac29a2f58c

Download Submit
/data/data/neuli.ter584.li/app_coin/cb.json

Filesize
4.9MB

MD5
ad6ec3c1167f0718bcccbfdfbaba165e

SHA1
11524c3583591da843dd492ba9b2df967dd2d78d

SHA256
1418cc2f8a55028e45bcdacbcdc025ec1b6e7678a9a7875ddfdb769419e5051c

SHA512
26f99458d25ea77386356c42f21bf29c5ac8fd1bd3f615567ba019bcdc03493c3ab52055fdc6d7917971729f50e3a3f09d94e6143f69b273fec1481e26a56ac3

Download Submit
/data/data/neuli.ter584.li/cache/clicker.json

Filesize
20KB

MD5
2a08aa3691d360c2ff0815d0b7812fde

SHA1
50c37f212fd78fb89ecb00f81656723ef28fd53f

SHA256
ec0eacdcb736f245853bb430a97dfcd3dbf0e6abf43733470db53fbebcdd0e2c

SHA512
d9243b6ea042f3d0014ecd1f1afc1e71e9da1fca40f36d3a3e0bcdcb91badc7e892a2944c994a267ad3efdd94e78c17db9afd461d2858d189f4b42c622897b89

Download Submit
/data/data/neuli.ter584.li/databases/a

Filesize
20KB

MD5
91af32c14839a2828ca58297e0861362

SHA1
bd758cc0bb47b570da2061d4633aa998a87ed971

SHA256
5d8e556cf9230390a2ea6e8fe0300bf0d3c28397a75d4d5d1138cf25713d5923

SHA512
9810060201633366b6d13e9b81a2d9fe1adb61e027a215cd05454bbefaa7f6e1a17aae3781eedd8095a398a05f3c7cf03b589f29d1ac4789dfbf61bce25b9fb7

Download Submit
/data/data/neuli.ter584.li/databases/a

Filesize
20KB

MD5
6f608a4c575a2e5f931b5b9220fb909b

SHA1
d304c6aeeb6321ea8229157787f118b46467904c

SHA256
f2331afa30f1208b68a0ee1c348411d398eaafa1a013730d2a9d8324be0baded

SHA512
277e3989d2f85e7478ec6adaaf7dc91f4813063e81331538123f0b0d1e19ae61db97d83895c7efa1bebc9991165fbbcb1ef4d2b967ef080eac0b269f37961ddd

Download Submit
/data/data/neuli.ter584.li/databases/a-journal

Filesize
512B

MD5
d6a91bbd585aa61c3a9299ef0b7e91f3

SHA1
99a9c4982d20906dd223419703ad1230eb8134cd

SHA256
b15abdc8e784d5a1c3549f32def628ddadebd5f638580fcf5fbb060d1e65dd33

SHA512
ea56231d86a0a99c1871dc4a65649bbd8079173709abbbab2bd069326ff2067e400e0891000da7486777fe14bc000863cf52fb792f9b39685f7c5618e7fff1b2

Download Submit
/data/data/neuli.ter584.li/databases/a-journal

Filesize
8KB

MD5
cdb6d0f2fe31e1cc798e2cbe50090865

SHA1
c3b0b948463548a329efe1b2e125be5b3d12825d

SHA256
c74e1235505e4d4e916e03a2246b5f3f14a5d622c7d0605adf8bfae88f5b3feb

SHA512
924d16555d0b5748d8ffb1509423a20c7f0bcf5613d01deba076e516be0ec06f3ac9d425beca488f59eb010e4bf884e9acb95b5e39693c4297711d740cc53e3d

Download Submit
/data/data/neuli.ter584.li/databases/a-journal

Filesize
8KB

MD5
68ebf88b86c735e2519349bf1689d571

SHA1
851f1f3456d32e407acd3385a8aab874bdda374b

SHA256
6e75d4420d411ae0d25dd56e5e7ce96f3b9f543231c387475ccdaf0290ba0220

SHA512
553b2f677e0e7c1feb43838108aabf65465acb02c9ed2160c0305b6778d630ada8d4d173394513d4a4b4aa944350a560d3307df3ec4de34886775844bc2d67b1

Download Submit
/data/data/neuli.ter584.li/databases/a-journal

Filesize
12KB

MD5
c34bed3e0a9208eae10d5180fbbd4a14

SHA1
890e543f42c5c1de3d1df3312037a6d20605cb1e

SHA256
0060d68dcc5b7e62adf9c3e9d073b16a90fb0375b46bc6cbe02a6cefb321f070

SHA512
e05a33b4fa28b514617d7a67af9772676b04ea9527830626714d22a13befe565533d0d8df435010fb5bb3a02fccba865497e6767b8d0e4a2d029670a5e710b29

Download Submit
/data/data/neuli.ter584.li/files/neuli.ter584.li

Filesize
256B

MD5
3f515803c1f57178cdfcdd37fc504b30

SHA1
41a057cbc86392e1472ab77ef5f7f7ec9c7e13d7

SHA256
e861670fa25575a0bc44b09131b8199e8a24d8928248a2233b8f94ee44c7fede

SHA512
bb86414686603915f5d53fc0b277166fcd8e24c12ec816a4acd842143c7770f99d41781fad66513b1738b3f61c3e6fd066c584753c4cf92b17386152ed9b431a

Download Submit
/data/data/neuli.ter584.li/no_backup/androidx.work.workdb

Filesize
4KB

MD5
0eb157e1a86d4d00aa601dd2f6ff3ee3

SHA1
fee434f784e73cc7916322e949f727caf8363102

SHA256
b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4

SHA512
b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

Download Submit
/data/data/neuli.ter584.li/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
21e12e09ce8f49f0badd5b77cd2459e3

SHA1
def0599e611b1a24c2270509646ca1880e95ece0

SHA256
5639ed45693c43a2cb2611716598ddf4c177944284fcabfae42aaf02e655b091

SHA512
2e938c75903a39f184fe3ea3abe497f3d56c69548f3bdf895446acb79b482deb0cebbe3ce50dd4e75f71519e69ef925bca7b94488c9d7e69166c5b688ded8db2

Download Submit
/data/data/neuli.ter584.li/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/neuli.ter584.li/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
06ef4ea28a2b6bef60877b911e817add

SHA1
933fe7696c375d84f6c058b585fd0313ca48ee2f

SHA256
b025da967f4b1cf5ab87bc8192c787f9a681972ed67eb9ded1b522315e9356f4

SHA512
1819b463fc0f8db1d02d6680a00654cb5ee138ca287f4cfaaa72b64edd67f6531d8ed6e53f23e8321040767ebe338aa0acf11ca9f3f5c291cf0515e2cd82a34f

Download Submit
/data/data/neuli.ter584.li/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
72ceda82aa529d6beec330c2e96f168d

SHA1
aacd3a9b171336df2c74919407865d6b77bb3975

SHA256
816d6a4e9ce36970e629c7af8bcf8239ab3b455ca6ba4ed1a0b291aa888d0feb

SHA512
643035757a2d66a176bc9570a7e7a6d86a3cec5a4d3bb4b578bc604e4b3bbd9dbd2ba8176f18d46308305e5833ed916aaf7d3cc48ea713bd5c113ea3fcfb4d35

Download Submit
/data/data/neuli.ter584.li/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
5a980d7729b406a3daf1fd9bdd92e4f7

SHA1
890c0e77d25bf5a5eddde4b4b6cbbed3067ed33a

SHA256
8bb8952a1d278bb0f08bf257cb4440160698166af6a93ed5c6b2b48cfa5b51bd

SHA512
2a021c53b3989fde5da9e3498bb233f74626ab2ba38c1c4c946c5e1f12af74315dc2ad733a8f0afd38aa4a9b968d5fcefd3b695af2813c1d58c7801ddf69ab1a

Download Submit
/data/user/0/neuli.ter584.li/app_coin/cb.json

Filesize
10.9MB

MD5
35d4cda95e19e9be467673c78e1e2fa2

SHA1
3868d4dda794c360f57ba650c332b39ce5c68d8e

SHA256
6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746

SHA512
577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Download Submit
/data/user/0/neuli.ter584.li/app_coin/cb.json!classes2.dex

Filesize
308KB

MD5
c9b33ee563c706b95589b51a77666972

SHA1
dd4c6f1659a1037faed9fc8d77ba87097833f0b9

SHA256
26a158276b2ae50288d03b58676ec21fa272053e062f006a185cddf6e84fb5b8

SHA512
339714c27e675cca9bfa55f2f23c09945aa311af06965c851b5fddd8792552b23284ad93e2c3f0f2db3387e63d674ba5995625e94ddbc773bf3f4b7801294b22

Download Submit
/data/user/0/neuli.ter584.li/app_coin/cb.json!classes3.dex

Filesize
265KB

MD5
6716a37b3c2cf93aaeca8c3cfdc8432d

SHA1
f56e7d26afed360f74cc0bd9693074d81c50cce8

SHA256
47f93d71390617553f8e23eec1d18c9a28e87982d7d83302b00983a6e552df51

SHA512
2ca3515ca4619d4bebd0315042f83ef89af968a3252852fd6239c28b14b8bb0b8cf3734be78fb32a42a14772a6b025a98940878ebbe3cd90b6d32b5920a356c5

Download Submit
/data/user/0/neuli.ter584.li/app_coin/cb.json!classes4.dex

Filesize
1.7MB

MD5
30465152db261852e3a226a666ec4304

SHA1
442a188e07db85653022734d0a8537d4312aef38

SHA256
c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4

SHA512
3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Download Submit
/storage/emulated/0/Android/data/neuli.ter584.li/cache/logs/log.txt

Filesize
83B

MD5
4fed541c322e2686dc4ca258d3465b17

SHA1
6764d86b2d309ae189226baaa1a392d61954e837

SHA256
0341a08f4b9f4cbe400e9a0d54bf09001c2c90d7d8d76b19fc7ae1d298c5f8b7

SHA512
b471f55a4255627566b69937224495b3027148dbdddd468620600d1574e95148aa5ae8c7261a8b13c497a167aa67f2fb0b104e9ffd665b9465bf8e148bdf49fb

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads