trickmo | 0b536b95b5a65c6f79546adc9c7ff0902019af1742b22fdbe4f4370b3089bc84

Analysis

max time kernel
29s
max time network
36s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
22/03/2025, 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b536b95b5a65c6f79546adc9c7ff0902019af1742b22fdbe4f4370b3089bc84.apk
Size

8.0MB
MD5

090d40fa8f1a3550ebdfe3241872dc0e
SHA1

5c08a70b4e2fed4683fb49718a487e94b78acdb3
SHA256

0b536b95b5a65c6f79546adc9c7ff0902019af1742b22fdbe4f4370b3089bc84
SHA512

a0258167d857a5531dc052a0f31468c986e19dc445ee1a434d9887e20afd757ad25b8a8cb838661c29b174326e8171d5622dccfceb673919ec2cf61bf814a4f5
SSDEEP

196608:ZM1V0jsGDszhM9zSMI/bFa3mAAcFpYYXCTLWHozfkoHdQpz+:aK/ozhlMISxJSTLWo/i4

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://techpoint.cn.com/c

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/tibo.sa194.seatt/app_chest/uX.json	4512	tibo.sa194.seatt
/data/user/0/tibo.sa194.seatt/app_chest/uX.json!classes2.dex	4512	tibo.sa194.seatt
/data/user/0/tibo.sa194.seatt/app_chest/uX.json!classes3.dex	4512	tibo.sa194.seatt
/data/user/0/tibo.sa194.seatt/app_chest/uX.json!classes4.dex	4512	tibo.sa194.seatt

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	tibo.sa194.seatt

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	tibo.sa194.seatt

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	tibo.sa194.seatt

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	tibo.sa194.seatt

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	tibo.sa194.seatt

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	tibo.sa194.seatt

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	tibo.sa194.seatt

tibo.sa194.seatt
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4512

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/tibo.sa194.seatt/app_chest/uX.json

Filesize
5.2MB

MD5
08b2dcac6d95bf9169b65abf96d18f4c

SHA1
a52d56ff6eb43cb92f9a656a3c53d7fd146cc1a2

SHA256
5bacec5809058c0e576f8881095d244c14b84a736610fff89a7593dc1e9473be

SHA512
4b00793d96d5a59e01a9decddfdc853ab3e2419be0833899bc61baee5d76fbf06de8b92270477ec91c983308305c75f7b3f965548fe6b62edbcbbe68dbd0a149

Download Submit
/data/data/tibo.sa194.seatt/app_chest/uX.json

Filesize
5.2MB

MD5
427aa85947acca82b6b0a13a88f108c6

SHA1
19a76ef781a2dea48a037d6a0f82a49a4ded4ffd

SHA256
8d407190b2f19ec67258d92f3f36c20637b675d8d4b55c345325e02954c7e3f1

SHA512
a1a7f88484b70c234c1254770f6066dab1d0e3b37e489cc735c0033ad0a87799a01acc7d6373fa553aeb61ea1f1964e1bc630d5cae44983e13f9d7d6fbeebd38

Download Submit
/data/data/tibo.sa194.seatt/cache/clicker.json

Filesize
17KB

MD5
d780f836fe54e51872bf31220a4dcb77

SHA1
5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae

SHA256
32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17

SHA512
62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Download Submit
/data/data/tibo.sa194.seatt/databases/a

Filesize
20KB

MD5
91af32c14839a2828ca58297e0861362

SHA1
bd758cc0bb47b570da2061d4633aa998a87ed971

SHA256
5d8e556cf9230390a2ea6e8fe0300bf0d3c28397a75d4d5d1138cf25713d5923

SHA512
9810060201633366b6d13e9b81a2d9fe1adb61e027a215cd05454bbefaa7f6e1a17aae3781eedd8095a398a05f3c7cf03b589f29d1ac4789dfbf61bce25b9fb7

Download Submit
/data/data/tibo.sa194.seatt/databases/a

Filesize
20KB

MD5
800353bbdd55b4d4fa21ed52b88f18f0

SHA1
cd2d0036dd26b7fae01255735274a14ea402e1cf

SHA256
8a6cff0ef14194cd54218416a8aa83469072ec0a6b36732ce300e229bd8964c1

SHA512
82f2f1edaadc5aa40159ccb60718d1c8aaab9e27a7212c6c1ff5da0547dd91b3138cdb043bb8113303d9f650f09a6d3e57694e9e5819a416d74bed166340e4d9

Download Submit
/data/data/tibo.sa194.seatt/databases/a-journal

Filesize
512B

MD5
72ff339bf00f7d1ef189fe8838f19970

SHA1
b45121c356abe2df1a86badd444f4bdeefdee93a

SHA256
9bbf037f9d7d3c7815916463c4e48f443596a5104ac941f6da32dfee2c3e1f96

SHA512
80cacb33c9b02eb9b42221908a6d0162cca9d5f2b2e7fe696f0bfb82fc427486f9df9ce94fc3a1e0890853664aea2818cb42416bfdd22703199bf809baf7d21b

Download Submit
/data/data/tibo.sa194.seatt/databases/a-journal

Filesize
8KB

MD5
c83100cba6da7f346513783db11a4482

SHA1
435106514537c6e0cd7ffbd5828379edfd1b8b24

SHA256
dc8a79ce6accd2fc7d1c8d6e8db90d8f2caf89e9f765a772e9450614bdfc0c9b

SHA512
73add24fe775b83a8bd3fc0160e40478eb46f962eb821acb091d8ffdd5a7e2b95ab1cefd70fe91d81b859501a2f6fb3d9dd0dee9b52c08eb84a4cd2cd50f1bf3

Download Submit
/data/data/tibo.sa194.seatt/databases/a-journal

Filesize
8KB

MD5
651fe359a649c0c102cf8239b62a16bf

SHA1
662796a75060fb410bb0011d844da675d063fc0e

SHA256
15511d4f2a29b57a6f7a3efa7c58434956e51f26f37048fb886da950d4bd7268

SHA512
6b5d23d64af4f7b7f6a8786414e19e57c76890c72c674d88aac320be75f0a966da1f0df09b9d045be6427da31dba629c6d73f36d3283102277bda3cb12259497

Download Submit
/data/data/tibo.sa194.seatt/databases/a-journal

Filesize
12KB

MD5
bd811a86ffa9d430a0f508031ed4f9ca

SHA1
02f2f06e6c9dced9482bfd96cf93049fc398dce4

SHA256
f50ce0e0e435ec95af62c31cd4ce195cdbd1c4b1bc0fddc0b36b770d9ddb1719

SHA512
8788bb5ad0a631e74a3207dd977266ddf643bae24e83e831a58600c85061c5e1becee76dab902a511f64da7ef4116b8059ea7116730b9dd35332d80fff8478aa

Download Submit
/data/data/tibo.sa194.seatt/files/tibo.sa194.seatt

Filesize
256B

MD5
98a538216924b0e83701fbd1b719da53

SHA1
e49c3826ef9ef57b2f444185d39e5322d0a95667

SHA256
0c3eeda7f7d411ca8924a4178522c874be1e6fa5d70758d784362b2124c3079f

SHA512
90a6d58bc55eb95e0ad0e26276906c7755f075b63941227269bd1a346b4ccbad0ecba69fa2a7043973b68881a9f6c2e0733f33265fb077309ee369b4fdcdaa25

Download Submit
/data/data/tibo.sa194.seatt/no_backup/androidx.work.workdb

Filesize
4KB

MD5
0eb157e1a86d4d00aa601dd2f6ff3ee3

SHA1
fee434f784e73cc7916322e949f727caf8363102

SHA256
b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4

SHA512
b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

Download Submit
/data/data/tibo.sa194.seatt/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
a50d5a54236c6c9b62a2e90603bc3057

SHA1
a01e4f31c8b181aa28eb797d21c728c5ad536631

SHA256
a1babae8bf60eb986eb7d6a939cdf73798a9226f1dc098069cfe45d643089e47

SHA512
d85d0a7a9378067a4e1a42d53b6d510193c1ae469970b998feb576801bfec0a3e82a990df86a35d283b0d6333c9b849fb8fc5996239023c8a9916c11101921a6

Download Submit
/data/data/tibo.sa194.seatt/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/tibo.sa194.seatt/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
2631d2f8a73f60c26bb7ea7575e001ae

SHA1
b23e8918be239782eef8f1848b084d967f421b5d

SHA256
c6bda04b49812f481f8f3347d90559eede33a56fbc76c26d7b4507a67db49bf9

SHA512
17bd2670bcf6df4d01b1e00aa0a2ac374756b61e53d4665ceb8987d12db02ee0a412d2a9523dd91aa2fbee4259ce0ce454c0359fb80959119d09452891e8ce75

Download Submit
/data/data/tibo.sa194.seatt/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
61271bbd2235ec39ce6e41008fdcac77

SHA1
8fdb20642a59bfb51af3e37f31b55dee434dc55b

SHA256
728c1e0e0d90f99b7a0f35dbee797fc4d29cdf6a9b881b3e76aac3ad9a68386a

SHA512
55d034f5ad6279e473033009377bc3d3226b8cb7e7922898e4003992e549a334f9a5ab73b4debd3173e79e7062172dcd5411c99d92859bb76da9d144ca65f592

Download Submit
/data/data/tibo.sa194.seatt/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
5a7d7bbaafdbd35c736f8467278f7aa5

SHA1
60e9721b260324f419fd650d91bac5f6dba22ab0

SHA256
4d3ecfa244fb994dac482385913c3b6d3c2b473faace902af160d742ed44a9ea

SHA512
d30ebca12a59fb271d1d7ab62ac917b95383f44bee4ddeda673898983e4b1659c1236ef6485d363611adb4366e1c03df45f3653035d2903973258f3a2c5dd1f3

Download Submit
/data/user/0/tibo.sa194.seatt/app_chest/uX.json

Filesize
11.1MB

MD5
28041432b0c51e3e887643272629c83e

SHA1
fbea5dfc62f03e1ff784b410ec0d547de0e8156b

SHA256
85c845feaa13eb5b0d02b64a996bf1a84b3aa77b6cf616f3db8ae5b4c70e9902

SHA512
7e69a4dffce031e990827d655b83ce66bfca72ecdc5bba4a264f877e0a3788953c41e2f6766e8327127d1b68b63775569648340fda09b4ce13684f0aaca6438f

Download Submit
/data/user/0/tibo.sa194.seatt/app_chest/uX.json!classes2.dex

Filesize
351KB

MD5
2c40764a05fede34d609a3153c21dc9b

SHA1
f50f32daca41b56a16edfcc1b3db8cc9508b13de

SHA256
f281069a24636924e9a474d7e374a73ae70f271a8404e4b99a140706aacfb8f5

SHA512
0a1924021add70495ae3f067b8219e4841c48d8b8dfc34c02b9556d29734df5e80373372c99440da0fc3a06eaea970e7d4e264b5a97218216dbbe6d07a03a769

Download Submit
/data/user/0/tibo.sa194.seatt/app_chest/uX.json!classes3.dex

Filesize
257KB

MD5
bdef4f966e5e09a0f2168a19f32097ef

SHA1
16163a2ffe1ede91db16b0cde4e7bd277008c13c

SHA256
4ff3c79ab68c56d915d241c9764d34462116d72011080fa5cdcb914bd03046f9

SHA512
c220c442be8c662b6ceaabf06e010c842a6fe29c3cf805bb0af90e595a84afdffb2cf54c624a1a0cc38ced885add95877014cb4248ddf610ea653704051fc1d0

Download Submit
/data/user/0/tibo.sa194.seatt/app_chest/uX.json!classes4.dex

Filesize
1.9MB

MD5
2d73c5997273e3910c1ac1d8db7ba145

SHA1
25737e75ed15863e69d02a14efa781370dfec798

SHA256
411c3194c11f6254e4bb6cdbf247518a4696ce9bffc6d373ba7e949889db9965

SHA512
7adca729d74394232c26ee76272a85342fd88c9101d417ba3a0b1018f29cdbe4a852a3458548e4e333db55520cf8b0a7700f6bcb3cfee77a12ec3d272c4dc13a

Download Submit
/storage/emulated/0/Android/data/tibo.sa194.seatt/cache/logs/log.txt

Filesize
3KB

MD5
10bdb883c68724b8b2d9851bad55b5e3

SHA1
439a8a5fcbe4d63c1ecd4c0464372361595f6d0d

SHA256
8472e4c79c8ed6eab9969231370a2590580f4f36443f21b51988ecd37505c60c

SHA512
40701f8b5267e25c75b4e03575d5306d6218253e7b913bfa54f3e1a97d06ae35792ee81d31e46ff03819f813989624cb178a153dab01da344461c2f8cd1e8e24

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads