trickmo | 0b536b95b5a65c6f79546adc9c7ff0902019af1742b22fdbe4f4370b3089bc84

Analysis

max time kernel
29s
max time network
30s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
22/03/2025, 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b536b95b5a65c6f79546adc9c7ff0902019af1742b22fdbe4f4370b3089bc84.apk
Size

8.0MB
MD5

090d40fa8f1a3550ebdfe3241872dc0e
SHA1

5c08a70b4e2fed4683fb49718a487e94b78acdb3
SHA256

0b536b95b5a65c6f79546adc9c7ff0902019af1742b22fdbe4f4370b3089bc84
SHA512

a0258167d857a5531dc052a0f31468c986e19dc445ee1a434d9887e20afd757ad25b8a8cb838661c29b174326e8171d5622dccfceb673919ec2cf61bf814a4f5
SSDEEP

196608:ZM1V0jsGDszhM9zSMI/bFa3mAAcFpYYXCTLWHozfkoHdQpz+:aK/ozhlMISxJSTLWo/i4

Score

10^/10

trickmo banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

trickmo

http://techpoint.cn.com/c

Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
trojan infostealer banker trickmo
Trickmo family
trickmo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/tibo.sa194.seatt/app_chest/uX.json	4279	tibo.sa194.seatt
/data/user/0/tibo.sa194.seatt/app_chest/uX.json!classes2.dex	4279	tibo.sa194.seatt
/data/user/0/tibo.sa194.seatt/app_chest/uX.json!classes3.dex	4279	tibo.sa194.seatt
/data/user/0/tibo.sa194.seatt/app_chest/uX.json!classes4.dex	4279	tibo.sa194.seatt

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	tibo.sa194.seatt

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	tibo.sa194.seatt

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	tibo.sa194.seatt

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	tibo.sa194.seatt

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	tibo.sa194.seatt

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	tibo.sa194.seatt

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	tibo.sa194.seatt

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	tibo.sa194.seatt

tibo.sa194.seatt
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4279

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/tibo.sa194.seatt/app_chest/uX.json

Filesize
5.2MB

MD5
08b2dcac6d95bf9169b65abf96d18f4c

SHA1
a52d56ff6eb43cb92f9a656a3c53d7fd146cc1a2

SHA256
5bacec5809058c0e576f8881095d244c14b84a736610fff89a7593dc1e9473be

SHA512
4b00793d96d5a59e01a9decddfdc853ab3e2419be0833899bc61baee5d76fbf06de8b92270477ec91c983308305c75f7b3f965548fe6b62edbcbbe68dbd0a149

Download Submit
/data/data/tibo.sa194.seatt/app_chest/uX.json

Filesize
5.2MB

MD5
427aa85947acca82b6b0a13a88f108c6

SHA1
19a76ef781a2dea48a037d6a0f82a49a4ded4ffd

SHA256
8d407190b2f19ec67258d92f3f36c20637b675d8d4b55c345325e02954c7e3f1

SHA512
a1a7f88484b70c234c1254770f6066dab1d0e3b37e489cc735c0033ad0a87799a01acc7d6373fa553aeb61ea1f1964e1bc630d5cae44983e13f9d7d6fbeebd38

Download Submit
/data/data/tibo.sa194.seatt/cache/clicker.json

Filesize
17KB

MD5
d780f836fe54e51872bf31220a4dcb77

SHA1
5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae

SHA256
32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17

SHA512
62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Download Submit
/data/data/tibo.sa194.seatt/databases/a

Filesize
20KB

MD5
0dc7e78fefa721c9e8ce654bf2a27808

SHA1
e66fba90b17b57614492a8f501203ebbdfab33d8

SHA256
bb19920b844410e6f18aa513d6c7b83c3ecb09d6ac91d8a440fdf8d5c817a3f9

SHA512
846ca593b25eef509f431cfd9141a91dd22f3b08d14285fb75513c5fa1430e6ac89703df73b676b56c8814c5ba3bcf664bf040185464a18ee0384839c732de5b

Download Submit
/data/data/tibo.sa194.seatt/databases/a-journal

Filesize
512B

MD5
0457bd21c14ae42af4d59976cb68c30a

SHA1
35b60a464a3e1fb1c04d469d9c09302a9fce3d42

SHA256
4946881df963f3ed7094503d1102de9b9f8dcc516da4ecee76272a8cbabb954f

SHA512
133d84d96ed5b7682065d941b31d0222add7e97a0d883bdb94d957e0cbf12ba5a7b1c873e9fcb7bbc13161ee2e216acf54b337b7bcc3801ce96e2fb59b91d062

Download Submit
/data/data/tibo.sa194.seatt/databases/a-wal

Filesize
32KB

MD5
bba78ed52045c5b759ea747311f7bb3e

SHA1
bd29fa0526fc809ed8d6e688fcd1b4b737142f55

SHA256
d6b23e3ca4851a2cc41114ea4216f8f77b244eea8e96077afc69619e7ee32100

SHA512
b2b250dba459d44a17e94abf4b8d8ca523145604245934122136afb56846e53cd1e8414c8e5b1184184bc10c3b172dafd3283413c8f0ee6245da3dea4ffa5420

Download Submit
/data/data/tibo.sa194.seatt/databases/a-wal

Filesize
40KB

MD5
60f6510a99fbf3055c60c5341d68292c

SHA1
ac2c2518bf4ce14015f26995f93a6eb56fd99026

SHA256
de9b7163a09be82c5fdeaf06d70d42e7a02adfa5aa2c2b9c9450e2b5e16071d3

SHA512
3c3b5fb8a77067b147bec89ffe6e5e09820e406957018c334c5f65dd3702bcd96e2c8ab14b23985b4ee7ffd61ada01721a8278b7c40d8dd28ae9a61e895af980

Download Submit
/data/data/tibo.sa194.seatt/files/tibo.sa194.seatt

Filesize
256B

MD5
64e536a1f80caab53b46a5162296bf9e

SHA1
47b897fe1974efcd2f90e868a13e104b37fa791a

SHA256
91f53a9be6fa6c196bd489e8c12ed16a4a9ed856bac3b4651251bafe2a92f6c0

SHA512
8a8045840808efe480777f664bc98c5c46a796fedfc074b9d3e5d4167a006d1be1131db05a58b0909f0eb810d06b6af469682b6fd109f0e16b1c72fa8731c581

Download Submit
/data/data/tibo.sa194.seatt/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/tibo.sa194.seatt/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
992990bf0571d1f1f7edd649d9871c5b

SHA1
d0d2237d0809d274c81bfa67126759d4fa1629ad

SHA256
0fb46fc311bea9b1d6b37fc9ffb02b6a62f101f2aa49eccd0b0a8a0c8f8dee00

SHA512
de48eeaca904f31795303d8e9711b486c553a2f426c4f747459a9395dd1e2bb6f614cf094ddbbd6f96b2921c55427e8f932298cb22131e81d6867b87b1f9c33b

Download Submit
/data/data/tibo.sa194.seatt/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/tibo.sa194.seatt/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
9602ff2ef2612a7dbfa7e1bccafce09d

SHA1
b7657a74ffc156e39c219376d07f10dd3dd3cea5

SHA256
0f4d7c2b2483fdbe6e64235870f22b3b962a381242f3d67e5cd996ad29b12b12

SHA512
8761a99d5472a28d018f4210bbcd760fcdb68dfad0367bb5046a5be07439a728a22e25f37be92cee5fa3643a98b28dd940c78d76b711e1f314a2dbb5ffa5af8c

Download Submit
/data/data/tibo.sa194.seatt/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
c62731d5493827be87bcfe530478d5d2

SHA1
4e288717762bb5eaa60d507334702d937a70caf0

SHA256
63ebd71a18ec4c4e044c0d8d150527a635e0a99a631f3fb21995f9aec5845fcc

SHA512
a1279f120c43e089df3114b1f626befe32a5cfb3566c20866f7de3607628b00d10fff673a7a4ed04c2f1a8c36c9fd3dfa3fc3b222ff9aae2e37494d42df94332

Download Submit
/data/data/tibo.sa194.seatt/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
c69d5453ec26ec1f67ef3695f2977d80

SHA1
847dc05be7c18661bff0658fc2965fe67203f638

SHA256
455b1a277906068efcfd45219a8f0783e48517f7799183a1bcb75c5cb9708fb8

SHA512
525520a89c529d3a9eb7259488245f335df43e02dcd4e1ad2fd17c07a0d47813b03c7faf1618bdfa32a15fc1421af21dc72abef96b0db990f7c456d654864771

Download Submit
/data/user/0/tibo.sa194.seatt/app_chest/uX.json

Filesize
11.1MB

MD5
28041432b0c51e3e887643272629c83e

SHA1
fbea5dfc62f03e1ff784b410ec0d547de0e8156b

SHA256
85c845feaa13eb5b0d02b64a996bf1a84b3aa77b6cf616f3db8ae5b4c70e9902

SHA512
7e69a4dffce031e990827d655b83ce66bfca72ecdc5bba4a264f877e0a3788953c41e2f6766e8327127d1b68b63775569648340fda09b4ce13684f0aaca6438f

Download Submit
/data/user/0/tibo.sa194.seatt/app_chest/uX.json!classes2.dex

Filesize
351KB

MD5
2c40764a05fede34d609a3153c21dc9b

SHA1
f50f32daca41b56a16edfcc1b3db8cc9508b13de

SHA256
f281069a24636924e9a474d7e374a73ae70f271a8404e4b99a140706aacfb8f5

SHA512
0a1924021add70495ae3f067b8219e4841c48d8b8dfc34c02b9556d29734df5e80373372c99440da0fc3a06eaea970e7d4e264b5a97218216dbbe6d07a03a769

Download Submit
/data/user/0/tibo.sa194.seatt/app_chest/uX.json!classes3.dex

Filesize
257KB

MD5
bdef4f966e5e09a0f2168a19f32097ef

SHA1
16163a2ffe1ede91db16b0cde4e7bd277008c13c

SHA256
4ff3c79ab68c56d915d241c9764d34462116d72011080fa5cdcb914bd03046f9

SHA512
c220c442be8c662b6ceaabf06e010c842a6fe29c3cf805bb0af90e595a84afdffb2cf54c624a1a0cc38ced885add95877014cb4248ddf610ea653704051fc1d0

Download Submit
/data/user/0/tibo.sa194.seatt/app_chest/uX.json!classes4.dex

Filesize
1.9MB

MD5
2d73c5997273e3910c1ac1d8db7ba145

SHA1
25737e75ed15863e69d02a14efa781370dfec798

SHA256
411c3194c11f6254e4bb6cdbf247518a4696ce9bffc6d373ba7e949889db9965

SHA512
7adca729d74394232c26ee76272a85342fd88c9101d417ba3a0b1018f29cdbe4a852a3458548e4e333db55520cf8b0a7700f6bcb3cfee77a12ec3d272c4dc13a

Download Submit
/storage/emulated/0/Android/data/tibo.sa194.seatt/cache/logs/log.txt

Filesize
643B

MD5
a4f80f6fb42e6b6c4551a65add6aeac4

SHA1
b6baee295567d21e73e8501e1adbaa466d3a68eb

SHA256
ad2bd3f30c35716510110a7a5305cf6cf79a69fed59e5bfc4a76b85c736d5de6

SHA512
b1f088d8b9a79909e0f69a754d25e2e78f2c9b4d83f6d152fb25066f176a39fb659ca6d4e16eb4fbd0706d4a855d4d8798f622ced0f1dc7b4c75591fa906e0d8

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads