Last update: 2022-06-14 10:04:31 +02:00

TrickBot - Cyber Threat Intelligence

These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as TrickBot. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.trickbot

Campaigns

The following campaigns are known and can be associated with TrickBot:

  • AnchorMail

Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with TrickBot:

There are 5 more country items available. Please use our online service to access the data.

IOC - Indicator of Compromise

These indicators of compromise (IOC) indicate associated network resources which are known to be part of research and attack activities of TrickBot.

| ID | IP address | Hostname | Campaign | Confidence |
|---|---|---|---|---|
| 1 | 3.224.145.145 | ec2-3-224-145-145.compute-1.amazonaws.com | - | Medium |
| 2 | 5.1.81.68 | mx4.tarifvergleichbhv.net | - | High |
| 3 | 5.2.70.145 | merlinsbeard.co.uk | - | High |
| 4 | 5.2.72.84 | cipixia.com | - | High |
| 5 | 5.2.75.93 | - | - | High |
| 6 | 5.2.75.167 | coms.a9v34.com.cn | - | High |
| 7 | 5.2.76.122 | mx3.ximple.eu | - | High |
| 8 | 5.34.177.50 | unallocated.layer6.net | - | High |
| 9 | 5.34.178.126 | yhlas111410.pserver.ru | - | High |
| 10 | 5.39.47.22 | mail.dmgs.site | - | High |
| 11 | 5.53.124.49 | dgbtechnologies.com | - | High |
| 12 | 5.59.205.32 | dhcp-32-205-59-5.metro86.ru | - | High |
| 13 | 5.133.179.108 | 5-133-179-108.freeucouponsnow.ru | - | High |
| 14 | 5.149.253.99 | - | - | High |
| 15 | 5.182.210.30 | realestatepromotion.ru | - | High |
| 16 | 5.182.210.109 | - | - | High |
| 17 | 5.182.210.132 | - | - | High |
| 18 | 5.182.210.178 | mail.rainingdreams.to | - | High |
| 19 | 5.182.210.226 | - | - | High |
| 20 | 5.182.210.230 | - | - | High |
| 21 | 5.182.210.246 | - | - | High |
| 22 | 5.182.210.254 | n01-nlam.kdktech.com | - | High |
| 23 | 5.182.211.44 | - | - | High |
| 24 | 5.196.247.14 | ip14.ip-5-196-247.eu | - | High |
| 25 | 5.230.22.40 | - | - | High |
| 26 | 5.255.96.217 | vps11.host1.be | - | High |
| 27 | 5.255.96.218 | - | - | High |
| 28 | 14.241.244.60 | - | - | High |
| 29 | 18.213.79.189 | ec2-18-213-79-189.compute-1.amazonaws.com | - | Medium |
| 30 | 18.233.90.151 | ec2-18-233-90-151.compute-1.amazonaws.com | - | Medium |
| 31 | 23.3.13.88 | a23-3-13-88.deploy.static.akamaitechnologies.com | - | High |
| 32 | 23.3.13.154 | a23-3-13-154.deploy.static.akamaitechnologies.com | - | High |
| 33 | 23.3.125.111 | a23-3-125-111.deploy.static.akamaitechnologies.com | - | High |
| 34 | 23.20.220.174 | ec2-23-20-220-174.compute-1.amazonaws.com | - | Medium |
| 35 | 23.21.27.29 | ec2-23-21-27-29.compute-1.amazonaws.com | - | Medium |
| 36 | 23.21.48.44 | ec2-23-21-48-44.compute-1.amazonaws.com | - | Medium |
| 37 | 23.21.121.219 | ec2-23-21-121-219.compute-1.amazonaws.com | - | Medium |
| 38 | 23.21.252.4 | ec2-23-21-252-4.compute-1.amazonaws.com | - | Medium |
| 39 | 23.23.83.153 | ec2-23-23-83-153.compute-1.amazonaws.com | - | Medium |
| 40 | 23.23.243.154 | ec2-23-23-243-154.compute-1.amazonaws.com | - | Medium |
| 41 | 23.62.6.161 | a23-62-6-161.deploy.static.akamaitechnologies.com | - | High |
| 42 | 23.62.6.170 | a23-62-6-170.deploy.static.akamaitechnologies.com | - | High |
| 43 | 23.94.233.210 | 23-94-233-210-host.colocrossing.com | - | High |
| 44 | 23.95.231.187 | 23-95-231-187-host.colocrossing.com | - | High |
| 45 | 23.96.30.229 | - | - | High |
| 46 | 23.160.192.125 | unknown.ip-xfer.net | - | High |
| 47 | 23.160.193.106 | unknown.ip-xfer.net | - | High |
| 48 | 23.202.231.166 | a23-202-231-166.deploy.static.akamaitechnologies.com | - | High |
| 49 | 23.217.138.107 | a23-217-138-107.deploy.static.akamaitechnologies.com | - | High |
| 50 | 24.162.214.166 | cpe-24-162-214-166.elp.res.rr.com | - | High |
| 51 | 27.72.107.215 | dynamic-adsl.viettel.vn | - | High |
| 52 | 27.147.173.227 | 173.227.cetus.link3.net | - | High |
| 53 | 31.131.26.122 | - | - | High |
| 54 | 31.134.60.181 | 31-134-60-181.telico.pl | - | High |
| 55 | 31.134.124.90 | - | - | High |
| 56 | 31.172.177.90 | poczta.mp-lift.pl | - | High |
| 57 | 31.184.253.6 | - | - | High |
| 58 | 31.184.253.37 | models9.vixgrafica.de | - | High |
| 59 | 31.202.132.22 | - | - | High |
| 60 | 31.211.85.110 | - | - | High |
| 61 | 31.214.138.207 | f0a4213918138.rev.snt.net.pl | - | High |
| 62 | 34.117.59.81 | 81.59.117.34.bc.googleusercontent.com | - | Medium |
| 63 | 34.192.250.175 | ec2-34-192-250-175.compute-1.amazonaws.com | - | Medium |
| 64 | 34.196.181.158 | ec2-34-196-181-158.compute-1.amazonaws.com | - | Medium |
| 65 | 34.198.132.204 | ec2-34-198-132-204.compute-1.amazonaws.com | - | Medium |
| 66 | 34.233.102.38 | ec2-34-233-102-38.compute-1.amazonaws.com | - | Medium |
| 67 | 36.37.176.6 | - | - | High |
| 68 | 36.66.115.180 | - | - | High |
| 69 | 36.89.85.103 | - | - | High |
| 70 | 36.89.191.119 | - | - | High |
| 71 | 36.89.193.181 | - | - | High |
| 72 | 36.89.193.235 | - | - | High |
| 73 | 36.89.228.201 | - | - | High |
| 74 | 36.89.243.241 | - | - | High |
| 75 | 36.91.45.10 | - | - | High |
| 76 | 36.91.88.164 | - | - | High |
| 77 | 36.91.117.231 | - | - | High |
| 78 | 36.91.186.235 | - | - | High |
| 79 | 36.94.27.124 | - | - | High |
| 80 | 36.94.33.102 | - | - | High |
| 81 | 36.94.100.202 | - | - | High |
| 82 | 36.95.23.89 | - | - | High |
| 83 | 36.95.27.243 | - | - | High |
| 84 | 37.44.212.179 | - | - | High |
| 85 | 37.44.212.216 | - | - | High |
| 86 | 37.59.183.142 | - | - | High |
| 87 | 37.228.70.134 | - | - | High |
| 88 | 37.228.117.146 | metobor.ru | - | High |
| 89 | 37.228.117.250 | janome.ru | - | High |
| 90 | 37.230.112.146 | audiotop.ru | - | High |
| 91 | 37.230.114.93 | admin1.fvds.ru | - | High |
| 92 | 37.230.114.248 | kosmolot.com | - | High |
| 93 | 37.230.115.129 | dvcarry.fvds.ru | - | High |
| 94 | 37.230.115.133 | wdai.io | - | High |
| 95 | 37.230.115.138 | i2.com | - | High |
| 96 | 37.230.115.171 | geobrox.com | - | High |
| 97 | 37.230.115.184 | 21922vdscom.com | - | High |
| 98 | 38.132.99.174 | - | - | High |
| 99 | 41.77.134.250 | cliente6386477933.clubnet.mz | - | High |
| 100 | 41.243.29.182 | 182-29-243-41.r.airtel.cd | - | High |
| 101 | 43.245.216.116 | - | - | High |
| 102 | 45.5.152.39 | - | - | High |
| 103 | 45.6.16.68 | - | - | High |
| 104 | 45.14.226.115 | - | - | High |
| 105 | 45.36.99.184 | cpe-45-36-99-184.triad.res.rr.com | - | High |
| 106 | 45.66.11.116 | vm1488716.2ssd.had.wf | - | High |
| 107 | 45.80.148.30 | - | - | High |
| 108 | 45.115.172.105 | - | - | High |
| 109 | 45.125.1.34 | 45.125.1.34.static.xtom.hk | - | High |
| 110 | 45.127.222.8 | - | - | High |
| 111 | 45.137.151.198 | ourdiaspora.net | - | High |
| 112 | 45.138.158.32 | - | - | High |
| 113 | 45.142.213.58 | vm372119.pq.hosting | - | High |
| 114 | 45.148.120.153 | - | - | High |
| 115 | 45.148.120.195 | pe195.peryon.web.tr | - | High |
| 116 | 45.155.173.242 | - | - | High |
| 117 | 45.160.145.11 | - | - | High |
| 118 | 45.160.145.179 | - | - | High |
| 119 | 45.160.145.216 | - | - | High |
| 120 | 45.167.249.126 | - | - | High |
| 121 | 45.178.142.14 | - | - | High |
| 122 | 45.201.134.202 | - | - | High |
| 123 | 45.224.214.34 | clientes-214-34.intercommtech.com.br | - | High |
| 124 | 45.229.71.211 | static-45-229-71-211.extrememt.com.br | - | High |
| 125 | 45.234.248.154 | 45.-234.248-154.rev.voanet.br | - | High |
| 126 | 46.4.167.250 | ip-subnet46-4-167.unassigned.theideahosting.net | - | High |
| 127 | 46.8.21.10 | 53980.web.hosting-russia.ru | - | High |
| 128 | 46.8.21.113 | 64403.web.hosting-russia.ru | - | High |
| 129 | 46.30.41.229 | vm494526.eurodir.ru | - | High |
| 130 | 46.30.45.208 | vm418209.eurodir.ru | - | High |
| 131 | 46.99.175.217 | - | - | High |
| 132 | 46.209.140.220 | - | - | High |
| 133 | 46.254.128.174 | 46.254.128.174.lanultra.net | - | High |
| 134 | 49.156.34.134 | - | - | High |
| 135 | 50.16.229.140 | ec2-50-16-229-140.compute-1.amazonaws.com | - | Medium |
| 136 | 50.19.247.198 | ec2-50-19-247-198.compute-1.amazonaws.com | - | Medium |
| 137 | 51.38.101.194 | - | - | High |
| 138 | 51.68.247.62 | ip62.ip-51-68-247.eu | - | High |
| 139 | 51.77.92.215 | - | - | High |
| 140 | 51.81.112.144 | - | - | High |
| 141 | 51.89.73.159 | theladbible.site | - | High |
| 142 | 51.89.115.101 | secure-3111.buzztary.com | - | High |
| 143 | 51.89.115.108 | coms.jt120.com.cn | - | High |
| 144 | 51.89.115.110 | pocket-usage.nationfox.net | - | High |
| 145 | 51.89.115.112 | brides-crude.nationfox.net | - | High |
| 146 | 51.89.115.116 | tombe.nationfox.net | - | High |
| 147 | 51.89.115.121 | mail1.cmailer.online | - | High |
| 148 | 51.89.115.124 | mta.ga-emailcamel.com | - | High |
| 149 | 51.89.177.20 | ip20.ip-51-89-177.eu | - | High |
| 150 | 51.159.23.217 | jambold.co.uk | - | High |
| 151 | 51.254.69.244 | - | - | High |
| 152 | 51.254.83.17 | ip17.ip-51-254-83.eu | - | High |
| 153 | 51.254.164.243 | amortizserv.info | - | High |
| 154 | 51.254.164.244 | y9gs.gaurented.com | - | High |
| 155 | 51.254.164.245 | ip245.ip-51-254-164.eu | - | High |
| 156 | 51.254.164.249 | ip249.ip-51-254-164.eu | - | High |
| 157 | 52.0.197.231 | ec2-52-0-197-231.compute-1.amazonaws.com | - | Medium |
| 158 | 52.20.197.7 | ec2-52-20-197-7.compute-1.amazonaws.com | - | Medium |
| 159 | 52.44.169.135 | ec2-52-44-169-135.compute-1.amazonaws.com | - | Medium |
| 160 | 52.55.255.113 | ec2-52-55-255-113.compute-1.amazonaws.com | - | Medium |
| 161 | 52.202.139.131 | ec2-52-202-139-131.compute-1.amazonaws.com | - | Medium |
| 162 | 52.204.109.97 | ec2-52-204-109-97.compute-1.amazonaws.com | - | Medium |
| 163 | 52.206.161.133 | ec2-52-206-161-133.compute-1.amazonaws.com | - | Medium |
| 164 | 52.206.178.1 | ec2-52-206-178-1.compute-1.amazonaws.com | - | Medium |
| 165 | 54.39.106.25 | ns560342.ip-54-39-106.net | - | High |
| 166 | 54.204.36.156 | ec2-54-204-36-156.compute-1.amazonaws.com | - | Medium |
| 167 | 54.221.253.252 | ec2-54-221-253-252.compute-1.amazonaws.com | - | Medium |
| 168 | ... | ... | ... | ... |

There are 667 more IOC items available. Please use our online service to access the data.

TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used by TrickBot. This data is unique as it uses our predictive model for actor profiling.

| ID | Technique | Weakness | Description | Confidence |
|---|---|---|---|---|
| 1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High |
| 2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High |
| 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High |
| 4 | ... | ... | ... | ... |

There are 6 more TTP items available. Please use our online service to access the data.

IOA - Indicator of Attack

These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by TrickBot. This data is unique as it uses our predictive model for actor profiling.

| ID | Type | Indicator | Confidence |
|---|---|---|---|
| 1 | File | /acms/admin/?page=transactions/manage_transaction | High |
| 2 | File | /acms/admin/cargo_types/manage_cargo_type.php | High |
| 3 | File | /acms/admin/cargo_types/view_cargo_type.php | High |
| 4 | File | /acms/classes/Master.php?f=delete_cargo | High |
| 5 | File | /acms/classes/Master.php?f=delete_cargo_type | High |
| 6 | File | /acms/classes/Master.php?f=delete_img | High |
| 7 | File | /admin/new-content | High |
| 8 | File | /Ap4RtpAtom.cpp | High |
| 9 | File | /bcms/admin/?page=user/list | High |
| 10 | File | /cgi-bin/login.cgi | High |
| 11 | File | /cgi-bin/luci/api/auth | High |
| 12 | File | /cgi-bin/luci/api/diagnose | High |
| 13 | File | /cgi-bin/luci/api/switch | High |
| 14 | File | /cgi-bin/luci/api/wireless | High |
| 15 | File | /coreframe/app/member/admin/group.php | High |
| 16 | File | /ctpms/admin/?page=applications/view_application | High |
| 17 | File | /ctpms/admin/?page=individuals/view_individual | High |
| 18 | File | /ctpms/admin/applications/update_status.php | High |
| 19 | File | /ctpms/admin/individuals/update_status.php | High |
| 20 | File | /ctpms/classes/Master.php?f=delete_application | High |
| 21 | File | /ctpms/classes/Master.php?f=delete_img | High |
| 22 | File | /debug/pprof | Medium |
| 23 | File | /dict/list.do | High |
| 24 | File | /fantasticblog/single.php | High |
| 25 | File | /farm/store.php | High |
| 26 | File | /fuel/index.php/fuel/logs/items | High |
| 27 | ... | ... | ... |

There are 232 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

References

The following list contains external sources which discuss the actor and the associated activities:

Literature

The following articles explain our unique predictive cyber threat intelligence:

License

(c) 1997-2022 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!