2022-07-23 08:39:44 +02:00

TrickBot - Cyber Threat Intelligence

These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as TrickBot. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.trickbot

Campaigns

The following campaigns are known and can be associated with TrickBot:

  • AnchorMail

Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with TrickBot:

There are 2 more country items available. Please use our online service to access the data.

IOC - Indicator of Compromise

These indicators of compromise (IOC) indicate associated network resources which are known to be part of research and attack activities of TrickBot.

| ID | IP address | Hostname | Campaign | Confidence |
|---|---|---|---|---|
| 1 | 3.209.171.143 | ec2-3-209-171-143.compute-1.amazonaws.com | - | Medium |
| 2 | 3.217.175.153 | ec2-3-217-175-153.compute-1.amazonaws.com | - | Medium |
| 3 | 3.224.145.145 | ec2-3-224-145-145.compute-1.amazonaws.com | - | Medium |
| 4 | 3.231.23.10 | ec2-3-231-23-10.compute-1.amazonaws.com | - | Medium |
| 5 | 5.1.81.68 | mx4.tarifvergleichbhv.net | - | High |
| 6 | 5.2.70.145 | merlinsbeard.co.uk | - | High |
| 7 | 5.2.72.84 | cipixia.com | - | High |
| 8 | 5.2.75.93 | - | - | High |
| 9 | 5.2.75.167 | coms.a9v34.com.cn | - | High |
| 10 | 5.2.76.122 | mx3.ximple.eu | - | High |
| 11 | 5.2.78.118 | - | - | High |
| 12 | 5.34.177.50 | unallocated.layer6.net | - | High |
| 13 | 5.34.178.126 | yhlas111410.pserver.ru | - | High |
| 14 | 5.39.47.22 | mail.dmgs.site | - | High |
| 15 | 5.53.124.49 | dgbtechnologies.com | - | High |
| 16 | 5.59.205.32 | dhcp-32-205-59-5.metro86.ru | - | High |
| 17 | 5.133.179.108 | 5-133-179-108.freeucouponsnow.ru | - | High |
| 18 | 5.149.253.99 | - | - | High |
| 19 | 5.152.175.57 | - | - | High |
| 20 | 5.182.210.30 | realestatepromotion.ru | - | High |
| 21 | 5.182.210.109 | - | - | High |
| 22 | 5.182.210.132 | - | - | High |
| 23 | 5.182.210.178 | mail.rainingdreams.to | - | High |
| 24 | 5.182.210.226 | - | - | High |
| 25 | 5.182.210.230 | - | - | High |
| 26 | 5.182.210.246 | - | - | High |
| 27 | 5.182.210.254 | n01-nlam.kdktech.com | - | High |
| 28 | 5.182.211.44 | - | - | High |
| 29 | 5.196.247.14 | ip14.ip-5-196-247.eu | - | High |
| 30 | 5.199.173.152 | - | - | High |
| 31 | 5.230.22.40 | - | - | High |
| 32 | 5.255.96.217 | vps11.host1.be | - | High |
| 33 | 5.255.96.218 | - | - | High |
| 34 | 14.241.244.60 | - | - | High |
| 35 | 18.213.79.189 | ec2-18-213-79-189.compute-1.amazonaws.com | - | Medium |
| 36 | 18.233.90.151 | ec2-18-233-90-151.compute-1.amazonaws.com | - | Medium |
| 37 | 23.3.13.88 | a23-3-13-88.deploy.static.akamaitechnologies.com | - | High |
| 38 | 23.3.13.154 | a23-3-13-154.deploy.static.akamaitechnologies.com | - | High |
| 39 | 23.3.125.111 | a23-3-125-111.deploy.static.akamaitechnologies.com | - | High |
| 40 | 23.19.31.135 | - | - | High |
| 41 | 23.20.220.174 | ec2-23-20-220-174.compute-1.amazonaws.com | - | Medium |
| 42 | 23.21.27.29 | ec2-23-21-27-29.compute-1.amazonaws.com | - | Medium |
| 43 | 23.21.48.44 | ec2-23-21-48-44.compute-1.amazonaws.com | - | Medium |
| 44 | 23.21.121.219 | ec2-23-21-121-219.compute-1.amazonaws.com | - | Medium |
| 45 | 23.21.252.4 | ec2-23-21-252-4.compute-1.amazonaws.com | - | Medium |
| 46 | 23.23.83.153 | ec2-23-23-83-153.compute-1.amazonaws.com | - | Medium |
| 47 | 23.23.243.154 | ec2-23-23-243-154.compute-1.amazonaws.com | - | Medium |
| 48 | 23.62.6.161 | a23-62-6-161.deploy.static.akamaitechnologies.com | - | High |
| 49 | 23.62.6.170 | a23-62-6-170.deploy.static.akamaitechnologies.com | - | High |
| 50 | 23.94.233.210 | 23-94-233-210-host.colocrossing.com | - | High |
| 51 | 23.95.97.59 | 23-95-97-59-host.colocrossing.com | - | High |
| 52 | 23.95.231.187 | 23-95-231-187-host.colocrossing.com | - | High |
| 53 | 23.96.30.229 | - | - | High |
| 54 | 23.160.192.125 | unknown.ip-xfer.net | - | High |
| 55 | 23.160.193.106 | unknown.ip-xfer.net | - | High |
| 56 | 23.202.231.166 | a23-202-231-166.deploy.static.akamaitechnologies.com | - | High |
| 57 | 23.217.138.107 | a23-217-138-107.deploy.static.akamaitechnologies.com | - | High |
| 58 | 24.162.214.166 | cpe-24-162-214-166.elp.res.rr.com | - | High |
| 59 | 27.72.107.215 | dynamic-adsl.viettel.vn | - | High |
| 60 | 27.147.173.227 | 173.227.cetus.link3.net | - | High |
| 61 | 30.10.121.157 | - | - | High |
| 62 | 31.131.21.184 | - | - | High |
| 63 | 31.131.26.122 | - | - | High |
| 64 | 31.134.60.181 | 31-134-60-181.telico.pl | - | High |
| 65 | 31.134.124.90 | - | - | High |
| 66 | 31.172.177.90 | poczta.mp-lift.pl | - | High |
| 67 | 31.184.253.6 | - | - | High |
| 68 | 31.184.253.37 | models9.vixgrafica.de | - | High |
| 69 | 31.202.132.22 | - | - | High |
| 70 | 31.211.85.110 | - | - | High |
| 71 | 31.214.138.207 | f0a4213918138.rev.snt.net.pl | - | High |
| 72 | 34.117.59.81 | 81.59.117.34.bc.googleusercontent.com | - | Medium |
| 73 | 34.192.250.175 | ec2-34-192-250-175.compute-1.amazonaws.com | - | Medium |
| 74 | 34.196.181.158 | ec2-34-196-181-158.compute-1.amazonaws.com | - | Medium |
| 75 | 34.198.132.204 | ec2-34-198-132-204.compute-1.amazonaws.com | - | Medium |
| 76 | 34.233.102.38 | ec2-34-233-102-38.compute-1.amazonaws.com | - | Medium |
| 77 | 36.37.176.6 | - | - | High |
| 78 | 36.66.115.180 | - | - | High |
| 79 | 36.66.188.251 | - | - | High |
| 80 | 36.89.85.103 | - | - | High |
| 81 | 36.89.106.69 | - | - | High |
| 82 | 36.89.191.119 | - | - | High |
| 83 | 36.89.193.181 | - | - | High |
| 84 | 36.89.193.235 | - | - | High |
| 85 | 36.89.228.201 | - | - | High |
| 86 | 36.89.243.241 | - | - | High |
| 87 | 36.91.45.10 | - | - | High |
| 88 | 36.91.87.227 | - | - | High |
| 89 | 36.91.88.164 | - | - | High |
| 90 | 36.91.117.231 | - | - | High |
| 91 | 36.91.186.235 | - | - | High |
| 92 | 36.94.27.124 | - | - | High |
| 93 | 36.94.33.102 | - | - | High |
| 94 | 36.94.100.202 | - | - | High |
| 95 | 36.95.23.89 | - | - | High |
| 96 | 36.95.27.243 | - | - | High |
| 97 | 37.7.123.244 | apn-37-7-123-244.dynamic.gprs.plus.pl | - | High |
| 98 | 37.44.212.179 | - | - | High |
| 99 | 37.44.212.216 | - | - | High |
| 100 | 37.59.183.142 | - | - | High |
| 101 | 37.228.70.134 | - | - | High |
| 102 | 37.228.117.146 | metobor.ru | - | High |
| 103 | 37.228.117.250 | janome.ru | - | High |
| 104 | 37.230.112.146 | audiotop.ru | - | High |
| 105 | 37.230.114.93 | admin1.fvds.ru | - | High |
| 106 | 37.230.114.248 | kosmolot.com | - | High |
| 107 | 37.230.115.129 | dvcarry.fvds.ru | - | High |
| 108 | 37.230.115.133 | wdai.io | - | High |
| 109 | 37.230.115.138 | i2.com | - | High |
| 110 | 37.230.115.171 | geobrox.com | - | High |
| 111 | 37.230.115.184 | 21922vdscom.com | - | High |
| 112 | 38.132.99.174 | - | - | High |
| 113 | 41.77.134.250 | cliente6386477933.clubnet.mz | - | High |
| 114 | 41.175.22.226 | - | - | High |
| 115 | 41.243.29.182 | 182-29-243-41.r.airtel.cd | - | High |
| 116 | 43.245.216.116 | - | - | High |
| 117 | 45.5.152.39 | - | - | High |
| 118 | 45.6.16.68 | - | - | High |
| 119 | 45.14.226.115 | - | - | High |
| 120 | 45.36.99.184 | cpe-45-36-99-184.triad.res.rr.com | - | High |
| 121 | 45.66.11.116 | vm1488716.2ssd.had.wf | - | High |
| 122 | 45.80.148.30 | - | - | High |
| 123 | 45.89.127.92 | - | - | High |
| 124 | 45.115.172.105 | - | - | High |
| 125 | 45.125.1.34 | 45.125.1.34.static.xtom.hk | - | High |
| 126 | 45.127.222.8 | - | - | High |
| 127 | 45.137.151.198 | ourdiaspora.net | - | High |
| 128 | 45.138.158.32 | - | - | High |
| 129 | 45.142.213.58 | vm372119.pq.hosting | - | High |
| 130 | 45.144.113.168 | - | - | High |
| 131 | 45.148.120.153 | - | - | High |
| 132 | 45.148.120.195 | pe195.peryon.web.tr | - | High |
| 133 | 45.155.173.242 | - | - | High |
| 134 | 45.160.145.11 | - | - | High |
| 135 | 45.160.145.179 | - | - | High |
| 136 | 45.160.145.216 | - | - | High |
| 137 | 45.167.249.126 | - | - | High |
| 138 | 45.178.142.14 | - | - | High |
| 139 | 45.201.134.202 | - | - | High |
| 140 | 45.224.214.34 | clientes-214-34.intercommtech.com.br | - | High |
| 141 | 45.229.71.211 | static-45-229-71-211.extrememt.com.br | - | High |
| 142 | 45.234.248.154 | 45.-234.248-154.rev.voanet.br | - | High |
| 143 | 46.4.167.250 | ip-subnet46-4-167.unassigned.theideahosting.net | - | High |
| 144 | 46.8.21.10 | 53980.web.hosting-russia.ru | - | High |
| 145 | 46.8.21.113 | 64403.web.hosting-russia.ru | - | High |
| 146 | 46.30.41.229 | vm494526.eurodir.ru | - | High |
| 147 | 46.30.45.208 | vm418209.eurodir.ru | - | High |
| 148 | 46.99.175.149 | - | - | High |
| 149 | 46.99.175.217 | - | - | High |
| 150 | 46.99.188.223 | - | - | High |
| 151 | 46.209.140.220 | - | - | High |
| 152 | 46.237.117.193 | - | - | High |
| 153 | 46.254.128.174 | 46.254.128.174.lanultra.net | - | High |
| 154 | 49.156.34.134 | - | - | High |
| 155 | 49.176.188.184 | static-n49-176-188-184.bla2.nsw.optusnet.com.au | - | High |
| 156 | 50.16.229.140 | ec2-50-16-229-140.compute-1.amazonaws.com | - | Medium |
| 157 | 50.19.247.198 | ec2-50-19-247-198.compute-1.amazonaws.com | - | Medium |
| 158 | 51.38.101.194 | - | - | High |
| 159 | 51.68.247.62 | ip62.ip-51-68-247.eu | - | High |
| 160 | 51.77.92.215 | - | - | High |
| 161 | 51.81.112.144 | - | - | High |
| 162 | 51.81.113.25 | - | - | High |
| 163 | 51.89.73.159 | theladbible.site | - | High |
| 164 | 51.89.115.101 | secure-3111.buzztary.com | - | High |
| 165 | 51.89.115.108 | coms.jt120.com.cn | - | High |
| 166 | 51.89.115.110 | pocket-usage.nationfox.net | - | High |
| 167 | 51.89.115.112 | brides-crude.nationfox.net | - | High |
| 168 | 51.89.115.116 | tombe.nationfox.net | - | High |
| 169 | 51.89.115.121 | mail1.cmailer.online | - | High |
| 170 | 51.89.115.124 | mta.ga-emailcamel.com | - | High |
| 171 | 51.89.177.20 | ip20.ip-51-89-177.eu | - | High |
| 172 | 51.159.23.217 | jambold.co.uk | - | High |
| 173 | 51.254.25.115 | ip115.ip-51-254-25.eu | - | High |
| 174 | 51.254.69.244 | - | - | High |
| 175 | 51.254.83.17 | ip17.ip-51-254-83.eu | - | High |
| 176 | 51.254.164.243 | amortizserv.info | - | High |
| 177 | 51.254.164.244 | y9gs.gaurented.com | - | High |
| 178 | 51.254.164.245 | ip245.ip-51-254-164.eu | - | High |
| 179 | 51.254.164.249 | ip249.ip-51-254-164.eu | - | High |
| 180 | 52.0.197.231 | ec2-52-0-197-231.compute-1.amazonaws.com | - | Medium |
| 181 | 52.20.78.240 | ec2-52-20-78-240.compute-1.amazonaws.com | - | Medium |
| 182 | 52.20.197.7 | ec2-52-20-197-7.compute-1.amazonaws.com | - | Medium |
| 183 | 52.44.169.135 | ec2-52-44-169-135.compute-1.amazonaws.com | - | Medium |
| 184 | 52.55.255.113 | ec2-52-55-255-113.compute-1.amazonaws.com | - | Medium |
| 185 | 52.202.139.131 | ec2-52-202-139-131.compute-1.amazonaws.com | - | Medium |
| 186 | 52.204.109.97 | ec2-52-204-109-97.compute-1.amazonaws.com | - | Medium |
| 187 | 52.206.161.133 | ec2-52-206-161-133.compute-1.amazonaws.com | - | Medium |
| 188 | 52.206.178.1 | ec2-52-206-178-1.compute-1.amazonaws.com | - | Medium |
| 189 | ... | ... | ... | ... |

There are 754 more IOC items available. Please use our online service to access the data.

TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used by TrickBot. This data is unique as it uses our predictive model for actor profiling.

| ID | Technique | Weakness | Description | Confidence |
|---|---|---|---|---|
| 1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High |
| 2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High |
| 3 | T1055 | CWE-74 | Injection | High |
| 4 | T1059 | CWE-94 | Cross Site Scripting | High |
| 5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High |
| 6 | ... | ... | ... | ... |

There are 20 more TTP items available. Please use our online service to access the data.

IOA - Indicator of Attack

These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by TrickBot. This data is unique as it uses our predictive model for actor profiling.

| ID | Type | Indicator | Confidence |
|---|---|---|---|
| 1 | File | .python-version | High |
| 2 | File | /api/sys_username_passwd.cmd | High |
| 3 | File | /app/options.py | High |
| 4 | File | /auth/callback | High |
| 5 | File | /bin/posix/src/ports/POSIX/OpENer | High |
| 6 | File | /conf/ | Low |
| 7 | File | /dashboard/menu-list.php | High |
| 8 | File | /dashboard/profile.php | High |
| 9 | File | /dashboard/reports/logs/view | High |
| 10 | File | /dashboard/table-list.php | High |
| 11 | File | /dev/pts/ | Medium |
| 12 | ... | ... | ... |

There are 95 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

References

The following list contains external sources which discuss the actor and the associated activities:

Literature

The following articles explain our unique predictive cyber threat intelligence:

License

(c) 1997-2022 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!