mirror of
https://github.com/vuldb/cyber_threat_intelligence
synced 2024-06-28 09:53:30 +00:00
| .. | ||
| README.md | ||
TrickBot - Cyber Threat Intelligence
These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as TrickBot. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.trickbot
Campaigns
The following campaigns are known and can be associated with TrickBot:
- AnchorMail
- Bitzlato
Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with TrickBot:
There are 8 more country items available. Please use our online service to access the data.
IOC - Indicator of Compromise
These indicators of compromise (IOC) indicate associated network resources which are known to be part of research and attack activities of TrickBot.
| ID | IP address | Hostname | Campaign | Confidence |
|---|---|---|---|---|
| 1 | 3.130.204.160 | ec2-3-130-204-160.us-east-2.compute.amazonaws.com | Bitzlato | Medium |
| 2 | 3.131.233.90 | ec2-3-131-233-90.us-east-2.compute.amazonaws.com | Bitzlato | Medium |
| 3 | 3.209.171.143 | ec2-3-209-171-143.compute-1.amazonaws.com | - | Medium |
| 4 | 3.217.175.153 | ec2-3-217-175-153.compute-1.amazonaws.com | - | Medium |
| 5 | 3.224.145.145 | ec2-3-224-145-145.compute-1.amazonaws.com | - | Medium |
| 6 | 3.231.23.10 | ec2-3-231-23-10.compute-1.amazonaws.com | - | Medium |
| 7 | 5.1.81.68 | mx4.tarifvergleichbhv.net | - | High |
| 8 | 5.2.70.145 | merlinsbeard.co.uk | - | High |
| 9 | 5.2.72.84 | cipixia.com | - | High |
| 10 | 5.2.75.93 | - | - | High |
| 11 | 5.2.75.137 | - | - | High |
| 12 | 5.2.75.167 | coms.a9v34.com.cn | - | High |
| 13 | 5.2.76.122 | mx3.ximple.eu | - | High |
| 14 | 5.2.78.118 | - | - | High |
| 15 | 5.34.74.210 | - | - | High |
| 16 | 5.34.176.184 | billing2.pserver.ru | - | High |
| 17 | 5.34.177.50 | unallocated.layer6.net | - | High |
| 18 | 5.34.177.194 | unallocated.layer6.net | - | High |
| 19 | 5.34.178.126 | yhlas111410.pserver.ru | - | High |
| 20 | 5.34.180.173 | - | - | High |
| 21 | 5.34.180.180 | stportal.com.ua | - | High |
| 22 | 5.34.180.185 | vt-bak-scan-0.antkar.hosted-by.itldc.com | - | High |
| 23 | 5.39.47.22 | mail.dmgs.site | - | High |
| 24 | 5.53.124.49 | dgbtechnologies.com | - | High |
| 25 | 5.59.205.32 | dhcp-32-205-59-5.metro86.ru | - | High |
| 26 | 5.79.68.107 | - | Bitzlato | High |
| 27 | 5.79.68.108 | - | Bitzlato | High |
| 28 | 5.79.68.109 | - | Bitzlato | High |
| 29 | 5.79.68.110 | - | Bitzlato | High |
| 30 | 5.133.179.108 | 5-133-179-108.freeucouponsnow.ru | - | High |
| 31 | 5.135.37.87 | ip87.ip-5-135-37.eu | - | High |
| 32 | 5.149.253.99 | - | - | High |
| 33 | 5.152.175.57 | - | - | High |
| 34 | 5.182.210.30 | realestatepromotion.ru | - | High |
| 35 | 5.182.210.109 | - | - | High |
| 36 | 5.182.210.120 | 120.210.182.5.hosted-by.phanes.cloud | - | High |
| 37 | 5.182.210.132 | - | - | High |
| 38 | 5.182.210.178 | mail.rainingdreams.to | - | High |
| 39 | 5.182.210.226 | - | - | High |
| 40 | 5.182.210.230 | - | - | High |
| 41 | 5.182.210.246 | - | - | High |
| 42 | 5.182.210.254 | n01-nlam.kdktech.com | - | High |
| 43 | 5.182.211.44 | - | - | High |
| 44 | 5.182.211.76 | 5-182-211-76.hosted-by.phanes.cloud | - | High |
| 45 | 5.196.247.14 | ip14.ip-5-196-247.eu | - | High |
| 46 | 5.199.173.152 | - | - | High |
| 47 | 5.202.120.150 | - | - | High |
| 48 | 5.230.22.40 | - | - | High |
| 49 | 5.255.96.119 | - | - | High |
| 50 | 5.255.96.153 | - | - | High |
| 51 | 5.255.96.217 | vps11.host1.be | - | High |
| 52 | 5.255.96.218 | - | - | High |
| 53 | 6.43.51.17 | - | - | High |
| 54 | 8.247.119.126 | - | - | High |
| 55 | 8.253.38.248 | - | - | High |
| 56 | 8.253.140.118 | - | - | High |
| 57 | 8.253.141.249 | - | - | High |
| 58 | 8.253.154.236 | - | - | High |
| 59 | 10.4.20.4 | - | - | High |
| 60 | 10.4.20.101 | - | - | High |
| 61 | 13.107.21.200 | - | - | High |
| 62 | 14.102.15.100 | - | - | High |
| 63 | 14.102.15.101 | - | - | High |
| 64 | 14.102.46.9 | - | - | High |
| 65 | 14.102.72.204 | - | - | High |
| 66 | 14.102.188.227 | axntech-dynamic-227.188.102.14.axntechnologies.in | - | High |
| 67 | 14.232.161.45 | - | - | High |
| 68 | 14.241.244.60 | - | - | High |
| 69 | 18.139.111.104 | ec2-18-139-111-104.ap-southeast-1.compute.amazonaws.com | - | Medium |
| 70 | 18.213.79.189 | ec2-18-213-79-189.compute-1.amazonaws.com | - | Medium |
| 71 | 18.213.250.117 | ec2-18-213-250-117.compute-1.amazonaws.com | Bitzlato | Medium |
| 72 | 18.215.128.143 | ec2-18-215-128-143.compute-1.amazonaws.com | Bitzlato | Medium |
| 73 | 18.233.90.151 | ec2-18-233-90-151.compute-1.amazonaws.com | - | Medium |
| 74 | 23.3.13.88 | a23-3-13-88.deploy.static.akamaitechnologies.com | - | High |
| 75 | 23.3.13.154 | a23-3-13-154.deploy.static.akamaitechnologies.com | - | High |
| 76 | 23.3.125.111 | a23-3-125-111.deploy.static.akamaitechnologies.com | - | High |
| 77 | 23.19.31.135 | - | - | High |
| 78 | 23.19.227.147 | - | - | High |
| 79 | 23.20.220.174 | ec2-23-20-220-174.compute-1.amazonaws.com | - | Medium |
| 80 | 23.20.239.12 | ec2-23-20-239-12.compute-1.amazonaws.com | Bitzlato | Medium |
| 81 | 23.21.27.29 | ec2-23-21-27-29.compute-1.amazonaws.com | - | Medium |
| 82 | 23.21.48.44 | ec2-23-21-48-44.compute-1.amazonaws.com | - | Medium |
| 83 | 23.21.121.219 | ec2-23-21-121-219.compute-1.amazonaws.com | - | Medium |
| 84 | 23.21.252.4 | ec2-23-21-252-4.compute-1.amazonaws.com | - | Medium |
| 85 | 23.23.83.153 | ec2-23-23-83-153.compute-1.amazonaws.com | - | Medium |
| 86 | 23.23.243.154 | ec2-23-23-243-154.compute-1.amazonaws.com | - | Medium |
| 87 | 23.46.150.43 | a23-46-150-43.deploy.static.akamaitechnologies.com | - | High |
| 88 | 23.46.150.58 | a23-46-150-58.deploy.static.akamaitechnologies.com | - | High |
| 89 | 23.46.150.81 | a23-46-150-81.deploy.static.akamaitechnologies.com | - | High |
| 90 | 23.62.6.161 | a23-62-6-161.deploy.static.akamaitechnologies.com | - | High |
| 91 | 23.62.6.170 | a23-62-6-170.deploy.static.akamaitechnologies.com | - | High |
| 92 | 23.94.70.12 | 23-94-70-12-host.colocrossing.com | - | High |
| 93 | 23.94.233.210 | 23-94-233-210-host.colocrossing.com | - | High |
| 94 | 23.95.97.59 | 23-95-97-59-host.colocrossing.com | - | High |
| 95 | 23.95.227.159 | 23-95-227-159-host.colocrossing.com | - | High |
| 96 | 23.95.231.187 | 23-95-231-187-host.colocrossing.com | - | High |
| 97 | 23.95.231.200 | 200-231-lentiviruss.floodsvi.cfd | - | High |
| 98 | 23.96.30.229 | - | - | High |
| 99 | 23.160.192.125 | unknown.ip-xfer.net | - | High |
| 100 | 23.160.193.106 | unknown.ip-xfer.net | - | High |
| 101 | 23.202.231.166 | a23-202-231-166.deploy.static.akamaitechnologies.com | - | High |
| 102 | 23.202.231.167 | a23-202-231-167.deploy.static.akamaitechnologies.com | Bitzlato | High |
| 103 | 23.217.138.107 | a23-217-138-107.deploy.static.akamaitechnologies.com | - | High |
| 104 | 23.217.138.108 | a23-217-138-108.deploy.static.akamaitechnologies.com | Bitzlato | High |
| 105 | 23.227.196.5 | 23-227-196-5.static.hvvc.us | - | High |
| 106 | 23.227.206.170 | 23-227-206-170.static.hvvc.us | - | High |
| 107 | 23.254.224.2 | hwsrv-1062664.hostwindsdns.com | - | High |
| 108 | 24.28.12.23 | cpe-24-28-12-23.austin.res.rr.com | - | High |
| 109 | 24.32.202.68 | - | - | High |
| 110 | 24.153.175.236 | rrcs-24-153-175-236.sw.biz.rr.com | - | High |
| 111 | 24.162.214.166 | cpe-24-162-214-166.elp.res.rr.com | - | High |
| 112 | 24.182.101.64 | 024-182-101-064.res.spectrum.com | - | High |
| 113 | 24.227.152.42 | rrcs-24-227-152-42.sw.biz.rr.com | - | High |
| 114 | 24.247.181.125 | 024-247-181-125.res.spectrum.com | - | High |
| 115 | 27.72.107.215 | dynamic-adsl.viettel.vn | - | High |
| 116 | 27.147.173.227 | 173.227.cetus.link3.net | - | High |
| 117 | 30.10.121.157 | - | - | High |
| 118 | 31.31.204.59 | cluster25.reg.ru | Bitzlato | High |
| 119 | 31.31.204.61 | parking.reg.ru | Bitzlato | High |
| 120 | 31.128.13.45 | 31-128-13-45.ip.oxynet.pl | - | High |
| 121 | 31.129.228.122 | - | - | High |
| 122 | 31.131.21.30 | - | - | High |
| 123 | 31.131.21.184 | - | - | High |
| 124 | 31.131.26.122 | - | - | High |
| 125 | 31.134.52.42 | 31-134-52-42.telico.pl | - | High |
| 126 | 31.134.60.181 | 31-134-60-181.telico.pl | - | High |
| 127 | 31.134.124.90 | - | - | High |
| 128 | 31.172.177.90 | poczta.mp-lift.pl | - | High |
| 129 | 31.173.137.39 | - | - | High |
| 130 | 31.173.137.47 | - | - | High |
| 131 | 31.173.137.49 | - | - | High |
| 132 | 31.184.253.6 | - | - | High |
| 133 | 31.184.253.37 | models9.vixgrafica.de | - | High |
| 134 | 31.202.132.22 | - | - | High |
| 135 | 31.211.85.110 | - | - | High |
| 136 | 31.214.138.207 | f0a4213918138.rev.snt.net.pl | - | High |
| 137 | 31.220.16.53 | - | Bitzlato | High |
| 138 | 34.117.59.81 | 81.59.117.34.bc.googleusercontent.com | - | Medium |
| 139 | 34.160.111.145 | 145.111.160.34.bc.googleusercontent.com | - | Medium |
| 140 | 34.192.250.175 | ec2-34-192-250-175.compute-1.amazonaws.com | - | Medium |
| 141 | 34.196.181.158 | ec2-34-196-181-158.compute-1.amazonaws.com | - | Medium |
| 142 | 34.198.132.204 | ec2-34-198-132-204.compute-1.amazonaws.com | - | Medium |
| 143 | 34.233.102.38 | ec2-34-233-102-38.compute-1.amazonaws.com | - | Medium |
| 144 | 36.37.99.242 | - | - | High |
| 145 | 36.37.176.6 | - | - | High |
| 146 | 36.66.111.251 | - | - | High |
| 147 | 36.66.115.180 | - | - | High |
| 148 | 36.66.188.251 | - | - | High |
| 149 | 36.66.218.117 | - | - | High |
| 150 | 36.67.97.127 | - | - | High |
| 151 | 36.67.109.15 | - | - | High |
| 152 | 36.71.150.118 | - | - | High |
| 153 | 36.89.85.103 | - | - | High |
| 154 | 36.89.98.183 | - | - | High |
| 155 | 36.89.106.69 | - | - | High |
| 156 | 36.89.182.225 | - | - | High |
| 157 | 36.89.191.119 | - | - | High |
| 158 | 36.89.193.181 | - | - | High |
| 159 | 36.89.193.235 | - | - | High |
| 160 | 36.89.228.201 | - | - | High |
| 161 | 36.89.243.241 | - | - | High |
| 162 | 36.91.36.29 | - | - | High |
| 163 | 36.91.45.10 | - | - | High |
| 164 | 36.91.87.227 | - | - | High |
| 165 | 36.91.88.164 | - | - | High |
| 166 | 36.91.98.231 | - | - | High |
| 167 | 36.91.117.231 | - | - | High |
| 168 | 36.91.186.235 | - | - | High |
| 169 | 36.92.19.205 | - | - | High |
| 170 | 36.92.59.93 | - | - | High |
| 171 | 36.92.93.5 | - | - | High |
| 172 | 36.94.27.124 | - | - | High |
| 173 | 36.94.33.102 | - | - | High |
| 174 | 36.94.62.207 | - | - | High |
| 175 | 36.94.100.202 | - | - | High |
| 176 | 36.94.202.131 | - | - | High |
| 177 | 36.95.4.29 | - | - | High |
| 178 | 36.95.23.89 | - | - | High |
| 179 | 36.95.27.243 | - | - | High |
| 180 | 36.95.110.19 | - | - | High |
| 181 | 37.7.123.244 | apn-37-7-123-244.dynamic.gprs.plus.pl | - | High |
| 182 | 37.44.212.179 | - | - | High |
| 183 | 37.44.212.216 | - | - | High |
| 184 | 37.48.65.136 | - | Bitzlato | High |
| 185 | 37.48.65.143 | - | Bitzlato | High |
| 186 | 37.48.65.145 | - | Bitzlato | High |
| 187 | 37.48.65.148 | - | Bitzlato | High |
| 188 | 37.48.65.149 | - | Bitzlato | High |
| 189 | 37.48.65.150 | - | Bitzlato | High |
| 190 | 37.48.65.151 | - | Bitzlato | High |
| 191 | 37.48.65.152 | - | Bitzlato | High |
| 192 | 37.48.65.153 | - | Bitzlato | High |
| 193 | 37.48.65.154 | - | Bitzlato | High |
| 194 | 37.48.65.155 | - | Bitzlato | High |
| 195 | 37.57.82.112 | 112.82.57.37.triolan.net | - | High |
| 196 | 37.59.183.142 | - | - | High |
| 197 | 37.143.150.186 | - | - | High |
| 198 | 37.228.70.134 | - | - | High |
| 199 | 37.228.117.146 | metobor.ru | - | High |
| 200 | 37.228.117.250 | janome.ru | - | High |
| 201 | 37.230.112.146 | audiotop.ru | - | High |
| 202 | 37.230.114.93 | admin1.fvds.ru | - | High |
| 203 | 37.230.114.248 | kosmolot.com | - | High |
| 204 | 37.230.115.129 | dvcarry.fvds.ru | - | High |
| 205 | 37.230.115.133 | wdai.io | - | High |
| 206 | 37.230.115.138 | i2.com | - | High |
| 207 | 37.230.115.171 | geobrox.com | - | High |
| 208 | 37.230.115.184 | 21922vdscom.com | - | High |
| 209 | 37.235.230.123 | 37-235-230-123.dynamic.customer.lanta.me | - | High |
| 210 | 38.110.100.33 | - | - | High |
| 211 | 38.110.100.104 | - | - | High |
| 212 | 38.110.100.142 | - | - | High |
| 213 | 38.110.100.242 | - | - | High |
| 214 | 38.110.103.18 | - | - | High |
| 215 | 38.110.103.113 | - | - | High |
| 216 | 38.110.103.124 | - | - | High |
| 217 | 38.110.103.136 | - | - | High |
| 218 | 38.132.99.174 | - | - | High |
| 219 | 41.57.156.203 | - | - | High |
| 220 | 41.60.233.170 | - | - | High |
| 221 | 41.77.134.250 | cliente6386477933.clubnet.mz | - | High |
| 222 | 41.159.31.227 | - | - | High |
| 223 | 41.175.22.226 | - | - | High |
| 224 | 41.189.214.11 | - | - | High |
| 225 | 41.216.166.142 | - | - | High |
| 226 | 41.243.29.182 | 182-29-243-41.r.airtel.cd | - | High |
| 227 | 43.225.148.118 | - | - | High |
| 228 | 43.245.216.116 | - | - | High |
| 229 | 43.252.158.104 | ipv4-104-158-252.as55666.net | - | High |
| 230 | 45.4.29.26 | - | - | High |
| 231 | 45.5.152.39 | - | - | High |
| 232 | 45.6.16.68 | - | - | High |
| 233 | 45.7.56.172 | - | - | High |
| 234 | 45.14.226.101 | - | - | High |
| 235 | 45.14.226.115 | - | - | High |
| 236 | 45.36.99.184 | cpe-45-36-99-184.triad.res.rr.com | - | High |
| 237 | 45.65.249.154 | - | - | High |
| 238 | 45.66.11.116 | vm1488716.2ssd.had.wf | - | High |
| 239 | 45.70.4.108 | - | - | High |
| 240 | 45.70.14.98 | host-45-70-14-98.nedetel.net | - | High |
| 241 | 45.77.55.61 | 45.77.55.61.vultrusercontent.com | Bitzlato | High |
| 242 | 45.79.90.143 | 45-79-90-143.ip.linodeusercontent.com | - | High |
| 243 | 45.79.126.97 | 45-79-126-97.ip.linodeusercontent.com | - | High |
| 244 | 45.79.155.9 | 45-79-155-9.ip.linodeusercontent.com | - | High |
| 245 | 45.79.212.97 | 45-79-212-97.ip.linodeusercontent.com | - | High |
| 246 | 45.79.253.142 | 45-79-253-142.ip.linodeusercontent.com | - | High |
| 247 | 45.80.148.30 | - | - | High |
| 248 | 45.83.129.224 | - | - | High |
| 249 | 45.83.151.103 | - | - | High |
| 250 | 45.86.74.111 | - | - | High |
| 251 | 45.89.125.214 | - | - | High |
| 252 | 45.89.127.70 | - | - | High |
| 253 | 45.89.127.92 | - | - | High |
| 254 | 45.89.127.240 | - | - | High |
| 255 | 45.93.4.134 | - | - | High |
| 256 | 45.115.172.105 | - | - | High |
| 257 | 45.116.106.45 | - | - | High |
| 258 | 45.125.1.34 | 45.125.1.34.static.xtom.hk | - | High |
| 259 | 45.127.222.8 | - | - | High |
| 260 | 45.137.151.198 | ourdiaspora.net | - | High |
| 261 | 45.138.72.155 | sp200177.example.com | - | High |
| 262 | 45.138.158.32 | - | - | High |
| 263 | 45.142.213.58 | vm372119.pq.hosting | - | High |
| 264 | 45.142.213.70 | support7.example.com | - | High |
| 265 | 45.142.215.235 | vm1246284.stark-industries.solutions | - | High |
| 266 | 45.144.113.168 | - | - | High |
| 267 | 45.148.120.153 | - | - | High |
| 268 | 45.148.120.195 | pe195.peryon.web.tr | - | High |
| 269 | 45.155.173.242 | - | - | High |
| 270 | 45.155.173.248 | - | - | High |
| 271 | 45.160.145.11 | - | - | High |
| 272 | 45.160.145.179 | - | - | High |
| 273 | 45.160.145.216 | - | - | High |
| 274 | 45.161.33.88 | - | - | High |
| 275 | 45.164.80.94 | - | - | High |
| 276 | 45.167.249.126 | - | - | High |
| 277 | 45.178.142.14 | - | - | High |
| 278 | 45.181.207.101 | - | - | High |
| 279 | 45.181.207.156 | - | - | High |
| 280 | 45.182.190.142 | - | - | High |
| 281 | 45.201.134.202 | - | - | High |
| 282 | 45.201.136.3 | - | - | High |
| 283 | 45.201.209.29 | - | - | High |
| 284 | 45.224.214.34 | clientes-214-34.intercommtech.com.br | - | High |
| 285 | 45.226.124.226 | 45-226-124-226.gilsonnet.com.br | - | High |
| 286 | 45.229.71.211 | static-45-229-71-211.extrememt.com.br | - | High |
| 287 | 45.229.162.233 | - | - | High |
| 288 | 45.230.244.20 | - | - | High |
| 289 | 45.233.116.8 | - | - | High |
| 290 | 45.233.170.75 | ip-cr4523316975.clientesimectgroup.com | - | High |
| 291 | 45.234.248.66 | 45.-234.248-66.rev.voanet.br | - | High |
| 292 | 45.234.248.146 | 45.-234.248-146.rev.voanet.br | - | High |
| 293 | 45.234.248.154 | 45.-234.248-154.rev.voanet.br | - | High |
| 294 | 45.235.5.162 | 45-235-5-162.aknet.net.br | - | High |
| 295 | 45.235.213.126 | - | - | High |
| 296 | 45.239.233.131 | 45-239-233-131.speednetinformatica.com.br | - | High |
| 297 | 45.239.234.2 | - | - | High |
| 298 | 45.250.65.9 | - | - | High |
| 299 | 46.4.167.227 | static.227.167.4.46.clients.your-server.de | - | High |
| 300 | 46.4.167.250 | ip-subnet46-4-167.unassigned.theideahosting.net | - | High |
| 301 | 46.8.21.10 | 53980.web.hosting-russia.ru | - | High |
| 302 | 46.8.21.113 | 64403.web.hosting-russia.ru | - | High |
| 303 | 46.30.41.229 | vm494526.eurodir.ru | - | High |
| 304 | 46.30.45.208 | vm418209.eurodir.ru | - | High |
| 305 | 46.99.175.149 | - | - | High |
| 306 | 46.99.175.217 | - | - | High |
| 307 | 46.99.188.223 | - | - | High |
| 308 | 46.105.84.141 | - | - | High |
| 309 | 46.166.182.54 | suggest-wrong.shamrockuser.com | Bitzlato | High |
| 310 | 46.166.182.62 | all-multiuser.aboveoption.com | Bitzlato | High |
| 311 | 46.173.218.172 | - | - | High |
| 312 | 46.173.218.175 | - | - | High |
| 313 | 46.174.235.36 | host36.net46-174-235.interkam.pl | - | High |
| 314 | 46.209.140.220 | - | - | High |
| 315 | 46.237.117.193 | - | - | High |
| 316 | 46.254.128.174 | 46.254.128.174.lanultra.net | - | High |
| 317 | 47.37.90.57 | 047-037-090-057.res.spectrum.com | - | High |
| 318 | 47.51.21.82 | 047-051-021-082.biz.spectrum.com | - | High |
| 319 | 47.51.219.98 | 047-051-219-098.biz.spectrum.com | - | High |
| 320 | 47.190.2.12 | static-47-190-2-12.crtn.tx.frontiernet.net | - | High |
| 321 | 49.156.34.134 | - | - | High |
| 322 | 49.156.39.150 | - | - | High |
| 323 | 49.176.188.184 | static-n49-176-188-184.bla2.nsw.optusnet.com.au | - | High |
| 324 | 49.248.217.170 | static-170.217.248.49-tataidc.co.in | - | High |
| 325 | 50.16.229.140 | ec2-50-16-229-140.compute-1.amazonaws.com | - | Medium |
| 326 | 50.19.247.198 | ec2-50-19-247-198.compute-1.amazonaws.com | - | Medium |
| 327 | 50.63.202.53 | 53.202.63.50.host.secureserver.net | Bitzlato | High |
| 328 | 50.63.202.64 | 64.202.63.50.host.secureserver.net | Bitzlato | High |
| 329 | 50.63.202.65 | 65.202.63.50.host.secureserver.net | Bitzlato | High |
| 330 | 50.63.202.69 | 69.202.63.50.host.secureserver.net | Bitzlato | High |
| 331 | 50.63.202.93 | 93.202.63.50.host.secureserver.net | Bitzlato | High |
| 332 | 50.75.131.6 | rrcs-50-75-131-6.nys.biz.rr.com | - | High |
| 333 | 50.84.233.214 | rrcs-50-84-233-214.sw.biz.rr.com | - | High |
| 334 | 50.197.243.125 | 50-197-243-125-static.hfc.comcastbusiness.net | - | High |
| 335 | 50.208.68.153 | 50-208-68-153-static.hfc.comcastbusiness.net | - | High |
| 336 | 51.38.101.194 | - | - | High |
| 337 | 51.68.247.62 | ip62.ip-51-68-247.eu | - | High |
| 338 | 51.77.92.215 | - | - | High |
| 339 | 51.77.124.137 | - | - | High |
| 340 | 51.81.112.144 | - | - | High |
| 341 | 51.81.113.25 | - | - | High |
| 342 | 51.89.73.159 | theladbible.site | - | High |
| 343 | 51.89.115.99 | 4f09rl5gw0.friscoinsuranceguy.com | - | High |
| 344 | 51.89.115.101 | secure-3111.buzztary.com | - | High |
| 345 | 51.89.115.103 | ip103.ip-51-89-115.eu | - | High |
| 346 | 51.89.115.108 | coms.jt120.com.cn | - | High |
| 347 | 51.89.115.110 | pocket-usage.nationfox.net | - | High |
| 348 | 51.89.115.112 | brides-crude.nationfox.net | - | High |
| 349 | 51.89.115.116 | tombe.nationfox.net | - | High |
| 350 | 51.89.115.121 | mail1.cmailer.online | - | High |
| 351 | 51.89.115.124 | mta.ga-emailcamel.com | - | High |
| 352 | 51.89.177.20 | ip20.ip-51-89-177.eu | - | High |
| 353 | 51.159.23.217 | jambold.co.uk | - | High |
| 354 | 51.254.25.115 | ip115.ip-51-254-25.eu | - | High |
| 355 | 51.254.69.244 | - | - | High |
| 356 | 51.254.83.17 | ip17.ip-51-254-83.eu | - | High |
| 357 | 51.254.164.243 | amortizserv.info | - | High |
| 358 | 51.254.164.244 | y9gs.gaurented.com | - | High |
| 359 | 51.254.164.245 | ip245.ip-51-254-164.eu | - | High |
| 360 | 51.254.164.249 | ip249.ip-51-254-164.eu | - | High |
| 361 | 52.0.197.231 | ec2-52-0-197-231.compute-1.amazonaws.com | - | Medium |
| 362 | 52.0.217.44 | ec2-52-0-217-44.compute-1.amazonaws.com | Bitzlato | Medium |
| 363 | 52.4.209.250 | ec2-52-4-209-250.compute-1.amazonaws.com | Bitzlato | Medium |
| 364 | 52.6.128.155 | ec2-52-6-128-155.compute-1.amazonaws.com | Bitzlato | Medium |
| 365 | 52.20.78.240 | ec2-52-20-78-240.compute-1.amazonaws.com | - | Medium |
| 366 | 52.20.197.7 | ec2-52-20-197-7.compute-1.amazonaws.com | - | Medium |
| 367 | 52.44.169.135 | ec2-52-44-169-135.compute-1.amazonaws.com | - | Medium |
| 368 | 52.54.24.134 | ec2-52-54-24-134.compute-1.amazonaws.com | Bitzlato | Medium |
| 369 | 52.55.255.113 | ec2-52-55-255-113.compute-1.amazonaws.com | - | Medium |
| 370 | 52.73.179.54 | ec2-52-73-179-54.compute-1.amazonaws.com | Bitzlato | Medium |
| 371 | 52.202.139.131 | ec2-52-202-139-131.compute-1.amazonaws.com | - | Medium |
| 372 | 52.204.109.97 | ec2-52-204-109-97.compute-1.amazonaws.com | - | Medium |
| 373 | 52.206.161.133 | ec2-52-206-161-133.compute-1.amazonaws.com | - | Medium |
| 374 | 52.206.178.1 | ec2-52-206-178-1.compute-1.amazonaws.com | - | Medium |
| 375 | 53.182.82.27 | - | - | High |
| 376 | 54.39.106.25 | ns560342.ip-54-39-106.net | - | High |
| 377 | 54.111.105.80 | - | - | High |
| 378 | 54.161.222.85 | ec2-54-161-222-85.compute-1.amazonaws.com | Bitzlato | Medium |
| 379 | 54.204.36.156 | ec2-54-204-36-156.compute-1.amazonaws.com | - | Medium |
| 380 | 54.221.253.252 | ec2-54-221-253-252.compute-1.amazonaws.com | - | Medium |
| 381 | 54.225.159.35 | ec2-54-225-159-35.compute-1.amazonaws.com | - | Medium |
| 382 | 54.235.124.112 | ec2-54-235-124-112.compute-1.amazonaws.com | - | Medium |
| 383 | 54.235.203.7 | ec2-54-235-203-7.compute-1.amazonaws.com | - | Medium |
| 384 | 54.235.220.229 | ec2-54-235-220-229.compute-1.amazonaws.com | - | Medium |
| 385 | 54.243.147.226 | ec2-54-243-147-226.compute-1.amazonaws.com | - | Medium |
| 386 | 54.243.198.12 | ec2-54-243-198-12.compute-1.amazonaws.com | - | Medium |
| 387 | 54.243.208.112 | ec2-54-243-208-112.compute-1.amazonaws.com | - | Medium |
| 388 | 58.97.72.83 | 58-97-72-83.static.asianet.co.th | - | High |
| 389 | 60.51.47.65 | - | - | High |
| 390 | 61.19.116.53 | - | - | High |
| 391 | 61.69.102.170 | 61-69-102-170.mel.static-ipl.aapt.com.au | - | High |
| 392 | 62.64.9.237 | clients-62.64.9.237.misp.ru | - | High |
| 393 | 62.69.241.103 | 62-69-241-103.internetia.net.pl | - | High |
| 394 | 62.99.76.213 | 213.62-99-76.static.clientes.euskaltel.es | - | High |
| 395 | ... | ... | ... | ... |
There are 1575 more IOC items available. Please use our online service to access the data.
TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used by TrickBot. This data is unique as it uses our predictive model for actor profiling.
| ID | Technique | Weakness | Description | Confidence |
|---|---|---|---|---|
| 1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-35, CWE-37 | Pathname Traversal | High |
| 2 | T1055 | CWE-74 | Injection | High |
| 3 | T1059 | CWE-94, CWE-1321 | Cross Site Scripting | High |
| 4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High |
| 5 | T1068 | CWE-264, CWE-269, CWE-284 | J2EE Misconfiguration: Weak Access Permissions for EJB Methods | High |
| 6 | T1083 | CWE-552 | File and Directory Information Exposure | High |
| 7 | ... | ... | ... | ... |
There are 22 more TTP items available. Please use our online service to access the data.
IOA - Indicator of Attack
These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by TrickBot. This data is unique as it uses our predictive model for actor profiling.
| ID | Type | Indicator | Confidence |
|---|---|---|---|
| 1 | File | /academy/tutor/filter |
High |
| 2 | File | /admin/add-category.php |
High |
| 3 | File | /admin/admin-profile.php |
High |
| 4 | File | /admin/index2.html |
High |
| 5 | File | /admin/sales/view_details.php |
High |
| 6 | File | /api/cron/settings/setJob/ |
High |
| 7 | File | /api/sys/login |
High |
| 8 | File | /api/sys/set_passwd |
High |
| 9 | File | /api/v1/snapshots |
High |
| 10 | File | /aqpg/users/login.php |
High |
| 11 | File | /audit/log/log_management.php |
High |
| 12 | File | /cgi-bin/login.cgi |
High |
| 13 | File | /cgi-bin/mainfunction.cgi |
High |
| 14 | File | /cgi-bin/wlogin.cgi |
High |
| 15 | File | /changePassword |
High |
| 16 | File | /classes/Users.php |
High |
| 17 | File | /debug/pprof |
Medium |
| 18 | File | /dottie.js |
Medium |
| 19 | File | /env |
Low |
| 20 | File | /forms/doLogin |
High |
| 21 | File | /forum/away.php |
High |
| 22 | File | /hrm/controller/employee.php |
High |
| 23 | File | /hrm/employeeview.php |
High |
| 24 | File | /index.php |
Medium |
| 25 | File | /index.php?p=admin/actions/users/send-password-reset-email |
High |
| 26 | File | /librarian/bookdetails.php |
High |
| 27 | File | /log/webmailattach.php |
High |
| 28 | File | /login.php?do=login |
High |
| 29 | File | /m4pdf/pdf.php |
High |
| 30 | File | /mc |
Low |
| 31 | File | /mhds/clinic/view_details.php |
High |
| 32 | File | /modules/projects/vw_files.php |
High |
| 33 | File | /php-opos/index.php |
High |
| 34 | File | /project/tasks/list |
High |
| 35 | File | /protocol/iscgwtunnel/uploadiscgwrouteconf.php |
High |
| 36 | File | /public/login.htm |
High |
| 37 | ... | ... | ... |
There are 322 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
References
The following list contains external sources which discuss the actor and the associated activities:
- https://bazaar.abuse.ch/sample/0e37236baf4ffd32c94711ba767810af3d24049cd9fb9e5c21535839c05f2491/
- https://bazaar.abuse.ch/sample/01b6ab63f7078d952ed1a18850ac202bc201aa6210592c108a2e0a4d16f06fc5/
- https://bazaar.abuse.ch/sample/088d508c5f4509185682108b422dcce6d1ca6ce82258f1340ab4e330da067b22/
- https://bazaar.abuse.ch/sample/5cd5117a6e5ce9208897678ed6c44bf821f02326b01386589e56e0adbe0581f0/
- https://bazaar.abuse.ch/sample/6e78ffba1483bbf0e751244631d8f992492e4832733ac516c333164ec2ee417f/
- https://bazaar.abuse.ch/sample/8fda4c4de4cb7ec3c461887cec086d3385d8809cdfb302af310ab70c340c12ac/
- https://bazaar.abuse.ch/sample/38a01d1adc7e746287feeb38522ee9f8899dd487cc5393203148589d1a820e26/
- https://bazaar.abuse.ch/sample/71a5ee88580fb5ab41db8fe42ba2197cfaeed46ff40b4d8942ced0d5eda9d2b3/
- https://bazaar.abuse.ch/sample/81fa8a3bdc452dd2b279b61fed92fe83d65e650e06bca9ee4dfcf991a4a59e77/
- https://bazaar.abuse.ch/sample/94dfc86b7314e9b0981a4e3667d5b82711ab82a3079f2441788bb9523249a7eb/
- https://bazaar.abuse.ch/sample/97aa05fceef261ee4ca00025a69280b8f9843ba6531a48ee543eed1f37af8c27/
- https://bazaar.abuse.ch/sample/210e03682a3d02a4ed1787cab12d998629314fb1999e594e4f00cb0b54ca9b94/
- https://bazaar.abuse.ch/sample/342c6f896cfd65506ce1940e8c9902e47f2921830ca8085d1e2847fc7b7cb102/
- https://bazaar.abuse.ch/sample/1161c095c63b3b47494043acf049d9803b6cf13a453af90f6ed415d1e357291c/
- https://bazaar.abuse.ch/sample/57923313973c7955afed23ce377688c7eb1cc088423f0678206b3fb16bd433ec/
- https://bazaar.abuse.ch/sample/a072edeb8887bb0354b6126b03a641633e9e514d1feadc59f5feb97b2dd615fc/
- https://bazaar.abuse.ch/sample/af3fcc4d0646a3a2c27512b07a0c84428ced10606e28e248ecfcd8c2569d85d8/
- https://bazaar.abuse.ch/sample/c7e6c31cbe36b1c92d7be9f7b1928c2d9e444abc84aa78241fd800784edd4c71/
- https://bazaar.abuse.ch/sample/cd82389b29fa5bf0b638c07322d368bbe1d20e3a41017367ee6308ff1d2cdb54/
- https://bazaar.abuse.ch/sample/d2122f044167ecb831d202ce7829d2e50a902266f7e290e42b5ff432e8879b9a/
- https://bazaar.abuse.ch/sample/e040cad9eb0815e34d1133d52e15d5a254fabbff250972329303d0cc1da15c35/
- https://bazaar.abuse.ch/sample/e36baf947ea6292bc5d73b9ec405a91a6939a487da6c8ca920bae5a4a624f1d4/
- https://bazaar.abuse.ch/sample/e387b4d5f18119293154fe71b36bdc460382539496dae504885afb529d110077/
- https://bazaar.abuse.ch/sample/f63b169e6589d2403bf32cca047ead493f0fb6490250366dbdff4b72384765b5/
- https://blog.morphisec.com/trickbot-emotet-delivery-through-word-macro
- https://blog.talosintelligence.com/2018/01/threat-round-up-1229-0105.html
- https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html
- https://blog.talosintelligence.com/2019/07/threat-roundup-0628-0705.html
- https://blog.talosintelligence.com/2019/07/threat-roundup-0719-0726.html
- https://blog.talosintelligence.com/2019/07/threat-roundup-for-0705-0712.html
- https://blog.talosintelligence.com/2019/08/threat-roundup-0809-0816.html
- https://blog.talosintelligence.com/2019/08/threat-roundup-0823-0830.html
- https://blog.talosintelligence.com/2019/10/threat-roundup-1004-1011.html
- https://blog.talosintelligence.com/2019/10/threat-roundup-1011-1018.html
- https://blog.talosintelligence.com/2019/10/threat-roundup-1018-1025.html
- https://blog.talosintelligence.com/2019/11/threat-roundup-1101-1108.html
- https://blog.talosintelligence.com/2019/11/threat-roundup-1115-1122.html
- https://blog.talosintelligence.com/2019/12/threat-roundup-1213-1220.html
- https://blog.talosintelligence.com/2020/01/threat-roundup-0103-0110.html
- https://blog.talosintelligence.com/2020/01/threat-roundup-0110-0117.html
- https://blog.talosintelligence.com/2020/01/threat-roundup-0117-0124.html
- https://blog.talosintelligence.com/2020/02/threat-roundup-0131-0207.html
- https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html
- https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html
- https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
- https://blog.talosintelligence.com/2021/03/threat-roundup-0319-0326.html
- https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html
- https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
- https://blog.talosintelligence.com/2021/04/threat-roundup-0416-0423.html
- https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
- https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
- https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
- https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
- https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
- https://blog.talosintelligence.com/2021/11/threat-roundup-1029-1105.html
- https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
- https://blog.talosintelligence.com/2022/05/threat-roundup-0513-0520.html
- https://blog.talosintelligence.com/2022/05/threat-roundup-0520-0527.html
- https://blog.talosintelligence.com/2022/06/threat-roundup-0617-0624.html
- https://blog.talosintelligence.com/2022/08/threat-roundup-0805-0812.html
- https://blog.talosintelligence.com/2022/09/threat-roundup-0923-0930.html
- https://blog.talosintelligence.com/threat-roundup-0106-0113/
- https://blog.talosintelligence.com/threat-roundup-0127-0203/
- https://blog.talosintelligence.com/threat-roundup-0310-0317/
- https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/
- https://blogs.blackberry.com/en/2019/09/blackberry-cylance-vs-trickbot-infostealer-malware
- https://blogs.infoblox.com/cyber-threat-intelligence/ransomware-attacks-target-healthcare-sector/
- https://community.blueliv.com/#!/s/611a51a282df413eb235470a
- https://community.blueliv.com/#!/s/60414fc982df413eaf34607d
- https://ddanchev.blogspot.com/2023/02/exposing-trickbots-bitzlato.html
- https://feodotracker.abuse.ch/downloads/ipblocklist.csv
- https://github.com/executemalware/Malware-IOCs/blob/main/2021-08-19%20Trickbot%20IOCs
- https://github.com/executemalware/Malware-IOCs/blob/main/2021-10-20%20Trickbot%20IOCs
- https://github.com/executemalware/Malware-IOCs/blob/main/2021-10-21%20Trickbot%20IOCs
- https://github.com/executemalware/Malware-IOCs/blob/main/2021-11-08%20Trickbot%20IOCs
- https://github.com/executemalware/Malware-IOCs/blob/main/2021-11-22%20Trickbot%20IOCs
- https://github.com/executemalware/Malware-IOCs/blob/main/2021-12-09%20Trickbot%20IOCs
- https://isc.sans.edu/forums/diary/Emotet+epoch+1+infection+with+Trickbot+gtag+mor84/25752/
- https://isc.sans.edu/forums/diary/Emotet+malspam+is+back/25330/
- https://isc.sans.edu/forums/diary/German+language+malspam+pushes+yet+another+wave+of+Trickbot/25594/
- https://isc.sans.edu/forums/diary/Malspam+pushing+Trickbot+banking+Trojan/22720/
- https://isc.sans.edu/forums/diary/Malspam+pushing+Trickbot+gtag+rob13/27112/
- https://isc.sans.edu/forums/diary/Malspam+pushing+Trickbot+malware+on+Friday+20180511/23653/
- https://isc.sans.edu/forums/diary/Malspam+with+passwordprotected+word+docs+still+pushing+IcedID+Bokbot+with+Trickbot/24708/
- https://isc.sans.edu/forums/diary/One+Emotet+infection+leads+to+three+followup+malware+infections/24140/
- https://isc.sans.edu/forums/diary/Trickbot+gtag+red5+distributed+as+a+DLL+file/25918/
- https://pastebin.com/AynCmBXq
- https://pastebin.com/Cyt0hwDX
- https://pastebin.com/fuiyABK2
- https://pastebin.com/j7jPxYaF
- https://pastebin.com/rgi0Xcwg
- https://pastebin.com/td9yY4EJ
- https://pastebin.com/TU5327mm
- https://pastebin.com/WxHma06Z
- https://pastebin.com/Xu7GcQBs
- https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/
- https://securelist.com/trickbot-module-descriptions/104603/
- https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/
- https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine/
- https://thedfirreport.com/2020/04/30/tricky-pyxie/
- https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
- https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/
- https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
- https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
- https://threatfox.abuse.ch
- https://twitter.com/dark0pcodes/status/1338932562966753281
- https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/
- https://www.cyber45.com
- https://www.fortinet.com/blog/threat-research/new-variant-of-trickbot-being-spread-by-word-document.html
Literature
The following articles explain our unique predictive cyber threat intelligence:
- VulDB Cyber Threat Intelligence Documentation
- Cyber Threat Intelligence - Early Anticipation of Attacks
License
(c) 1997-2023 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!