TrickBot - Cyber Threat Intelligence
These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as TrickBot. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.trickbot
Campaigns
The following campaigns are known and can be associated with TrickBot:
- AnchorMail
- Bitzlato
Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with TrickBot:
There are 8 more country items available. Please use our online service to access the data.
IOC - Indicator of Compromise
These indicators of compromise (IOC) indicate associated network resources which are known to be part of research and attack activities of TrickBot.
There are 1575 more IOC items available. Please use our online service to access the data.
TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used by TrickBot. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence |
---|---|---|---|---|
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-35, CWE-37 | Pathname Traversal | High |
2 | T1055 | CWE-74 | Injection | High |
3 | T1059 | CWE-94, CWE-1321 | Cross Site Scripting | High |
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High |
5 | T1068 | CWE-264, CWE-269, CWE-284 | J2EE Misconfiguration: Weak Access Permissions for EJB Methods | High |
6 | T1083 | CWE-552 | File and Directory Information Exposure | High |
7 | ... | ... | ... | ... |
There are 22 more TTP items available. Please use our online service to access the data.
IOA - Indicator of Attack
These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by TrickBot. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence |
---|---|---|---|
1 | File | /academy/tutor/filter | High |
2 | File | /admin/add-category.php | High |
3 | File | /admin/admin-profile.php | High |
4 | File | /admin/index2.html | High |
5 | File | /admin/sales/view_details.php | High |
6 | File | /api/cron/settings/setJob/ | High |
7 | File | /api/sys/login | High |
8 | File | /api/sys/set_passwd | High |
9 | File | /api/v1/snapshots | High |
10 | File | /aqpg/users/login.php | High |
11 | File | /audit/log/log_management.php | High |
12 | File | /cgi-bin/login.cgi | High |
13 | File | /cgi-bin/mainfunction.cgi | High |
14 | File | /cgi-bin/wlogin.cgi | High |
15 | File | /changePassword | High |
16 | File | /classes/Users.php | High |
17 | File | /debug/pprof | Medium |
18 | File | /dottie.js | Medium |
19 | File | /env | Low |
20 | File | /forms/doLogin | High |
21 | File | /forum/away.php | High |
22 | File | /hrm/controller/employee.php | High |
23 | File | /hrm/employeeview.php | High |
24 | File | /index.php | Medium |
25 | File | /index.php?p=admin/actions/users/send-password-reset-email | High |
26 | File | /librarian/bookdetails.php | High |
27 | File | /log/webmailattach.php | High |
28 | File | /login.php?do=login | High |
29 | File | /m4pdf/pdf.php | High |
30 | File | /mc | Low |
31 | File | /mhds/clinic/view_details.php | High |
32 | File | /modules/projects/vw_files.php | High |
33 | File | /php-opos/index.php | High |
34 | File | /project/tasks/list | High |
35 | File | /protocol/iscgwtunnel/uploadiscgwrouteconf.php | High |
36 | File | /public/login.htm | High |
37 | ... | ... | ... |
There are 322 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
Literature
The following articles explain our unique predictive cyber threat intelligence:
- VulDB Cyber Threat Intelligence Documentation
- Cyber Threat Intelligence - Early Anticipation of Attacks
License
(c) 1997-2023 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0.