
TrickBot - Cyber Threat Intelligence

These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as TrickBot. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.trickbot

Campaigns

The following campaigns are known and can be associated with TrickBot:

  • AnchorMail

Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with TrickBot:

There are 5 more country items available. Please use our online service to access the data.

IOC - Indicator of Compromise

These indicators of compromise (IOC) indicate associated network resources which are known to be part of research and attack activities of TrickBot.


There are 773 more IOC items available. Please use our online service to access the data.

TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used by TrickBot. This data is unique as it uses our predictive model for actor profiling.

| ID | Technique | Weakness | Description | Confidence |
|---|---|---|---|---|
| 1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High |
| 2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High |
| 3 | T1055 | CWE-74 | Injection | High |
| 4 | T1059 | CWE-94 | Cross Site Scripting | High |
| 5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High |
| 6 | ... | ... | ... | ... |

There are 21 more TTP items available. Please use our online service to access the data.

IOA - Indicator of Attack

These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by TrickBot. This data is unique as it uses our predictive model for actor profiling.


There are 257 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

References

The following list contains external sources which discuss the actor and the associated activities:

Literature

The following articles explain our unique predictive cyber threat intelligence:

License

(c) 1997-2022 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!