361 lines
26 KiB
Markdown
361 lines
26 KiB
Markdown
# TrickBot - Cyber Threat Intelligence
|
|
|
|
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [TrickBot](https://vuldb.com/?actor.trickbot). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
|
|
|
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.trickbot](https://vuldb.com/?actor.trickbot)
|
|
|
|
## Campaigns
|
|
|
|
The following _campaigns_ are known and can be associated with TrickBot:
|
|
|
|
* AnchorMail
|
|
|
|
## Countries
|
|
|
|
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with TrickBot:
|
|
|
|
* [VN](https://vuldb.com/?country.vn)
|
|
* [CN](https://vuldb.com/?country.cn)
|
|
* [US](https://vuldb.com/?country.us)
|
|
* ...
|
|
|
|
There are 5 more country items available. Please use our online service to access the data.
|
|
|
|
## IOC - Indicator of Compromise
|
|
|
|
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of TrickBot.
|
|
|
|
ID | IP address | Hostname | Campaign | Confidence
|
|
-- | ---------- | -------- | -------- | ----------
|
|
1 | [3.209.171.143](https://vuldb.com/?ip.3.209.171.143) | ec2-3-209-171-143.compute-1.amazonaws.com | - | Medium
|
|
2 | [3.217.175.153](https://vuldb.com/?ip.3.217.175.153) | ec2-3-217-175-153.compute-1.amazonaws.com | - | Medium
|
|
3 | [3.224.145.145](https://vuldb.com/?ip.3.224.145.145) | ec2-3-224-145-145.compute-1.amazonaws.com | - | Medium
|
|
4 | [3.231.23.10](https://vuldb.com/?ip.3.231.23.10) | ec2-3-231-23-10.compute-1.amazonaws.com | - | Medium
|
|
5 | [5.1.81.68](https://vuldb.com/?ip.5.1.81.68) | mx4.tarifvergleichbhv.net | - | High
|
|
6 | [5.2.70.145](https://vuldb.com/?ip.5.2.70.145) | merlinsbeard.co.uk | - | High
|
|
7 | [5.2.72.84](https://vuldb.com/?ip.5.2.72.84) | cipixia.com | - | High
|
|
8 | [5.2.75.93](https://vuldb.com/?ip.5.2.75.93) | - | - | High
|
|
9 | [5.2.75.167](https://vuldb.com/?ip.5.2.75.167) | coms.a9v34.com.cn | - | High
|
|
10 | [5.2.76.122](https://vuldb.com/?ip.5.2.76.122) | mx3.ximple.eu | - | High
|
|
11 | [5.2.78.118](https://vuldb.com/?ip.5.2.78.118) | - | - | High
|
|
12 | [5.34.177.50](https://vuldb.com/?ip.5.34.177.50) | unallocated.layer6.net | - | High
|
|
13 | [5.34.178.126](https://vuldb.com/?ip.5.34.178.126) | yhlas111410.pserver.ru | - | High
|
|
14 | [5.39.47.22](https://vuldb.com/?ip.5.39.47.22) | mail.dmgs.site | - | High
|
|
15 | [5.53.124.49](https://vuldb.com/?ip.5.53.124.49) | dgbtechnologies.com | - | High
|
|
16 | [5.59.205.32](https://vuldb.com/?ip.5.59.205.32) | dhcp-32-205-59-5.metro86.ru | - | High
|
|
17 | [5.133.179.108](https://vuldb.com/?ip.5.133.179.108) | 5-133-179-108.freeucouponsnow.ru | - | High
|
|
18 | [5.149.253.99](https://vuldb.com/?ip.5.149.253.99) | - | - | High
|
|
19 | [5.152.175.57](https://vuldb.com/?ip.5.152.175.57) | - | - | High
|
|
20 | [5.182.210.30](https://vuldb.com/?ip.5.182.210.30) | realestatepromotion.ru | - | High
|
|
21 | [5.182.210.109](https://vuldb.com/?ip.5.182.210.109) | - | - | High
|
|
22 | [5.182.210.132](https://vuldb.com/?ip.5.182.210.132) | - | - | High
|
|
23 | [5.182.210.178](https://vuldb.com/?ip.5.182.210.178) | mail.rainingdreams.to | - | High
|
|
24 | [5.182.210.226](https://vuldb.com/?ip.5.182.210.226) | - | - | High
|
|
25 | [5.182.210.230](https://vuldb.com/?ip.5.182.210.230) | - | - | High
|
|
26 | [5.182.210.246](https://vuldb.com/?ip.5.182.210.246) | - | - | High
|
|
27 | [5.182.210.254](https://vuldb.com/?ip.5.182.210.254) | n01-nlam.kdktech.com | - | High
|
|
28 | [5.182.211.44](https://vuldb.com/?ip.5.182.211.44) | - | - | High
|
|
29 | [5.196.247.14](https://vuldb.com/?ip.5.196.247.14) | ip14.ip-5-196-247.eu | - | High
|
|
30 | [5.199.173.152](https://vuldb.com/?ip.5.199.173.152) | - | - | High
|
|
31 | [5.230.22.40](https://vuldb.com/?ip.5.230.22.40) | - | - | High
|
|
32 | [5.255.96.217](https://vuldb.com/?ip.5.255.96.217) | vps11.host1.be | - | High
|
|
33 | [5.255.96.218](https://vuldb.com/?ip.5.255.96.218) | - | - | High
|
|
34 | [8.247.119.126](https://vuldb.com/?ip.8.247.119.126) | - | - | High
|
|
35 | [8.253.38.248](https://vuldb.com/?ip.8.253.38.248) | - | - | High
|
|
36 | [8.253.140.118](https://vuldb.com/?ip.8.253.140.118) | - | - | High
|
|
37 | [8.253.141.249](https://vuldb.com/?ip.8.253.141.249) | - | - | High
|
|
38 | [8.253.154.236](https://vuldb.com/?ip.8.253.154.236) | - | - | High
|
|
39 | [14.241.244.60](https://vuldb.com/?ip.14.241.244.60) | - | - | High
|
|
40 | [18.213.79.189](https://vuldb.com/?ip.18.213.79.189) | ec2-18-213-79-189.compute-1.amazonaws.com | - | Medium
|
|
41 | [18.233.90.151](https://vuldb.com/?ip.18.233.90.151) | ec2-18-233-90-151.compute-1.amazonaws.com | - | Medium
|
|
42 | [23.3.13.88](https://vuldb.com/?ip.23.3.13.88) | a23-3-13-88.deploy.static.akamaitechnologies.com | - | High
|
|
43 | [23.3.13.154](https://vuldb.com/?ip.23.3.13.154) | a23-3-13-154.deploy.static.akamaitechnologies.com | - | High
|
|
44 | [23.3.125.111](https://vuldb.com/?ip.23.3.125.111) | a23-3-125-111.deploy.static.akamaitechnologies.com | - | High
|
|
45 | [23.19.31.135](https://vuldb.com/?ip.23.19.31.135) | - | - | High
|
|
46 | [23.19.227.147](https://vuldb.com/?ip.23.19.227.147) | - | - | High
|
|
47 | [23.20.220.174](https://vuldb.com/?ip.23.20.220.174) | ec2-23-20-220-174.compute-1.amazonaws.com | - | Medium
|
|
48 | [23.21.27.29](https://vuldb.com/?ip.23.21.27.29) | ec2-23-21-27-29.compute-1.amazonaws.com | - | Medium
|
|
49 | [23.21.48.44](https://vuldb.com/?ip.23.21.48.44) | ec2-23-21-48-44.compute-1.amazonaws.com | - | Medium
|
|
50 | [23.21.121.219](https://vuldb.com/?ip.23.21.121.219) | ec2-23-21-121-219.compute-1.amazonaws.com | - | Medium
|
|
51 | [23.21.252.4](https://vuldb.com/?ip.23.21.252.4) | ec2-23-21-252-4.compute-1.amazonaws.com | - | Medium
|
|
52 | [23.23.83.153](https://vuldb.com/?ip.23.23.83.153) | ec2-23-23-83-153.compute-1.amazonaws.com | - | Medium
|
|
53 | [23.23.243.154](https://vuldb.com/?ip.23.23.243.154) | ec2-23-23-243-154.compute-1.amazonaws.com | - | Medium
|
|
54 | [23.46.150.43](https://vuldb.com/?ip.23.46.150.43) | a23-46-150-43.deploy.static.akamaitechnologies.com | - | High
|
|
55 | [23.46.150.58](https://vuldb.com/?ip.23.46.150.58) | a23-46-150-58.deploy.static.akamaitechnologies.com | - | High
|
|
56 | [23.46.150.81](https://vuldb.com/?ip.23.46.150.81) | a23-46-150-81.deploy.static.akamaitechnologies.com | - | High
|
|
57 | [23.62.6.161](https://vuldb.com/?ip.23.62.6.161) | a23-62-6-161.deploy.static.akamaitechnologies.com | - | High
|
|
58 | [23.62.6.170](https://vuldb.com/?ip.23.62.6.170) | a23-62-6-170.deploy.static.akamaitechnologies.com | - | High
|
|
59 | [23.94.233.210](https://vuldb.com/?ip.23.94.233.210) | 23-94-233-210-host.colocrossing.com | - | High
|
|
60 | [23.95.97.59](https://vuldb.com/?ip.23.95.97.59) | 23-95-97-59-host.colocrossing.com | - | High
|
|
61 | [23.95.231.187](https://vuldb.com/?ip.23.95.231.187) | 23-95-231-187-host.colocrossing.com | - | High
|
|
62 | [23.96.30.229](https://vuldb.com/?ip.23.96.30.229) | - | - | High
|
|
63 | [23.160.192.125](https://vuldb.com/?ip.23.160.192.125) | unknown.ip-xfer.net | - | High
|
|
64 | [23.160.193.106](https://vuldb.com/?ip.23.160.193.106) | unknown.ip-xfer.net | - | High
|
|
65 | [23.202.231.166](https://vuldb.com/?ip.23.202.231.166) | a23-202-231-166.deploy.static.akamaitechnologies.com | - | High
|
|
66 | [23.217.138.107](https://vuldb.com/?ip.23.217.138.107) | a23-217-138-107.deploy.static.akamaitechnologies.com | - | High
|
|
67 | [24.162.214.166](https://vuldb.com/?ip.24.162.214.166) | cpe-24-162-214-166.elp.res.rr.com | - | High
|
|
68 | [27.72.107.215](https://vuldb.com/?ip.27.72.107.215) | dynamic-adsl.viettel.vn | - | High
|
|
69 | [27.147.173.227](https://vuldb.com/?ip.27.147.173.227) | 173.227.cetus.link3.net | - | High
|
|
70 | [30.10.121.157](https://vuldb.com/?ip.30.10.121.157) | - | - | High
|
|
71 | [31.131.21.184](https://vuldb.com/?ip.31.131.21.184) | - | - | High
|
|
72 | [31.131.26.122](https://vuldb.com/?ip.31.131.26.122) | - | - | High
|
|
73 | [31.134.60.181](https://vuldb.com/?ip.31.134.60.181) | 31-134-60-181.telico.pl | - | High
|
|
74 | [31.134.124.90](https://vuldb.com/?ip.31.134.124.90) | - | - | High
|
|
75 | [31.172.177.90](https://vuldb.com/?ip.31.172.177.90) | poczta.mp-lift.pl | - | High
|
|
76 | [31.184.253.6](https://vuldb.com/?ip.31.184.253.6) | - | - | High
|
|
77 | [31.184.253.37](https://vuldb.com/?ip.31.184.253.37) | models9.vixgrafica.de | - | High
|
|
78 | [31.202.132.22](https://vuldb.com/?ip.31.202.132.22) | - | - | High
|
|
79 | [31.211.85.110](https://vuldb.com/?ip.31.211.85.110) | - | - | High
|
|
80 | [31.214.138.207](https://vuldb.com/?ip.31.214.138.207) | f0a4213918138.rev.snt.net.pl | - | High
|
|
81 | [34.117.59.81](https://vuldb.com/?ip.34.117.59.81) | 81.59.117.34.bc.googleusercontent.com | - | Medium
|
|
82 | [34.192.250.175](https://vuldb.com/?ip.34.192.250.175) | ec2-34-192-250-175.compute-1.amazonaws.com | - | Medium
|
|
83 | [34.196.181.158](https://vuldb.com/?ip.34.196.181.158) | ec2-34-196-181-158.compute-1.amazonaws.com | - | Medium
|
|
84 | [34.198.132.204](https://vuldb.com/?ip.34.198.132.204) | ec2-34-198-132-204.compute-1.amazonaws.com | - | Medium
|
|
85 | [34.233.102.38](https://vuldb.com/?ip.34.233.102.38) | ec2-34-233-102-38.compute-1.amazonaws.com | - | Medium
|
|
86 | [36.37.176.6](https://vuldb.com/?ip.36.37.176.6) | - | - | High
|
|
87 | [36.66.115.180](https://vuldb.com/?ip.36.66.115.180) | - | - | High
|
|
88 | [36.66.188.251](https://vuldb.com/?ip.36.66.188.251) | - | - | High
|
|
89 | [36.89.85.103](https://vuldb.com/?ip.36.89.85.103) | - | - | High
|
|
90 | [36.89.106.69](https://vuldb.com/?ip.36.89.106.69) | - | - | High
|
|
91 | [36.89.191.119](https://vuldb.com/?ip.36.89.191.119) | - | - | High
|
|
92 | [36.89.193.181](https://vuldb.com/?ip.36.89.193.181) | - | - | High
|
|
93 | [36.89.193.235](https://vuldb.com/?ip.36.89.193.235) | - | - | High
|
|
94 | [36.89.228.201](https://vuldb.com/?ip.36.89.228.201) | - | - | High
|
|
95 | [36.89.243.241](https://vuldb.com/?ip.36.89.243.241) | - | - | High
|
|
96 | [36.91.45.10](https://vuldb.com/?ip.36.91.45.10) | - | - | High
|
|
97 | [36.91.87.227](https://vuldb.com/?ip.36.91.87.227) | - | - | High
|
|
98 | [36.91.88.164](https://vuldb.com/?ip.36.91.88.164) | - | - | High
|
|
99 | [36.91.117.231](https://vuldb.com/?ip.36.91.117.231) | - | - | High
|
|
100 | [36.91.186.235](https://vuldb.com/?ip.36.91.186.235) | - | - | High
|
|
101 | [36.94.27.124](https://vuldb.com/?ip.36.94.27.124) | - | - | High
|
|
102 | [36.94.33.102](https://vuldb.com/?ip.36.94.33.102) | - | - | High
|
|
103 | [36.94.100.202](https://vuldb.com/?ip.36.94.100.202) | - | - | High
|
|
104 | [36.95.23.89](https://vuldb.com/?ip.36.95.23.89) | - | - | High
|
|
105 | [36.95.27.243](https://vuldb.com/?ip.36.95.27.243) | - | - | High
|
|
106 | [37.7.123.244](https://vuldb.com/?ip.37.7.123.244) | apn-37-7-123-244.dynamic.gprs.plus.pl | - | High
|
|
107 | [37.44.212.179](https://vuldb.com/?ip.37.44.212.179) | - | - | High
|
|
108 | [37.44.212.216](https://vuldb.com/?ip.37.44.212.216) | - | - | High
|
|
109 | [37.59.183.142](https://vuldb.com/?ip.37.59.183.142) | - | - | High
|
|
110 | [37.228.70.134](https://vuldb.com/?ip.37.228.70.134) | - | - | High
|
|
111 | [37.228.117.146](https://vuldb.com/?ip.37.228.117.146) | metobor.ru | - | High
|
|
112 | [37.228.117.250](https://vuldb.com/?ip.37.228.117.250) | janome.ru | - | High
|
|
113 | [37.230.112.146](https://vuldb.com/?ip.37.230.112.146) | audiotop.ru | - | High
|
|
114 | [37.230.114.93](https://vuldb.com/?ip.37.230.114.93) | admin1.fvds.ru | - | High
|
|
115 | [37.230.114.248](https://vuldb.com/?ip.37.230.114.248) | kosmolot.com | - | High
|
|
116 | [37.230.115.129](https://vuldb.com/?ip.37.230.115.129) | dvcarry.fvds.ru | - | High
|
|
117 | [37.230.115.133](https://vuldb.com/?ip.37.230.115.133) | wdai.io | - | High
|
|
118 | [37.230.115.138](https://vuldb.com/?ip.37.230.115.138) | i2.com | - | High
|
|
119 | [37.230.115.171](https://vuldb.com/?ip.37.230.115.171) | geobrox.com | - | High
|
|
120 | [37.230.115.184](https://vuldb.com/?ip.37.230.115.184) | 21922vdscom.com | - | High
|
|
121 | [38.132.99.174](https://vuldb.com/?ip.38.132.99.174) | - | - | High
|
|
122 | [41.77.134.250](https://vuldb.com/?ip.41.77.134.250) | cliente6386477933.clubnet.mz | - | High
|
|
123 | [41.175.22.226](https://vuldb.com/?ip.41.175.22.226) | - | - | High
|
|
124 | [41.243.29.182](https://vuldb.com/?ip.41.243.29.182) | 182-29-243-41.r.airtel.cd | - | High
|
|
125 | [43.245.216.116](https://vuldb.com/?ip.43.245.216.116) | - | - | High
|
|
126 | [45.5.152.39](https://vuldb.com/?ip.45.5.152.39) | - | - | High
|
|
127 | [45.6.16.68](https://vuldb.com/?ip.45.6.16.68) | - | - | High
|
|
128 | [45.14.226.115](https://vuldb.com/?ip.45.14.226.115) | - | - | High
|
|
129 | [45.36.99.184](https://vuldb.com/?ip.45.36.99.184) | cpe-45-36-99-184.triad.res.rr.com | - | High
|
|
130 | [45.66.11.116](https://vuldb.com/?ip.45.66.11.116) | vm1488716.2ssd.had.wf | - | High
|
|
131 | [45.80.148.30](https://vuldb.com/?ip.45.80.148.30) | - | - | High
|
|
132 | [45.89.127.92](https://vuldb.com/?ip.45.89.127.92) | - | - | High
|
|
133 | [45.115.172.105](https://vuldb.com/?ip.45.115.172.105) | - | - | High
|
|
134 | [45.125.1.34](https://vuldb.com/?ip.45.125.1.34) | 45.125.1.34.static.xtom.hk | - | High
|
|
135 | [45.127.222.8](https://vuldb.com/?ip.45.127.222.8) | - | - | High
|
|
136 | [45.137.151.198](https://vuldb.com/?ip.45.137.151.198) | ourdiaspora.net | - | High
|
|
137 | [45.138.158.32](https://vuldb.com/?ip.45.138.158.32) | - | - | High
|
|
138 | [45.142.213.58](https://vuldb.com/?ip.45.142.213.58) | vm372119.pq.hosting | - | High
|
|
139 | [45.144.113.168](https://vuldb.com/?ip.45.144.113.168) | - | - | High
|
|
140 | [45.148.120.153](https://vuldb.com/?ip.45.148.120.153) | - | - | High
|
|
141 | [45.148.120.195](https://vuldb.com/?ip.45.148.120.195) | pe195.peryon.web.tr | - | High
|
|
142 | [45.155.173.242](https://vuldb.com/?ip.45.155.173.242) | - | - | High
|
|
143 | [45.160.145.11](https://vuldb.com/?ip.45.160.145.11) | - | - | High
|
|
144 | [45.160.145.179](https://vuldb.com/?ip.45.160.145.179) | - | - | High
|
|
145 | [45.160.145.216](https://vuldb.com/?ip.45.160.145.216) | - | - | High
|
|
146 | [45.167.249.126](https://vuldb.com/?ip.45.167.249.126) | - | - | High
|
|
147 | [45.178.142.14](https://vuldb.com/?ip.45.178.142.14) | - | - | High
|
|
148 | [45.201.134.202](https://vuldb.com/?ip.45.201.134.202) | - | - | High
|
|
149 | [45.224.214.34](https://vuldb.com/?ip.45.224.214.34) | clientes-214-34.intercommtech.com.br | - | High
|
|
150 | [45.229.71.211](https://vuldb.com/?ip.45.229.71.211) | static-45-229-71-211.extrememt.com.br | - | High
|
|
151 | [45.234.248.154](https://vuldb.com/?ip.45.234.248.154) | 45.-234.248-154.rev.voanet.br | - | High
|
|
152 | [46.4.167.250](https://vuldb.com/?ip.46.4.167.250) | ip-subnet46-4-167.unassigned.theideahosting.net | - | High
|
|
153 | [46.8.21.10](https://vuldb.com/?ip.46.8.21.10) | 53980.web.hosting-russia.ru | - | High
|
|
154 | [46.8.21.113](https://vuldb.com/?ip.46.8.21.113) | 64403.web.hosting-russia.ru | - | High
|
|
155 | [46.30.41.229](https://vuldb.com/?ip.46.30.41.229) | vm494526.eurodir.ru | - | High
|
|
156 | [46.30.45.208](https://vuldb.com/?ip.46.30.45.208) | vm418209.eurodir.ru | - | High
|
|
157 | [46.99.175.149](https://vuldb.com/?ip.46.99.175.149) | - | - | High
|
|
158 | [46.99.175.217](https://vuldb.com/?ip.46.99.175.217) | - | - | High
|
|
159 | [46.99.188.223](https://vuldb.com/?ip.46.99.188.223) | - | - | High
|
|
160 | [46.209.140.220](https://vuldb.com/?ip.46.209.140.220) | - | - | High
|
|
161 | [46.237.117.193](https://vuldb.com/?ip.46.237.117.193) | - | - | High
|
|
162 | [46.254.128.174](https://vuldb.com/?ip.46.254.128.174) | 46.254.128.174.lanultra.net | - | High
|
|
163 | [49.156.34.134](https://vuldb.com/?ip.49.156.34.134) | - | - | High
|
|
164 | [49.176.188.184](https://vuldb.com/?ip.49.176.188.184) | static-n49-176-188-184.bla2.nsw.optusnet.com.au | - | High
|
|
165 | [50.16.229.140](https://vuldb.com/?ip.50.16.229.140) | ec2-50-16-229-140.compute-1.amazonaws.com | - | Medium
|
|
166 | [50.19.247.198](https://vuldb.com/?ip.50.19.247.198) | ec2-50-19-247-198.compute-1.amazonaws.com | - | Medium
|
|
167 | [51.38.101.194](https://vuldb.com/?ip.51.38.101.194) | - | - | High
|
|
168 | [51.68.247.62](https://vuldb.com/?ip.51.68.247.62) | ip62.ip-51-68-247.eu | - | High
|
|
169 | [51.77.92.215](https://vuldb.com/?ip.51.77.92.215) | - | - | High
|
|
170 | [51.81.112.144](https://vuldb.com/?ip.51.81.112.144) | - | - | High
|
|
171 | [51.81.113.25](https://vuldb.com/?ip.51.81.113.25) | - | - | High
|
|
172 | [51.89.73.159](https://vuldb.com/?ip.51.89.73.159) | theladbible.site | - | High
|
|
173 | [51.89.115.101](https://vuldb.com/?ip.51.89.115.101) | secure-3111.buzztary.com | - | High
|
|
174 | [51.89.115.108](https://vuldb.com/?ip.51.89.115.108) | coms.jt120.com.cn | - | High
|
|
175 | [51.89.115.110](https://vuldb.com/?ip.51.89.115.110) | pocket-usage.nationfox.net | - | High
|
|
176 | [51.89.115.112](https://vuldb.com/?ip.51.89.115.112) | brides-crude.nationfox.net | - | High
|
|
177 | [51.89.115.116](https://vuldb.com/?ip.51.89.115.116) | tombe.nationfox.net | - | High
|
|
178 | [51.89.115.121](https://vuldb.com/?ip.51.89.115.121) | mail1.cmailer.online | - | High
|
|
179 | [51.89.115.124](https://vuldb.com/?ip.51.89.115.124) | mta.ga-emailcamel.com | - | High
|
|
180 | [51.89.177.20](https://vuldb.com/?ip.51.89.177.20) | ip20.ip-51-89-177.eu | - | High
|
|
181 | [51.159.23.217](https://vuldb.com/?ip.51.159.23.217) | jambold.co.uk | - | High
|
|
182 | [51.254.25.115](https://vuldb.com/?ip.51.254.25.115) | ip115.ip-51-254-25.eu | - | High
|
|
183 | [51.254.69.244](https://vuldb.com/?ip.51.254.69.244) | - | - | High
|
|
184 | [51.254.83.17](https://vuldb.com/?ip.51.254.83.17) | ip17.ip-51-254-83.eu | - | High
|
|
185 | [51.254.164.243](https://vuldb.com/?ip.51.254.164.243) | amortizserv.info | - | High
|
|
186 | [51.254.164.244](https://vuldb.com/?ip.51.254.164.244) | y9gs.gaurented.com | - | High
|
|
187 | [51.254.164.245](https://vuldb.com/?ip.51.254.164.245) | ip245.ip-51-254-164.eu | - | High
|
|
188 | [51.254.164.249](https://vuldb.com/?ip.51.254.164.249) | ip249.ip-51-254-164.eu | - | High
|
|
189 | [52.0.197.231](https://vuldb.com/?ip.52.0.197.231) | ec2-52-0-197-231.compute-1.amazonaws.com | - | Medium
|
|
190 | [52.20.78.240](https://vuldb.com/?ip.52.20.78.240) | ec2-52-20-78-240.compute-1.amazonaws.com | - | Medium
|
|
191 | [52.20.197.7](https://vuldb.com/?ip.52.20.197.7) | ec2-52-20-197-7.compute-1.amazonaws.com | - | Medium
|
|
192 | [52.44.169.135](https://vuldb.com/?ip.52.44.169.135) | ec2-52-44-169-135.compute-1.amazonaws.com | - | Medium
|
|
193 | [52.55.255.113](https://vuldb.com/?ip.52.55.255.113) | ec2-52-55-255-113.compute-1.amazonaws.com | - | Medium
|
|
194 | ... | ... | ... | ...
|
|
|
|
There are 773 more IOC items available. Please use our online service to access the data.
|
|
|
|
## TTP - Tactics, Techniques, Procedures
|
|
|
|
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _TrickBot_. This data is unique as it uses our predictive model for actor profiling.
|
|
|
|
ID | Technique | Weakness | Description | Confidence
|
|
-- | --------- | -------- | ----------- | ----------
|
|
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
|
|
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
|
|
3 | T1055 | CWE-74 | Injection | High
|
|
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
|
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
|
6 | ... | ... | ... | ...
|
|
|
|
There are 21 more TTP items available. Please use our online service to access the data.
|
|
|
|
## IOA - Indicator of Attack
|
|
|
|
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by TrickBot. This data is unique as it uses our predictive model for actor profiling.
|
|
|
|
ID | Type | Indicator | Confidence
|
|
-- | ---- | --------- | ----------
|
|
1 | File | `%ProgramData%\GOG.com` | High
|
|
2 | File | `/admin/addemployee.php` | High
|
|
3 | File | `/admin/del.php` | High
|
|
4 | File | `/admin/delete.php` | High
|
|
5 | File | `/admin/delstu.php` | High
|
|
6 | File | `/admin/login.php` | High
|
|
7 | File | `/admin/products/controller.php?action=add` | High
|
|
8 | File | `/advanced-tools/nova/bin/netwatch` | High
|
|
9 | File | `/assets` | Low
|
|
10 | File | `/blog/post/edit` | High
|
|
11 | File | `/categories/view_category.php` | High
|
|
12 | File | `/cgi-bin/ExportSettings.sh` | High
|
|
13 | File | `/cgi-bin/wlogin.cgi` | High
|
|
14 | File | `/classes/Master.php?f=delete_img` | High
|
|
15 | File | `/debug/pprof` | Medium
|
|
16 | File | `/etc/ciel.cfg` | High
|
|
17 | File | `/etc/init0.d/S80telnetd.sh` | High
|
|
18 | File | `/etc/shadow.sample` | High
|
|
19 | File | `/fax/fax_send.php` | High
|
|
20 | File | `/forum/away.php` | High
|
|
21 | File | `/framework/mod/db/DBMapper.xml` | High
|
|
22 | File | `/goform/addRouting` | High
|
|
23 | File | `/goform/Diagnosis` | High
|
|
24 | File | `/goform/doReboot` | High
|
|
25 | File | `/goform/form2userconfig.cgi` | High
|
|
26 | File | `/goform/form2Wan.cgi` | High
|
|
27 | File | `/goform/formWifiBasicSet` | High
|
|
28 | File | `/goform/NTPSyncWithHost` | High
|
|
29 | File | `/goform/SetIpMacBind` | High
|
|
30 | ... | ... | ...
|
|
|
|
There are 257 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
|
|
|
## References
|
|
|
|
The following list contains _external sources_ which discuss the actor and the associated activities:
|
|
|
|
* https://blog.morphisec.com/trickbot-emotet-delivery-through-word-macro
|
|
* https://blog.talosintelligence.com/2018/01/threat-round-up-1229-0105.html
|
|
* https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html
|
|
* https://blog.talosintelligence.com/2019/07/threat-roundup-0628-0705.html
|
|
* https://blog.talosintelligence.com/2019/07/threat-roundup-0719-0726.html
|
|
* https://blog.talosintelligence.com/2019/07/threat-roundup-for-0705-0712.html
|
|
* https://blog.talosintelligence.com/2019/08/threat-roundup-0809-0816.html
|
|
* https://blog.talosintelligence.com/2019/08/threat-roundup-0823-0830.html
|
|
* https://blog.talosintelligence.com/2019/10/threat-roundup-1004-1011.html
|
|
* https://blog.talosintelligence.com/2019/10/threat-roundup-1011-1018.html
|
|
* https://blog.talosintelligence.com/2019/10/threat-roundup-1018-1025.html
|
|
* https://blog.talosintelligence.com/2019/11/threat-roundup-1101-1108.html
|
|
* https://blog.talosintelligence.com/2019/11/threat-roundup-1115-1122.html
|
|
* https://blog.talosintelligence.com/2019/12/threat-roundup-1213-1220.html
|
|
* https://blog.talosintelligence.com/2020/01/threat-roundup-0103-0110.html
|
|
* https://blog.talosintelligence.com/2020/01/threat-roundup-0110-0117.html
|
|
* https://blog.talosintelligence.com/2020/01/threat-roundup-0117-0124.html
|
|
* https://blog.talosintelligence.com/2020/02/threat-roundup-0131-0207.html
|
|
* https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html
|
|
* https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html
|
|
* https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
|
|
* https://blog.talosintelligence.com/2021/03/threat-roundup-0319-0326.html
|
|
* https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html
|
|
* https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
|
|
* https://blog.talosintelligence.com/2021/04/threat-roundup-0416-0423.html
|
|
* https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
|
|
* https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
|
|
* https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
|
|
* https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
|
|
* https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
|
|
* https://blog.talosintelligence.com/2021/11/threat-roundup-1029-1105.html
|
|
* https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
|
|
* https://blog.talosintelligence.com/2022/05/threat-roundup-0513-0520.html
|
|
* https://blog.talosintelligence.com/2022/05/threat-roundup-0520-0527.html
|
|
* https://blog.talosintelligence.com/2022/06/threat-roundup-0617-0624.html
|
|
* https://blog.talosintelligence.com/2022/08/threat-roundup-0805-0812.html
|
|
* https://blogs.blackberry.com/en/2019/09/blackberry-cylance-vs-trickbot-infostealer-malware
|
|
* https://blogs.infoblox.com/cyber-threat-intelligence/ransomware-attacks-target-healthcare-sector/
|
|
* https://community.blueliv.com/#!/s/611a51a282df413eb235470a
|
|
* https://community.blueliv.com/#!/s/60414fc982df413eaf34607d
|
|
* https://feodotracker.abuse.ch/downloads/ipblocklist.csv
|
|
* https://github.com/executemalware/Malware-IOCs/blob/main/2021-08-19%20Trickbot%20IOCs
|
|
* https://github.com/executemalware/Malware-IOCs/blob/main/2021-10-20%20Trickbot%20IOCs
|
|
* https://github.com/executemalware/Malware-IOCs/blob/main/2021-10-21%20Trickbot%20IOCs
|
|
* https://github.com/executemalware/Malware-IOCs/blob/main/2021-11-08%20Trickbot%20IOCs
|
|
* https://github.com/executemalware/Malware-IOCs/blob/main/2021-11-22%20Trickbot%20IOCs
|
|
* https://github.com/executemalware/Malware-IOCs/blob/main/2021-12-09%20Trickbot%20IOCs
|
|
* https://isc.sans.edu/forums/diary/Emotet+epoch+1+infection+with+Trickbot+gtag+mor84/25752/
|
|
* https://isc.sans.edu/forums/diary/Emotet+malspam+is+back/25330/
|
|
* https://isc.sans.edu/forums/diary/German+language+malspam+pushes+yet+another+wave+of+Trickbot/25594/
|
|
* https://isc.sans.edu/forums/diary/Malspam+pushing+Trickbot+banking+Trojan/22720/
|
|
* https://isc.sans.edu/forums/diary/Malspam+pushing+Trickbot+gtag+rob13/27112/
|
|
* https://isc.sans.edu/forums/diary/Malspam+pushing+Trickbot+malware+on+Friday+20180511/23653/
|
|
* https://isc.sans.edu/forums/diary/Malspam+with+passwordprotected+word+docs+still+pushing+IcedID+Bokbot+with+Trickbot/24708/
|
|
* https://isc.sans.edu/forums/diary/One+Emotet+infection+leads+to+three+followup+malware+infections/24140/
|
|
* https://isc.sans.edu/forums/diary/Trickbot+gtag+red5+distributed+as+a+DLL+file/25918/
|
|
* https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/
|
|
* https://securelist.com/trickbot-module-descriptions/104603/
|
|
* https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/
|
|
* https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine/
|
|
* https://thedfirreport.com/2020/04/30/tricky-pyxie/
|
|
* https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
|
|
* https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/
|
|
* https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
|
|
* https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
|
|
|
|
## Literature
|
|
|
|
The following _articles_ explain our unique predictive cyber threat intelligence:
|
|
|
|
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
|
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
|
|
|
## License
|
|
|
|
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|