cyber_threat_intelligence/actors/TrickBot/README.md
2022-05-24 10:19:11 +02:00

TrickBot - Cyber Threat Intelligence

These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as TrickBot. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.trickbot

Campaigns

The following campaigns are known and can be associated with TrickBot:

  • AnchorMail

Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with TrickBot:

There are 5 more country items available. Please use our online service to access the data.

IOC - Indicator of Compromise

These indicators of compromise (IOC) are network resources (IP addresses and, where resolvable, hostnames) observed in research and attack activity attributed to TrickBot. A number of entries resolve into shared cloud or CDN address space (for example compute-1.amazonaws.com, bc.googleusercontent.com or deploy.static.akamaitechnologies.com); such addresses are reassigned between tenants over time, so corroborate a hit with the hostname, port and observation window before acting on the IP alone.

| ID | IP address | Hostname | Campaign | Confidence |
|---:|---|---|---|---|
| 1 | 3.224.145.145 | ec2-3-224-145-145.compute-1.amazonaws.com | - | Medium |
| 2 | 5.1.81.68 | mx4.tarifvergleichbhv.net | - | High |
| 3 | 5.2.70.145 | merlinsbeard.co.uk | - | High |
| 4 | 5.2.72.84 | cipixia.com | - | High |
| 5 | 5.2.75.93 | - | - | High |
| 6 | 5.2.75.167 | coms.a9v34.com.cn | - | High |
| 7 | 5.2.76.122 | mx3.ximple.eu | - | High |
| 8 | 5.34.177.50 | unallocated.layer6.net | - | High |
| 9 | 5.34.178.126 | yhlas111410.pserver.ru | - | High |
| 10 | 5.39.47.22 | mail.dmgs.site | - | High |
| 11 | 5.53.124.49 | dgbtechnologies.com | - | High |
| 12 | 5.59.205.32 | dhcp-32-205-59-5.metro86.ru | - | High |
| 13 | 5.133.179.108 | 5-133-179-108.freeucouponsnow.ru | - | High |
| 14 | 5.149.253.99 | - | - | High |
| 15 | 5.182.210.30 | realestatepromotion.ru | - | High |
| 16 | 5.182.210.109 | - | - | High |
| 17 | 5.182.210.132 | - | - | High |
| 18 | 5.182.210.178 | mail.rainingdreams.to | - | High |
| 19 | 5.182.210.226 | - | - | High |
| 20 | 5.182.210.230 | - | - | High |
| 21 | 5.182.210.246 | - | - | High |
| 22 | 5.182.210.254 | n01-nlam.kdktech.com | - | High |
| 23 | 5.182.211.44 | - | - | High |
| 24 | 5.196.247.14 | ip14.ip-5-196-247.eu | - | High |
| 25 | 5.230.22.40 | - | - | High |
| 26 | 5.255.96.217 | vps11.host1.be | - | High |
| 27 | 5.255.96.218 | - | - | High |
| 28 | 14.241.244.60 | - | - | High |
| 29 | 18.213.79.189 | ec2-18-213-79-189.compute-1.amazonaws.com | - | Medium |
| 30 | 18.233.90.151 | ec2-18-233-90-151.compute-1.amazonaws.com | - | Medium |
| 31 | 23.3.13.88 | a23-3-13-88.deploy.static.akamaitechnologies.com | - | High |
| 32 | 23.3.13.154 | a23-3-13-154.deploy.static.akamaitechnologies.com | - | High |
| 33 | 23.3.125.111 | a23-3-125-111.deploy.static.akamaitechnologies.com | - | High |
| 34 | 23.20.220.174 | ec2-23-20-220-174.compute-1.amazonaws.com | - | Medium |
| 35 | 23.21.27.29 | ec2-23-21-27-29.compute-1.amazonaws.com | - | Medium |
| 36 | 23.21.48.44 | ec2-23-21-48-44.compute-1.amazonaws.com | - | Medium |
| 37 | 23.21.121.219 | ec2-23-21-121-219.compute-1.amazonaws.com | - | Medium |
| 38 | 23.21.252.4 | ec2-23-21-252-4.compute-1.amazonaws.com | - | Medium |
| 39 | 23.23.83.153 | ec2-23-23-83-153.compute-1.amazonaws.com | - | Medium |
| 40 | 23.23.243.154 | ec2-23-23-243-154.compute-1.amazonaws.com | - | Medium |
| 41 | 23.62.6.161 | a23-62-6-161.deploy.static.akamaitechnologies.com | - | High |
| 42 | 23.62.6.170 | a23-62-6-170.deploy.static.akamaitechnologies.com | - | High |
| 43 | 23.94.233.210 | 23-94-233-210-host.colocrossing.com | - | High |
| 44 | 23.95.231.187 | 23-95-231-187-host.colocrossing.com | - | High |
| 45 | 23.96.30.229 | - | - | High |
| 46 | 23.160.192.125 | unknown.ip-xfer.net | - | High |
| 47 | 23.160.193.106 | unknown.ip-xfer.net | - | High |
| 48 | 23.202.231.166 | a23-202-231-166.deploy.static.akamaitechnologies.com | - | High |
| 49 | 23.217.138.107 | a23-217-138-107.deploy.static.akamaitechnologies.com | - | High |
| 50 | 24.162.214.166 | cpe-24-162-214-166.elp.res.rr.com | - | High |
| 51 | 27.72.107.215 | dynamic-adsl.viettel.vn | - | High |
| 52 | 27.147.173.227 | 173.227.cetus.link3.net | - | High |
| 53 | 31.131.26.122 | - | - | High |
| 54 | 31.134.60.181 | 31-134-60-181.telico.pl | - | High |
| 55 | 31.134.124.90 | - | - | High |
| 56 | 31.172.177.90 | poczta.mp-lift.pl | - | High |
| 57 | 31.184.253.6 | - | - | High |
| 58 | 31.184.253.37 | models9.vixgrafica.de | - | High |
| 59 | 31.202.132.22 | - | - | High |
| 60 | 31.211.85.110 | - | - | High |
| 61 | 31.214.138.207 | f0a4213918138.rev.snt.net.pl | - | High |
| 62 | 34.117.59.81 | 81.59.117.34.bc.googleusercontent.com | - | Medium |
| 63 | 34.192.250.175 | ec2-34-192-250-175.compute-1.amazonaws.com | - | Medium |
| 64 | 34.196.181.158 | ec2-34-196-181-158.compute-1.amazonaws.com | - | Medium |
| 65 | 34.198.132.204 | ec2-34-198-132-204.compute-1.amazonaws.com | - | Medium |
| 66 | 34.233.102.38 | ec2-34-233-102-38.compute-1.amazonaws.com | - | Medium |
| 67 | 36.37.176.6 | - | - | High |
| 68 | 36.66.115.180 | - | - | High |
| 69 | 36.89.85.103 | - | - | High |
| 70 | 36.89.191.119 | - | - | High |
| 71 | 36.89.193.181 | - | - | High |
| 72 | 36.89.193.235 | - | - | High |
| 73 | 36.89.228.201 | - | - | High |
| 74 | 36.91.45.10 | - | - | High |
| 75 | 36.91.88.164 | - | - | High |
| 76 | 36.91.117.231 | - | - | High |
| 77 | 36.91.186.235 | - | - | High |
| 78 | 36.94.27.124 | - | - | High |
| 79 | 36.94.33.102 | - | - | High |
| 80 | 36.94.100.202 | - | - | High |
| 81 | 36.95.23.89 | - | - | High |
| 82 | 36.95.27.243 | - | - | High |
| 83 | 37.44.212.179 | - | - | High |
| 84 | 37.44.212.216 | - | - | High |
| 85 | 37.59.183.142 | - | - | High |
| 86 | 37.228.70.134 | - | - | High |
| 87 | 37.228.117.146 | metobor.ru | - | High |
| 88 | 37.228.117.250 | janome.ru | - | High |
| 89 | 37.230.112.146 | audiotop.ru | - | High |
| 90 | 37.230.114.93 | admin1.fvds.ru | - | High |
| 91 | 37.230.114.248 | kosmolot.com | - | High |
| 92 | 37.230.115.129 | dvcarry.fvds.ru | - | High |
| 93 | 37.230.115.133 | wdai.io | - | High |
| 94 | 37.230.115.138 | i2.com | - | High |
| 95 | 37.230.115.171 | geobrox.com | - | High |
| 96 | 37.230.115.184 | 21922vdscom.com | - | High |
| 97 | 38.132.99.174 | - | - | High |
| 98 | 41.77.134.250 | cliente6386477933.clubnet.mz | - | High |
| 99 | 41.243.29.182 | 182-29-243-41.r.airtel.cd | - | High |
| 100 | 43.245.216.116 | - | - | High |
| 101 | 45.5.152.39 | - | - | High |
| 102 | 45.6.16.68 | - | - | High |
| 103 | 45.14.226.115 | - | - | High |
| 104 | 45.36.99.184 | cpe-45-36-99-184.triad.res.rr.com | - | High |
| 105 | 45.66.11.116 | vm1488716.2ssd.had.wf | - | High |
| 106 | 45.80.148.30 | - | - | High |
| 107 | 45.115.172.105 | - | - | High |
| 108 | 45.125.1.34 | 45.125.1.34.static.xtom.hk | - | High |
| 109 | 45.127.222.8 | - | - | High |
| 110 | 45.137.151.198 | ourdiaspora.net | - | High |
| 111 | 45.138.158.32 | - | - | High |
| 112 | 45.142.213.58 | vm372119.pq.hosting | - | High |
| 113 | 45.148.120.153 | - | - | High |
| 114 | 45.148.120.195 | pe195.peryon.web.tr | - | High |
| 115 | 45.155.173.242 | - | - | High |
| 116 | 45.160.145.11 | - | - | High |
| 117 | 45.160.145.179 | - | - | High |
| 118 | 45.160.145.216 | - | - | High |
| 119 | 45.167.249.126 | - | - | High |
| 120 | 45.178.142.14 | - | - | High |
| 121 | 45.201.134.202 | - | - | High |
| 122 | 45.224.214.34 | clientes-214-34.intercommtech.com.br | - | High |
| 123 | 45.229.71.211 | static-45-229-71-211.extrememt.com.br | - | High |
| 124 | 45.234.248.154 | 45.-234.248-154.rev.voanet.br | - | High |
| 125 | 46.4.167.250 | ip-subnet46-4-167.unassigned.theideahosting.net | - | High |
| 126 | 46.8.21.10 | 53980.web.hosting-russia.ru | - | High |
| 127 | 46.8.21.113 | 64403.web.hosting-russia.ru | - | High |
| 128 | 46.30.41.229 | vm494526.eurodir.ru | - | High |
| 129 | 46.30.45.208 | vm418209.eurodir.ru | - | High |
| 130 | 46.99.175.217 | - | - | High |
| 131 | 46.209.140.220 | - | - | High |
| 132 | 46.254.128.174 | 46.254.128.174.lanultra.net | - | High |
| 133 | 49.156.34.134 | - | - | High |
| 134 | 50.16.229.140 | ec2-50-16-229-140.compute-1.amazonaws.com | - | Medium |
| 135 | 50.19.247.198 | ec2-50-19-247-198.compute-1.amazonaws.com | - | Medium |
| 136 | 51.38.101.194 | - | - | High |
| 137 | 51.68.247.62 | ip62.ip-51-68-247.eu | - | High |
| 138 | 51.77.92.215 | - | - | High |
| 139 | 51.81.112.144 | - | - | High |
| 140 | 51.89.73.159 | theladbible.site | - | High |
| 141 | 51.89.115.101 | secure-3111.buzztary.com | - | High |
| 142 | 51.89.115.108 | coms.jt120.com.cn | - | High |
| 143 | 51.89.115.110 | pocket-usage.nationfox.net | - | High |
| 144 | 51.89.115.112 | brides-crude.nationfox.net | - | High |
| 145 | 51.89.115.116 | tombe.nationfox.net | - | High |
| 146 | 51.89.115.121 | mail1.cmailer.online | - | High |
| 147 | 51.89.115.124 | mta.ga-emailcamel.com | - | High |
| 148 | 51.89.177.20 | ip20.ip-51-89-177.eu | - | High |
| 149 | 51.159.23.217 | jambold.co.uk | - | High |
| 150 | 51.254.69.244 | - | - | High |
| 151 | 51.254.83.17 | ip17.ip-51-254-83.eu | - | High |
| 152 | 51.254.164.243 | amortizserv.info | - | High |
| 153 | 51.254.164.244 | y9gs.gaurented.com | - | High |
| 154 | 51.254.164.245 | ip245.ip-51-254-164.eu | - | High |
| 155 | 51.254.164.249 | ip249.ip-51-254-164.eu | - | High |
| 156 | 52.0.197.231 | ec2-52-0-197-231.compute-1.amazonaws.com | - | Medium |
| 157 | 52.20.197.7 | ec2-52-20-197-7.compute-1.amazonaws.com | - | Medium |
| 158 | 52.44.169.135 | ec2-52-44-169-135.compute-1.amazonaws.com | - | Medium |
| 159 | 52.55.255.113 | ec2-52-55-255-113.compute-1.amazonaws.com | - | Medium |
| 160 | 52.202.139.131 | ec2-52-202-139-131.compute-1.amazonaws.com | - | Medium |
| 161 | 52.204.109.97 | ec2-52-204-109-97.compute-1.amazonaws.com | - | Medium |
| 162 | 52.206.161.133 | ec2-52-206-161-133.compute-1.amazonaws.com | - | Medium |
| 163 | 52.206.178.1 | ec2-52-206-178-1.compute-1.amazonaws.com | - | Medium |
| 164 | 54.39.106.25 | ns560342.ip-54-39-106.net | - | High |
| 165 | 54.204.36.156 | ec2-54-204-36-156.compute-1.amazonaws.com | - | Medium |
| 166 | 54.221.253.252 | ec2-54-221-253-252.compute-1.amazonaws.com | - | Medium |
| 167 | ... | ... | ... | ... |

There are 664 more IOC items available. Please use our online service to access the data.
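A way to operationalise the IOC table in detection, as an added example that is not part of the VulDB page or its tooling: index a subset of the rows above by IP with a confidence floor, sweep constructed firewall-style log lines for matches, and flag hits that sit in shared cloud or CDN address space (identified here by hostname suffixes chosen from the table, which is an assumption of this example) for analyst review rather than automatic blocking. The IOC rows are copied from the table above; the log lines and internal 10.0.0.0/8 sources are constructed.

```python
"""Sweep firewall/proxy logs for TrickBot IOC IPs (added example, not VulDB code)."""
import re

# Subset of the IOC table above: (IP address, hostname, confidence).
# Hostname is "" where the table shows "-". Not the full feed.
IOC_ROWS = [
    ("3.224.145.145", "ec2-3-224-145-145.compute-1.amazonaws.com", "Medium"),
    ("5.2.72.84", "cipixia.com", "High"),
    ("5.2.75.93", "", "High"),
    ("23.3.13.88", "a23-3-13-88.deploy.static.akamaitechnologies.com", "High"),
    ("34.117.59.81", "81.59.117.34.bc.googleusercontent.com", "Medium"),
    ("51.89.115.101", "secure-3111.buzztary.com", "High"),
]

# Assumption of this example: hostnames with these suffixes live in shared
# cloud/CDN address space whose IPs are reassigned between tenants, so a hit
# should be corroborated rather than blocked outright.
SHARED_INFRA_SUFFIXES = (
    ".compute-1.amazonaws.com",
    ".deploy.static.akamaitechnologies.com",
    ".bc.googleusercontent.com",
)

CONFIDENCE_RANK = {"Low": 0, "Medium": 1, "High": 2}

# Constructed key=value log lines; 93.184.216.34 is a control that is not an IOC.
SAMPLE_LOG = """\
2022-05-24T10:19:11Z src=10.0.0.5 dst=5.2.72.84 dport=443 action=allow
2022-05-24T10:19:12Z src=10.0.0.5 dst=93.184.216.34 dport=443 action=allow
2022-05-24T10:19:13Z src=10.0.0.9 dst=3.224.145.145 dport=443 action=allow
2022-05-24T10:19:14Z src=10.0.0.9 dst=23.3.13.88 dport=80 action=allow
2022-05-24T10:19:15Z src=10.0.0.11 dst=5.2.75.93 dport=447 action=deny
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def build_index(rows, min_confidence="Medium"):
    """Map IP -> (hostname, confidence, shared_infra) for rows at or above min_confidence."""
    floor = CONFIDENCE_RANK[min_confidence]
    index = {}
    for ip, host, conf in rows:
        if CONFIDENCE_RANK[conf] < floor:
            continue
        index[ip] = (host, conf, host.endswith(SHARED_INFRA_SUFFIXES))
    return index


def scan_log(text, index):
    """Return one hit dict per (line, IOC IP) pair found anywhere in the line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for ip in IPV4_RE.findall(line):
            if ip in seen or ip not in index:
                continue
            seen.add(ip)
            host, conf, shared = index[ip]
            hits.append({
                "line": lineno,
                "ip": ip,
                "hostname": host,
                "confidence": conf,
                # Shared infrastructure or sub-High confidence: analyst review first.
                "needs_review": shared or conf != "High",
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, build_index(IOC_ROWS)):
        print(hit)
```

Raising the floor to `build_index(IOC_ROWS, "High")` drops the EC2 and Google Cloud rows, but the Akamai rows stay because the table rates them High; the `needs_review` flag is what separates a CDN edge address from a dedicated host such as cipixia.com, and in practice the review would also check the destination port and the observation date against the feed's own timeframe.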

TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used by TrickBot. This data is unique as it uses our predictive model for actor profiling.

| ID | Technique | Weakness | Description | Confidence |
|---:|---|---|---|---|
| 1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High |
| 2 | T1068 | CWE-250, CWE-264, CWE-284 | Execution with Unnecessary Privileges | High |
| 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High |
| 4 | ... | ... | ... | ... |

There are 6 more TTP items available. Please use our online service to access the data.

IOA - Indicator of Attack

These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by TrickBot. This data is unique as it uses our predictive model for actor profiling.

| ID | Type | Indicator | Confidence |
|---:|---|---|---|
| 1 | File | /acms/admin/?page=transactions/manage_transaction | High |
| 2 | File | /acms/admin/cargo_types/manage_cargo_type.php | High |
| 3 | File | /acms/admin/cargo_types/view_cargo_type.php | High |
| 4 | File | /acms/classes/Master.php?f=delete_cargo | High |
| 5 | File | /acms/classes/Master.php?f=delete_cargo_type | High |
| 6 | File | /acms/classes/Master.php?f=delete_img | High |
| 7 | File | /admin.php?id=siteoptions&social=display&value=0&sid=2 | High |
| 8 | File | /admin.php?id=siteoptions&social=edit&sid=2 | High |
| 9 | File | /admin/inbox.php&action=delete | High |
| 10 | File | /admin/inbox.php&action=read | High |
| 11 | File | /admin/new-content | High |
| 12 | File | /admin/pagerole.php&action=display&value=1 | High |
| 13 | File | /admin/pagerole.php&action=edit | High |
| 14 | File | /admin/posts.php | High |
| 15 | File | /admin/posts.php&action=delete | High |
| 16 | File | /admin/siteoptions.php&action=displaygoal&value=1&roleid=1 | High |
| 17 | File | /admin/siteoptions.php&social=remove&sid=2 | High |
| 18 | File | /admin/uesrs.php&&action=delete&userid=4 | High |
| 19 | File | /admin/uesrs.php&action=display&value=Hide | High |
| 20 | File | /admin/uesrs.php&action=display&value=Show | High |
| 21 | File | /admin/uesrs.php&action=type&userrole=Admin&userid=3 | High |
| 22 | File | /admin/uesrs.php&action=type&userrole=User | High |
| 23 | File | /api/students/me/messages/ | High |
| 24 | File | /cgi-bin/login.cgi | High |
| 25 | File | /cgi-bin/luci/api/auth | High |
| 26 | File | /cgi-bin/luci/api/diagnose | High |
| 27 | File | /cgi-bin/luci/api/switch | High |
| 28 | ... | ... | ... |

There are 236 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
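The File-type IOAs above are URL paths, some with a query string attached, and the table writes the query separator inconsistently: `?` in rows 1 and 4 to 8, a bare `&` in rows 9 to 22 (with `&&` in row 18). A matcher that compares the raw string against access logs would therefore miss most of them. The following is an added example, not VulDB's code or a tool the page describes: it splits each fragment at the first `?` or `&` into a path and a parameter set, parses each request line from a constructed Apache-style access log, and reports a hit when the path is identical and every IOA parameter is present with the same value (extra request parameters are allowed). The log lines use RFC 5737 documentation addresses and are constructed for this example.

```python
"""Match access-log requests against TrickBot IOA URL fragments (added example, not VulDB code)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Subset of the File-type IOA rows in the table above, copied verbatim.
IOA_ROWS = [
    "/acms/classes/Master.php?f=delete_cargo",
    "/admin.php?id=siteoptions&social=edit&sid=2",
    "/admin/inbox.php&action=delete",
    "/admin/posts.php",
    "/admin/uesrs.php&&action=delete&userid=4",
    "/cgi-bin/luci/api/auth",
]

# Constructed Apache combined-style log lines; not real traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [24/May/2022:10:19:11 +0200] "GET /acms/classes/Master.php?f=delete_cargo&id=2 HTTP/1.1" 200 512
203.0.113.7 - - [24/May/2022:10:19:12 +0200] "GET /admin/inbox.php?action=read&id=9 HTTP/1.1" 200 2048
198.51.100.9 - - [24/May/2022:10:19:13 +0200] "POST /admin/uesrs.php?action=delete&userid=4 HTTP/1.1" 302 0
198.51.100.9 - - [24/May/2022:10:19:14 +0200] "GET /admin/posts.php HTTP/1.1" 200 1024
198.51.100.9 - - [24/May/2022:10:19:15 +0200] "GET /cgi-bin/luci/api/auth HTTP/1.1" 401 0
198.51.100.9 - - [24/May/2022:10:19:16 +0200] "GET /index.php HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def parse_ioa(fragment):
    """Split an IOA fragment into (path, {param: value}).

    The first '?' or '&' starts the query string, which absorbs the table's
    inconsistent separators; parse_qsl skips the empty pair produced by '&&'.
    """
    m = re.search(r"[?&]", fragment)
    if not m:
        return fragment, {}
    path, query = fragment[: m.start()], fragment[m.end():]
    return path, dict(parse_qsl(query.strip("&"), keep_blank_values=True))


def parse_request(line):
    """Extract (method, path, {param: value}) from an access-log line, or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return m.group("method"), parts.path, dict(parse_qsl(parts.query, keep_blank_values=True))


def match_ioa(text, fragments):
    """Return [(lineno, fragment)] for every request matching an IOA.

    A request matches when its path equals the IOA path and each IOA parameter
    appears in the request with the same value; extra request parameters are fine.
    """
    parsed = [(f, *parse_ioa(f)) for f in fragments]
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        req = parse_request(line)
        if req is None:
            continue
        _method, path, params = req
        for fragment, ioa_path, ioa_params in parsed:
            if path == ioa_path and all(params.get(k) == v for k, v in ioa_params.items()):
                hits.append((lineno, fragment))
    return hits


if __name__ == "__main__":
    for lineno, fragment in match_ioa(SAMPLE_ACCESS_LOG, IOA_ROWS):
        print(f"line {lineno}: {fragment}")
```

Line 2 is the instructive miss: `/admin/inbox.php?action=read` shares the path with row 9 but not its `action=delete` parameter, so it does not fire. Conversely, a bare-path IOA such as `/admin/posts.php` fires on any request to that path, including routine administration, so a hit on such rows is a trigger for review against the source address, user agent and session rather than a verdict on its own.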

References

The following list contains external sources which discuss the actor and the associated activities:

Literature

The following articles explain our unique predictive cyber threat intelligence:

License

(c) 1997-2022 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!