Trickbot IOC Feed

Trickbot is a banking trojan targeting users in the USA and Europe. It was designed for the primary purpose of perpetrating fraud, and is known to be spammed out from the Necurs botnet using techniques similar to those used for Dridex and Locky.

Recent Trickbot distribution campaigns have focused on two major tactics. The first is the use of macro-enabled documents that spawn PowerShell commands to download the final payload. These documents are distributed as attachments to spam emails. In the second, the Necurs botnet sends out loader malware that distributes either Locky or Trickbot based on the geo-location of the victim. Precisionsec experts examined one of the more recent loaders, known as QTLoader, on our blog.

In addition to the data below, our private Trickbot IOC feed contains additional data including C&C, proxy, gtag and configuration information.

Latest Trickbot IOCs
