{
	"id": "988ed226-8a3e-4f13-b47a-bda9389549b6",
	"created_at": "2026-04-06T00:18:36.532402Z",
	"updated_at": "2026-04-10T03:21:55.150594Z",
	"deleted_at": null,
	"sha1_hash": "fe38ef4cf65e6c05aea77f4533efdbff0e735aff",
	"title": "Weekly TrickBot Analysis - End of w/c 22-Jan-2018 to 1000119",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 312028,
	"plain_text": "Weekly TrickBot Analysis - End of w/c 22-Jan-2018 to 1000119\r\nPublished: 2018-01-29 · Archived: 2026-04-05 23:18:05 UTC\r\nHere are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 22nd January 2018. This analysis covers 1,302 unique C2 IP addresses used in 255 mcconfs across 118 versions, with a highest version of 1000119.\r\nThe following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)\r\nSeven versions were discovered in the week commencing 22nd January 2018 (A-1000116, A-1000117, A-1000118, A-1000119, B-1000027, B-1000028, and B-1000029), two the week before, and four the week before that. Four of the discovered versions extend the original iteration of version numbers (which I refer to as iteration A), taking this to 1000119. Three shared versions extend the six repeats from the last two months, where low (1000021 to 1000026) version numbers are reused. (I track these as part of a new, distinct iteration, iteration B, of the version numbers.)\r\nThe following graph shows the number of server entries using ports:\r\n443 (HTTPS);\r\n445 (IBM AS Server Mapper) -- INACTIVE;\r\n449 (Cray Network Semaphore Server); and\r\n451 (SMB) -- INACTIVE.\r\nThis week's iteration A configs increased the count of C2 server entries back to a level last seen at the start of January. The iteration B configs seen continue the low C2 server count which has typified iteration B.\r\nThe following table shows the top 25 servers (of 1,302 unique) used within the 118 versions. This table changes for the first time in five weeks with the introduction of 94[.]127[.]111[.]14[:]449 into the top 25 due to its use between versions 1000109 and 1000116.\r\nhttps://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html\r\nPage 1 of 3\r\nThe following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 255 mcconfs analysed.\r\n97 C2 servers were used in the mcconfs from this week, of which 84 (87%) were new. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to ASNs routed through RU (and so the graph below's Y-axis is cut short to allow clearer viewing of other country counts). The new servers' IP addresses are associated with ASNs routed to: 64xRU, 10xNL, 3xIN, 3xLU, 2xPL, 1xCH, and 1xUS.\r\nThe following map shows the geographical location of 85 (scanned by Shodan) of the 97 IP addresses used in the analysed configs.\r\nFive of these servers are MikroTik devices (historically a favourite of TrickBot), one is an ER-X and one is a NanoStation Loco M5.\r\n49 are running OpenSSH, 25 are running nginx, 16 are running Apache, eight are running Exim, eight are running Postfix, four are running MySQL, four are running ProFTPD, one is running ARK, one is running Dropbear SSH, one is running IIS, one is running Squid Proxy -- with some servers running as many as four of these products.\r\nThe following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.\r\nFinally, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers.\r\nThanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudD and @MalwareSecrets for sharing the mcconfs.\r\nSource: https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html"
	],
	"report_names": [
		"weekly-trickbot-analysis-end-of-wc-22.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434716,
	"ts_updated_at": 1775791315,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fe38ef4cf65e6c05aea77f4533efdbff0e735aff.pdf",
		"text": "https://archive.orkl.eu/fe38ef4cf65e6c05aea77f4533efdbff0e735aff.txt",
		"img": "https://archive.orkl.eu/fe38ef4cf65e6c05aea77f4533efdbff0e735aff.jpg"
	}
}