IcedID - Cyber Threat Intelligence
These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as IcedID. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.icedid
Campaigns
The following campaigns are known and can be associated with IcedID:
- Cobalt Strike
- Nokoyawa
Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with IcedID:
There are 16 more country items available. Please use our online service to access the data.
IOC - Indicator of Compromise
These indicators of compromise (IOC) indicate associated network resources which are known to be part of research and attack activities of IcedID.
There are 1390 more IOC items available. Please use our online service to access the data.
TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used by IcedID. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence |
---|---|---|---|---|
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High |
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High |
3 | T1055 | CWE-74 | Injection | High |
4 | T1059 | CWE-88, CWE-94, CWE-1321 | Cross Site Scripting | High |
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High |
6 | T1068 | CWE-264, CWE-266, CWE-269, CWE-284 | J2EE Misconfiguration: Weak Access Permissions for EJB Methods | High |
7 | ... | ... | ... | ... |
There are 22 more TTP items available. Please use our online service to access the data.
IOA - Indicator of Attack
These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by IcedID. This data is unique as it uses our predictive model for actor profiling.
There are 379 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
References
The following list contains external sources which discuss the actor and the associated activities:
- https://bazaar.abuse.ch/sample/38b742be48b426b5c89408092fb6ebdd93eefcb584b131abd9c7e3561641c3f1/
- https://blog.malwarebytes.com/threat-analysis/2019/12/new-version-of-icedid-trojan-uses-steganographic-payloads/
- https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html
- https://cert.gov.ua/article/39609
dc6b5bafaa/IcedID_07_20_2021.txt
e6d13ab2a0/IcedID_07_02_2021.txt
b6d8ebfced/IcedID_07_28_2021.txt
4550a14e8f/IcedID_06_07_2021.txt
- https://github.com/A-dd-Y/secops/blob/main/MalwareIOC/mwdb-icedid-c2.txt
- https://isc.sans.edu/diary/28974
- https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344
- https://isc.sans.edu/forums/diary/Analysis+from+March+2021+Traffic+Analysis+Quiz/27232/
- https://isc.sans.edu/forums/diary/Emotet+infection+with+IcedID+banking+Trojan/24312/
- https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/
- https://isc.sans.edu/forums/diary/Malspam+links+to+passwordprotected+Word+docs+that+push+IcedID+Bokbot/24428/
- https://isc.sans.edu/forums/diary/Malspam+with+links+to+Word+docs+pushes+IcedID+Bokbot/25640/
- https://isc.sans.edu/forums/diary/Malspam+with+passwordprotected+word+docs+still+pushing+IcedID+Bokbot+with+Trickbot/24708/
- https://isc.sans.edu/forums/diary/Microsoft+Word+document+with+malicious+macro+pushes+IcedID+Bokbot/26146/
- https://isc.sans.edu/forums/diary/One+Emotet+infection+leads+to+three+followup+malware+infections/24140/
- https://raw.githubusercontent.com/pan-unit42/tweets/master/2021-03-24-IOCs-for-IcedID-infection-with-Cobalt-Strike.txt
- https://raw.githubusercontent.com/pan-unit42/tweets/master/2022-08-29-IOCs-for-Monster-Libra-TA551-IcedID-with-Cobalt-Stike.txt
- https://research.checkpoint.com/2021/melting-ice-tracking-icedid-servers-with-a-few-simple-steps/
- https://sandnet.abuse.ch/report/5d9c2b17f30765462ff5e3eaa0931885/
- https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
- https://threatfox.abuse.ch
- https://tria.ge/220106-tlm53abdc7
- https://tria.ge/220112-fqpb2abca2
- https://tria.ge/220222-31shrsfdg2
- https://tria.ge/220224-svsw8seebr
- https://twitter.com/1ZRR4H/status/1441951333347729409
- https://twitter.com/Kostastsale/status/1615733462388047872
- https://twitter.com/malware_traffic/status/1577779933895659520
- https://twitter.com/teamcymru_S2/status/1576997553169522689
- https://twitter.com/TheDFIRReport/status/1376496307888611333
- https://www.cyber45.com
- https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware
- https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-two.html
- https://www.malware-traffic-analysis.net/2019/05/01/index.html
- https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol-part-2
Literature
The following articles explain our unique predictive cyber threat intelligence:
- VulDB Cyber Threat Intelligence Documentation
- Cyber Threat Intelligence - Early Anticipation of Attacks
License
(c) 1997-2023 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!