cyber_threat_intelligence/actors/IcedID (README.md, "Update October 2023", 2023-10-27 13:52:44 +02:00)

IcedID - Cyber Threat Intelligence

These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as IcedID. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.icedid

Campaigns

The following campaigns are known and can be associated with IcedID:

  • Cobalt Strike
  • Nokoyawa

Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with IcedID:

There are 16 more country items available. Please use our online service to access the data.

IOC - Indicator of Compromise

These indicators of compromise (IOC) list network resources known to be part of IcedID research and attack activity. The IP address is the indicator; the Hostname column is the reverse-DNS (PTR) name recorded for it, which is set by whoever controls the address block and must not be taken as evidence of ownership on its own (values such as 0.0.0.0, google.com, in-addr.arpa placeholders and provider templates like no-rdns.mivocloud.com all appear below). A dash means no value was recorded. Campaign links a row to one of the campaigns listed above. Confidence is VulDB's rating; note that shared cloud ranges (the Amazon EC2 addresses below) are rated Medium, since the host behind such an address changes over time, so check the current owner and the activity window before blocking.

ID IP address Hostname Campaign Confidence
1 2.56.177.14 2-56-177-14.serversfinder.com - High
2 2.56.177.122 2-56-177-122.serversfinder.com - High
3 2.56.177.183 2-56-177-183.serversfinder.com - High
4 3.82.225.224 ec2-3-82-225-224.compute-1.amazonaws.com - Medium
5 3.95.241.204 ec2-3-95-241-204.compute-1.amazonaws.com - Medium
6 3.104.41.163 ec2-3-104-41-163.ap-southeast-2.compute.amazonaws.com - Medium
7 3.105.92.116 ec2-3-105-92-116.ap-southeast-2.compute.amazonaws.com - Medium
8 5.2.65.217 - - High
9 5.2.67.119 - - High
10 5.2.70.56 - - High
11 5.2.70.89 - - High
12 5.2.74.83 - - High
13 5.2.75.126 - - High
14 5.2.75.189 - - High
15 5.2.76.156 - - High
16 5.2.77.232 - - High
17 5.2.78.150 - - High
18 5.2.79.7 - - High
19 5.2.79.218 - - High
20 5.34.180.162 - - High
21 5.34.181.34 vds-842965.hosted-by-itldc.com - High
22 5.34.181.44 vds-950771.hosted-by-itldc.com - High
23 5.39.63.101 - - High
24 5.39.63.102 - - High
25 5.39.222.193 - - High
26 5.39.223.131 - - High
27 5.39.223.134 - - High
28 5.61.32.172 - - High
29 5.61.34.133 mta3.mailup.ru - High
30 5.61.34.153 - - High
31 5.61.36.120 - - High
32 5.61.36.180 - - High
33 5.61.37.89 mailer.ampm.casino - High
34 5.61.37.224 - - High
35 5.61.40.78 - - High
36 5.61.42.115 0.0.0.0 - High
37 5.61.42.123 stirok.ru - High
38 5.61.42.128 - - High
39 5.61.43.172 - - High
40 5.61.43.191 b3.bareandblushy.com - High
41 5.61.44.146 - - High
42 5.61.44.218 - - High
43 5.61.44.234 - - High
44 5.61.45.179 - - High
45 5.61.46.161 - - High
46 5.61.46.164 - - High
47 5.61.61.35 - - High
48 5.135.255.246 - - High
49 5.144.132.47 47-132-144-5.static.hostiran.name - High
50 5.149.252.179 hnh7.arenal.xyz - High
51 5.181.27.192 gcl-lon.com - High
52 5.181.80.213 ip-80-213-bullethost.net - High
53 5.181.80.215 anelpones.xyz - High
54 5.181.80.218 ip-80-218-bullethost.net - High
55 5.181.159.39 5-181-159-39.mivocloud.com - High
56 5.181.159.41 no-rdns.mivocloud.com - High
57 5.181.159.51 no-rdns.mivocloud.com - High
58 5.181.159.54 no-rdns.mivocloud.com - High
59 5.181.159.55 no-rdns.mivocloud.com - High
60 5.188.0.52 saycain.example.com - High
61 5.188.93.137 free.ds - High
62 5.196.103.145 - - High
63 5.196.196.251 - - High
64 5.196.196.252 - - High
65 5.199.162.56 - - High
66 5.199.162.81 - - High
67 5.199.162.123 - - High
68 5.199.162.162 - - High
69 5.199.162.166 - - High
70 5.199.162.174 - - High
71 5.199.162.235 - - High
72 5.199.168.14 - - High
73 5.199.168.24 - - High
74 5.199.168.34 - - High
75 5.199.168.125 - - High
76 5.199.168.213 - - High
77 5.199.168.214 - - High
78 5.199.168.255 - - High
79 5.199.173.20 - - High
80 5.199.173.24 - - High
81 5.199.173.27 - - High
82 5.199.173.29 - - High
83 5.199.173.51 - - High
84 5.199.173.107 - - High
85 5.199.173.120 - - High
86 5.199.173.141 - - High
87 5.199.173.150 - - High
88 5.199.173.162 - - High
89 5.199.173.173 - - High
90 5.199.173.210 - - High
91 5.199.173.217 - - High
92 5.199.173.233 - - High
93 5.199.173.234 - - High
94 5.199.174.189 - - High
95 5.199.174.232 - - High
96 5.199.174.234 - - High
97 5.206.224.50 ko.pro - High
98 5.206.224.239 aqualisbra.com - High
99 5.206.227.5 jiojoip.com - High
100 5.230.57.30 - - High
101 5.230.57.194 - - High
102 5.230.66.157 - - High
103 5.230.67.128 placeholder.noezserver.de - High
104 5.230.67.227 placeholder.noezserver.de - High
105 5.230.68.22 pleasantly.autocraftz.biz - High
106 5.230.68.48 ounahiskills.co.uk - High
107 5.230.68.66 fracturedprunesurfcitync.com - High
108 5.230.68.163 placeholder.noezserver.de - High
109 5.230.68.190 ua190.ualist.com - High
110 5.230.70.43 placeholder.noezserver.de - High
111 5.230.70.57 placeholder.noezserver.de - High
112 5.230.70.135 placeholder.noezserver.de - High
113 5.230.70.140 placeholder.noezserver.de - High
114 5.230.70.146 placeholder.noezserver.de - High
115 5.230.71.72 placeholder.noezserver.de - High
116 5.230.72.37 placeholder.noezserver.de - High
117 5.230.72.131 placeholder.noezserver.de - High
118 5.230.72.158 placeholder.noezserver.de - High
119 5.230.73.61 placeholder.noezserver.de - High
120 5.230.73.139 - - High
121 5.230.73.157 - - High
122 5.230.73.172 - - High
123 5.230.73.200 placeholder.noezserver.de - High
124 5.230.73.244 placeholder.noezserver.de - High
125 5.230.74.71 - - High
126 5.230.74.153 placeholder.noezserver.de - High
127 5.230.74.202 - - High
128 5.230.74.203 - - High
129 5.230.74.223 placeholder.noezserver.de - High
130 5.230.74.242 - - High
131 5.230.75.11 - - High
132 5.230.75.134 placeholder.noezserver.de - High
133 5.230.75.188 - - High
134 5.230.75.247 ma247.manidatravel.com - High
135 5.230.76.44 - - High
136 5.230.76.198 - - High
137 5.230.78.208 - - High
138 5.252.23.141 mail.exclusive-meetingg.com - High
139 5.252.177.10 no-rdns.mivocloud.com - High
140 5.252.177.13 no-rdns.mivocloud.com - High
141 5.252.177.59 no-rdns.mivocloud.com - High
142 5.252.177.65 no-rdns.mivocloud.com - High
143 5.252.177.103 no-rdns.mivocloud.com - High
144 5.252.177.106 bestsevenreviews.com - High
145 5.252.177.107 no-rdns.mivocloud.com - High
146 5.252.177.233 5-252-177-233.mivocloud.com - High
147 5.252.178.142 no-rdns.mivocloud.com - High
148 5.255.98.45 - - High
149 5.255.98.126 - - High
150 5.255.99.21 - - High
151 5.255.99.51 - - High
152 5.255.99.108 - - High
153 5.255.100.8 - - High
154 5.255.100.32 - - High
155 5.255.100.55 - - High
156 5.255.100.65 - - High
157 5.255.100.207 chronostech.io - High
158 5.255.100.250 - - High
159 5.255.101.31 - - High
160 5.255.101.68 - - High
161 5.255.102.88 - - High
162 5.255.102.167 - - High
163 5.255.103.75 - - High
164 5.255.103.108 - - High
165 5.255.103.144 - - High
166 5.255.103.245 - - High
167 5.255.104.11 - - High
168 5.255.104.22 - - High
169 5.255.104.45 - - High
170 5.255.104.52 - - High
171 5.255.104.93 - - High
172 5.255.104.97 - - High
173 5.255.104.113 - - High
174 5.255.104.120 - - High
175 5.255.104.130 - - High
176 5.255.104.143 - - High
177 5.255.104.145 - - High
178 5.255.104.153 - - High
179 5.255.104.184 - - High
180 5.255.104.220 - - High
181 5.255.104.233 - - High
182 5.255.105.55 - - High
183 5.255.105.239 - - High
184 5.255.106.72 - - High
185 5.255.106.78 smtp.gespollas.com - High
186 5.255.106.136 - - High
187 5.255.106.240 - - High
188 5.255.107.149 - - High
189 5.255.109.46 - - High
190 5.255.109.175 - - High
191 5.255.110.177 - - High
192 5.255.111.220 - - High
193 5.255.113.157 - - High
194 5.255.115.226 - - High
195 5.255.119.21 - - High
196 5.255.120.33 - - High
197 5.255.122.79 - - High
198 5.255.124.55 - - High
199 6.43.51.17 - - High
200 8.39.147.62 vyc1.achlycole.org.uk - High
201 13.52.121.66 ec2-13-52-121-66.us-west-1.compute.amazonaws.com - Medium
202 13.57.55.155 ec2-13-57-55-155.us-west-1.compute.amazonaws.com - Medium
203 13.237.1.27 ec2-13-237-1-27.ap-southeast-2.compute.amazonaws.com - Medium
204 13.237.195.116 ec2-13-237-195-116.ap-southeast-2.compute.amazonaws.com - Medium
205 23.82.128.186 - - High
206 23.82.128.215 - - High
207 23.88.35.240 static.240.35.88.23.clients.your-server.de - High
208 23.106.124.26 - - High
209 23.106.124.168 - - High
210 23.106.124.181 - - High
211 23.106.215.93 - - High
212 23.160.193.140 unknown.ip-xfer.net - High
213 23.164.240.130 - - High
214 23.227.202.165 23-227-202-165.static.hvvc.us - High
215 23.227.203.131 23-227-203-131.static.hvvc.us - High
216 23.227.206.161 23-227-206-161.static.hvvc.us - High
217 23.227.206.195 23-227-206-195.static.hvvc.us - High
218 23.254.202.234 hwsrv-1055605.hostwindsdns.com - High
219 23.254.211.137 hwsrv-1045976.hostwindsdns.com - High
220 23.254.224.115 hwsrv-1031288.hostwindsdns.com - High
221 23.254.224.148 client-23-254-224-148.hostwindsdns.com - High
222 23.254.226.152 hwsrv-1069457.hostwindsdns.com - High
223 23.254.229.208 hwsrv-1015537.hostwindsdns.com - High
224 23.254.253.106 WIN-KP9WSUDC4N.com - High
225 31.13.195.119 sm.cfconsult.net - High
226 31.13.195.127 - - High
227 31.24.224.12 1f18e00c.setaptr.net - High
228 31.24.228.170 31.24.228.170.static.midphase.com - High
229 31.184.199.11 dalesmanager.com - High
230 37.1.192.40 - - High
231 37.1.193.136 webcomdition.com - High
232 37.1.195.84 - - High
233 37.1.195.238 autoreflash.com - High
234 37.1.205.217 - - High
235 37.1.208.48 reveltip.com - High
236 37.1.213.234 - - High
237 37.1.221.209 - - High
238 37.46.129.17 info50.fvds.ru - High
239 37.61.229.95 zeno.igorclark.net - High
240 37.120.222.100 - - High
241 37.221.115.12 - - High
242 37.235.55.75 75.55.235.37.in-addr.arpa - High
243 37.235.55.103 103.55.235.37.in-addr.arpa - High
244 37.235.56.30 30.56.235.37.in-addr.arpa - High
245 37.235.56.37 37.56.235.37.in-addr.arpa - High
246 37.235.56.94 94.56.235.37.in-addr.arpa - High
247 37.235.56.185 185.56.235.37.in-addr.arpa - High
248 37.252.5.228 - - High
249 37.252.6.77 - - High
250 37.252.10.231 - - High
251 37.252.11.170 - - High
252 37.252.11.221 - - High
253 38.180.0.89 - - High
254 38.180.8.107 - - High
255 38.180.8.169 - - High
256 38.180.34.14 - - High
257 39.104.16.102 - - High
258 39.104.17.212 - - High
259 39.104.23.152 - - High
260 39.104.27.24 - - High
261 39.104.72.59 - - High
262 39.104.94.83 - - High
263 39.104.164.115 - - High
264 45.8.158.140 mail.aeoncard-co-jp.com - High
265 45.11.19.121 - - High
266 45.11.19.168 - - High
267 45.11.182.61 - - High
268 45.11.182.114 - - High
269 45.11.182.115 - - High
270 45.11.182.117 - - High
271 45.11.182.118 - - High
272 45.11.182.119 - - High
273 45.11.182.120 - - High
274 45.11.182.121 - - High
275 45.12.109.136 kemp.strongwallsys.com - High
276 45.12.109.195 ryan.earthbroadcasting.com - High
277 45.12.109.221 weaver.earthbroadcasting.com - High
278 45.12.139.90 - - High
279 45.15.161.254 - - High
280 45.41.204.5 fastshipus.xyz - High
281 45.55.42.13 - - High
282 45.55.53.206 - - High
283 45.55.56.244 - - High
284 45.61.136.6 - - High
285 45.61.136.22 - - High
286 45.61.136.193 - - High
287 45.61.137.95 - - High
288 45.61.137.119 - - High
289 45.61.137.158 - - High
290 45.61.137.159 - - High
291 45.61.137.220 svenska.re - High
292 45.61.137.225 - - High
293 45.61.138.12 - - High
294 45.61.138.171 - - High
295 45.61.138.175 - - High
296 45.61.138.181 - - High
297 45.61.138.227 - - High
298 45.61.139.138 - - High
299 45.61.139.144 - - High
300 45.61.139.179 - - High
301 45.61.139.196 - - High
302 45.61.139.232 - - High
303 45.61.139.235 - - High
304 45.61.139.243 - - High
305 45.66.248.7 mta0.burjeela.gq - High
306 45.66.248.37 mta0.quarrantinereport-center.gq - High
307 45.66.248.64 0n3reye0i0.alyanova.com - High
308 45.66.248.69 outbound5.imaille.com - High
309 45.66.248.71 - - High
310 45.66.248.79 mta0.coldspikes.autos - High
311 45.66.248.119 finixdeal.com Nokoyawa High
312 45.66.248.148 QuanTs.defaultproduct.com - High
313 45.66.248.244 mta0.axminster-carpets.cf - High
314 45.66.249.26 8axj5rsx1e.marketingforbreweries.com - High
315 45.66.249.221 mta0.lizengeneering.com - High
316 45.67.231.235 am-tun2.warwish.pro - High
317 45.82.247.87 - - High
318 45.82.247.121 - - High
319 45.82.247.148 prostatehealth.click - High
320 45.82.251.34 - - High
321 45.82.251.36 - - High
322 45.82.251.44 - - High
323 45.86.229.46 - - High
324 45.86.229.94 - - High
325 45.86.229.105 1lf7cf33e.northernstarmarketing.com - High
326 45.86.229.180 - - High
327 45.86.229.253 32l.edUcated-352.insuranceforourfamily.com - High
328 45.86.230.43 google.com - High
329 45.86.230.141 mta0.ungho.cf - High
330 45.86.230.149 - - High
331 45.86.230.181 - - High
332 45.86.231.210 - - High
333 45.87.154.181 vm.solutions - High
334 45.88.221.211 - - High
335 45.89.98.138 ruiz.thegamersnet.com - High
336 45.89.107.120 d120.lifedigitz.com - High
337 45.92.162.84 butler.egnerarch.com - High
338 45.92.163.123 vars-long-kks.currishfine.com - High
339 45.92.163.233 landing-messy.samewaged.com - High
340 45.92.163.238 sup-size.samewaged.com - High
341 45.95.11.125 vm324206.pq.hosting - High
342 45.129.99.241 354851-vds-mamozw.gmhost.pp.ua - High
343 45.129.199.13 - - High
344 45.129.199.26 - - High
345 45.129.199.67 - - High
346 45.129.199.92 - - High
347 45.138.172.179 - - High
348 45.138.172.240 - - High
349 ... ... ... ...

There are 1390 more IOC items available. Please use our online service to access the data.
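As an added example (not VulDB's code), the script below parses rows in the format this table uses, skips the header and the truncation row, and checks the addresses against a constructed firewall log. The log lines, the key=value log format and the 10.20.30.0/24 internal range are assumptions for the demo, as is the small analyst-curated set of PTR names it refuses to trust. It applies a confidence threshold and flags hits whose listed hostname is a placeholder or a well-known name that a PTR record cannot vouch for.

```python
"""Parse the IOC table on this page and match its IP addresses against a firewall log.

Added example, not VulDB's code. The table excerpt and the log lines are constructed;
the row format is the one this page uses:
    "<id> <ip> <hostname|-> <campaign|-> <High|Medium|Low>"
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of rows from the table above (ids kept from the page).
IOC_TABLE = """\
ID IP address Hostname Campaign Confidence
1 2.56.177.14 2-56-177-14.serversfinder.com - High
4 3.82.225.224 ec2-3-82-225-224.compute-1.amazonaws.com - Medium
8 5.2.65.217 - - High
36 5.61.42.115 0.0.0.0 - High
311 45.66.248.119 finixdeal.com Nokoyawa High
328 45.86.230.43 google.com - High
349 ... ... ... ...
"""

# Constructed key=value firewall log; 10.20.30.0/24 is the assumed internal range.
FW_LOG = """\
2023-10-27T13:52:44Z fw01 action=allow src=10.20.30.40 dst=45.66.248.119 dport=443 proto=tcp
2023-10-27T13:53:01Z fw01 action=allow src=10.20.30.41 dst=142.250.74.46 dport=443 proto=tcp
2023-10-27T13:53:09Z fw01 action=allow src=10.20.30.40 dst=3.82.225.224 dport=80 proto=tcp
2023-10-27T13:54:12Z fw01 action=deny src=5.2.65.217 dst=10.20.30.1 dport=3389 proto=tcp
"""

CONFIDENCE_RANK = {"Low": 0, "Medium": 1, "High": 2}
ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(High|Medium|Low)$")
KV_RE = re.compile(r"\b(src|dst)=(\d{1,3}(?:\.\d{1,3}){3})\b")
# PTR values that name nobody in particular: literal addresses, provider templates, and
# well-known names that reverse DNS alone cannot verify (assumed, analyst-curated).
UNTRUSTED_PTR = {"0.0.0.0", "google.com"}
UNTRUSTED_PTR_PREFIXES = ("placeholder.", "no-rdns.")


@dataclass(frozen=True)
class Ioc:
    ioc_id: int
    ip: ipaddress.IPv4Address
    hostname: Optional[str]  # reverse-DNS name as listed; informational only
    campaign: Optional[str]
    confidence: str


def parse_ioc_table(text: str) -> List[Ioc]:
    """Parse table rows; the header, blank lines and the '...' truncation row do not match."""
    iocs = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ioc_id, ip, host, campaign, conf = m.groups()
        try:
            addr = ipaddress.IPv4Address(ip)
        except ValueError:
            continue  # second column was not an address
        iocs.append(Ioc(int(ioc_id), addr,
                        None if host == "-" else host,
                        None if campaign == "-" else campaign, conf))
    return iocs


def hostname_is_suspect(ioc: Ioc) -> bool:
    """True when the listed PTR name should not be used as evidence of ownership."""
    if ioc.hostname is None:
        return False
    h = ioc.hostname.lower()
    return h in UNTRUSTED_PTR or h.startswith(UNTRUSTED_PTR_PREFIXES) or h.endswith(".in-addr.arpa")


def scan_log(log_text: str, iocs: List[Ioc],
             min_confidence: str = "Medium") -> List[Tuple[int, str, Ioc]]:
    """Return (line_number, field, ioc) for every src/dst address that is a listed IOC
    rated at or above min_confidence."""
    index: Dict[ipaddress.IPv4Address, Ioc] = {i.ip: i for i in iocs}
    threshold = CONFIDENCE_RANK[min_confidence]
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        for field, ip in KV_RE.findall(line):
            try:
                ioc = index.get(ipaddress.IPv4Address(ip))
            except ValueError:
                continue  # octet out of range; not a real address
            if ioc is not None and CONFIDENCE_RANK[ioc.confidence] >= threshold:
                hits.append((n, field, ioc))
    return hits


if __name__ == "__main__":
    table = parse_ioc_table(IOC_TABLE)
    for n, field, ioc in scan_log(FW_LOG, table):
        note = " (hostname untrusted)" if hostname_is_suspect(ioc) else ""
        print(f"line {n}: {field}={ioc.ip} confidence={ioc.confidence} "
              f"campaign={ioc.campaign or '-'} hostname={ioc.hostname or '-'}{note}")
```

Run as-is it reports the outbound connection to the Nokoyawa-tagged address, the Medium-rated EC2 destination and the inbound RDP attempt from 5.2.65.217; raising `min_confidence` to "High" drops the EC2 hit, which is the sensible default for anything that becomes an automatic block.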

TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures (TTP) summarize the MITRE ATT&CK techniques that VulDB's predictive actor-profiling model suspects IcedID of using; they are model output, not observed behaviour. The Technique column carries the ATT&CK ID (T1006 is Direct Volume Access, T1040 Network Sniffing, T1055 Process Injection, T1059 Command and Scripting Interpreter, T1059.007 JavaScript, T1068 Exploitation for Privilege Escalation); the Weakness and Description columns give the CWE identifiers and the weakness class VulDB associates with that technique, not the technique's own name.

ID Technique Weakness Description Confidence
1 T1006 CWE-21, CWE-22, CWE-23 Pathname Traversal High
2 T1040 CWE-294 Authentication Bypass by Capture-replay High
3 T1055 CWE-74 Injection High
4 T1059 CWE-88, CWE-94, CWE-1321 Cross Site Scripting High
5 T1059.007 CWE-79, CWE-80 Cross Site Scripting High
6 T1068 CWE-264, CWE-266, CWE-269, CWE-284 J2EE Misconfiguration: Weak Access Permissions for EJB Methods High
7 ... ... ... ...

There are 22 more TTP items available. Please use our online service to access the data.
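As an added example (not VulDB's code), the script below parses rows in this table's format, emits an ATT&CK Navigator layer so the suspected techniques can be overlaid on your own detection coverage, and indexes the CWEs so that vulnerability-scanner findings reporting a CWE can be cross-referenced against the actor's suspected techniques. The layer version numbers, the confidence-to-score mapping and the layer name are assumptions; the ATT&CK names are the official ones for the six IDs shown.

```python
"""Turn the TTP table on this page into an ATT&CK Navigator layer and a CWE index.

Added example, not VulDB's code. The row excerpt is constructed from the table above in
the page's format: "<id> <technique> <CWE list> <description> <confidence>".
"""
import json
import re
from typing import Dict, List

TTP_TABLE = """\
ID Technique Weakness Description Confidence
1 T1006 CWE-21, CWE-22, CWE-23 Pathname Traversal High
2 T1040 CWE-294 Authentication Bypass by Capture-replay High
3 T1055 CWE-74 Injection High
4 T1059 CWE-88, CWE-94, CWE-1321 Cross Site Scripting High
5 T1059.007 CWE-79, CWE-80 Cross Site Scripting High
6 T1068 CWE-264, CWE-266, CWE-269, CWE-284 J2EE Misconfiguration: Weak Access Permissions for EJB Methods High
7 ... ... ... ...
"""

# Official ATT&CK names for the IDs on this page; the table's Description column is the
# weakness class VulDB associates with the technique, not the technique's own name.
ATTACK_NAMES = {
    "T1006": "Direct Volume Access",
    "T1040": "Network Sniffing",
    "T1055": "Process Injection",
    "T1059": "Command and Scripting Interpreter",
    "T1059.007": "JavaScript",
    "T1068": "Exploitation for Privilege Escalation",
}
SCORE = {"High": 100, "Medium": 60, "Low": 30}   # assumed confidence-to-score mapping
TECH_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def parse_ttp_table(text: str) -> List[Dict]:
    """Token-based parse: id, technique, CWE tokens up to the first non-CWE token, then
    the free-text description, with the confidence as the last token."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if (len(tokens) < 4 or not tokens[0].isdigit()
                or not TECH_RE.match(tokens[1]) or tokens[-1] not in SCORE):
            continue  # header, truncation row, blank line
        cwes, description = [], []
        for tok in tokens[2:-1]:
            if not description and tok.startswith("CWE-"):
                cwes.append(tok.rstrip(","))
            else:
                description.append(tok)
        rows.append({"id": int(tokens[0]), "technique": tokens[1], "cwes": cwes,
                     "description": " ".join(description), "confidence": tokens[-1]})
    return rows


def techniques_for_cwe(rows: List[Dict], cwe: str) -> List[str]:
    """Suspected techniques a given weakness class feeds; lets scanner findings that
    report a CWE be ranked against this actor's profile."""
    return [r["technique"] for r in rows if cwe in r["cwes"]]


def navigator_layer(rows: List[Dict], name: str = "IcedID (VulDB suspected TTPs)") -> Dict:
    """Build a Navigator layer (layer format 4.5, Navigator 4.9, ATT&CK v14 assumed)."""
    techniques = []
    for r in rows:
        techniques.append({
            "techniqueID": r["technique"],
            "score": SCORE[r["confidence"]],
            "enabled": True,
            "showSubtechniques": True,
            "comment": (f"{ATTACK_NAMES.get(r['technique'], 'unknown technique')}; "
                        f"weakness: {r['description']} ({', '.join(r['cwes'])}); "
                        f"confidence {r['confidence']}"),
        })
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Suspected techniques from VulDB predictive profiling; "
                       "score reflects stated confidence, not observed frequency.",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 100},
        "layout": {"layout": "side", "showID": True, "showName": True},
    }


if __name__ == "__main__":
    parsed = parse_ttp_table(TTP_TABLE)
    print(json.dumps(navigator_layer(parsed), indent=2))
    print("CWE-79 ->", techniques_for_cwe(parsed, "CWE-79"))
```

Save the printed JSON and open it with Navigator's "Open Existing Layer"; if your instance reports different version numbers, change the `versions` block before importing.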

IOA - Indicator of Attack

These indicators of attack (IOA) list fragments that the predictive actor-profiling model expects IcedID to use in technical activities such as reconnaissance, exploitation, privilege escalation, and exfiltration. The entries shown are request paths and file names; match them against web-server and proxy logs rather than blocking on them, and treat generic entries such as /index.php, /etc/passwd or /h/ (rated Medium or Low) as context for a hit on a High-confidence entry rather than as a signal by themselves.

ID Type Indicator Confidence
1 File /admin/about-us.php High
2 File /admin/save.php High
3 File /admin/sys_sql_query.php High
4 File /api/baskets/{name} High
5 File /api/download High
6 File /api/v1/terminal/sessions/?limit=1 High
7 File /bitrix/admin/ldap_server_edit.php High
8 File /category.php High
9 File /categorypage.php High
10 File /cgi-bin/luci/api/wireless High
11 File /cgi-bin/vitogate.cgi High
12 File /company/store High
13 File /Content/Template/root/reverse-shell.aspx High
14 File /Controller/Ajaxfileupload.ashx High
15 File /core/conditions/AbstractWrapper.java High
16 File /csms/?page=contact_us High
17 File /dcim/rack-roles/ High
18 File /etc/passwd Medium
19 File /fcgi/scrut_fcgi.fcgi High
20 File /forum/away.php High
21 File /h/ Low
22 File /HNAP1 Low
23 File /home/cavesConsole High
24 File /index.php Medium
25 File /index.php?app=main&func=passport&action=login High
26 File /index.php?page=category_list High
27 File /jeecg-boot/sys/common/upload High
28 File /jobinfo/ Medium
29 File /mhds/clinic/view_details.php High
30 File /PreviewHandler.ashx High
31 File /recipe-result High
32 File /register.do Medium
33 File /RPS2019Service/status.html High
34 File /scripts/unlock_tasks.php High
35 File /Service/ImageStationDataService.asmx High
36 File /ServletAPI/accounts/login High
37 File /sicweb-ajax/tmproot/ High
38 File /spip.php Medium
39 File /squashfs-root/etc_ro/custom.conf High
40 File /staff/edit_book_details.php High
41 File /student/bookdetails.php High
42 File /subsys/net/l2/wifi/wifi_shell.c High
43 File /SysManage/AddUpdateRole.aspx High
44 ... ... ...

There are 379 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
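As an added example (not VulDB's code), the script below parses rows in this table's format and matches them against a constructed Apache combined-format access log. Request targets are percent-decoded before comparison, an indicator that carries a query string must have all of its parameters present in the request, and the analyst-curated PAYLOAD_FRAGMENTS set (an assumption here) treats entries such as /etc/passwd as substrings of the decoded target, because they arrive inside traversal payloads rather than as the requested path. The log lines and the case-insensitivity switch for IIS-style servers are likewise assumptions for the demo.

```python
"""Match the IOA file-path indicators on this page against a web-server access log.

Added example, not VulDB's code. The indicator excerpt and the Apache combined-format
log lines are constructed; the row format is the page's:
    "<id> <type> <indicator> <High|Medium|Low>"
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

IOA_TABLE = """\
ID Type Indicator Confidence
3 File /admin/sys_sql_query.php High
18 File /etc/passwd Medium
22 File /HNAP1 Low
24 File /index.php Medium
25 File /index.php?app=main&func=passport&action=login High
44 ... ... ...
"""

ACCESS_LOG = """\
203.0.113.7 - - [27/Oct/2023:13:52:44 +0200] "GET /admin/sys_sql_query.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Oct/2023:13:52:45 +0200] "POST /index.php?app=main&func=passport&action=login&x=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Oct/2023:13:52:46 +0200] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0 "-" "curl/8.4.0"
198.51.100.9 - - [27/Oct/2023:13:52:47 +0200] "GET /images/logo.png HTTP/1.1" 200 4096 "-" "curl/8.4.0"
203.0.113.7 - - [27/Oct/2023:13:52:48 +0200] "GET /Admin/Sys_SQL_Query.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Indicators that are traversal/inclusion payload fragments rather than paths a server
# would serve; matched as substrings of the decoded request target. Assumed, analyst-curated.
PAYLOAD_FRAGMENTS = {"/etc/passwd"}

CONFIDENCE_RANK = {"Low": 0, "Medium": 1, "High": 2}
ROW_RE = re.compile(r"^(\d+)\s+(\w+)\s+(\S+)\s+(High|Medium|Low)$")
REQ_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH)\s+(\S+)\s+HTTP/[\d.]+"')


def parse_ioa_table(text: str) -> List[Dict]:
    """Only the single-token 'File' rows shown on this page are handled; the header
    and the '...' truncation row are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"id": int(m.group(1)), "type": m.group(2),
                         "indicator": m.group(3), "confidence": m.group(4)})
    return rows


def decode_target(target: str) -> Tuple[str, Dict[str, List[str]]]:
    """Percent-decoded path plus parsed query, so encoded and plain forms compare equal."""
    parts = urlsplit(target)
    return unquote(parts.path), parse_qs(parts.query, keep_blank_values=True)


def indicator_matches(indicator: str, path: str, query: Dict[str, List[str]],
                      decoded_target: str, case_insensitive: bool) -> bool:
    if indicator in PAYLOAD_FRAGMENTS:
        return indicator in decoded_target
    ipath, iquery = decode_target(indicator)
    if case_insensitive:  # IIS-style servers resolve paths case-insensitively
        ipath, path = ipath.lower(), path.lower()
    if ipath != path:
        return False
    # every parameter the indicator specifies must be present with the same value;
    # extra parameters in the request are allowed
    return all(query.get(k) == v for k, v in iquery.items())


def scan_access_log(log_text: str, rows: List[Dict], min_confidence: str = "Medium",
                    case_insensitive: bool = False) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator, confidence) for each indicator a request matches."""
    threshold = CONFIDENCE_RANK[min_confidence]
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = REQ_RE.search(line)
        if not m:
            continue
        target = m.group(1)
        path, query = decode_target(target)
        decoded_target = unquote(target)
        for row in rows:
            if CONFIDENCE_RANK[row["confidence"]] < threshold:
                continue
            if indicator_matches(row["indicator"], path, query, decoded_target, case_insensitive):
                hits.append((n, row["indicator"], row["confidence"]))
    return hits


if __name__ == "__main__":
    indicators = parse_ioa_table(IOA_TABLE)
    for n, indicator, confidence in scan_access_log(ACCESS_LOG, indicators):
        print(f"line {n}: {indicator} [{confidence}]")
```

The second log line shows why the query-aware match matters: the generic /index.php entry and the specific /index.php?app=main&func=passport&action=login entry both fire, and only the latter is High confidence. Path normalisation here is limited to percent-decoding; add trailing-slash and duplicate-slash handling for indicators such as /dcim/rack-roles/ if your server treats those forms as equivalent.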

References

The following list contains external sources which discuss the actor and the associated activities:

Literature

The following articles explain our unique predictive cyber threat intelligence:

License

(c) 1997-2023 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!