cyber_threat_intelligence/actors/IcedID
README.md (commit "Update January 2024", 2024-01-26 07:53:33 +01:00)

IcedID - Cyber Threat Intelligence

These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as IcedID. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.icedid

Campaigns

The following campaigns are known and can be associated with IcedID:

  • Cobalt Strike
  • Nokoyawa

Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with IcedID:

There are 18 more country items available. Please use our online service to access the data.

IOC - Indicator of Compromise

These indicators of compromise (IOC) are network resources observed as part of research and attack activities attributed to IcedID. The Hostname column is the reverse DNS (PTR) name recorded at collection time, not an independently verified indicator: PTR records are set by whoever controls the address block, so provider placeholders (no-rdns.mivocloud.com, placeholder.noezserver.de, *.in-addr.arpa), obviously spoofed values (0.0.0.0, google.com on a non-Google address, saycain.example.com) and bare host names (WIN-KP9WSUDC4N.com) carry no attribution weight and should not be turned into domain blocklist entries. A "-" in the Hostname or Campaign column means no value was recorded. Addresses on cloud ranges (EC2 and Google Cloud reverse names) are scored Medium because such addresses are reassigned frequently; re-check them before blocking.

ID IP address Hostname Campaign Confidence
1 2.56.177.14 2-56-177-14.serversfinder.com - High
2 2.56.177.122 2-56-177-122.serversfinder.com - High
3 2.56.177.183 2-56-177-183.serversfinder.com - High
4 3.82.225.224 ec2-3-82-225-224.compute-1.amazonaws.com - Medium
5 3.89.127.205 ec2-3-89-127-205.compute-1.amazonaws.com - Medium
6 3.90.105.242 ec2-3-90-105-242.compute-1.amazonaws.com - Medium
7 3.95.241.204 ec2-3-95-241-204.compute-1.amazonaws.com - Medium
8 3.104.41.163 ec2-3-104-41-163.ap-southeast-2.compute.amazonaws.com - Medium
9 3.105.92.116 ec2-3-105-92-116.ap-southeast-2.compute.amazonaws.com - Medium
10 5.2.65.217 - - High
11 5.2.67.119 - - High
12 5.2.70.56 - - High
13 5.2.70.89 - - High
14 5.2.74.83 - - High
15 5.2.75.126 - - High
16 5.2.75.189 - - High
17 5.2.76.156 - - High
18 5.2.77.232 - - High
19 5.2.78.150 - - High
20 5.2.79.7 - - High
21 5.2.79.218 - - High
22 5.34.180.162 - - High
23 5.34.181.34 vds-842965.hosted-by-itldc.com - High
24 5.34.181.44 vds-950771.hosted-by-itldc.com - High
25 5.39.63.101 - - High
26 5.39.63.102 - - High
27 5.39.222.193 - - High
28 5.39.223.131 - - High
29 5.39.223.134 - - High
30 5.61.32.172 - - High
31 5.61.34.133 mta3.mailup.ru - High
32 5.61.34.153 - - High
33 5.61.36.120 - - High
34 5.61.36.180 - - High
35 5.61.37.89 mailer.ampm.casino - High
36 5.61.37.224 - - High
37 5.61.40.78 - - High
38 5.61.42.115 0.0.0.0 - High
39 5.61.42.123 stirok.ru - High
40 5.61.42.128 - - High
41 5.61.43.172 - - High
42 5.61.43.191 b3.bareandblushy.com - High
43 5.61.44.146 - - High
44 5.61.44.218 - - High
45 5.61.44.234 - - High
46 5.61.45.179 - - High
47 5.61.46.161 - - High
48 5.61.46.164 - - High
49 5.61.61.35 - - High
50 5.135.255.246 - - High
51 5.144.132.47 47-132-144-5.static.hostiran.name - High
52 5.146.45.129 ip-005-146-045-129.um05.pools.vodafone-ip.de - High
53 5.149.252.179 hnh7.arenal.xyz - High
54 5.180.114.36 36.114.180.5.in-addr.arpa - High
55 5.180.114.52 52.114.180.5.in-addr.arpa - High
56 5.180.114.88 88.114.180.5.in-addr.arpa - High
57 5.180.114.165 165.114.180.5.in-addr.arpa - High
58 5.180.114.171 171.114.180.5.in-addr.arpa - High
59 5.180.114.190 190.114.180.5.in-addr.arpa - High
60 5.181.27.192 gcl-lon.com - High
61 5.181.80.213 ip-80-213-bullethost.net - High
62 5.181.80.215 anelpones.xyz - High
63 5.181.80.218 ip-80-218-bullethost.net - High
64 5.181.159.39 5-181-159-39.mivocloud.com - High
65 5.181.159.41 no-rdns.mivocloud.com - High
66 5.181.159.51 no-rdns.mivocloud.com - High
67 5.181.159.54 no-rdns.mivocloud.com - High
68 5.181.159.55 no-rdns.mivocloud.com - High
69 5.182.27.71 s322800.cloud.flynet.pro - High
70 5.188.0.52 saycain.example.com - High
71 5.188.93.137 free.ds - High
72 5.189.253.223 minsipak.fr - High
73 5.196.103.145 - - High
74 5.196.196.251 - - High
75 5.196.196.252 - - High
76 5.199.162.56 - - High
77 5.199.162.81 - - High
78 5.199.162.123 - - High
79 5.199.162.162 - - High
80 5.199.162.166 - - High
81 5.199.162.174 - - High
82 5.199.162.235 - - High
83 5.199.168.14 - - High
84 5.199.168.24 - - High
85 5.199.168.34 - - High
86 5.199.168.125 - - High
87 5.199.168.213 - - High
88 5.199.168.214 - - High
89 5.199.168.255 - - High
90 5.199.173.20 - - High
91 5.199.173.24 - - High
92 5.199.173.27 - - High
93 5.199.173.29 - - High
94 5.199.173.51 - - High
95 5.199.173.107 - - High
96 5.199.173.120 - - High
97 5.199.173.141 - - High
98 5.199.173.150 - - High
99 5.199.173.162 - - High
100 5.199.173.173 - - High
101 5.199.173.210 - - High
102 5.199.173.217 - - High
103 5.199.173.233 - - High
104 5.199.173.234 - - High
105 5.199.174.189 - - High
106 5.199.174.232 - - High
107 5.199.174.234 - - High
108 5.206.224.50 ko.pro - High
109 5.206.224.239 aqualisbra.com - High
110 5.206.227.5 jiojoip.com - High
111 5.230.57.30 - - High
112 5.230.57.194 - - High
113 5.230.66.157 - - High
114 5.230.67.128 placeholder.noezserver.de - High
115 5.230.67.227 placeholder.noezserver.de - High
116 5.230.68.22 pleasantly.autocraftz.biz - High
117 5.230.68.48 ounahiskills.co.uk - High
118 5.230.68.66 fracturedprunesurfcitync.com - High
119 5.230.68.163 placeholder.noezserver.de - High
120 5.230.68.190 ua190.ualist.com - High
121 5.230.70.43 placeholder.noezserver.de - High
122 5.230.70.57 placeholder.noezserver.de - High
123 5.230.70.135 placeholder.noezserver.de - High
124 5.230.70.140 placeholder.noezserver.de - High
125 5.230.70.146 placeholder.noezserver.de - High
126 5.230.71.72 placeholder.noezserver.de - High
127 5.230.72.37 placeholder.noezserver.de - High
128 5.230.72.131 placeholder.noezserver.de - High
129 5.230.72.158 placeholder.noezserver.de - High
130 5.230.73.61 placeholder.noezserver.de - High
131 5.230.73.139 - - High
132 5.230.73.157 - - High
133 5.230.73.172 - - High
134 5.230.73.200 placeholder.noezserver.de - High
135 5.230.73.244 placeholder.noezserver.de - High
136 5.230.74.71 - - High
137 5.230.74.102 placeholder.noezserver.de - High
138 5.230.74.153 placeholder.noezserver.de - High
139 5.230.74.202 - - High
140 5.230.74.203 - - High
141 5.230.74.223 placeholder.noezserver.de - High
142 5.230.74.242 - - High
143 5.230.75.11 - - High
144 5.230.75.134 placeholder.noezserver.de - High
145 5.230.75.188 - - High
146 5.230.75.247 ma247.manidatravel.com - High
147 5.230.76.44 - - High
148 5.230.76.198 - - High
149 5.230.78.208 - - High
150 5.252.23.141 mail.exclusive-meetingg.com - High
151 5.252.177.10 no-rdns.mivocloud.com - High
152 5.252.177.13 no-rdns.mivocloud.com - High
153 5.252.177.59 no-rdns.mivocloud.com - High
154 5.252.177.65 no-rdns.mivocloud.com - High
155 5.252.177.103 no-rdns.mivocloud.com - High
156 5.252.177.106 bestsevenreviews.com - High
157 5.252.177.107 no-rdns.mivocloud.com - High
158 5.252.177.233 5-252-177-233.mivocloud.com - High
159 5.252.178.142 no-rdns.mivocloud.com - High
160 5.255.98.45 - - High
161 5.255.98.126 - - High
162 5.255.99.21 - - High
163 5.255.99.51 - - High
164 5.255.99.108 - - High
165 5.255.100.8 - - High
166 5.255.100.32 - - High
167 5.255.100.55 - - High
168 5.255.100.65 - - High
169 5.255.100.207 chronostech.io - High
170 5.255.100.250 - - High
171 5.255.101.31 - - High
172 5.255.101.68 - - High
173 5.255.102.88 - - High
174 5.255.102.167 - - High
175 5.255.103.16 - - High
176 5.255.103.75 - - High
177 5.255.103.108 - - High
178 5.255.103.144 - - High
179 5.255.103.245 - - High
180 5.255.104.11 - - High
181 5.255.104.22 - - High
182 5.255.104.45 - - High
183 5.255.104.52 - - High
184 5.255.104.93 - - High
185 5.255.104.97 - - High
186 5.255.104.113 - - High
187 5.255.104.120 - - High
188 5.255.104.130 - - High
189 5.255.104.143 - - High
190 5.255.104.145 - - High
191 5.255.104.153 - - High
192 5.255.104.184 - - High
193 5.255.104.220 - - High
194 5.255.104.233 - - High
195 5.255.105.55 - - High
196 5.255.105.239 - - High
197 5.255.106.72 - - High
198 5.255.106.78 smtp.gespollas.com - High
199 5.255.106.136 - - High
200 5.255.106.240 - - High
201 5.255.107.149 - - High
202 5.255.109.46 - - High
203 5.255.109.175 - - High
204 5.255.110.177 - - High
205 5.255.111.220 - - High
206 5.255.113.157 - - High
207 5.255.115.226 - - High
208 5.255.119.21 - - High
209 5.255.120.33 - - High
210 5.255.122.79 - - High
211 5.255.124.55 - - High
212 6.43.51.17 - - High
213 8.39.147.62 vyc1.achlycole.org.uk - High
214 13.52.121.66 ec2-13-52-121-66.us-west-1.compute.amazonaws.com - Medium
215 13.57.55.155 ec2-13-57-55-155.us-west-1.compute.amazonaws.com - Medium
216 13.237.1.27 ec2-13-237-1-27.ap-southeast-2.compute.amazonaws.com - Medium
217 13.237.195.116 ec2-13-237-195-116.ap-southeast-2.compute.amazonaws.com - Medium
218 14.99.115.211 - - High
219 15.236.140.116 ec2-15-236-140-116.eu-west-3.compute.amazonaws.com - Medium
220 23.82.128.186 - - High
221 23.82.128.215 - - High
222 23.88.35.240 static.240.35.88.23.clients.your-server.de - High
223 23.106.124.26 - - High
224 23.106.124.168 - - High
225 23.106.124.181 - - High
226 23.106.215.93 - - High
227 23.160.193.140 unknown.ip-xfer.net - High
228 23.164.240.130 - - High
229 23.227.202.165 23-227-202-165.static.hvvc.us - High
230 23.227.203.131 23-227-203-131.static.hvvc.us - High
231 23.227.206.161 23-227-206-161.static.hvvc.us - High
232 23.227.206.195 23-227-206-195.static.hvvc.us - High
233 23.254.202.234 hwsrv-1055605.hostwindsdns.com - High
234 23.254.211.137 hwsrv-1045976.hostwindsdns.com - High
235 23.254.224.115 hwsrv-1031288.hostwindsdns.com - High
236 23.254.224.148 client-23-254-224-148.hostwindsdns.com - High
237 23.254.226.152 hwsrv-1069457.hostwindsdns.com - High
238 23.254.229.208 hwsrv-1015537.hostwindsdns.com - High
239 23.254.253.106 WIN-KP9WSUDC4N.com - High
240 31.13.195.119 sm.cfconsult.net - High
241 31.13.195.127 - - High
242 31.24.224.12 1f18e00c.setaptr.net - High
243 31.24.228.170 31.24.228.170.static.midphase.com - High
244 31.184.199.11 dalesmanager.com - High
245 35.212.196.32 32.196.212.35.bc.googleusercontent.com - Medium
246 37.1.192.40 - - High
247 37.1.193.136 webcomdition.com - High
248 37.1.195.84 - - High
249 37.1.195.238 autoreflash.com - High
250 37.1.205.217 - - High
251 37.1.208.48 reveltip.com - High
252 37.1.213.234 - - High
253 37.1.221.209 - - High
254 37.46.129.17 info50.fvds.ru - High
255 37.61.229.95 zeno.igorclark.net - High
256 37.120.222.100 - - High
257 37.221.115.12 - - High
258 37.235.55.75 75.55.235.37.in-addr.arpa - High
259 37.235.55.103 103.55.235.37.in-addr.arpa - High
260 37.235.56.30 30.56.235.37.in-addr.arpa - High
261 37.235.56.37 37.56.235.37.in-addr.arpa - High
262 37.235.56.94 94.56.235.37.in-addr.arpa - High
263 37.235.56.185 185.56.235.37.in-addr.arpa - High
264 37.252.5.228 - - High
265 37.252.6.77 - - High
266 37.252.10.231 - - High
267 37.252.11.170 - - High
268 37.252.11.221 - - High
269 38.180.0.89 - - High
270 38.180.8.107 - - High
271 38.180.8.169 - - High
272 38.180.34.14 - - High
273 39.104.16.102 - - High
274 39.104.17.212 - - High
275 39.104.23.152 - - High
276 39.104.27.24 - - High
277 39.104.57.145 - - High
278 39.104.72.59 - - High
279 39.104.94.83 - - High
280 39.104.164.115 - - High
281 45.8.158.140 mail.aeoncard-co-jp.com - High
282 45.11.19.121 - - High
283 45.11.19.168 - - High
284 45.11.182.61 - - High
285 45.11.182.114 - - High
286 45.11.182.115 - - High
287 45.11.182.117 - - High
288 45.11.182.118 - - High
289 45.11.182.119 - - High
290 45.11.182.120 - - High
291 45.11.182.121 - - High
292 45.12.109.136 kemp.strongwallsys.com - High
293 45.12.109.195 ryan.earthbroadcasting.com - High
294 45.12.109.221 weaver.earthbroadcasting.com - High
295 45.12.139.90 - - High
296 45.15.161.254 - - High
297 45.41.204.5 fastshipus.xyz - High
298 45.55.42.13 - - High
299 45.55.53.206 - - High
300 45.55.56.244 - - High
301 45.61.136.6 - - High
302 45.61.136.22 - - High
303 45.61.136.193 - - High
304 45.61.137.95 - - High
305 45.61.137.97 - - High
306 45.61.137.119 - - High
307 45.61.137.158 - - High
308 45.61.137.159 - - High
309 45.61.137.220 svenska.re - High
310 45.61.137.225 - - High
311 45.61.138.12 - - High
312 45.61.138.149 - - High
313 45.61.138.171 - - High
314 45.61.138.175 - - High
315 45.61.138.181 - - High
316 45.61.138.227 - - High
317 45.61.139.138 - - High
318 45.61.139.144 - - High
319 45.61.139.179 - - High
320 45.61.139.196 - - High
321 45.61.139.232 - - High
322 45.61.139.235 - - High
323 45.61.139.243 - - High
324 45.66.248.7 mta0.burjeela.gq - High
325 45.66.248.37 mta0.quarrantinereport-center.gq - High
326 45.66.248.64 0n3reye0i0.alyanova.com - High
327 45.66.248.69 outbound5.imaille.com - High
328 45.66.248.71 - - High
329 45.66.248.79 mta0.coldspikes.autos - High
330 45.66.248.119 finixdeal.com Nokoyawa High
331 45.66.248.148 QuanTs.defaultproduct.com - High
332 45.66.248.244 mta0.axminster-carpets.cf - High
333 45.66.249.26 8axj5rsx1e.marketingforbreweries.com - High
334 45.66.249.221 mta0.lizengeneering.com - High
335 45.67.231.235 am-tun2.warwish.pro - High
336 45.82.247.87 - - High
337 45.82.247.121 - - High
338 45.82.247.148 prostatehealth.click - High
339 45.82.251.34 - - High
340 45.82.251.36 - - High
341 45.82.251.44 - - High
342 45.85.117.196 naskal.de - High
343 45.86.229.46 - - High
344 45.86.229.94 - - High
345 45.86.229.105 1lf7cf33e.northernstarmarketing.com - High
346 45.86.229.180 - - High
347 45.86.229.253 32l.edUcated-352.insuranceforourfamily.com - High
348 45.86.230.43 google.com - High
349 45.86.230.141 mta0.ungho.cf - High
350 45.86.230.149 - - High
351 45.86.230.181 - - High
352 45.86.231.210 - - High
353 45.87.154.181 vm.solutions - High
354 45.88.221.211 - - High
355 45.89.98.138 ruiz.thegamersnet.com - High
356 45.89.107.120 d120.lifedigitz.com - High
357 45.92.162.84 butler.egnerarch.com - High
358 45.92.163.123 vars-long-kks.currishfine.com - High
359 45.92.163.233 landing-messy.samewaged.com - High
360 45.92.163.238 sup-size.samewaged.com - High
361 45.95.11.125 vm324206.pq.hosting - High
362 45.129.99.241 354851-vds-mamozw.gmhost.pp.ua - High
363 45.129.199.13 - - High
364 45.129.199.15 server2.divslabs.com - High
365 45.129.199.26 - - High
366 45.129.199.67 - - High
367 45.129.199.75 - - High
368 45.129.199.92 - - High
369 45.129.199.158 - - High
370 45.129.199.169 mta0.agungpodomoroland.co - High
371 45.129.199.172 - - High
372 45.129.199.250 mta0.fatimia-group.cc - High
373 45.138.172.179 - - High
374 45.138.172.240 - - High
375 ... ... ... ...

There are 1497 more IOC items available. Please use our online service to access the data.
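The table above is flattened text, so the first thing a detection engineer does with it is parse it back into records and decide which entries are actually safe to act on. The following script is an added example written for this page, not VulDB tooling: it parses rows in the "ID IP address Hostname Campaign Confidence" layout, discards PTR names that carry no attribution value, builds a numerically sorted blocklist that excludes reallocating cloud addresses, and reports /24 prefixes with several listed hosts (candidates for range-level blocking or an abuse report). The sample rows are copied from the table; the placeholder markers and cloud suffixes are this example's own assumptions.

```python
"""Parse VulDB-style flattened IOC rows into a usable blocklist.

Added example for this page; not VulDB code. It works on rows copied from the
table above (constructed sample below) and makes no network requests.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

CONFIDENCE_RANK = {"Low": 0, "Medium": 1, "High": 2}

# Reverse-DNS names that carry no attribution value: provider placeholders,
# generic PTR templates, or obviously spoofed values (assumption of this example).
UNINFORMATIVE_PTR_MARKERS = ("in-addr.arpa", "no-rdns", "placeholder", "example.com")
# Cloud reverse-name suffixes whose addresses are reallocated frequently; the
# page itself scores these only Medium.
EPHEMERAL_CLOUD_SUFFIXES = (".amazonaws.com", ".googleusercontent.com")

# Rows copied from the table above, including the "..." truncation row.
SAMPLE_ROWS = """\
1 2.56.177.14 2-56-177-14.serversfinder.com - High
4 3.82.225.224 ec2-3-82-225-224.compute-1.amazonaws.com - Medium
10 5.2.65.217 - - High
38 5.61.42.115 0.0.0.0 - High
54 5.180.114.36 36.114.180.5.in-addr.arpa - High
65 5.181.159.41 no-rdns.mivocloud.com - High
180 5.255.104.11 - - High
181 5.255.104.22 - - High
182 5.255.104.45 - - High
330 45.66.248.119 finixdeal.com Nokoyawa High
348 45.86.230.43 google.com - High
375 ... ... ... ...
"""


@dataclass(frozen=True)
class IOC:
    row_id: int
    ip: str
    hostname: str | None
    campaign: str | None
    confidence: str


def parse_ioc_table(text: str) -> list[IOC]:
    """Parse 'ID IP Hostname Campaign Confidence' rows; '-' means empty.

    Campaign names may contain spaces (e.g. 'Cobalt Strike'), so the campaign is
    everything between the hostname and the trailing confidence token. Rows whose
    IP column is not an address (the '...' truncation row) are skipped.
    """
    iocs: list[IOC] = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or not tokens[0].isdigit() or tokens[-1] not in CONFIDENCE_RANK:
            continue
        try:
            ip = str(ipaddress.ip_address(tokens[1]))
        except ValueError:
            continue
        hostname = None if tokens[2] == "-" else tokens[2]
        campaign = " ".join(tokens[3:-1])
        iocs.append(IOC(int(tokens[0]), ip, hostname,
                        None if campaign == "-" else campaign, tokens[-1]))
    return iocs


def ptr_is_informative(hostname: str | None) -> bool:
    """False for PTR values that must not drive attribution or domain blocking."""
    if not hostname:
        return False
    h = hostname.lower()
    return h != "0.0.0.0" and not any(m in h for m in UNINFORMATIVE_PTR_MARKERS)


def is_ephemeral_cloud(hostname: str | None) -> bool:
    """True for reverse names on cloud ranges that are reassigned frequently."""
    return bool(hostname) and hostname.lower().endswith(EPHEMERAL_CLOUD_SUFFIXES)


def blocklist(iocs: list[IOC], min_confidence: str = "High") -> list[str]:
    """Addresses safe to feed a firewall: at or above the confidence floor and not
    on reallocating cloud ranges. The IP stays an indicator even when its PTR is
    worthless. Sorted numerically, duplicates removed."""
    floor = CONFIDENCE_RANK[min_confidence]
    chosen = {i.ip for i in iocs
              if CONFIDENCE_RANK[i.confidence] >= floor and not is_ephemeral_cloud(i.hostname)}
    return sorted(chosen, key=ipaddress.ip_address)


def dense_prefixes(iocs: list[IOC], prefix_len: int = 24, min_hosts: int = 3) -> dict[str, int]:
    """Prefixes holding at least min_hosts listed addresses: candidates for
    range-level blocking or for a hosting-provider abuse report."""
    counts = Counter(
        str(ipaddress.ip_network(f"{i.ip}/{prefix_len}", strict=False)) for i in iocs
    )
    return {net: n for net, n in sorted(counts.items()) if n >= min_hosts}


if __name__ == "__main__":
    rows = parse_ioc_table(SAMPLE_ROWS)
    for ioc in rows:
        tag = "attributable PTR" if ptr_is_informative(ioc.hostname) else "PTR not usable"
        print(f"{ioc.ip:16} {tag:16} {ioc.campaign or '-'}")
    print("blocklist:", blocklist(rows))
    print("dense /24s:", dense_prefixes(rows))
```

On the sample rows the blocklist keeps ten addresses (the EC2 host is dropped even when the floor is lowered to Medium), only finixdeal.com survives as an attributable PTR, and 5.255.104.0/24 is reported as a dense prefix; run against the full table, the /24 counts are what you would hand to the hosting providers.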

TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures (TTP) summarize the MITRE ATT&CK techniques suspected for IcedID. The Technique column holds the ATT&CK ID (for example T1059 is Command and Scripting Interpreter and T1059.007 its JavaScript sub-technique); the Weakness and Description columns give the CWE classes of the vulnerabilities the actor is assumed to exploit, not the ATT&CK technique name. This data is unique as it uses our predictive model for actor profiling.

ID Technique Weakness Description Confidence
1 T1006 CWE-21, CWE-22, CWE-23, CWE-425 Pathname Traversal High
2 T1040 CWE-319 Authentication Bypass by Capture-replay High
3 T1055 CWE-74 Injection High
4 T1059 CWE-94, CWE-1321 Code Injection High
5 T1059.007 CWE-79, CWE-80 Cross Site Scripting High
6 ... ... ... ...

There are 21 more TTP items available. Please use our online service to access the data.

IOA - Indicator of Attack

These indicators of attack (IOA) list potential fragments used for technical activities such as reconnaissance, exploitation, privilege escalation, and exfiltration by IcedID. Most File entries are URL paths of known vulnerable endpoints the actor is assumed to probe; a few (for example %SYSTEMDRIVE%\node_modules\.bin\wmic.exe and //proc/kcore) are host file paths and belong in endpoint rather than web-server detection. Confidence drops for generic paths (/HNAP1, /proxy, /setting) that legitimate clients and unrelated scanners also request, so those should corroborate other signals rather than alert on their own. This data is unique as it uses our predictive model for actor profiling.

ID Type Indicator Confidence
1 File %SYSTEMDRIVE%\node_modules\.bin\wmic.exe High
2 File //proc/kcore Medium
3 File /admin/action/delete-vaccine.php High
4 File /admin/index2.html High
5 File /admin/save.php High
6 File /api/admin/system/store/order/list High
7 File /api/download High
8 File /api/v1/alerts High
9 File /api/v1/terminal/sessions/?limit=1 High
10 File /app/index/controller/Common.php High
11 File /app/options.py High
12 File /b2b-supermarket/shopping-cart High
13 File /bitrix/admin/ldap_server_edit.php High
14 File /category.php High
15 File /categorypage.php High
16 File /cgi-bin/vitogate.cgi High
17 File /change-language/de_DE High
18 File /debug/pprof Medium
19 File /dist/index.js High
20 File /etc/shadow.sample High
21 File /fcgi/scrut_fcgi.fcgi High
22 File /forms/doLogin High
23 File /forum/away.php High
24 File /geoserver/gwc/rest.html High
25 File /goform/formSysCmd High
26 File /HNAP1 Low
27 File /home/cavesConsole High
28 File /hosts/firewall/ip High
29 File /index.php/ccm/system/file/upload High
30 File /jeecg-boot/sys/common/upload High
31 File /listplace/user/ticket/create High
32 File /log/decodmail.php High
33 File /mhds/clinic/view_details.php High
34 File /oauth/idp/.well-known/openid-configuration High
35 File /OA_HTML/cabo/jsps/a.jsp High
36 File /php/ping.php High
37 File /proxy Low
38 File /rest/api/latest/projectvalidate/key High
39 File /RPS2019Service/status.html High
40 File /s/index.php?action=statistics High
41 File /scripts/unlock_tasks.php High
42 File /setting Medium
43 File /sicweb-ajax/tmproot/ High
44 ... ... ...

There are 376 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
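The practical use of the URL-path IOAs is a rule over web-server access logs, and the part that is easy to get wrong is normalisation: a probe for /admin/save.php arrives as /%61dmin//../admin/save.php and must still match, while the Windows file paths in the same table must not be turned into web rules at all. The script below is an added example for this page, not VulDB tooling. It assumes Apache/nginx combined log format; the IOA rows are copied from the table above, and the log lines are constructed samples using RFC 5737 test addresses. Low-confidence indicators are excluded by default and only surface when the caller lowers the floor.

```python
"""Match web-server access logs against the URL-path IOAs from the table above.

Added example for this page, not VulDB tooling. The IOA rows are copied from
the table; the access-log lines are constructed. Paths are normalised before
comparison so percent-encoded or traversal-obfuscated probes still match.
"""
from __future__ import annotations

import posixpath
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote

CONFIDENCE_RANK = {"Low": 0, "Medium": 1, "High": 2}

# Rows copied from the IOA table above (raw string: the Windows path has backslashes).
SAMPLE_IOAS = r"""
1 File %SYSTEMDRIVE%\node_modules\.bin\wmic.exe High
2 File //proc/kcore Medium
4 File /admin/index2.html High
5 File /admin/save.php High
9 File /api/v1/terminal/sessions/?limit=1 High
16 File /cgi-bin/vitogate.cgi High
26 File /HNAP1 Low
37 File /proxy Low
40 File /s/index.php?action=statistics High
"""

# Constructed combined-format log lines; client addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Jan/2024:07:53:33 +0100] "GET /admin/index2.html HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Jan/2024:07:53:34 +0100] "POST /cgi-bin/vitogate.cgi HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [26/Jan/2024:07:54:01 +0100] "GET /%61dmin//../admin/save.php HTTP/1.1" 403 0 "-" "curl/8.4.0"
198.51.100.9 - - [26/Jan/2024:07:54:02 +0100] "GET /HNAP1 HTTP/1.1" 404 0 "-" "curl/8.4.0"
192.0.2.44 - - [26/Jan/2024:07:55:10 +0100] "GET /s/index.php?action=statistics HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [26/Jan/2024:07:55:11 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Apache/nginx combined format: client, ident, user, [time], "METHOD target proto", status ...
CLF = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')


@dataclass(frozen=True)
class IOA:
    row_id: int
    kind: str
    indicator: str
    confidence: str


@dataclass(frozen=True)
class Hit:
    client: str
    target: str
    indicator: str
    confidence: str
    status: int


def parse_ioa_table(text: str) -> list[IOA]:
    """Rows look like 'ID Type Indicator Confidence'; the indicator may contain spaces."""
    rows: list[IOA] = []
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 4 and t[0].isdigit() and t[-1] in CONFIDENCE_RANK:
            rows.append(IOA(int(t[0]), t[1], " ".join(t[2:-1]), t[-1]))
    return rows


def normalize(target: str) -> tuple[str, str]:
    """Return (canonical path, query). Percent-decoding, duplicate-slash and
    dot-segment removal defeat the usual evasions; lower-casing trades a little
    precision for catching case-variant probes against Windows hosts."""
    path, _, query = target.partition("?")
    path = re.sub(r"/+", "/", unquote(path).lower())
    return posixpath.normpath(path), query


def web_path_ioas(ioas: list[IOA], min_confidence: str) -> list[IOA]:
    """Keep URL-style indicators at or above the confidence floor. Windows file
    paths in the same table are host indicators and do not belong in a web rule."""
    floor = CONFIDENCE_RANK[min_confidence]
    return [i for i in ioas if i.indicator.startswith("/") and "\\" not in i.indicator
            and CONFIDENCE_RANK[i.confidence] >= floor]


def match_log(log_text: str, ioas: list[IOA], min_confidence: str = "Medium") -> list[Hit]:
    """One Hit per log line whose normalised request target equals an indicator."""
    rules = [(normalize(i.indicator), i) for i in web_path_ioas(ioas, min_confidence)]
    hits: list[Hit] = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        path, query = normalize(m["target"])
        for (rule_path, rule_query), ioa in rules:
            # An indicator carrying its own query string must match in full;
            # a bare path matches whatever query the request appends.
            if rule_path == path and (not rule_query or rule_query == query):
                hits.append(Hit(m["client"], m["target"], ioa.indicator, ioa.confidence, int(m["status"])))
                break
    return hits


def clients_by_hit_count(hits: list[Hit]) -> dict[str, int]:
    """Busiest sources first: the triage order for the resulting alerts."""
    return dict(Counter(h.client for h in hits).most_common())


if __name__ == "__main__":
    ioas = parse_ioa_table(SAMPLE_IOAS)
    for h in match_log(SAMPLE_LOG, ioas):
        print(f"{h.client:14} {h.status} {h.target:40} matched {h.indicator} ({h.confidence})")
    print(clients_by_hit_count(match_log(SAMPLE_LOG, ioas)))
```

With the default Medium floor the sample log yields four hits (the obfuscated save.php probe included) and the /HNAP1 request is ignored; lowering the floor to Low adds it. Matching on the normalised path rather than the raw request line is the difference between a rule that catches the traversal variant and one that only catches the textbook URL.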

References

The following list contains external sources which discuss the actor and the associated activities:

Literature

The following articles explain our unique predictive cyber threat intelligence:

License

(c) 1997-2024 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!