IcedID - Cyber Threat Intelligence
These indicators were reported, collected, and generated during the VulDB CTI analysis of the campaign known as IcedID. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor
Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with IcedID:
There are 18 more country items available. Please use our online service to access the data.
Actors
These actors are associated with IcedID or other actors linked to the campaign.
ID | Actor | Confidence |
---|---|---|
1 | IcedID | High |
2 | UAC-0098 | High |
3 | TA551 | High |
4 | ... | ... |
There are 2 more actor items available. Please use our online service to access the data.
IOC - Indicator of Compromise
These indicators of compromise (IOC) indicate associated network resources which are known to be part of research and attack activities of IcedID.
There are 1556 more IOC items available. Please use our online service to access the data.
TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used within IcedID. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence |
---|---|---|---|---|
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-25, CWE-425 | Pathname Traversal | High |
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High |
3 | T1055 | CWE-74 | Injection | High |
4 | T1059 | CWE-94, CWE-1321 | Cross Site Scripting | High |
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High |
6 | ... | ... | ... | ... |
There are 21 more TTP items available. Please use our online service to access the data.
IOA - Indicator of Attack
These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during IcedID. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence |
---|---|---|---|
1 | File | %SYSTEMDRIVE%\node_modules\.bin\wmic.exe | High |
2 | File | //proc/kcore | Medium |
3 | File | /admin/action/delete-vaccine.php | High |
4 | File | /admin/index2.html | High |
5 | File | /admin/save.php | High |
6 | File | /api/admin/system/store/order/list | High |
7 | File | /api/download | High |
8 | File | /api/v1/alerts | High |
9 | File | /api/v1/terminal/sessions/?limit=1 | High |
10 | File | /app/index/controller/Common.php | High |
11 | File | /app/options.py | High |
12 | File | /b2b-supermarket/shopping-cart | High |
13 | File | /bitrix/admin/ldap_server_edit.php | High |
14 | File | /category.php | High |
15 | File | /categorypage.php | High |
16 | File | /cgi-bin/vitogate.cgi | High |
17 | File | /change-language/de_DE | High |
18 | File | /debug/pprof | Medium |
19 | File | /devinfo | Medium |
20 | File | /dist/index.js | High |
21 | File | /etc/shadow.sample | High |
22 | File | /fcgi/scrut_fcgi.fcgi | High |
23 | File | /forms/doLogin | High |
24 | File | /forum/away.php | High |
25 | File | /geoserver/gwc/rest.html | High |
26 | File | /goform/formSysCmd | High |
27 | File | /HNAP1 | Low |
28 | File | /hosts/firewall/ip | High |
29 | File | /index.php/ccm/system/file/upload | High |
30 | File | /listplace/user/ticket/create | High |
31 | File | /log/decodmail.php | High |
32 | File | /mhds/clinic/view_details.php | High |
33 | File | /oauth/idp/.well-known/openid-configuration | High |
34 | File | /OA_HTML/cabo/jsps/a.jsp | High |
35 | File | /php/ping.php | High |
36 | File | /proxy | Low |
37 | File | /rest/api/latest/projectvalidate/key | High |
38 | File | /RPS2019Service/status.html | High |
39 | File | /s/index.php?action=statistics | High |
40 | File | /setting | Medium |
41 | File | /sicweb-ajax/tmproot/ | High |
42 | File | /spip.php | Medium |
43 | ... | ... | ... |
There are 371 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
Literature
The following articles explain our unique predictive cyber threat intelligence:
- VulDB Cyber Threat Intelligence Documentation
- Cyber Threat Intelligence - Early Anticipation of Attacks
License
(c) 1997-2024 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0.