cyber_threat_intelligence/actors/Dridex (README.md, Update August 2023, last modified 2023-08-01 08:06:09 +02:00)

Dridex - Cyber Threat Intelligence

These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as Dridex. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.dridex

Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Dridex:

There are 15 more country items available. Please use our online service to access the data.

IOC - Indicator of Compromise

These indicators of compromise (IOC) list associated network resources that are known to be part of the research and attack activities of Dridex.

ID IP address Hostname Campaign Confidence
1 1.234.20.244 - - High
2 1.234.21.73 - - High
3 1.235.193.138 - - High
4 2.58.16.87 - - High
5 2.80.178.251 bl19-178-251.dsl.telepac.pt - High
6 2.138.111.86 86.red-2-138-111.dynamicip.rima-tde.net - High
7 3.6.11.148 ec2-3-6-11-148.ap-south-1.compute.amazonaws.com - Medium
8 3.223.115.185 ec2-3-223-115-185.compute-1.amazonaws.com - Medium
9 5.2.70.173 - - High
10 5.9.14.91 es6-pr-no9.icpacs.eu - High
11 5.9.44.37 static.37.44.9.5.clients.your-server.de - High
12 5.9.188.148 mta5.offerteora.com - High
13 5.39.99.208 - - High
14 5.39.222.84 - - High
15 5.39.222.87 - - High
16 5.39.222.102 insideappple.com - High
17 5.44.45.177 miha922.ru - High
18 5.45.179.186 - - High
19 5.79.75.41 hosted-by.leaseweb.com - High
20 5.83.45.48 - - High
21 5.100.228.233 vps.hegeman.com - High
22 5.135.167.231 ks3321292.kimsufi.com - High
23 5.135.182.4 git.dev-sixtrone.com - High
24 5.149.248.19 bmc.srv18.swdc.ams1.nl.fortunix.net - High
25 5.181.158.4 no-rdns.mivocloud.com - High
26 5.181.158.185 eptgaconvic.arveanrackfli.nginpu185tcpy.cyclegakemtirebe.com - High
27 5.181.158.186 iveclot186hefry.salvecra.vedescribeoff.cyclegakemtirebe.com - High
28 5.181.158.187 thrivebeau.ywringimmateg.espen187dsca.cyclegakemtirebe.com - High
29 5.189.144.136 box.wellspring.ltd - High
30 5.189.150.29 vmi40990.contabo.host - High
31 5.189.181.107 vmi354699.contaboserver.net - High
32 5.189.190.214 vmi810936.contaboserver.net - High
33 5.196.204.251 front4.ziofix.net - High
34 5.196.213.55 nas.iris-it.fr - High
35 5.199.162.48 mail.nusipirkti.lt - High
36 5.199.174.90 shared111.mvps.eu - High
37 8.4.9.152 host-8-4-9-152.onlinehorizons.net - High
38 8.210.53.215 - - High
39 8.248.159.254 - - High
40 8.249.217.254 - - High
41 8.249.223.254 - - High
42 8.249.233.254 - - High
43 8.253.45.214 - - High
44 8.253.45.249 - - High
45 8.253.131.120 - - High
46 8.253.131.121 - - High
47 8.253.132.120 - - High
48 8.253.156.121 - - High
49 12.52.64.10 - - High
50 13.32.240.71 server-13-32-240-71.ams50.r.cloudfront.net - High
51 13.224.102.99 server-13-224-102-99.zrh50.r.cloudfront.net - High
52 13.224.195.149 server-13-224-195-149.fra2.r.cloudfront.net - High
53 13.225.87.14 server-13-225-87-14.fra2.r.cloudfront.net - High
54 13.226.211.115 server-13-226-211-115.lax50.r.cloudfront.net - High
55 14.98.183.4 static-4.183.98.14-tataidc.co.in - High
56 18.195.23.231 ec2-18-195-23-231.eu-central-1.compute.amazonaws.com - Medium
57 23.3.13.88 a23-3-13-88.deploy.static.akamaitechnologies.com - High
58 23.3.13.153 a23-3-13-153.deploy.static.akamaitechnologies.com - High
59 23.3.13.154 a23-3-13-154.deploy.static.akamaitechnologies.com - High
60 23.3.13.155 a23-3-13-155.deploy.static.akamaitechnologies.com - High
61 23.3.13.160 a23-3-13-160.deploy.static.akamaitechnologies.com - High
62 23.21.48.44 ec2-23-21-48-44.compute-1.amazonaws.com - Medium
63 23.46.238.194 a23-46-238-194.deploy.static.akamaitechnologies.com - High
64 23.46.239.17 a23-46-239-17.deploy.static.akamaitechnologies.com - High
65 23.46.239.18 a23-46-239-18.deploy.static.akamaitechnologies.com - High
66 23.148.145.208 geo1n3.yourtekpro.com - High
67 23.160.192.125 unknown.ip-xfer.net - High
68 23.199.71.136 a23-199-71-136.deploy.static.akamaitechnologies.com - High
69 23.199.71.147 a23-199-71-147.deploy.static.akamaitechnologies.com - High
70 23.199.71.169 a23-199-71-169.deploy.static.akamaitechnologies.com - High
71 23.199.71.185 a23-199-71-185.deploy.static.akamaitechnologies.com - High
72 23.199.71.208 a23-199-71-208.deploy.static.akamaitechnologies.com - High
73 23.227.202.174 23-227-202-174.static.hvvc.us - High
74 23.227.203.228 23-227-203-228.static.hvvc.us - High
75 23.227.203.229 23-227-203-229.static.hvvc.us - High
76 23.246.204.126 7e.cc.f617.ip4.static.sl-reverse.com - High
77 23.253.208.162 - - High
78 23.254.211.213 client-23-254-211-213.hostwindsdns.com - High
79 23.254.215.238 hwsrv-900801.hostwindsdns.com - High
80 23.254.217.168 client-23-254-217-168.hostwindsdns.com - High
81 23.254.247.5 hwsrv-936430.hostwindsdns.com - High
82 23.254.247.55 client-23-254-247-55.hostwindsdns.com - High
83 24.40.243.66 24-40-243-66.fidnet.com - High
84 24.229.3.146 - - High
85 27.60.164.164 - - High
86 31.14.41.212 a856-motor.variouloco.com - High
87 31.14.41.213 gain-compress.variouloco.com - High
88 31.14.41.214 a277-exist.variouloco.com - High
89 31.14.41.215 dubaibuildings.com - High
90 31.24.30.65 - - High
91 31.24.158.56 bm.servidoresdedicados.com - High
92 31.41.45.197 andrewhrenov.example.com - High
93 31.42.177.51 antiques.managerpray.uk - High
94 31.42.177.52 touch.managerpray.uk - High
95 31.220.49.39 - - High
96 37.1.208.21 - - High
97 37.1.215.144 - - High
98 37.34.58.210 37-34-58-210.colo.transip.net - High
99 37.49.230.49 - - High
100 37.59.52.64 ns3265174.ip-37-59-52.eu - High
101 37.59.74.180 - - High
102 37.59.103.148 148.ip-37-59-103.eu - High
103 37.120.222.56 - - High
104 37.120.239.185 - - High
105 37.187.114.15 ns328458.ip-37-187-114.eu - High
106 37.187.115.122 ns328855.ip-37-187-115.eu - High
107 37.205.9.252 s1.ithelp24.eu - High
108 37.247.35.130 earthquake.kenic.nl - High
109 37.247.35.132 ns2.djhost.nl - High
110 37.247.35.137 klanten.kenic.nl - High
111 40.122.160.14 - - High
112 41.76.108.46 - - High
113 42.112.35.46 - - High
114 43.229.206.212 212.subnet43-229-206.static.inet.net.id - High
115 43.229.206.214 214.subnet43-229-206.static.inet.net.id - High
116 43.229.206.244 244.subnet43-229-206.static.inet.net.id - High
117 45.32.243.209 45.32.243.209.vultrusercontent.com - High
118 45.33.20.41 45-33-20-41.ip.linodeusercontent.com - High
119 45.33.33.91 45-33-33-91.ip.linodeusercontent.com - High
120 45.33.94.33 45-33-94-33.ip.linodeusercontent.com - High
121 45.55.134.126 - - High
122 45.55.154.235 - - High
123 45.55.180.84 - - High
124 45.56.121.87 45-56-121-87.ip.linodeusercontent.com - High
125 45.58.56.12 - - High
126 45.63.36.79 45.63.36.79.vultrusercontent.com - High
127 45.73.148.28 - - High
128 45.76.176.10 45.76.176.10.vultrusercontent.com - High
129 45.77.0.96 45.77.0.96.vultrusercontent.com - High
130 45.79.8.25 li1107-25.members.linode.com - High
131 45.79.33.48 li1132-48.members.linode.com - High
132 45.79.80.198 45-79-80-198.ip.linodeusercontent.com - High
133 45.79.91.89 li1190-89.members.linode.com - High
134 45.79.248.254 45-79-248-254.ip.linodeusercontent.com - High
135 45.80.173.80 host80-173-80-45.convergenze.it - High
136 45.122.223.13 mx22313.vhost.vn - High
137 45.123.40.54 - - High
138 45.129.96.9 647972-vds-gavenkoa.gmhost.pp.ua - High
139 45.153.241.113 - - High
140 45.177.120.36 mail.netlimit.net.br - High
141 45.184.36.10 - - High
142 46.4.83.131 websrv.inforlandia.pt - High
143 46.4.232.200 static.200.232.4.46.clients.your-server.de - High
144 46.36.217.227 - - High
145 46.41.130.218 - - High
146 46.55.222.10 - - High
147 46.101.90.205 - - High
148 46.101.98.60 - - High
149 46.101.142.214 - - High
150 46.101.175.170 - - High
151 46.101.182.168 - - High
152 46.101.216.218 - - High
153 46.105.131.65 - - High
154 46.105.131.73 dns2.adven.fr - High
155 46.105.131.78 mysql.adven.fr - High
156 46.231.204.10 anb.dnh.net - High
157 50.21.183.143 mail.coopvr.com - High
158 50.28.35.36 lprod03.ilsols.com - High
159 50.116.27.97 50-116-27-97.ip.linodeusercontent.com - High
160 50.116.54.215 50-116-54-215.ip.linodeusercontent.com - High
161 50.116.62.25 inserthero2.inserthero.com - High
162 50.116.109.66 van.vanrise.com - High
163 50.116.111.64 car.careerraiser.com - High
164 50.243.30.51 50-243-30-51-static.hfc.comcastbusiness.net - High
165 50.249.212.98 50-249-212-98-static.hfc.comcastbusiness.net - High
166 51.15.176.55 stockage.chapaux.cloud - High
167 51.38.124.206 206.ip-51-38-124.eu - High
168 51.68.138.110 110.ip-51-68-138.eu - High
169 51.75.24.85 85.ip-51-75-24.eu - High
170 51.75.77.27 vps-4ba9229f.vps.ovh.net - High
171 51.75.162.188 vps-9a7ec249.vps.ovh.net - High
172 51.77.82.110 web001.xwebsrv.de - High
173 51.79.50.122 adriana.mentyx.com - High
174 51.79.166.3 vps-66c10039.vps.ovh.ca - High
175 51.81.254.89 - - High
176 51.83.3.52 shde-2c579.serverlet.com - High
177 51.83.47.27 vps-769ce14c.vps.ovh.net - High
178 51.91.76.89 89.ip-51-91-76.eu - High
179 51.91.156.39 39.ip-51-91-156.eu - High
180 51.159.52.196 51-159-52-196.rev.poneytelecom.eu - High
181 51.178.161.32 srv-web.ffconsulting.com - High
182 51.254.95.252 ip252.ip-51-254-95.eu - High
183 51.254.140.238 238.ip-51-254-140.eu - High
184 51.255.165.160 160.ip-51-255-165.eu - High
185 52.73.70.149 ec2-52-73-70-149.compute-1.amazonaws.com - Medium
186 52.114.132.73 - - High
187 52.222.136.27 server-52-222-136-27.ams50.r.cloudfront.net - High
188 52.222.136.102 server-52-222-136-102.ams50.r.cloudfront.net - High
189 52.222.136.174 server-52-222-136-174.ams50.r.cloudfront.net - High
190 ... ... ... ...

There are 757 more IOC items available. Please use our online service to access the data.

TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used by Dridex. This data is unique as it uses our predictive model for actor profiling.

ID Technique Weakness Description Confidence
1 T1006 CWE-21, CWE-22, CWE-23, CWE-24, CWE-28 Pathname Traversal High
2 T1040 CWE-294, CWE-319 Authentication Bypass by Capture-replay High
3 T1055 CWE-74 Injection High
4 T1059 CWE-88, CWE-94, CWE-1321 Cross Site Scripting High
5 T1059.007 CWE-79, CWE-80 Cross Site Scripting High
6 ... ... ... ...

There are 19 more TTP items available. Please use our online service to access the data.

IOA - Indicator of Attack

These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Dridex. This data is unique as it uses our predictive model for actor profiling.

ID Type Indicator Confidence
1 File /?p=products Medium
2 File /admin.php/accessory/filesdel.html High
3 File /admin/?page=user/manage High
4 File /admin/add-new.php High
5 File /admin/doctors.php High
6 File /admin/submit-articles High
7 File /alphaware/summary.php High
8 File /api/ Low
9 File /api/admin/store/product/list High
10 File /api/stl/actions/search High
11 File /api/sys_username_passwd.cmd High
12 File /api/v2/cli/commands High
13 File /apply.cgi Medium
14 File /attachments Medium
15 File /bin/ate Medium
16 File /boat/login.php High
17 File /booking/show_bookings/ High
18 File /bsms_ci/index.php/book High
19 File /cgi-bin Medium
20 File /cgi-bin/supervisor/PwdGrp.cgi High
21 File /cgi-bin/wlogin.cgi High
22 File /context/%2e/WEB-INF/web.xml High
23 File /debug/pprof Medium
24 File /env Low
25 File /etc/hosts Medium
26 File /eval/admin/manage_class.php High
27 File /forum/away.php High
28 File /medicines/profile.php High
29 File /modules/caddyhttp/rewrite/rewrite.go High
30 File /php-sms/admin/?page=user/manage_user High
31 File /proxy Low
32 File /reservation/add_message.php High
33 File /spip.php Medium
34 File /tmp Low
35 File /user/updatePwd High
36 File /vendor/htmlawed/htmlawed/htmLawedTest.php High
37 File /video-sharing-script/watch-video.php High
38 ... ... ...

There are 323 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

References

The following list contains external sources which discuss the actor and the associated activities:

Literature

The following articles explain our unique predictive cyber threat intelligence:

License

(c) 1997-2023 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!