cyber_threat_intelligence/actors/IcedID
README.md Update August 2023 2023-08-01 08:06:09 +02:00

IcedID - Cyber Threat Intelligence

These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as IcedID. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.icedid

Campaigns

The following campaigns are known and can be associated with IcedID:

  • Cobalt Strike
  • Nokoyawa

Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with IcedID:

There are 14 more country items available. Please use our online service to access the data.

IOC - Indicator of Compromise

These indicators of compromise (IOC) indicate associated network resources which are known to be part of research and attack activities of IcedID.

ID IP address Hostname Campaign Confidence
1 2.56.177.14 2-56-177-14.serversfinder.com - High
2 2.56.177.122 2-56-177-122.serversfinder.com - High
3 5.2.65.217 - - High
4 5.2.67.119 - - High
5 5.2.70.56 - - High
6 5.2.70.89 - - High
7 5.2.74.83 - - High
8 5.2.75.126 - - High
9 5.2.75.189 - - High
10 5.2.76.156 - - High
11 5.2.77.232 - - High
12 5.2.78.150 - - High
13 5.2.79.7 - - High
14 5.2.79.218 - - High
15 5.34.180.162 - - High
16 5.34.181.34 vds-842965.hosted-by-itldc.com - High
17 5.34.181.44 vds-950771.hosted-by-itldc.com - High
18 5.39.63.101 - - High
19 5.39.63.102 - - High
20 5.39.222.193 - - High
21 5.39.223.131 - - High
22 5.39.223.134 - - High
23 5.61.32.172 - - High
24 5.61.34.133 mta3.mailup.ru - High
25 5.61.34.153 - - High
26 5.61.36.120 - - High
27 5.61.36.180 - - High
28 5.61.37.89 mailer.ampm.casino - High
29 5.61.37.224 - - High
30 5.61.40.78 - - High
31 5.61.42.115 0.0.0.0 - High
32 5.61.42.123 stirok.ru - High
33 5.61.42.128 - - High
34 5.61.43.172 - - High
35 5.61.43.191 b3.bareandblushy.com - High
36 5.61.44.146 - - High
37 5.61.44.218 - - High
38 5.61.44.234 - - High
39 5.61.45.179 - - High
40 5.61.46.161 - - High
41 5.61.46.164 - - High
42 5.61.61.35 - - High
43 5.135.255.246 - - High
44 5.144.132.47 47-132-144-5.static.hostiran.name - High
45 5.149.252.179 hnh7.arenal.xyz - High
46 5.181.27.192 gcl-lon.com - High
47 5.181.80.213 ip-80-213-bullethost.net - High
48 5.181.80.215 anelpones.xyz - High
49 5.181.80.218 ip-80-218-bullethost.net - High
50 5.188.0.52 saycain.example.com - High
51 5.188.93.137 free.ds - High
52 5.196.103.145 - - High
53 5.196.196.251 - - High
54 5.196.196.252 - - High
55 5.199.162.56 - - High
56 5.199.162.81 - - High
57 5.199.162.123 - - High
58 5.199.162.162 - - High
59 5.199.162.166 - - High
60 5.199.162.174 - - High
61 5.199.162.235 - - High
62 5.199.168.14 - - High
63 5.199.168.24 - - High
64 5.199.168.34 - - High
65 5.199.168.125 - - High
66 5.199.168.213 - - High
67 5.199.168.214 - - High
68 5.199.168.255 - - High
69 5.199.173.20 - - High
70 5.199.173.24 - - High
71 5.199.173.27 - - High
72 5.199.173.29 - - High
73 5.199.173.51 - - High
74 5.199.173.107 - - High
75 5.199.173.120 - - High
76 5.199.173.141 - - High
77 5.199.173.150 - - High
78 5.199.173.162 - - High
79 5.199.173.173 - - High
80 5.199.173.210 - - High
81 5.199.173.217 - - High
82 5.199.173.233 - - High
83 5.199.173.234 - - High
84 5.199.174.189 - - High
85 5.199.174.232 - - High
86 5.199.174.234 - - High
87 5.206.224.50 ko.pro - High
88 5.206.224.239 aqualisbra.com - High
89 5.206.227.5 jiojoip.com - High
90 5.230.57.30 - - High
91 5.230.57.194 - - High
92 5.230.66.157 - - High
93 5.230.67.128 placeholder.noezserver.de - High
94 5.230.67.227 placeholder.noezserver.de - High
95 5.230.68.22 pleasantly.autocraftz.biz - High
96 5.230.68.48 ounahiskills.co.uk - High
97 5.230.68.66 fracturedprunesurfcitync.com - High
98 5.230.68.163 placeholder.noezserver.de - High
99 5.230.68.190 ua190.ualist.com - High
100 5.230.70.43 placeholder.noezserver.de - High
101 5.230.70.57 placeholder.noezserver.de - High
102 5.230.70.135 placeholder.noezserver.de - High
103 5.230.70.140 placeholder.noezserver.de - High
104 5.230.70.146 placeholder.noezserver.de - High
105 5.230.71.72 placeholder.noezserver.de - High
106 5.230.72.37 placeholder.noezserver.de - High
107 5.230.72.131 placeholder.noezserver.de - High
108 5.230.72.158 placeholder.noezserver.de - High
109 5.230.73.61 placeholder.noezserver.de - High
110 5.230.73.139 - - High
111 5.230.73.157 - - High
112 5.230.73.172 - - High
113 5.230.73.200 placeholder.noezserver.de - High
114 5.230.73.244 placeholder.noezserver.de - High
115 5.230.74.71 - - High
116 5.230.74.153 placeholder.noezserver.de - High
117 5.230.74.202 - - High
118 5.230.74.203 - - High
119 5.230.74.223 placeholder.noezserver.de - High
120 5.230.74.242 - - High
121 5.230.75.11 - - High
122 5.230.75.134 placeholder.noezserver.de - High
123 5.230.75.188 - - High
124 5.230.75.247 ma247.manidatravel.com - High
125 5.230.76.44 - - High
126 5.230.76.198 - - High
127 5.230.78.208 - - High
128 5.252.23.141 mail.exclusive-meetingg.com - High
129 5.252.177.10 no-rdns.mivocloud.com - High
130 5.252.177.13 no-rdns.mivocloud.com - High
131 5.252.177.59 no-rdns.mivocloud.com - High
132 5.252.177.65 no-rdns.mivocloud.com - High
133 5.252.177.103 no-rdns.mivocloud.com - High
134 5.252.177.106 bestsevenreviews.com - High
135 5.252.177.107 no-rdns.mivocloud.com - High
136 5.252.177.233 5-252-177-233.mivocloud.com - High
137 5.252.178.142 no-rdns.mivocloud.com - High
138 5.255.98.126 - - High
139 5.255.99.21 - - High
140 5.255.99.51 - - High
141 5.255.99.108 - - High
142 5.255.100.8 - - High
143 5.255.100.32 - - High
144 5.255.100.55 - - High
145 5.255.100.65 - - High
146 5.255.100.207 chronostech.io - High
147 5.255.100.250 - - High
148 5.255.101.31 - - High
149 5.255.101.68 - - High
150 5.255.102.88 - - High
151 5.255.102.167 - - High
152 5.255.103.75 - - High
153 5.255.103.108 - - High
154 5.255.103.144 - - High
155 5.255.103.245 - - High
156 5.255.104.11 - - High
157 5.255.104.22 - - High
158 5.255.104.45 - - High
159 5.255.104.52 - - High
160 5.255.104.93 - - High
161 5.255.104.97 - - High
162 5.255.104.113 - - High
163 5.255.104.120 - - High
164 5.255.104.130 - - High
165 5.255.104.143 - - High
166 5.255.104.145 - - High
167 5.255.104.153 - - High
168 5.255.104.184 - - High
169 5.255.104.220 - - High
170 5.255.104.233 - - High
171 5.255.105.55 - - High
172 5.255.105.239 - - High
173 5.255.106.72 - - High
174 5.255.106.78 smtp.gespollas.com - High
175 5.255.106.136 - - High
176 5.255.106.240 - - High
177 5.255.107.149 - - High
178 5.255.109.46 - - High
179 5.255.109.175 - - High
180 5.255.110.177 - - High
181 5.255.111.220 - - High
182 5.255.113.157 - - High
183 5.255.115.226 - - High
184 5.255.119.21 - - High
185 5.255.120.33 - - High
186 5.255.122.79 - - High
187 5.255.124.55 - - High
188 6.43.51.17 - - High
189 8.39.147.62 vyc1.achlycole.org.uk - High
190 23.82.128.186 - - High
191 23.82.128.215 - - High
192 23.88.35.240 static.240.35.88.23.clients.your-server.de - High
193 23.106.124.26 - - High
194 23.106.124.168 - - High
195 23.106.124.181 - - High
196 23.106.215.93 - - High
197 23.160.193.140 unknown.ip-xfer.net - High
198 23.227.202.165 23-227-202-165.static.hvvc.us - High
199 23.227.203.131 23-227-203-131.static.hvvc.us - High
200 23.227.206.161 23-227-206-161.static.hvvc.us - High
201 23.227.206.195 23-227-206-195.static.hvvc.us - High
202 23.254.202.234 hwsrv-1055605.hostwindsdns.com - High
203 23.254.211.137 hwsrv-1045976.hostwindsdns.com - High
204 23.254.224.115 hwsrv-1031288.hostwindsdns.com - High
205 23.254.224.148 client-23-254-224-148.hostwindsdns.com - High
206 23.254.226.152 hwsrv-1069457.hostwindsdns.com - High
207 23.254.229.208 hwsrv-1015537.hostwindsdns.com - High
208 23.254.253.106 WIN-KP9WSUDC4N.com - High
209 31.13.195.119 sm.cfconsult.net - High
210 31.13.195.127 - - High
211 31.24.224.12 1f18e00c.setaptr.net - High
212 31.24.228.170 31.24.228.170.static.midphase.com - High
213 31.184.199.11 dalesmanager.com - High
214 37.1.192.40 - - High
215 37.1.193.136 webcomdition.com - High
216 37.1.195.84 - - High
217 37.1.195.238 autoreflash.com - High
218 37.1.205.217 - - High
219 37.1.208.48 reveltip.com - High
220 37.1.213.234 - - High
221 37.1.221.209 - - High
222 37.46.129.17 info50.fvds.ru - High
223 37.61.229.95 zeno.igorclark.net - High
224 37.120.222.100 - - High
225 37.221.115.12 - - High
226 37.235.55.75 75.55.235.37.in-addr.arpa - High
227 37.235.55.103 103.55.235.37.in-addr.arpa - High
228 37.235.56.30 30.56.235.37.in-addr.arpa - High
229 37.235.56.37 37.56.235.37.in-addr.arpa - High
230 37.235.56.94 94.56.235.37.in-addr.arpa - High
231 37.235.56.185 185.56.235.37.in-addr.arpa - High
232 37.252.5.228 - - High
233 37.252.6.77 - - High
234 37.252.10.231 - - High
235 37.252.11.170 - - High
236 37.252.11.221 - - High
237 38.180.0.89 - - High
238 38.180.8.107 - - High
239 38.180.8.169 - - High
240 38.180.34.14 - - High
241 45.11.19.121 - - High
242 45.11.19.168 - - High
243 45.11.182.61 - - High
244 45.11.182.114 - - High
245 45.11.182.115 - - High
246 45.11.182.117 - - High
247 45.11.182.118 - - High
248 45.11.182.119 - - High
249 45.11.182.120 - - High
250 45.11.182.121 - - High
251 45.12.109.136 kemp.strongwallsys.com - High
252 45.12.109.195 ryan.earthbroadcasting.com - High
253 45.12.109.221 weaver.earthbroadcasting.com - High
254 45.12.139.90 - - High
255 45.15.161.254 - - High
256 45.41.204.5 fastshipus.xyz - High
257 45.55.42.13 - - High
258 45.55.53.206 - - High
259 45.55.56.244 - - High
260 45.61.136.6 - - High
261 45.61.136.193 - - High
262 45.61.137.119 - - High
263 45.61.137.159 - - High
264 45.61.137.220 svenska.re - High
265 45.61.138.171 - - High
266 45.61.138.175 - - High
267 45.61.138.181 - - High
268 45.61.138.227 - - High
269 45.61.139.138 - - High
270 45.61.139.144 - - High
271 45.61.139.179 - - High
272 45.61.139.196 - - High
273 45.61.139.235 - - High
274 45.61.139.243 - - High
275 45.66.248.7 mta0.burjeela.gq - High
276 45.66.248.37 mta0.quarrantinereport-center.gq - High
277 45.66.248.69 outbound5.imaille.com - High
278 45.66.248.71 - - High
279 45.66.248.79 mta0.coldspikes.autos - High
280 45.66.248.119 finixdeal.com Nokoyawa High
281 45.66.248.148 QuanTs.defaultproduct.com - High
282 45.66.248.244 mta0.axminster-carpets.cf - High
283 45.66.249.26 8axj5rsx1e.marketingforbreweries.com - High
284 45.66.249.221 mta0.lizengeneering.com - High
285 45.67.231.235 am-tun2.warwish.pro - High
286 45.82.247.87 - - High
287 45.82.247.121 - - High
288 45.82.247.148 prostatehealth.click - High
289 45.82.251.34 - - High
290 45.82.251.36 - - High
291 45.82.251.44 - - High
292 45.86.229.46 - - High
293 45.86.229.94 - - High
294 45.86.229.105 1lf7cf33e.northernstarmarketing.com - High
295 45.86.229.180 - - High
296 45.86.229.253 32l.edUcated-352.insuranceforourfamily.com - High
297 45.86.230.43 google.com - High
298 45.86.230.141 mta0.ungho.cf - High
299 45.86.230.149 - - High
300 45.86.230.181 - - High
301 45.86.231.210 - - High
302 45.87.154.181 vm.solutions - High
303 45.88.221.211 - - High
304 45.89.98.138 ruiz.thegamersnet.com - High
305 45.89.107.120 d120.lifedigitz.com - High
306 45.92.162.84 butler.egnerarch.com - High
307 45.92.163.123 vars-long-kks.currishfine.com - High
308 45.92.163.233 landing-messy.samewaged.com - High
309 ... ... ... ...

There are 1231 more IOC items available. Please use our online service to access the data.

TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used by IcedID. This data is unique as it uses our predictive model for actor profiling.

ID Technique Weakness Description Confidence
1 T1006 CWE-21, CWE-22, CWE-23 Pathname Traversal High
2 T1040 CWE-294, CWE-319 Authentication Bypass by Capture-replay High
3 T1055 CWE-74 Injection High
4 T1059 CWE-88, CWE-94 Cross Site Scripting High
5 T1059.007 CWE-79, CWE-80 Cross Site Scripting High
6 ... ... ... ...

There are 22 more TTP items available. Please use our online service to access the data.

IOA - Indicator of Attack

These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by IcedID. This data is unique as it uses our predictive model for actor profiling.

ID Type Indicator Confidence
1 File //proc/kcore Medium
2 File /admin.php/Admin/adminadd.html High
3 File /Admin/add-student.php High
4 File /admin/addemployee.php High
5 File /admin/maintenance/view_designation.php High
6 File /admin/settings/save.php High
7 File /admin/userprofile.php High
8 File /api/ Low
9 File /api/baskets/{name} High
10 File /api/RecordingList/DownloadRecord?file= High
11 File /api/sys_username_passwd.cmd High
12 File /apply.cgi Medium
13 File /card_scan.php High
14 File /cgi-bin/wlogin.cgi High
15 File /College/admin/teacher.php High
16 File /Controls/Generic/EBMK/Handlers/EStatements/DownloadEStatement.ashx High
17 File /cwc/login Medium
18 File /dcim/rack-roles/ High
19 File /debug/pprof Medium
20 File /etc/quagga Medium
21 File /forms/doLogin High
22 File /forum/away.php High
23 File /goform/addUserName High
24 File /goform/aspForm High
25 File /goform/delAd High
26 File /goform/wifiSSIDset High
27 File /gpac/src/bifs/unquantize.c High
28 File /h/calendar Medium
29 File /inc/topBarNav.php High
30 File /index.asp Medium
31 File /index.php Medium
32 File /index.php?app=main&func=passport&action=login High
33 File /jfinal_cms/system/role/list High
34 File /kelas/data Medium
35 File /management/api/rcx_management/global_config_query High
36 File /members/view_member.php High
37 File /mkshop/Men/profile.php High
38 File /Moosikay/order.php High
39 File /nova/bin/console High
40 File /nova/bin/detnet High
41 ... ... ...

There are 358 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

References

The following list contains external sources which discuss the actor and the associated activities:

Literature

The following articles explain our unique predictive cyber threat intelligence:

License

(c) 1997-2023 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!