Thawing IcedID Out through a DNS Analysis | WhoisXML API

The current threat landscape continuously proves that the theory of evolution also applies to malware. The latest proof? IcedID, which went from being a run-of-the-mill banking trojan to a ransomware dropper.

More than 50 IP addresses and domains were publicly listed [1, 2, 3, 4] as IcedID indicators of compromise (IoCs). WhoisXML API researchers subjected them to a DNS intelligence analysis to uncover more connected artifacts, including:

  • Five unredacted email addresses historically used to register some of the domains identified as IoCs
  • 44 domains registered using some of the registrant email addresses
  • 22 domains resolving to IP addresses tagged as IoCs
  • 33 domains sharing the same IP resolutions as some of the domains classified as IoCs
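The four pivots listed above (registrant email from historical WHOIS, reverse WHOIS on those emails, reverse IP on IoC addresses, and reverse IP on the addresses the IoC domains resolve to) can be scripted against any WHOIS-history and passive-DNS data you have. The block below is an added illustration, not WhoisXML API's own tooling or the report's data: every domain, IP and email in it is constructed (RFC 2606 reserved names and documentation IP ranges), and the `max_domains_per_ip` threshold is an assumed heuristic for skipping shared-hosting addresses that would otherwise drag in unrelated tenants.

```python
"""Expand a seed IoC set through WHOIS-history and passive-DNS pivots.

Added example with constructed data; not the report's IoC list and not
WhoisXML API code. Inputs mimic the shape of a WHOIS-history export
(domain -> registrant emails over time) and a passive-DNS export
(domain -> A records seen).
"""
from collections import defaultdict

# --- constructed seed IoCs (hypothetical) ---------------------------------
SEED_DOMAINS = {"loader-a.example", "loader-b.example"}
SEED_IPS = {"192.0.2.10", "198.51.100.7"}

# Constructed WHOIS history: one privacy-redacted entry, one real mailbox.
WHOIS_HISTORY = {
    "loader-a.example": ["REDACTED FOR PRIVACY", "ops@mailer.example"],
    "loader-b.example": ["ops@mailer.example"],
    "panel-c.example": ["ops@mailer.example"],
    "shop-d.example": ["owner@shop.example"],
    "stage-e.example": ["ops@mailer.example"],
}

# Constructed passive DNS. SHARED_IP simulates a hosting provider address
# with many unrelated tenants, so a naive reverse-IP pivot would over-match.
SHARED_IP = "203.0.113.200"
DNS_RESOLUTIONS = {
    "loader-a.example": {"192.0.2.10"},
    "loader-b.example": {"203.0.113.5", SHARED_IP},
    "panel-c.example": {"192.0.2.10"},
    "shop-d.example": {"203.0.113.99"},
    "stage-e.example": {"203.0.113.5"},
    "cdn-f.example": {"198.51.100.7", "203.0.113.5"},
}
for i in range(60):  # unrelated tenants on the shared address
    DNS_RESOLUTIONS[f"tenant-{i}.example"] = {SHARED_IP}


def is_unredacted(email):
    """True for a usable mailbox; drops WHOIS privacy placeholders."""
    low = email.lower()
    return "@" in low and "redacted" not in low and "privacy" not in low


def reverse_whois(whois_history):
    """email -> domains that listed it as registrant at any point."""
    idx = defaultdict(set)
    for domain, emails in whois_history.items():
        for email in emails:
            if is_unredacted(email):
                idx[email.lower()].add(domain)
    return idx


def reverse_ip(dns_resolutions):
    """ip -> domains that resolved to it."""
    idx = defaultdict(set)
    for domain, ips in dns_resolutions.items():
        for ip in ips:
            idx[ip].add(domain)
    return idx


def pivot_on_ips(ips, rip, seeds, max_domains_per_ip):
    """Reverse-IP pivot that skips addresses hosting too many domains
    (assumed shared-hosting heuristic); seeds are excluded from results."""
    found = set()
    for ip in ips:
        hosted = rip.get(ip, set())
        if max_domains_per_ip is not None and len(hosted) > max_domains_per_ip:
            continue  # crowded address: treat as shared infrastructure
        found |= hosted
    return found - seeds


def expand_iocs(seed_domains, seed_ips, whois_history, dns_resolutions,
                max_domains_per_ip=50):
    """Return the four artifact categories described in the report."""
    rwhois = reverse_whois(whois_history)
    rip = reverse_ip(dns_resolutions)

    # 1. unredacted registrant emails seen on the IoC domains
    emails = {e.lower() for d in seed_domains
              for e in whois_history.get(d, []) if is_unredacted(e)}
    # 2. other domains registered with those emails
    by_registrant = set().union(*(rwhois.get(e, set()) for e in emails)) - seed_domains
    # 3. domains resolving to IP addresses tagged as IoCs
    on_ioc_ips = pivot_on_ips(seed_ips, rip, seed_domains, max_domains_per_ip)
    # 4. domains sharing resolutions with the IoC domains
    ioc_domain_ips = set().union(*(dns_resolutions.get(d, set()) for d in seed_domains))
    sharing = pivot_on_ips(ioc_domain_ips, rip, seed_domains, max_domains_per_ip)

    return {
        "registrant_emails": emails,
        "domains_by_registrant": by_registrant,
        "domains_on_ioc_ips": on_ioc_ips,
        "domains_sharing_resolutions": sharing,
    }


if __name__ == "__main__":
    for key, value in expand_iocs(SEED_DOMAINS, SEED_IPS, WHOIS_HISTORY,
                                  DNS_RESOLUTIONS).items():
        print(f"{key}: {sorted(value)}")
```

Connected is not the same as malicious: a domain sharing a registrant mailbox or an IP with an IoC is a lead for further review, not a block decision on its own, which is why the shared-hosting threshold is exposed as a parameter and why each category is returned separately rather than merged into one list.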

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

  • [1] https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol-part-2
  • [2] https://otx.alienvault.com/pulse/64cb26ac4990112e3f9e662f
  • [3] https://otx.alienvault.com/pulse/64c5cf320a92c0bdc8ab9068
  • [4] https://otx.alienvault.com/pulse/6401246d57e5b0d2ff1c6c58