www.netresec.com Open in urlscan Pro
2a02:4a8:ac24:137::105:80 Public Scan

Go To Rescan
Add Verdict Report

URL:
https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol
Submission Tags: test
Submission: On November 01 via api (November 1st 2024, 12:28:52 am UTC) from GB — Scanned from GB

Summary HTTP 19 Redirects Links 23 Behaviour Indicators

Summary

This website contacted 1 IPs in 1 countries across 1 domains to perform 19 HTTP transactions. The main IP is 2a02:4a8:ac24:137::105:80, located in Czech Republic and belongs to ACTIVE24-AS www.active24.cz, CZ. The main domain is www.netresec.com.
TLS certificate: Issued by R11 on September 14th 2024. Valid for: 3 months.

This is the only time www.netresec.com was scanned on urlscan.io!

urlscan.io Verdict: No classification

Domain & IP information

	IP Address		AS Autonomous System
19	2a02:4a8:ac24... 2a02:4a8:ac24:137::105:80		25234 (ACTIVE24-...) (ACTIVE24-AS www.active24.cz)
19	1

19 2a02:4a8:ac24:137::105:80 (Czech Republic)

ASN25234 (ACTIVE24-AS www.active24.cz, CZ)

www.netresec.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
19	netresec.com www.netresec.com	575 KB
19	1

	Domain	Requested by
19	www.netresec.com	www.netresec.com
19	1

This site contains links to these domains. Also see Links.

Domain
netresec.com
www.malware-traffic-analysis.net
infosec.exchange
malware-traffic-analysis.net
blog.group-ib.com
nikpx.github.io
www.rfc-editor.org
twitter.com
www.binarydefense.com
www.virustotal.com
networkforensic.dk
web.archive.org
news.google.com
feeds.feedburner.com
x.com

Subject Issuer	Validity	Valid
www.netresec.com R11	`2024-09-14` - `2024-12-13`	3 months	crt.sh

This page contains 1 frames:

Primary Page: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol
Frame ID: 0A6C90F53E2C0B3CF49E314FABD4EBEB
Requests: 19 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page Title

IcedID BackConnect Protocol

Page Statistics

19
Requests

100 %
HTTPS

100 %
IPv6

1
Domains

1
Subdomains

1
IPs

1
Countries

575 kB
Transfer

602 kB
Size

0
Cookies

23 Outgoing links

These are links going to different origins than the main page.

URL: https://netresec.com/?b=2296553
Title: Hunting for C2 Traffic

Search URL Search Domain Scan URL

URL: https://www.malware-traffic-analysis.net/2022/10/31/index.html
Title: new pcap

Search URL Search Domain Scan URL

URL: https://infosec.exchange/@malware_traffic/110193427412785661
Title: suggestion in a toot

Search URL Search Domain Scan URL

URL: https://malware-traffic-analysis.net/2022/06/07/index2.html
Title: QakBot

Search URL Search Domain Scan URL

URL: https://malware-traffic-analysis.net/2021/11/05/index.html
Title: Bazar

Search URL Search Domain Scan URL

URL: https://netresec.com/?b=23A41e6
Title: NetworkMiner 2.8.1

Search URL Search Domain Scan URL

URL: https://blog.group-ib.com/icedid
Title: Group-IB

Search URL Search Domain Scan URL

URL: https://nikpx.github.io/malware/analysis/2022/03/09/BokBot
Title: xors

Search URL Search Domain Scan URL

URL: https://www.malware-traffic-analysis.net/2022/06/28/index.html
Title: 2022-06-28 TA578 IcedID

Search URL Search Domain Scan URL

URL: https://www.rfc-editor.org/rfc/rfc1928
Title: RFC1928

Search URL Search Domain Scan URL

URL: https://malware-traffic-analysis.net/2022/10/04/index.html
Title: new capture file

Search URL Search Domain Scan URL

URL: https://twitter.com/malware_traffic/status/1577780925210959882
Title: noted

Search URL Search Domain Scan URL

URL: https://www.rfc-editor.org/rfc/rfc1952
Title: RFC1952

Search URL Search Domain Scan URL

URL: https://www.binarydefense.com/icedid-gziploader-analysis/
Title: fake gzip file headers in payloads

Search URL Search Domain Scan URL

URL: https://www.virustotal.com/gui/file/eb88412c9a0f78dfd515e3c602548aea1aee4e91847289eb58214841350aa12f/detection
Title: a PowerShell script

Search URL Search Domain Scan URL

URL: https://networkforensic.dk/
Title: networkforensic.dk

Search URL Search Domain Scan URL

URL: https://web.archive.org/web/20200530034502/https://reaqta.com/2017/11/short-journey-darkvnc/
Title: A short journey into DarkVNC attack chain

Search URL Search Domain Scan URL

URL: https://netresec.com/?b=232e498
Title: alerts on BackConnect traffic

Search URL Search Domain Scan URL

URL: https://netresec.com/?b=22A38f9
Title: https://netresec.com/?b=22A38f9

Search URL Search Domain Scan URL

URL: https://news.google.com/publications/CAAqBwgKMIKCogswxYy6Aw
Title: Google News

Search URL Search Domain Scan URL

URL: https://feeds.feedburner.com/Netresec-Network-Security-Blog
Title: FeedBurner

Search URL Search Domain Scan URL

URL: https://x.com/netresec
Title: @netresec

Search URL Search Domain Scan URL

URL: https://infosec.exchange/@netresec
Title: @netresec@infosec.exchange

Search URL Search Domain Scan URL

Redirected requests

There were HTTP redirect chains for the following requests:

19 HTTP transactions
0 data transactions

Method
Protocol Status Resource
Path Size
x-fer Time
Latency Type
MIME-Type IP
Location

GET
H2 200 Primary Request / Show response
www.netresec.com/ 34 KB
11 KB 146ms
55ms Document
text/html 2a02:4a8:ac24:137::105:80
ACTIVE24-AS www.a...

General

Check archive.org

Show headers Download Go to

Full URL

https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol

Protocol

Security

TLS 1.3, , AES_256_GCM

Server

2a02:4a8:ac24:137::105:80 , Czech Republic, ASN25234 (ACTIVE24-AS www.active24.cz, CZ),

Reverse DNS

Software

Microsoft-IIS/10.0 / ASP.NET

Resource Hash

2da596e77ba48fb29ce2aec11c4238269d2a067756c1279f471af7e2caa8c36e

Security Headers

Name	Value
Content-Security-Policy	frame-ancestors 'none' ; report-uri https://netresec.report-uri.com/r/d/csp/enforce;
Strict-Transport-Security	max-age=31536000; includeSubDomains; preload
X-Content-Type-Options	nosniff
X-Frame-Options	DENY
X-Xss-Protection	1; mode=block

Request headers

Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36

Response headers

cache-control: private
content-encoding: gzip
content-security-policy: frame-ancestors 'none' ; report-uri https://netresec.report-uri.com/r/d/csp/enforce;
content-type: text/html; charset=utf-8
date: Fri, 01 Nov 2024 00:28:47 GMT
referrer-policy: no-referrer-when-downgrade
server: Microsoft-IIS/10.0
strict-transport-security: max-age=31536000; includeSubDomains; preload
vary: Accept-Encoding
x-aspnet-version: 4.0.30319
x-content-type-options: nosniff
x-frame-options: DENY
x-powered-by: ASP.NET
x-xss-protection: 1; mode=block

GET
H2 200 style.css
www.netresec.com/ 8 KB
2 KB 40ms
39ms Stylesheet
text/css 2a02:4a8:ac24:137::105:80
ACTIVE24-AS www.a...

General

Check archive.org

Show headers Download Go to

Full URL: https://www.netresec.com/style.css
Requested by: Host: www.netresec.com
URL: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 2a02:4a8:ac24:137::105:80 , Czech Republic, ASN25234 (ACTIVE24-AS www.active24.cz, CZ),
Reverse DNS
Software: Microsoft-IIS/10.0 / ASP.NET
Resource Hash: 0b5cfd0d1c4c87b793472487d99fc2f670d1ed6fe538f88135ce663ba6a7c7c2

Request headers

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Referer: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol

Response headers

cache-control: max-age=691200
content-encoding: gzip
etag: "0ee85763d92da1:0"
accept-ranges: bytes
content-length: 1857
date: Fri, 01 Nov 2024 00:28:47 GMT
content-type: text/css
last-modified: Fri, 19 Apr 2024 09:39:24 GMT
vary: Accept-Encoding
server: Microsoft-IIS/10.0
x-powered-by: ASP.NET

GET
H2 200 Netresec_Logo_550x140.png
www.netresec.com/images/ 12 KB
12 KB 41ms
40ms Image
image/png 2a02:4a8:ac24:137::105:80
ACTIVE24-AS www.a...

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.netresec.com/images/Netresec_Logo_550x140.png
Requested by: Host: www.netresec.com
URL: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 2a02:4a8:ac24:137::105:80 , Czech Republic, ASN25234 (ACTIVE24-AS www.active24.cz, CZ),
Reverse DNS
Software: Microsoft-IIS/10.0 / ASP.NET
Resource Hash: f26e830a61dd6a79024fe2a0796c9a4703bacf00f4105625948349074125df2f

Request headers

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Referer: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol

Response headers

cache-control: max-age=691200
etag: "02ecdf3d3c1d81:0"
accept-ranges: bytes
content-length: 12356
date: Fri, 01 Nov 2024 00:28:47 GMT
content-type: image/png
last-modified: Tue, 06 Sep 2022 09:35:08 GMT
server: Microsoft-IIS/10.0
x-powered-by: ASP.NET

GET
H2 200 Wireshark-IcedID-SOCKS-packet_520x490.png
www.netresec.com/images/ 24 KB
24 KB 82ms
81ms Image
image/png 2a02:4a8:ac24:137::105:80
ACTIVE24-AS www.a...

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.netresec.com/images/Wireshark-IcedID-SOCKS-packet_520x490.png
Requested by: Host: www.netresec.com
URL: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 2a02:4a8:ac24:137::105:80 , Czech Republic, ASN25234 (ACTIVE24-AS www.active24.cz, CZ),
Reverse DNS
Software: Microsoft-IIS/10.0 / ASP.NET
Resource Hash: 94c3e0c4df513da88f8e026b3fc0f9a2f7061018e4c8bbab91fed80d57082f58

Request headers

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Referer: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol

Response headers

cache-control: max-age=691200
etag: "0f8adfd62ddd81:0"
accept-ranges: bytes
content-length: 24773
date: Fri, 01 Nov 2024 00:28:47 GMT
content-type: image/png
last-modified: Tue, 11 Oct 2022 11:17:04 GMT
server: Microsoft-IIS/10.0
x-powered-by: ASP.NET

GET
H2 200 CapLoader-Transcript_advanced-port-scanner_520x543.png
www.netresec.com/images/ 38 KB
38 KB 61ms
59ms Image
image/png 2a02:4a8:ac24:137::105:80
ACTIVE24-AS www.a...

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.netresec.com/images/CapLoader-Transcript_advanced-port-scanner_520x543.png
Requested by: Host: www.netresec.com
URL: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 2a02:4a8:ac24:137::105:80 , Czech Republic, ASN25234 (ACTIVE24-AS www.active24.cz, CZ),
Reverse DNS
Software: Microsoft-IIS/10.0 / ASP.NET
Resource Hash: d04e1d8b7595fb543ab46a69f0cfb37db1bf7da7c4f0b16e99e66500c151ffc0

Request headers

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Referer: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol

Response headers

cache-control: max-age=691200
etag: "040b6a06addd81:0"
accept-ranges: bytes
content-length: 39050
date: Fri, 01 Nov 2024 00:28:47 GMT
content-type: image/png
last-modified: Tue, 11 Oct 2022 12:11:44 GMT
server: Microsoft-IIS/10.0
x-powered-by: ASP.NET

GET
H2 200 NetworkMiner-2-7-3_proxied-https_520x641.png
www.netresec.com/images/ 54 KB
54 KB 96ms
94ms Image
image/png 2a02:4a8:ac24:137::105:80
ACTIVE24-AS www.a...

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.netresec.com/images/NetworkMiner-2-7-3_proxied-https_520x641.png
Requested by: Host: www.netresec.com
URL: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 2a02:4a8:ac24:137::105:80 , Czech Republic, ASN25234 (ACTIVE24-AS www.active24.cz, CZ),
Reverse DNS
Software: Microsoft-IIS/10.0 / ASP.NET
Resource Hash: 12a07ddfd2c5d8166d05e79e2941030a30a1e1aa646443e202c7e6248d855f3f

Request headers

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Referer: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol

Response headers

cache-control: max-age=691200
etag: "0915c87addd81:0"
accept-ranges: bytes
content-length: 55082
date: Fri, 01 Nov 2024 00:28:47 GMT
content-type: image/png
last-modified: Tue, 11 Oct 2022 14:07:22 GMT
server: Microsoft-IIS/10.0
x-powered-by: ASP.NET

GET
H2 200 CapLoader_1-9-4_Services_IcedID-SOCKS-JA3_520x500.png
www.netresec.com/images/ 36 KB
36 KB 137ms
135ms Image
image/png 2a02:4a8:ac24:137::105:80
ACTIVE24-AS www.a...

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.netresec.com/images/CapLoader_1-9-4_Services_IcedID-SOCKS-JA3_520x500.png
Requested by: Host: www.netresec.com
URL: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 2a02:4a8:ac24:137::105:80 , Czech Republic, ASN25234 (ACTIVE24-AS www.active24.cz, CZ),
Reverse DNS
Software: Microsoft-IIS/10.0 / ASP.NET
Resource Hash: f9c1854d01b22d70c88bec611ae12d2028ce49b9c22ab69733a8a7deb70a58b7

Request headers

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Referer: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol

Response headers

cache-control: max-age=691200
etag: "80fd7e2d40ded81:0"
accept-ranges: bytes
content-length: 37049
date: Fri, 01 Nov 2024 00:28:47 GMT
content-type: image/png
last-modified: Wed, 12 Oct 2022 13:40:23 GMT
server: Microsoft-IIS/10.0
x-powered-by: ASP.NET

GET
H2 200 CapLoader-Transcript-IcedID_C2_520x303.png
www.netresec.com/images/ 32 KB
32 KB 137ms
135ms Image
image/png 2a02:4a8:ac24:137::105:80
ACTIVE24-AS www.a...

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.netresec.com/images/CapLoader-Transcript-IcedID_C2_520x303.png
Requested by: Host: www.netresec.com
URL: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 2a02:4a8:ac24:137::105:80 , Czech Republic, ASN25234 (ACTIVE24-AS www.active24.cz, CZ),
Reverse DNS
Software: Microsoft-IIS/10.0 / ASP.NET
Resource Hash: d551f0fde6ea534f1459a4371ea44ec82ea5011ea2e9fb5390886b1923173e6a

Request headers

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Referer: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol

Response headers

cache-control: max-age=691200
etag: "8015129e7fddd81:0"
accept-ranges: bytes
content-length: 32872
date: Fri, 01 Nov 2024 00:28:47 GMT
content-type: image/png
last-modified: Tue, 11 Oct 2022 14:41:59 GMT
server: Microsoft-IIS/10.0
x-powered-by: ASP.NET

GET
H2 200 CapLoader-Transcript-IcedID_VNC_520x467.png
www.netresec.com/images/ 26 KB
27 KB 137ms
136ms Image
image/png 2a02:4a8:ac24:137::105:80
ACTIVE24-AS www.a...

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.netresec.com/images/CapLoader-Transcript-IcedID_VNC_520x467.png
Requested by: Host: www.netresec.com
URL: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 2a02:4a8:ac24:137::105:80 , Czech Republic, ASN25234 (ACTIVE24-AS www.active24.cz, CZ),
Reverse DNS
Software: Microsoft-IIS/10.0 / ASP.NET
Resource Hash: e942688482963e7ca3ff6b4d49278fabb371702b19c752a33ccf543abb838243

Request headers

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Referer: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol

Response headers

cache-control: max-age=691200
etag: "801e739280ddd81:0"
accept-ranges: bytes
content-length: 27070
date: Fri, 01 Nov 2024 00:28:47 GMT
content-type: image/png
last-modified: Tue, 11 Oct 2022 14:48:49 GMT
server: Microsoft-IIS/10.0
x-powered-by: ASP.NET

GET
H2 200 twitter_malware_traffic-1577780925210959882_520x297.png
www.netresec.com/images/ 68 KB
68 KB 95ms
93ms Image
image/png 2a02:4a8:ac24:137::105:80
ACTIVE24-AS www.a...

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.netresec.com/images/twitter_malware_traffic-1577780925210959882_520x297.png
Requested by: Host: www.netresec.com
URL: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 2a02:4a8:ac24:137::105:80 , Czech Republic, ASN25234 (ACTIVE24-AS www.active24.cz, CZ),
Reverse DNS
Software: Microsoft-IIS/10.0 / ASP.NET
Resource Hash: c21fd51a070403d8dd92052c19d82d78e981d574f7f13c798f3f82e75cbf03d2

Request headers

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Referer: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol

Response headers

cache-control: max-age=691200
etag: "808d3e4510ded81:0"
accept-ranges: bytes
content-length: 69237
date: Fri, 01 Nov 2024 00:28:47 GMT
content-type: image/png
last-modified: Wed, 12 Oct 2022 07:57:27 GMT
server: Microsoft-IIS/10.0
x-powered-by: ASP.NET

GET
H2 200 CapLoader-Transcript-IcedID_C2-1f8b0808_comments_520x539.png
www.netresec.com/images/ 54 KB
54 KB 139ms
137ms Image
image/png 2a02:4a8:ac24:137::105:80
ACTIVE24-AS www.a...

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.netresec.com/images/CapLoader-Transcript-IcedID_C2-1f8b0808_comments_520x539.png
Requested by: Host: www.netresec.com
URL: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 2a02:4a8:ac24:137::105:80 , Czech Republic, ASN25234 (ACTIVE24-AS www.active24.cz, CZ),
Reverse DNS
Software: Microsoft-IIS/10.0 / ASP.NET
Resource Hash: 3ac2d7c371e236719e1161169e385a2bb8a10b183fa227343a2e2e289a15f7c9

Request headers

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Referer: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol

Response headers

cache-control: max-age=691200
etag: "0ccf41a20ded81:0"
accept-ranges: bytes
content-length: 54911
date: Fri, 01 Nov 2024 00:28:47 GMT
content-type: image/png
last-modified: Wed, 12 Oct 2022 09:50:48 GMT
server: Microsoft-IIS/10.0
x-powered-by: ASP.NET

GET
H2 200 CapLoader-Transcript-IcedID_reverse-shell_520x611.png
www.netresec.com/images/ 35 KB
36 KB 142ms
140ms Image
image/png 2a02:4a8:ac24:137::105:80
ACTIVE24-AS www.a...

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.netresec.com/images/CapLoader-Transcript-IcedID_reverse-shell_520x611.png
Requested by: Host: www.netresec.com
URL: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 2a02:4a8:ac24:137::105:80 , Czech Republic, ASN25234 (ACTIVE24-AS www.active24.cz, CZ),
Reverse DNS
Software: Microsoft-IIS/10.0 / ASP.NET
Resource Hash: 4080824593ce5ed9350e778ceef35fdd131dde2b36c483ce5aba5f1a8b768a69

Request headers

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Referer: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol

Response headers

cache-control: max-age=691200
etag: "0e89c8b22ded81:0"
accept-ranges: bytes
content-length: 36222
date: Fri, 01 Nov 2024 00:28:47 GMT
content-type: image/png
last-modified: Wed, 12 Oct 2022 10:08:16 GMT
server: Microsoft-IIS/10.0
x-powered-by: ASP.NET

GET
H2 200 Wireshark-IcedID-C2-FileManager_520x204.png
www.netresec.com/images/ 21 KB
21 KB 143ms
142ms Image
image/png 2a02:4a8:ac24:137::105:80
ACTIVE24-AS www.a...

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.netresec.com/images/Wireshark-IcedID-C2-FileManager_520x204.png
Requested by: Host: www.netresec.com
URL: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 2a02:4a8:ac24:137::105:80 , Czech Republic, ASN25234 (ACTIVE24-AS www.active24.cz, CZ),
Reverse DNS
Software: Microsoft-IIS/10.0 / ASP.NET
Resource Hash: a59ff42681cd0dc27170c69289087263145c75bdbfe5558fd7da7a6c913d2895

Request headers

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Referer: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol

Response headers

cache-control: max-age=691200
etag: "805cffe399eed81:0"
accept-ranges: bytes
content-length: 21778
date: Fri, 01 Nov 2024 00:28:47 GMT
content-type: image/png
last-modified: Wed, 02 Nov 2022 09:02:53 GMT
server: Microsoft-IIS/10.0
x-powered-by: ASP.NET

GET
H2 200 CapLoader-IcedID-BackConnect-Flows_520x182.png
www.netresec.com/images/ 15 KB
15 KB 174ms
173ms Image
image/png 2a02:4a8:ac24:137::105:80
ACTIVE24-AS www.a...

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.netresec.com/images/CapLoader-IcedID-BackConnect-Flows_520x182.png
Requested by: Host: www.netresec.com
URL: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 2a02:4a8:ac24:137::105:80 , Czech Republic, ASN25234 (ACTIVE24-AS www.active24.cz, CZ),
Reverse DNS
Software: Microsoft-IIS/10.0 / ASP.NET
Resource Hash: 043f382cecb82eb78b0bb136b2dec2e63ef3d8e703876b0be856cca81a64f74d

Request headers

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Referer: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol

Response headers

cache-control: max-age=691200
etag: "80e65cfaa0eed81:0"
accept-ranges: bytes
content-length: 14999
date: Fri, 01 Nov 2024 00:28:47 GMT
content-type: image/png
last-modified: Wed, 02 Nov 2022 09:53:37 GMT
server: Microsoft-IIS/10.0
x-powered-by: ASP.NET

GET
H2 200 CapLoader-Transcript-IcedID_file-manager_520x910.png
www.netresec.com/images/ 41 KB
41 KB 175ms
174ms Image
image/png 2a02:4a8:ac24:137::105:80
ACTIVE24-AS www.a...

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.netresec.com/images/CapLoader-Transcript-IcedID_file-manager_520x910.png
Requested by: Host: www.netresec.com
URL: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 2a02:4a8:ac24:137::105:80 , Czech Republic, ASN25234 (ACTIVE24-AS www.active24.cz, CZ),
Reverse DNS
Software: Microsoft-IIS/10.0 / ASP.NET
Resource Hash: 6c10559f1149f1d6ebcbac4eed37c2538077bb0f96899daf1880d1e26599f849

Request headers

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Referer: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol

Response headers

cache-control: max-age=691200
etag: "02043ea2eed81:0"
accept-ranges: bytes
content-length: 42361
date: Fri, 01 Nov 2024 00:28:47 GMT
content-type: image/png
last-modified: Wed, 02 Nov 2022 10:02:40 GMT
server: Microsoft-IIS/10.0
x-powered-by: ASP.NET

GET
H2 200 X_100x90.png
www.netresec.com/images/ 11 KB
12 KB 177ms
176ms Image
image/png 2a02:4a8:ac24:137::105:80
ACTIVE24-AS www.a...

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.netresec.com/images/X_100x90.png
Requested by: Host: www.netresec.com
URL: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 2a02:4a8:ac24:137::105:80 , Czech Republic, ASN25234 (ACTIVE24-AS www.active24.cz, CZ),
Reverse DNS
Software: Microsoft-IIS/10.0 / ASP.NET
Resource Hash: 62071d727027383e432d57ac28f45c0815e376959189785680796441c3829d74

Request headers

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Referer: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol

Response headers

cache-control: max-age=691200
etag: "80979c1c3019da1:0"
accept-ranges: bytes
content-length: 11701
date: Fri, 01 Nov 2024 00:28:47 GMT
content-type: image/png
last-modified: Fri, 17 Nov 2023 08:28:59 GMT
server: Microsoft-IIS/10.0
x-powered-by: ASP.NET

GET
H2 200 mastodon_100x107.png
www.netresec.com/images/ 3 KB
3 KB 177ms
176ms Image
image/png 2a02:4a8:ac24:137::105:80
ACTIVE24-AS www.a...

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.netresec.com/images/mastodon_100x107.png
Requested by: Host: www.netresec.com
URL: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 2a02:4a8:ac24:137::105:80 , Czech Republic, ASN25234 (ACTIVE24-AS www.active24.cz, CZ),
Reverse DNS
Software: Microsoft-IIS/10.0 / ASP.NET
Resource Hash: e0bbf224d7ef8434a81e7e40d35c0a483026f90397ea60054f2a8561b2d02e8d

Request headers

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Referer: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol

Response headers

cache-control: max-age=691200
etag: "0b1fc6f62fad81:0"
accept-ranges: bytes
content-length: 3230
date: Fri, 01 Nov 2024 00:28:47 GMT
content-type: image/png
last-modified: Thu, 17 Nov 2022 08:56:10 GMT
server: Microsoft-IIS/10.0
x-powered-by: ASP.NET

GET
H2 200 gradient_background.gif
www.netresec.com/images/ 442 B
553 B 154ms
153ms Image
image/gif 2a02:4a8:ac24:137::105:80
ACTIVE24-AS www.a...

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.netresec.com/images/gradient_background.gif
Requested by: Host: www.netresec.com
URL: https://www.netresec.com/style.css
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 2a02:4a8:ac24:137::105:80 , Czech Republic, ASN25234 (ACTIVE24-AS www.active24.cz, CZ),
Reverse DNS
Software: Microsoft-IIS/10.0 / ASP.NET
Resource Hash: 21b7cc1ef2c4de18da0fff436ebd44fd3d6474a4f2b248e7a368179b17036b98

Request headers

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Referer: https://www.netresec.com/style.css

Response headers

cache-control: max-age=691200
etag: "031d9266069d11:0"
accept-ranges: bytes
content-length: 442
date: Fri, 01 Nov 2024 00:28:47 GMT
content-type: image/gif
last-modified: Wed, 17 Feb 2016 08:49:46 GMT
server: Microsoft-IIS/10.0
x-powered-by: ASP.NET

GET
H2 200 favicon.ico
www.netresec.com/ 88 KB
88 KB 40ms
40ms Other
image/x-icon 2a02:4a8:ac24:137::105:80
ACTIVE24-AS www.a...

General

Check archive.org

Show headers Download Go to

Full URL: https://www.netresec.com/favicon.ico
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 2a02:4a8:ac24:137::105:80 , Czech Republic, ASN25234 (ACTIVE24-AS www.active24.cz, CZ),
Reverse DNS
Software: Microsoft-IIS/10.0 / ASP.NET
Resource Hash: dda0619ba5a8918d241dd2475c7ad8e3ef232ed9b1d1e0604bd33bc194ec7b54

Request headers

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Referer: https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol

Response headers

cache-control: max-age=691200
etag: "80f4a2286069d11:0"
accept-ranges: bytes
content-length: 90022
date: Fri, 01 Nov 2024 00:28:48 GMT
content-type: image/x-icon
last-modified: Wed, 17 Feb 2016 08:49:49 GMT
server: Microsoft-IIS/10.0
x-powered-by: ASP.NET

Verdicts & Comments Add Verdict or Comment

0 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

0 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

Security Headers

This page lists any security headers set by the main page. If you want to understand what these mean and how to use them, head on over to this page

Header	Value
Content-Security-Policy	frame-ancestors 'none' ; report-uri https://netresec.report-uri.com/r/d/csp/enforce;
Strict-Transport-Security	max-age=31536000; includeSubDomains; preload
X-Content-Type-Options	nosniff
X-Frame-Options	DENY
X-Xss-Protection	1; mode=block

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

www.netresec.com
2a02:4a8:ac24:137::105:80
043f382cecb82eb78b0bb136b2dec2e63ef3d8e703876b0be856cca81a64f74d
0b5cfd0d1c4c87b793472487d99fc2f670d1ed6fe538f88135ce663ba6a7c7c2
12a07ddfd2c5d8166d05e79e2941030a30a1e1aa646443e202c7e6248d855f3f
21b7cc1ef2c4de18da0fff436ebd44fd3d6474a4f2b248e7a368179b17036b98
2da596e77ba48fb29ce2aec11c4238269d2a067756c1279f471af7e2caa8c36e
3ac2d7c371e236719e1161169e385a2bb8a10b183fa227343a2e2e289a15f7c9
4080824593ce5ed9350e778ceef35fdd131dde2b36c483ce5aba5f1a8b768a69
62071d727027383e432d57ac28f45c0815e376959189785680796441c3829d74
6c10559f1149f1d6ebcbac4eed37c2538077bb0f96899daf1880d1e26599f849
94c3e0c4df513da88f8e026b3fc0f9a2f7061018e4c8bbab91fed80d57082f58
a59ff42681cd0dc27170c69289087263145c75bdbfe5558fd7da7a6c913d2895
c21fd51a070403d8dd92052c19d82d78e981d574f7f13c798f3f82e75cbf03d2
d04e1d8b7595fb543ab46a69f0cfb37db1bf7da7c4f0b16e99e66500c151ffc0
d551f0fde6ea534f1459a4371ea44ec82ea5011ea2e9fb5390886b1923173e6a
dda0619ba5a8918d241dd2475c7ad8e3ef232ed9b1d1e0604bd33bc194ec7b54
e0bbf224d7ef8434a81e7e40d35c0a483026f90397ea60054f2a8561b2d02e8d
e942688482963e7ca3ff6b4d49278fabb371702b19c752a33ccf543abb838243
f26e830a61dd6a79024fe2a0796c9a4703bacf00f4105625948349074125df2f
f9c1854d01b22d70c88bec611ae12d2028ce49b9c22ab69733a8a7deb70a58b7

www.netresec.com Open in urlscan Pro 2a02:4a8:ac24:137::105:80 Public Scan

Summary

urlscan.io Verdict: No classification

Domain & IP information

Screenshot Live screenshot Full Image

Page Title

Page Statistics

19 Requests

100 %HTTPS

100 %IPv6

1 Domains

1 Subdomains

1 IPs

1 Countries

575 kBTransfer

602 kBSize

0 Cookies

23 Outgoing links

Redirected requests

19 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 0 data transactions

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Verdicts & Comments Add Verdict or Comment

0 JavaScript Global Variables

0 Cookies

Security Headers

Indicators

www.netresec.com Open in urlscan Pro
2a02:4a8:ac24:137::105:80 Public Scan

Screenshot
Live screenshot

Full Image

19
Requests

100 %
HTTPS

100 %
IPv6

1
Domains

1
Subdomains

1
IPs

1
Countries

575 kB
Transfer

602 kB
Size

0
Cookies

19 HTTP transactions
0 data transactions