104.16.173.80 Threat Intelligence and Host Information

General

This page contains threat intelligence information for the IPv4 address 104.16.173.80 and was generated either as a result of observed malicious activity or as an information-gathering exercise to assist with enrichment of security events and context. All information is gathered passively, through aggregation of public sources or through observation of activity against honeynets. The host score is calculated through a series of statistically weighted values and machine learning that takes into account metadata such as host information; the frequency, volume and global distribution of malicious activity; association with other known malicious hosts or networks; proxying or anonymising behaviour such as Tor exit nodes, residential proxies or VPN services; and many other attributes. These values are historical and indicative only, and should not be taken as an accurate representation of the users, businesses or networks in which the host resides.

Likely Malicious Host 🟠 60/100

Host and Network Information

  • Mitre ATT&CK IDs: T1001 - Data Obfuscation, T1003 - OS Credential Dumping, T1005 - Data from Local System, T1009 - Binary Padding, T1010 - Application Window Discovery, T1012 - Query Registry, T1027 - Obfuscated Files or Information, T1030 - Data Transfer Size Limits, T1031 - Modify Existing Service, T1036.004 - Masquerade Task or Service, T1036 - Masquerading, T1040 - Network Sniffing, T1045 - Software Packing, T1053 - Scheduled Task/Job, T1055 - Process Injection, T1056 - Input Capture, T1057 - Process Discovery, T1059 - Command and Scripting Interpreter, T1060 - Registry Run Keys / Startup Folder, T1063 - Security Software Discovery, T1064 - Scripting, T1068 - Exploitation for Privilege Escalation, T1070 - Indicator Removal on Host, T1071.001 - Web Protocols, T1071.003 - Mail Protocols, T1071.004 - DNS, T1071 - Application Layer Protocol, T1074 - Data Staged, T1081 - Credentials in Files, T1082 - System Information Discovery, T1083 - File and Directory Discovery, T1095 - Non-Application Layer Protocol, T1105 - Ingress Tool Transfer, T1106 - Native API, T1110 - Brute Force, T1119 - Automated Collection, T1129 - Shared Modules, T1140 - Deobfuscate/Decode Files or Information, T1143 - Hidden Window, T1158 - Hidden Files and Directories, T1185 - Man in the Browser, T1199 - Trusted Relationship, T1218 - Signed Binary Proxy Execution, T1410 - Network Traffic Capture or Redirection, T1443 - Remotely Install Application, T1449 - Exploit SS7 to Redirect Phone Calls/SMS, T1464 - Jamming or Denial of Service, T1468 - Remotely Track Device Without Authorization, T1498 - Network Denial of Service, T1499 - Endpoint Denial of Service, T1518 - Software Discovery, T1543 - Create or Modify System Process, T1547 - Boot or Logon Autostart Execution, T1557 - Man-in-the-Middle, T1559 - Inter-Process Communication, T1560 - Archive Collected Data, T1571 - Non-Standard Port, T1583.005 - Botnet, TA0002 - Execution, TA0003 - Persistence, TA0004 - Privilege Escalation, TA0005 - Defense Evasion, TA0006 - Credential Access, TA0007 - Discovery, TA0009 - Collection, TA0010 - Exfiltration, TA0011 - Command and Control


  • JARM: 27d40d40d00040d1dc42d43d00041d6183ff1bfae51ebd88d70384363d525c

  • View other sources: Spamhaus, VirusTotal

  • Contained within other IP sets: hphosts_emd

Malware Detected on Host

Count: 9349

Open Ports Detected

2052 2082 2083 2086 2087 443 80 8080 8443 8880

Links to attack logs

anonymous-proxy-ip-list-2025-06-22
