104.16.57.101 Threat Intelligence and Host Information

General

This page contains threat intelligence information for the IPv4 address 104.16.57.101 and was generated either as a result of observed malicious activity or as an information gathering exercise to assist with enrichment of security events and context. All information is gathered passively through aggregation of public sources or through observation of activity against honeynets. The host score is calculated from a series of statistically weighted values and machine learning models that take into account metadata such as host information; the frequency, volume and global distribution of malicious activity; association with other known malicious hosts or networks; proxying or anonymising behaviour such as Tor exit nodes, residential proxies or VPN services; and many other attributes. These values are historical and indicative only, and should not be taken as an accurate representation of the users, businesses or networks in which the address resides.

Likely Malicious Host 🟠 60/100

Host and Network Information

  • Mitre ATT&CK IDs: T1012 - Query Registry, T1027 - Obfuscated Files or Information, T1041 - Exfiltration Over C2 Channel, T1043 - Commonly Used Port, T1055 - Process Injection, T1056.001 - Keylogging, T1056 - Input Capture, T1059.007 - JavaScript, T1059 - Command and Scripting Interpreter, T1068 - Exploitation for Privilege Escalation, T1071.001 - Web Protocols, T1071.003 - Mail Protocols, T1071.004 - DNS, T1071 - Application Layer Protocol, T1100 - Web Shell, T1105 - Ingress Tool Transfer, T1112 - Modify Registry, T1114 - Email Collection, T1140 - Deobfuscate/Decode Files or Information, T1176 - Browser Extensions, T1179 - Hooking, T1449 - Exploit SS7 to Redirect Phone Calls/SMS, T1496 - Resource Hijacking, T1497 - Virtualization/Sandbox Evasion, T1560 - Archive Collected Data, T1583.005 - Botnet, T1583 - Acquire Infrastructure, TA0004 - Privilege Escalation, TA0011 - Command and Control

  • Tags:

  • JARM: 27d40d40d00040d00042d43d00041df04c41293ba84f6efe3a613b22f983e6

  • View other sources: Spamhaus, VirusTotal

  • Country:
  • Network:
  • Noticed: 50 times
  • Protocols Attacked: Anonymous Proxy
  • Countries Attacked: Anguilla, Aruba, Australia, Bahamas, Barbados, Canada, Cayman Islands, Costa Rica, Curaçao, Georgia, Guatemala, Japan, Mexico, Netherlands, Panama, Philippines, Poland, Saint Kitts and Nevis, Saint Martin (French part), Saint Vincent and the Grenadines, Sint Maarten (Dutch part), United Republic of Tanzania, Trinidad and Tobago, Ukraine, United Kingdom of Great Britain and Northern Ireland, United States of America
  • Passive DNS Results: broadband.moneysavingexpert.com images.moneysavingexpert.com my.moneysavingexpert.com moneysavingexpert.com services.moneysavingexpert.com tags.moneysavingexpert.com webapi.moneysavingexpert.com clubs.moneysavingexpert.com www.tasan6.com images2.moneysavingexpert.com blog.moneysavingexpert.com www.moneysavingexpert.com clicks.moneysavingexpert.com images6.moneysavingexpert.com static.cloudflareinsights.com cloudflareinsights.com dna.tronestaging.com 50years.tronestaging.com labcorp-d8.tronestaging.com labcorp-d8.tronestaging.com.cdn.cloudflare.net monogrambio-d8.tronestaging.com.cdn.cloudflare.net integratedgenetics.tronestaging.com.cdn.cloudflare.net 50years.tronestaging.com.cdn.cloudflare.net lcuat.tronestaging.com.cdn.cloudflare.net

Malware Detected on Host

Count: 519

Open Ports Detected

2052 2053 2082 2083 2086 2087 2095 443 80 8080 8443 8880

Links to attack logs

anonymous-proxy-ip-list-2025-06-23 anonymous-proxy-ip-list-2025-06-22