104.16.66.85 Threat Intelligence and Host Information

General

This page contains threat intelligence information for the IPv4 address 104.16.66.85 and was generated either as a result of observed malicious activity or as an information gathering exercise to assist with enrichment of security events and context. All information is gathered passively through aggregation of public sources, or observations through activity upon honeynets. The host score is calculated through a series of statistically weighted values and machine learning which takes into account metadata such as host information, frequency, volume and global distribution of malicious activity, association with other known malicious hosts or networks, proxying or anonymising behaviour such as with tor exit nodes, residential proxies or VPN services, and many other attributes. These values are historical and indicative only - and should not be taken to be an accurate representation of the users, businesses or networks in which they reside.

Likely Malicious Host 🟠 60/100

Host and Network Information

• Mitre ATT&CK IDs: T1011 - Exfiltration Over Other Network Medium, T1027 - Obfuscated Files or Information, T1053 - Scheduled Task/Job, T1055 - Process Injection, T1056.001 - Keylogging, T1059.002 - AppleScript, T1059.007 - JavaScript, T1059 - Command and Scripting Interpreter, T1060 - Registry Run Keys / Startup Folder, T1071.001 - Web Protocols, T1071.003 - Mail Protocols, T1071.004 - DNS, T1071 - Application Layer Protocol, T1082 - System Information Discovery, T1105 - Ingress Tool Transfer, T1106 - Native API, T1110.002 - Password Cracking, T1112 - Modify Registry, T1114 - Email Collection, T1119 - Automated Collection, T1129 - Shared Modules, T1140 - Deobfuscate/Decode Files or Information, T1143 - Hidden Window, T1410 - Network Traffic Capture or Redirection, T1449 - Exploit SS7 to Redirect Phone Calls/SMS, T1497 - Virtualization/Sandbox Evasion, T1560 - Archive Collected Data, T1583.002 - DNS Server, T1583.005 - Botnet, TA0001 - Initial Access, TA0002 - Execution, TA0003 - Persistence, TA0004 - Privilege Escalation, TA0006 - Credential Access, TA0007 - Discovery, TA0008 - Lateral Movement, TA0009 - Collection, TA0010 - Exfiltration, TA0011 - Command and Control

• Tags: 0 report, accept, a claim, active created, address, agent, agenttesla, akamaias, alexa, alexa top, algorithm, all octoseek, amazon, amazon02, amazonaes, american international, analysis, and china, android, apple, appleaustin, apple engineering, apple ios, apple unlocker, april, artemis, as15169 google, ascii text, asn16509, asn20940, asn as45090, attack, august, azorult, b2931e3f, b467295d, b535, bank, banker, beijing gu, benjamin, bitdefender, bitrat, blackhat, blacklist https, body, botnet, brian sabey, briansabey, c2, ca issuers, cargo, cgb stgreater, chaos, china telecom, cisco, cisco umbrella, class, click, cloud, cloudflare, cloudflarenet, cnc, cobalt strike, Cobalt Strike, code, collection, collections, com laude, command and control, commercial auto, community https, comodo valkyrie, company limited, compensation, computer, contact, contacted, contacted circa 10.23.2023-, contacted urls, contact phone, content reputation, contexthub, copy, core, cq function, crack, create c, created, creation date, crime, critical, critical risk, crypto, csc corporate, cyber, cyber crime, cybercrime, cyber stalking, cyber threat, cyberthreat, dao360, dapato, dark, dark power, data, data center, date, default, defense, delete c, de page, description, de summary, detection list, detections type, detplock, djvu, dns, dnspionage, dns replication, dns resolutions, dnssec, dock, domain, domain name, domainpath name, domains, domain status, downer, downldr, download, downloader, dsp1, duckdns, dynamic report, ecc domain, ec oid, elqq, email, emails, emotet, encrypt, energy, enterprise, entries, error, et, et tor, evader, execution, exit, export, f20b201c, facebook, falcon sandbox, false, file, filehash, files, files location, filter https, final url, find, firehol, first, footer, form, formbook, frankfurt, fusioncore, general, general full, generator, generic, germany, get na, github, gmt content, gmtn, google, gootloader, greatness, hacker, hacktool, hallgrand, hallrender, heur, historical ssl, history first, http, http redirect, http response, hybrid, hyperv, icloud, icmp, identifier, iframe, ii llc, illegal, indicator, indonesia, info, input, installer, iocs, ioc search, ip address, ip summary, ipv4, issuer, javascript, july, june, kb acrotray, keepaliveyes, key algorithm, key identifier, key info, keylogger, known tor, kuaizip, liability, life, light, limited, link, local, localappdata, location china, lockbit, log id, login aig, login myaig, lolkek, look, lscottsdale, ltd dba, magniber, main, malicious, malicious site, maltiverse, malvertizing, malware, malware scripting, malware site, malware spreader, mark, mark brian sabey, mark sabey, masquerading, maui ransomware, mb iesettings, mb opera, media, media center, medium, memcommit, meta, metro, metro hacker, microsoftcorpas, million, mime type, miner, misc attack, mitre att, mitre attack, modified, monitoring, ms excel, msie, multiple botnetworks, name, namecheap, namecheap inc, name servers, name value, network, network mooooda, network rat, networm, new ioc, next, no data, node traffic, november, number, october, open, p11642963562, p2404, page url, passive dns, password, password bypass, paste, path, pattern match, persistence, phish, phishing, phishing site, phishtank, physical threat, porkbun llc, pornhub, pornographers, presenoker, problems, property, protocol h2, pulse pulses, pulse submit, qakbot, quasar, quasar rat, raccoon, ransom, ransomexx, ransomware, read c, record value, redirected, referrer, refresh, registrar abuse, registrar url, registrar whois, related nids, relayrouter, relic, remcos, remote, remote attacker, report, request chain, resolutions, resource, response final, restart, revenge rat, reverse dns, riskware, root ca, runescape, safe site, samplepath, samuel tulach, sanitize object, scan endpoints, scanning host, script, search, sector, security tls, server, server ca, service, service tool, serving ip, show, showing, site, slcc2, soc, social engineering, softcnapp, span, spreadsheet, ssl certificate, stalker, starizona, startpage, stealer, strings, subject key, subject public, submission, submitters, sucurisec, summary, summary iocs, suricata, swisyn, systemroot, tag count, target, targeting, team, teams, teams api, telecom, telecom italia, textarea, thebrotherssabey, then brothers sabey, threat, threat analyzer, threat network, threat roundup, title, tld count, tlsv1, tls web, t-mobile hacker, tools, torrent trecker, tracking, trickbot, trojan, trojanspy, trust, tsara brashears, tulach, tulach.cc, tulach exploits, twitter, type name, umbrella rank, union, united, unknown, unsafe, url history, url http, url https, urls, urls http, url summary, urls url, ursnif, usage, user, utc http, utc submissions, v3 serial, value, variables, verdict, verify, vidar, view, visitor object, vmprotect, webtoolbar, white, whois, whois record, whois whois, win32, win32 dll, win32 exe, win64, windows, windows nt, wiper, workers, worm, wow64, write, write c, x509v3 key, xport, years ago, zbot

• JARM: 27d40d40d00040d1dc42d43d00041d6183ff1bfae51ebd88d70384363d525c

• View other sources: Spamhaus VirusTotal

• Country:
• Network:
• Noticed: 16 times
• Protocols Attacked: Anonymous Proxy
• Countries Attacked: Canada, United States of America
• Passive DNS Results: invisible.udemy.com entrust.udemy.com aircraftpropeller.udemy.com aflacjp2.udemy.com capgemini.udemy.com anadolusigorta.udemy.com fundcraft.udemy.com nomura-amjp.udemy.com rianaryandi.tech arise.udemy.com email.udemy.com adconova.udemy.com havelsan.udemy.com cra-itb.udemy.com juvare.udemy.com omnitracs.udemy.com kyndryl.udemy.com lg.udemy.com kaust.udemy.com tp.udemy.com absagroup.udemy.com mitsubishi-hccapital.udemy.com switch.udemy.com xceedance.udemy.com themathcompany.udemy.com dotdigital.udemy.com 1udemy-images.udemy.com pepsico.udemy.com bosch-rbvh.udemy.com vwds.udemy.com freedommortgage.udemy.com hdfcbank.udemy.com greenbeanit.udemy.com allwynent.udemy.com biogentrial.udemy.com lyondellbasell.udemy.com euronext.udemy.com tcsglobal.udemy.com cognizantee.udemy.com deloittedevelopment.udemy.com dbs-c2e.udemy.com dxc.udemy.com socarturkey.udemy.com koruptoraxis.cf isainfrateam.udemy.com pwcglobal.udemy.com ua.udemy.com auditsafe.udemy.com teleflex.udemy.com accentureatcp.udemy.com oldmutuallimited.udemy.com panasonic-is.udemy.com gksoftware.udemy.com uat.signing.udemy.com www.uat.signing.udemy.com accenture.udemy.com webinars.udemy.com smamdaku.net prudential.udemy.com ensarsolutions.udemy.com ifood.udemy.com gasss.us lacounty.udemy.com dbshyd.udemy.com citrahmad.com learning.udemy.com difc.udemy.com itauchile.udemy.com research.udemy.com virginpulse.udemy.com 53.udemy.com nttdatajp.udemy.com cloudbeds.udemy.com esolutions.udemy.com amdlearning.udemy.com fnb.udemy.com teslaforecast.udemy.com copperpoint.udemy.com standardbank.udemy.com ubs.udemy.com michelingroup.udemy.com bfbs.udemy.com sorenson.udemy.com isbankasi.udemy.com chevrontrial.udemy.com yayanx.ml ibm-learning.udemy.com swissmedical.udemy.com standardcharteredfuturestate.udemy.com sctest.udemy.com dewa.cloudns.asia servicenow.udemy.com connection.udemy.com kibusiness.udemy.com dte.udemy.com str.udemy.com mgplc.udemy.com adidas-itlearning.udemy.com fanatics.udemy.com americanairlines.udemy.com ablink.udemybusiness.udemy.com ablink.instructors.udemy.com ablink.students.udemy.com ablink.alerts.udemy.com nttls.udemy.com tengizchevroil.udemy.com infor.udemy.com usbank.udemy.com ufbsupport.udemy.com operativeuniversity.udemy.com avalara.udemy.com pmi.udemy.com fujitsu.udemy.com wipro.udemy.com atolearning.udemy.com aws-dr.udemy.com portal.udemy.com digital.udemy.com indra.udemy.com virtusa.udemy.com cona-services.udemy.com wwt.udemy.com man.udemy.com bilateral.udemy.com toyota-td.udemy.com bcp.udemy.com idemia.udemy.com www.uat.revenuewebhook.udemy.com uat.revenuewebhook.udemy.com www.prod.revenuewebhook.udemy.com prod.revenuewebhook.udemy.com government.udemy.com cisco.udemy.com cognizant.udemy.com about.udemy.com lazada.udemy.com bhoikfost.ga chevron.udemy.com status.udemy.com ey-covid-19.udemy.com intermountain.udemy.com ihis.udemy.com mywipro.udemy.com teach.udemy.com banorte.udemy.com udemy-images.udemy.com turkcell.udemy.com chemours.udemy.com hartmann.udemy.com kbtg.udemy.com aflacjp.udemy.com page-events-ustats.udemy.com bah.udemy.com business.udemy.com www.udemy.com blackviruskasikornbank.production.udemy.com kasikorn.march-blackvirus.udemy.com www.uat.transport.udemy.com uat.transport.udemy.com 10.72.104.128www.udemy.com www.citigoup.udemy.com udemy.com blog.udemy.com leonardo-hotels.de

Malware Detected on Host

Count: 5 acce09ef5d398909811bddf222d943a1c6851088b2d140611e320c9903562a46 b0563a88451a505c7829e9dd6945a750816bcba234633710656cf7aa307ae54d aab29147b3f21528f0b90404c6cc71463ff53dc19ee822fff8db2f69ae94172c 9b4edf3cc142c84d494bc07c711a6b8117b7de6577d077f39ae62aeedc21f51d a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40

Open Ports Detected

2052 2082 2083 2086 2087 2095 443 80 8080 8443 8880

Map

Whois Information

• NetRange: 104.16.0.0 - 104.31.255.255
• CIDR: 104.16.0.0/12
• NetName: CLOUDFLARENET
• NetHandle: NET-104-16-0-0-1
• Parent: NET104 (NET-104-0-0-0-0)
• NetType: Direct Allocation
• OriginAS: AS13335
• Organization: Cloudflare, Inc. (CLOUD14)
• RegDate: 2014-03-28
• Updated: 2024-09-04
• Comment: All Cloudflare abuse reporting can be done via https://www.cloudflare.com/abuse
• Comment: Geofeed: https://api.cloudflare.com/local-ip-ranges.csv
• Ref: https://rdap.arin.net/registry/ip/104.16.0.0
• OrgName: Cloudflare, Inc.
• OrgId: CLOUD14
• Address: 101 Townsend Street
• City: San Francisco
• StateProv: CA
• PostalCode: 94107
• Country: US
• RegDate: 2010-07-09
• Updated: 2024-11-25
• Ref: https://rdap.arin.net/registry/entity/CLOUD14
• OrgNOCHandle: CLOUD146-ARIN
• OrgNOCName: Cloudflare-NOC
• OrgNOCPhone: +1-650-319-8930
• OrgNOCEmail: noc@cloudflare.com
• OrgNOCRef: https://rdap.arin.net/registry/entity/CLOUD146-ARIN
• OrgTechHandle: ADMIN2521-ARIN
• OrgTechName: Admin
• OrgTechPhone: +1-650-319-8930
• OrgTechEmail: rir@cloudflare.com
• OrgTechRef: https://rdap.arin.net/registry/entity/ADMIN2521-ARIN
• OrgRoutingHandle: CLOUD146-ARIN
• OrgRoutingName: Cloudflare-NOC
• OrgRoutingPhone: +1-650-319-8930
• OrgRoutingEmail: noc@cloudflare.com
• OrgRoutingRef: https://rdap.arin.net/registry/entity/CLOUD146-ARIN
• OrgAbuseHandle: ABUSE2916-ARIN
• OrgAbuseName: Abuse
• OrgAbusePhone: +1-650-319-8930
• OrgAbuseEmail: abuse@cloudflare.com
• OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE2916-ARIN
• RTechHandle: ADMIN2521-ARIN
• RTechName: Admin
• RTechPhone: +1-650-319-8930
• RTechEmail: rir@cloudflare.com
• RTechRef: https://rdap.arin.net/registry/entity/ADMIN2521-ARIN
• RAbuseHandle: ABUSE2916-ARIN
• RAbuseName: Abuse
• RAbusePhone: +1-650-319-8930
• RAbuseEmail: abuse@cloudflare.com
• RAbuseRef: https://rdap.arin.net/registry/entity/ABUSE2916-ARIN
• RNOCHandle: NOC11962-ARIN
• RNOCName: NOC
• RNOCPhone: +1-650-319-8930
• RNOCEmail: noc@cloudflare.com
• RNOCRef: https://rdap.arin.net/registry/entity/NOC11962-ARIN

Links to attack logs

anonymous-proxy-ip-list-2025-06-23 anonymous-proxy-ip-list-2025-06-22