104.18.1.89 Threat Intelligence and Host Information

General

This page contains threat intelligence information for the IPv4 address 104.18.1.89 and was generated either as a result of observed malicious activity or as an information-gathering exercise to assist with enrichment of security events and context. All information is gathered passively through aggregation of public sources or through observations of activity on honeynets. The host score is calculated through a series of statistically weighted values and machine learning that take into account metadata such as host information; the frequency, volume and global distribution of malicious activity; association with other known malicious hosts or networks; proxying or anonymising behaviour such as Tor exit nodes, residential proxies or VPN services; and many other attributes. These values are historical and indicative only, and should not be taken as an accurate representation of the users, businesses or networks in which they reside.

Likely Malicious Host 🟠 60/100

Host and Network Information

  • Mitre ATT&CK IDs: T1010 - Application Window Discovery, T1012 - Query Registry, T1031 - Modify Existing Service, T1036 - Masquerading, T1040 - Network Sniffing, T1045 - Software Packing, T1053 - Scheduled Task/Job, T1055 - Process Injection, T1056.001 - Keylogging, T1057 - Process Discovery, T1060 - Registry Run Keys / Startup Folder, T1068 - Exploitation for Privilege Escalation, T1071.001 - Web Protocols, T1071.004 - DNS, T1071 - Application Layer Protocol, T1082 - System Information Discovery, T1083 - File and Directory Discovery, T1091 - Replication Through Removable Media, T1105 - Ingress Tool Transfer, T1106 - Native API, T1112 - Modify Registry, T1118 - InstallUtil, T1120 - Peripheral Device Discovery, T1122 - Component Object Model Hijacking, T1129 - Shared Modules, T1143 - Hidden Window, T1147 - Hidden Users, T1158 - Hidden Files and Directories, T1184 - SSH Hijacking, T1210 - Exploitation of Remote Services, T1415 - URL Scheme Hijacking, T1416 - URI Hijacking, T1443 - Remotely Install Application, T1449 - Exploit SS7 to Redirect Phone Calls/SMS, T1460 - Biometric Spoofing, T1478 - Install Insecure or Malicious Configuration, T1497 - Virtualization/Sandbox Evasion, T1528 - Steal Application Access Token, T1539 - Steal Web Session Cookie, T1553.002 - Code Signing, T1553 - Subvert Trust Controls, T1568.002 - Domain Generation Algorithms, T1568 - Dynamic Resolution, T1574 - Hijack Execution Flow, T1583.001 - Domains, T1583.005 - Botnet, T1583 - Acquire Infrastructure, T1589 - Gather Victim Identity Information, T1590 - Gather Victim Network Information, T1591 - Gather Victim Org Information, TA0003 - Persistence, TA0011 - Command and Control

  • Tags: aaaa, aaaa nxdomain, abcd, abuse, abuse contact, accept, access ta0001, address, admin country, adobe, adobe reader, a domains, akamaias, alerts, alexa, alexa top, algorithm, alibaba cloud, all octoseek, all scoreblue, all search, amazon02, amazonaes, analysis date, analyzer paste, analyzer threat, anomalous file, antivirus, a nxdomain, apache, apple, apple private, apple remote, apple spy, april, archive, argon data, arial, artro, as14870 flexera, as15169 google, as15293, as16276, as16342 toya, as16509, as17667, as19527 google, as198921, as19905, as202425 ip, as20940, as21342, as22612, as29686 probe, as3215 orange, as36352, as37153, as3842 inmotion, as397240, as40676 psychz, as4230 claro, as44273 host, as46606, as49505, as50599, as53667, as54113, as5617 orange, as63949 linode, as706, as8075, ascii text, asn as16342, asnone, asnone united, a td, attack, august, autoit, autoit windows, automation tool, autorun, av detections, azorult, backdoor, bank, beijing, billing country, binary, blacklist, blind install, body, body doctype, body html, body length, browsing, campaign, canada unknown, certificate, checkin, china telecom, cisco umbrella, ck id, click, cloudflare, cloudflarenet, cname, co20230203, cobalt strike, code, communicating, communication, components, computing, contacted, contact email, contact phone, contained, content, content length, content type, copy, country, crack, crack serial, create c, create new, creation date, cryptexportkey, csc corporate, cve cve20020013, cve overview, cyber threat, dark, data, data collection, data redacted, date, date app, date hash, defense evasion, delete c, detection list, detections type, digitaloceanasn, discord bots, discovery, dlls defense, dll sideloading, dlls privilege, dns replication, dns resolutions, dnssec, dock, dod, domain, domain name, domains, domainsite, domain status, dostpne jzyki, download, download full, dropbox, dynadot llc, dynamic, dynamicloader, email, emails, emotet, encrypt, engineering, enterprise, entity, entries, error, evasion, executable, execution, expiration, expiration date, exploit, exploits, explorer, ezcrack all, facebook, fake date, ff6633, file, filehash, filehashmd5, filehashsha1, filehashsha256, files, file samples, files copied, file score, files domain, files dropped, files ip, files location, files matching, files related, final url, first, fjlsedauv, flag united, flow t1574, forbidden, formbook cnc, for privacy, framing, france unknown, fraud risk, free, fuck, fuck team, full name, generic windos, germany, germany unknown, get autoit, gmt content, gmt contenttype, gmt server, goldfinder, google, google domain, google safe, gootloader, government, graph community, group, grum, hacktool, hash, hashes, head body, header intel, headers, head title, health law, hidden privacy, high, high defense, hilgraeve, historical, historical ssl, hitmen, hostile, hostname, hostnames, html public, http request, http response, hybrid, ibm, identifier, identity theft, ids detections, ietfdtd html, incorporated, info, info compiler, infrastructure, installs, intel, internalname, internet mobile, invalid url, iocs, ip address, ip summary, ip traffic, ipv4, issuer, javascript, jekyll, june, just, kb body, key algorithm, key identifier, keys license, killers, kingdom unknown, language, latest, legalcopyright, level3, limited, lineargradient, local, location poland, luna moth, mail spammer, malicious, malicious ids, malicious site, maltiverse, malvertising, malware, malware beacon, malware trojan, march, mask, media t1091, medium, memcommit, menu files, meta, meta http, metro, million, mitre att, modify existing, module load, modyfikuj stref, moved, ms windows, mtb dec, mtb feb, mtb jan, mtb mar, name, name md5, name servers, namesilo, next, no expiration, ns nxdomain, number, nxdomain, october, office open, open, orbiters, os2 executable, otx scoreblue, oval oval, overview ip, parent referrer, parking crew, passive dns, path, pattern match, pcap, pdf community, pdf report, pe32 executable, pe resource, persistence, phishing, please, png image, poland unknown, posix tar, pragma, process32nextw, products id, protos, providers, provides, pty ltd, pulse pulses, pulse submit, pulse use, push, quasi, query, rask, read, read c, record type, record value, redacted for, referrer, refresh, regdword, registrant fax, registrant name, registrar, registrar abuse, registrar iana, registrar url, registry, registry domain, regsetvalueexa, related, related nids, related pulses, remote attack, replication, resolutions, reverse dns, rgba, runescape, russia unknown, rwi dtools, sabey, safe site, sameorigin, sample, samplepath, samples, scaleway, scammer, scan endpoints, script, script domains, script urls, search, server, servers, service, sha256, shadow, shellexecuteexw, show, showing, show technique, siblings, sibot, singapore asn, site, site kit, skynet, social engineering, software, softwares, south africa, spammer, spawns, ssl certificate, stalkers, state server, status, status code, stop, stream, strings, subdomains, subject key, submitters, summary, summary iocs, suppobox, support, susp, suspicious, switch dns, system46606, t1031, t1055, t1055 spawns, t1129, table, targeted, td td, td tr, team, team phishing, teenfuckers.com, teen porn, telefonica co, text, threat network, threat roundup, time, time stamping, title, title head, tls sni, tofsee, total, traffic, trojan, trojandropper, trojan features, trojanspy, tr table, tr tr, ttl value, tucows, twitter, type, type texthtml, ualberta tld, udp a83f8110, unclejohn, unified layer, united, united kingdom, unknown, updated date, url analysis, url https, urls, urls http, urls latest, url summary, us autonomous, user, useragent, utc submissions, utwrz stref, v3 serial, vary, vercel x, verdict, verified, version crack, virgin islands, virtool, virustotal, vt graph, vulnerabilities, whitelisted, whois, whois lookup, whois record, whois whois, win16 ne, win32, win32botgor, win32mofksys, win32qqpass, win32salgorea, win32tofsee, win32trickler, win32vb, window, windows, winhttp authip, wordpress site, worm, worm worm, write, write c, writeconsolea, writeconsolew, written c, x00x00, x509v3 key, x force, xml spreadsheet, yara detections, yara rule, zbot, zeppelin20

  • View other sources: Spamhaus VirusTotal

  • Country:
  • Network:
  • Noticed: 9 times
  • Protocols Attacked: Anonymous Proxy
  • Countries Attacked: United States of America
  • Passive DNS Results: acphospitalist.acponline.org rmed.acponline.org powellbrokerage.com qa-fi-aau-fbmvp-24354-anoncollectionspen.az.ssdgws.co.uk digitalnomadstart.de mobile-keybank.identity.security auslots.com shopcart.ca.identity.security portal.identity.security sentry.fryday.ai bo.ripleypuntos.com.pe casino-manager.int.rolljar.plus www.camelai.com es.topmelhores.com thewoodstockarmsdidsbury.co.uk theelijenkinscardiff.co.uk webauthn.identity.security imperialfordcapetown.co.za www.sophiawealthllc.com knaufinsulation.co.kr unleash.identity.security camelai.com wt.test-sre-aws-override-shep2.auth0c.com test-sre-aws-override-shep2.auth0c.com edge.tenants.test-sre-aws-override-shep2.auth0c.com signin.identity.security signin.identity.security.cdn.cloudflare.net tfdev.securethethings.xyz www.colquittga.gov sch-sf81dxctadmf9k7dprep-slot.paastest.epimore.com sch-sf81dxctadmf9k7dprep.paastest.epimore.com sch-sf81dxctadmf9k7dprod-slot.paastest.epimore.com corum-epargne.com phmacao.mom klavenesscombinationcarriers.no www.advokatkurset.no advokatkurset.no www.teledyneoptech.com ripleypuntos.com.pe hinesmillwork.com cdn.epicstream.com www.sumedico.com equitalyon.com.cdn.cloudflare.net www.equitalyon.com.cdn.cloudflare.net formation.lourugby.fr www.plutonesunplaneta.org ivancaatest.plutonesunplaneta.org wamcfdev.plutonesunplaneta.org wamcfqa.plutonesunplaneta.org eagleinvest.firstrepublic.com www.eagleinvest.firstrepublic.com sumedico.com ccbm.bkqx-dev.cc-bm.net admbroker.fxddtrading.com secure.fxddtrading.com custportal.fxddtrading.com adm.fxddtrading.com fxlive.fxddtrading.com livereg.fxddtrading.com tradefair.com www.tradefair.com qa-nl-vpa-fbmvp-13056-add-sce-wiremocks.az.ssdgws.co.uk www.equitalyon.com qa-ca-osd-apd-472-hashrangeupdate8.az.ssdgws.co.uk www.hellofresh.ie.cdn.cloudflare.net uplinq.qualcomm.com qa-ca-fa2-caecom-5657-enable-dk-componen.az.ssdgws.co.uk lotoland.mx qa-dk-ifn-fbmvp-12918-nl-redirect-change.az.ssdgws.co.uk discountid.com origin-dev-fod-cf.faa.gov plutonesunplaneta.org getomegawifi-handyventures.com video-beta.tacxtraining.com drgerrysotomayor.com dxctngnadxcr7ls4prod.paastest.nl static.hellofresh.ie www.hellofresh.ie track.hellofresh.ie bob.hellofresh.ie epicstream.com www.ich-bin-drin.com splunk.jobcase.com ich-bin-drin.com tap.stage.wppgrouph.net tos.stage.wppgrouph.net icms.stage.wppgrouph.net www.jobcase.com www.newealthmanagement.com jde.wppgrouph.net dashboard.wppgrouph.net cvn.jobcase.com russian-origin.people.com.cn.cdn.cloudflare.net cookbook.fivem.net dashboard.stage.wppgrouph.net sentry.fivem.net www.topmelhores.com russian.people.com.cn wah.valleystrong.com www.hypedc.com www.hypedc.com.cdn.cloudflare.net staging.jobcase.com keymaster.fivem.net stagingwidgets.getwisely.com www.seabreezeresortfl.com webforms-dev.acponline.org servicesng-green.ideal.dbs.com dfkdfsie.zljsjld.com webforms.acponline.org webforms-test.acponline.org servers-frontend.fivem.net prod.bainandcompany.fi bondibet1.com git.fivem.net dxctngnadxcxi01yprod.paastest.nl ladd-cf.faa.gov www.bainandcompany.fi changelogs-live.fivem.net idms.fivem.net www.stottecompagniet.dk adastraperaspera.cf topmelhores.com docs.fivem.net lambda.fivem.net fivem.net servers-live.fivem.net mirrors.fivem.net runtime.fivem.net servers.fivem.net www.jobcase.com.cdn.cloudflare.net www.bondibet1.com azucardominomex.com www.bainandcompany.fi.cdn.cloudflare.net i360api.com www.newealthmanagement.com.cdn.cloudflare.net www.retailmenot.com sage-music.com ffxiv.zam.com.cdn.cloudflare.net www.stottecompagniet.dk.cdn.cloudflare.net prod.bainandcompany.fi.cdn.cloudflare.net zhuobangzhu.com www.4w8e.com 8ypr.com www.mtn6.com mtn6.com www.8ypr.com 6hnh.com www.6hnh.com www.x0vp.com www.g0el.com 4w8e.com x0vp.com

Malware Detected on Host

Count: 4

  • 2f186bf3e2ebea6c0af75c5fb6a22eb110ff55efc9c475bc6a6352db88261de0
  • 8f83f77cd8fcc49ef79d1ae431540bd6531ff3bf7a6ccb506ddc996106b26c46
  • 77175316b6c1ae8faaef9df2caa2ddccb6c4c6f975277d8f107a4f10834d4b24
  • 608f4c3174077a84e643298949ee74dbf362aec2516432fdda368e9bad341a62

Open Ports Detected

2052 2053 2082 2083 2086 2087 2095 443 80 8080 8443 8880

Whois Information

Links to attack logs

  • anonymous-proxy-ip-list-2025-06-23
  • anonymous-proxy-ip-list-2025-06-22