104.21.32.1 Threat Intelligence and Host Information

ipinfopage

General

This page contains threat intelligence information for the IPv4 address 104.21.32.1 and was generated either as a result of observed malicious activity or as an information gathering exercise to assist with enrichment of security events and context. All information is gathered passively through aggregation of public sources, or observations through activity upon honeynets. The host score is calculated through a series of statistically weighted values and machine learning which takes into account metadata such as host information, frequency, volume and global distribution of malicious activity, association with other known malicious hosts or networks, proxying or anonymising behaviour such as with tor exit nodes, residential proxies or VPN services, and many other attributes. These values are historical and indicative only - and should not be taken to be an accurate representation of the users, businesses or networks in which they reside.

🟠 Elevated — 60/100

Host and Network Information

View other sources: Spamhaus VirusTotal Shodan AbuseIPDB
Noticed: 25 times
Protocols Attacked: Anonymous Proxy
Countries Attacked: Australia, Canada, China, Denmark, Finland, Germany, Ireland, Japan, Lithuania, Luxembourg, Norway, Poland, Romania, Spain, Sweden, Taiwan, Ukraine, United Arab Emirates, United States of America
Open Ports: 2082, 2083, 2086, 2087, 2095, 2096, 443, 80, 8080, 8443, 8880
Tor Node: No
Associated Malware Samples: 5834

MITRE ATT&CK TTPs

T1001 - Data Obfuscation
T1003.004 - LSA Secrets
T1003 - OS Credential Dumping
T1005 - Data from Local System
T1011 - Exfiltration Over Other Network Medium
T1012 - Query Registry
T1018 - Remote System Discovery
T1019 - System Firmware
T1021.001 - Remote Desktop Protocol
T1021.006 - Windows Remote Management
T1027 - Obfuscated Files or Information
T1036 - Masquerading
T1038 - DLL Search Order Hijacking
T1045 - Software Packing
T1047 - Windows Management Instrumentation
T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1053 - Scheduled Task/Job
T1055.001 - Dynamic-link Library Injection
T1055.003 - Thread Execution Hijacking
T1055 - Process Injection
T1057 - Process Discovery
T1059.001 - PowerShell
T1059.004 - Unix Shell
T1059.007 - JavaScript
T1060 - Registry Run Keys / Startup Folder
T1063 - Security Software Discovery
T1068 - Exploitation for Privilege Escalation
T1069.001 - Local Groups
T1071.004 - DNS
T1071 - Application Layer Protocol
T1076 - Remote Desktop Protocol
T1078.004 - Cloud Accounts
T1081 - Credentials in Files
T1082 - System Information Discovery
T1088 - Bypass User Account Control
T1090 - Proxy
T1094 - Custom Command and Control Protocol
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1114.002 - Remote Email Collection
T1114 - Email Collection
T1119 - Automated Collection
T1129 - Shared Modules
T1143 - Hidden Window
T1184 - SSH Hijacking
T1185 - Man in the Browser
T1192 - Spearphishing Link
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.001 - Malicious Link
T1210 - Exploitation of Remote Services
T1211 - Exploitation for Defense Evasion
T1218.001 - Compiled HTML File
T1404 - Exploit OS Vulnerability
T1449 - Exploit SS7 to Redirect Phone Calls/SMS
T1454 - Malicious SMS Message
T1476 - Deliver Malicious App via Other Means
T1480 - Execution Guardrails
T1489 - Service Stop
T1491 - Defacement
T1497 - Virtualization/Sandbox Evasion
T1530 - Data from Cloud Storage Object
T1553.004 - Install Root Certificate
T1553 - Subvert Trust Controls
T1557 - Man-in-the-Middle
T1560 - Archive Collected Data
T1562.004 - Disable or Modify System Firewall
T1562 - Impair Defenses
T1563.002 - RDP Hijacking
T1566.001 - Spearphishing Attachment
T1566 - Phishing
T1568.001 - Fast Flux DNS
T1568 - Dynamic Resolution
T1573 - Encrypted Channel
T1583 - Acquire Infrastructure
T1590.002 - DNS
T1590 - Gather Victim Network Information
T1596.001 - DNS/Passive DNS
T1596.004 - CDNs

Passive DNS

ecmo.ru

Attack Log References

Whois Information

NetRange: 104.16.0.0 - 104.31.255.255 CIDR: 104.16.0.0/12 NetName: CLOUDFLARENET NetHandle: NET-104-16-0-0-1 Parent: NET104 (NET-104-0-0-0-0) NetType: Direct Allocation OriginAS: Organization: Cloudflare, Inc. (CLOUD14) RegDate: 2014-03-28 Updated: 2024-09-04 Comment: All Cloudflare abuse reporting can be done via https://www.cloudflare.com/abuse Comment: Geofeed: https://api.cloudflare.com/local-ip-ranges.csv Ref: https://rdap.arin.net/registry/ip/104.16.0.0 OrgName: Cloudflare, Inc. OrgId: CLOUD14 Address: 101 Townsend Street City: San Francisco StateProv: CA PostalCode: 94107 Country: US RegDate: 2010-07-09 Updated: 2024-11-25 Ref: https://rdap.arin.net/registry/entity/CLOUD14 OrgNOCHandle: CLOUD146-ARIN OrgNOCName: Cloudflare-NOC OrgNOCPhone: +1-650-319-8930 OrgNOCEmail: noc@cloudflare.com OrgNOCRef: https://rdap.arin.net/registry/entity/CLOUD146-ARIN OrgRoutingHandle: CLOUD146-ARIN OrgRoutingName: Cloudflare-NOC OrgRoutingPhone: +1-650-319-8930 OrgRoutingEmail: noc@cloudflare.com OrgRoutingRef: https://rdap.arin.net/registry/entity/CLOUD146-ARIN OrgTechHandle: ADMIN2521-ARIN OrgTechName: Admin OrgTechPhone: +1-650-319-8930 OrgTechEmail: rir@cloudflare.com OrgTechRef: https://rdap.arin.net/registry/entity/ADMIN2521-ARIN OrgAbuseHandle: ABUSE2916-ARIN OrgAbuseName: Abuse OrgAbusePhone: +1-650-319-8930 OrgAbuseEmail: abuse@cloudflare.com OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE2916-ARIN RTechHandle: ADMIN2521-ARIN RTechName: Admin RTechPhone: +1-650-319-8930 RTechEmail: rir@cloudflare.com RTechRef: https://rdap.arin.net/registry/entity/ADMIN2521-ARIN RAbuseHandle: ABUSE2916-ARIN RAbuseName: Abuse RAbusePhone: +1-650-319-8930 RAbuseEmail: abuse@cloudflare.com RAbuseRef: https://rdap.arin.net/registry/entity/ABUSE2916-ARIN RNOCHandle: NOC11962-ARIN RNOCName: NOC RNOCPhone: +1-650-319-8930 RNOCEmail: noc@cloudflare.com RNOCRef: https://rdap.arin.net/registry/entity/NOC11962-ARIN