104.21.78.215 Threat Intelligence and Host Information
General
This page contains threat intelligence for the IPv4 address 104.21.78.215. It was generated either as a result of observed malicious activity or as an information-gathering exercise to assist with enrichment of security events and context. All information is gathered passively, through aggregation of public sources or through observation of activity on honeynets. The host score is calculated through a series of statistically weighted values and machine learning that takes into account metadata such as host information; the frequency, volume and global distribution of malicious activity; association with other known malicious hosts or networks; proxying or anonymising behaviour such as Tor exit nodes, residential proxies or VPN services; and many other attributes. These values are historical and indicative only, and should not be taken as an accurate representation of the users, businesses or networks in which the address resides.
Likely Malicious Host 🟠 60/100
Host and Network Information
MITRE ATT&CK IDs: T1003 - OS Credential Dumping, T1027 - Obfuscated Files or Information, T1031 - Modify Existing Service, T1045 - Software Packing, T1053 - Scheduled Task/Job, T1055 - Process Injection, T1057 - Process Discovery, T1059.002 - AppleScript, T1059.007 - JavaScript, T1059 - Command and Scripting Interpreter, T1060 - Registry Run Keys / Startup Folder, T1068 - Exploitation for Privilege Escalation, T1071.001 - Web Protocols, T1071.004 - DNS, T1071 - Application Layer Protocol, T1082 - System Information Discovery, T1105 - Ingress Tool Transfer, T1112 - Modify Registry, T1119 - Automated Collection, T1129 - Shared Modules, T1143 - Hidden Window, T1176 - Browser Extensions, T1210 - Exploitation of Remote Services, T1410 - Network Traffic Capture or Redirection, T1429 - Capture Audio, T1449 - Exploit SS7 to Redirect Phone Calls/SMS, T1480 - Execution Guardrails, T1496 - Resource Hijacking, T1497 - Virtualization/Sandbox Evasion, T1566 - Phishing, T1568 - Dynamic Resolution, T1598 - Phishing for Information, TA0003 - Persistence, TA0004 - Privilege Escalation, TA0005 - Defense Evasion, TA0006 - Credential Access, TA0011 - Command and Control. Note that this list mixes Enterprise and Mobile matrix entries and includes legacy IDs that MITRE has since deprecated (T1031, T1045, T1060 and T1143 now map to T1543.003, T1027.002, T1547.001 and T1564.003 respectively), which indicates aggregation from sandbox reports and pulses of differing ages rather than a single current attribution.
Tags: aacr, abuse, acint, address, address domain, address first, address range, adload, admin name, adware, agent, agent tesla, agenttesla, ag organization, alert, alerts, alexa, alexa top, all ipv4, allocation type, amazon aws, america flag, analysis, analysis date, android, andromeda, anonymisation services, Anonymizer, api, api call, apk, apple, apple private, april, arkei stealer, artemis, as16509, ascii text, astaroth, attack, august, authentihash, av detections, ave maria, azorult, back, bad traffic, bambernek, bandoo, bank, banker, b body, betabot, binary file, blacklist, blacklist http, blackshades, body, body length, Botnet Command and Control, bradesco, brashears music, brashears song, brontok, browser malware, changelog, children, cidr, cisco umbrella, citadel, city bonn, ck id, ck matrix, ck techniques, class, cleaner, click, cloud xcitium, cnc beacon, cndigicert sha2, cobalt strike, Cobalt Strike, codeoverlap, command, comment, comments, communicating, compiler, conduit, contacted, contacted hosts, contentlength, content reputation, content type, contenttype, control, cool, copy, copy md5, copy sha1, copy sha256, core, country, country de, covid19, covid19 scam, cowboy server, creation date, critical, critical risk, crypt, culture, cura adma, cutwail, cyber security, cyberstalking, cyber threat, dark power, darpapox, data, data collection, date, date checked, date hash, dead, default, defender, delete, deletes_executed_files, delivery status, delphi, details \iexplore.exe\ trying to touch file %WINDIR%\System32\v, detect, detection list, detections type, detplock, deva psaa, direct, dns, dnspionage, dns poisoning, dns replication, DNS Requests, dnssec, dock, domain, domain add, domain name, domain related, domains, domains show, domaiq, download, downloader, dpt, driver pro, dropped, dropped files, dropper, drops, dynamicloader, e ep, email, email delivery, email fwd, emails, emotet, encrypt, engineering, entity bns34, entries, error, et, et tor, 
evasion att, evasion ta0005, evasive, execution, exit, expiration date, exploit, facebook, fakealert, falcon sandbox, fareit, february, file, file access, filename, file query, files, file score, files ip, file size, files marked clean, filetour, file type, final url, financial, flag, floxif, footer, form, formbook, found cache, friendly, function, fusioncore, gamarue, gc, gc abuse, geckohost, general, generator, generic, generic malware, getpost, get search, gif image, gmt0600, gmt content, gmt p3p, goldfinder, googl2, google, google llc, google safe, Google search, google update, hacking, hacktool, handle, hash apr, header, heur, hidden privacy, hidden users, hifi, high, high st, historical ssl, history first, hosting, hostname add, hosts process, hotmail, http, http host, httponly, http response, https webserver, hybrid, icmp, icmp traffic, ids detections, \iexplore.exe\ trying to touch file, iframe, indexed, infinity, informative, infostealer, injection, installcore, installer, installpack, intel, ios, ip address, ip addresses, ip check, iphone, ip summary, ipv4, ipv4 add, ip whois, jakuz, january, javascript, jeffrey, jeffrey reimer dpt, jfif, jpeg image, july, Jumpseller phishing, june, kawaii unicorn, kb body, kb file, kedence, keybase, keygen, keylogger, keyloggers, kgs0, kiannas law, kls0, known tor, kovter, kryptik, langchinese, launcher, layer, learn, legal, lehash, local, localappdata, location united, lockbit, log4, login, logon, look, lowfi, lseattle, lumma stealer, magic pe32, main, malicious, malicious host, malicious server, malicious site, malicious url, maltiverse, malvertizing, malware, malware site, ma ma, march, matsnu, mcfunction, md5 code, media center, medium, medium risk, meta, metro, million, mimikatz, miner, misc attack, mitre, mitre att, monitoring, moved, msie, msil, ms windows, music, name, name domain, name legal, name servers, name tactics, name verdict, nanocore, net34, net340000, nethandle, netrange, network, network name, network 
related, networm, next, next associated, next related, nexus, nights, nircmd, node traffic, noi nid, noname057, none related, notification, NSIS, ntp open resolver, null, nymaim, occamy, october, odigicert inc, opencandy, openurl c, optimizer pro, org deutsche, orgid, org principal, os, os2 executable, outbreak, passive dns, password, patcher, path, pattern match, paypal phishing, pe32, pe resource, persistence, pe section, phishing, phishing: Amazon.com, phishing huntington bank, Phishing - Mr.Looquer, phishing site, phpsessid, pixelrz, png image, poisoning, pony, porn, powershell, pragma, prefetch2 name, prefetch8, presenoker, present apr, present aug, present dec, present feb, present jan, present jun, present mar, present may, present nov, present oct, process32nextw, process details, program, programfiles, project, psda our, psexec, pua, pulse pulses, pulses none, pur com, pyinstaller, pykspa, python, query, query type, radamant, ransom, ransomware, rat, read, reads, record value, redirect, redline stealer, referral url, referrer, refresh, registrar, reimer, related, relayrouter, relic, remcos, resolutions, response final, restart, results apr, results aug, results dec, results feb, results jan, results jun, results mar, results may, revil, riskware, runescape, runtime process, safe site, sama bus, samples, sandbox, scanning_host, scanning ip’s, search, search host, secrisk, sections, secure, secure server, seen asn, seen last, september, server, server response, servers, service, services, serving ip, setup sha256, sha1, sha256, show, showing, show technique, sibot, simda, site, size, skynet, slcc2, social engineering, sodinokibi, song culture, sophos sophos, spam, span, spawns, ssdeep, ssl certificate, startpage, status, status code, status hostname, stcalifornia, stealer, steam, strike, strings, stwashington, subdomains, submission, summary, suppobox, suricata, suspicious, t1003, t1071, t1105, ta0002 defense, ta0009, target, tbmisch, team, team phishing, 
telekom ag, temp, tethering, text, text ip, threat report, threat roundup, Threats200220200050, threats https, tinba, tlsv1, t-mobile, tmobile, tofsee, tools, total, track, trellian, trid windows, trojan, trojandropper, trojanx, tsara brashears, tsara lynn, type, type data, type name, ub euj, ub uj, ue codeoverlap, unauthorized scanning of hosts, unicode text, united, unknown, unruy, unsafe, update, updated date, updater, url hostname, url https, urls, urls show, url summary, utc http, value address, vawtrak, verdict cloud, verify, vhash, virustotal, virut, VM, vmware, wacatac, wa status, whois, whois field, whois lookup, whois record, whois server, whois show, whois siblings, whois whois, wife happy, win32, win32 exe, win32spigot may, win64, windir, %WINDIR%\System32\vm3dum_loader.dll\ source API Call, windows nt, winver, wow64, write, write c, xcitium verdict, xtrat, Yandex, yara detections, yara rule, youth, zbot, zeus, zipcode, zpevdo
View other sources: Spamhaus, VirusTotal
- Country:
- Network:
- Noticed: 22 times
- Protocols Attacked: SSH
- Countries Attacked: United States of America
Malware Detected on Host
Count: 17 (10 SHA-256 hashes listed)
- 49d07cd15f6c8637e1b0f78733f271c275bcce1bbeea50f05f59c19c6028b038
- d6b183e419ac85bf1968a4dc6a589de6e5df7b3c79ad0980c05b0fbe55ef8063
- 981af6b2a755e5dea2491fc7d16fa3b7144f60708b9b3eb87eaa855cc8fb6d22
- 7df2eedc9a0e843e78e5810f1f2f7c399dc640e23245e5327f68f5e3a08377ca
- 6cb56e6c6ef06a3b8759327aa2f8e6cbccf159397a05e209c6cc660a80eadbec
- b8ae5b172f060aa4e9e31024a6fe04f066c6b16aae2e68be5f34e34eea8281f4
- 6ecc24bef3dac94a8cdaa92833d613ee6625d12defbe0b04f6170a2a3069a906
- 4674efde9933e56fe109410cc7f8c2a4c05089f765908deca4d17174f7307526
- 5d06bd002132f40e0c00c87b5ee80a8a48b97870ad97b735519546db5ad1bdbc
- 9406173442691d488b3c8e5cadf78ad3de279e369fe4f68d486645867c8f3401
Open Ports Detected
80, 443, 2052, 2053, 2082, 2083, 2086, 2087, 2095, 2096, 8080, 8443, 8880
This is exactly the set of ports on which Cloudflare's reverse proxy accepts traffic for proxied zones: HTTP on 80, 8080, 8880, 2052, 2082, 2086 and 2095, and HTTPS on 443, 2053, 2083, 2087, 2096 and 8443. The open ports therefore describe the shared Cloudflare edge, not any single origin server, and a block on this address would affect every unrelated site served from it; hostname- or SNI-based controls are the appropriate level of action.
Whois Information
- NetRange: 104.16.0.0 - 104.31.255.255
- CIDR: 104.16.0.0/12
- NetName: CLOUDFLARENET
- NetHandle: NET-104-16-0-0-1
- Parent: NET104 (NET-104-0-0-0-0)
- NetType: Direct Allocation
- OriginAS:
- Organization: Cloudflare, Inc. (CLOUD14)
- RegDate: 2014-03-28
- Updated: 2024-09-04
- Comment: All Cloudflare abuse reporting can be done via https://www.cloudflare.com/abuse
- Comment: Geofeed: https://api.cloudflare.com/local-ip-ranges.csv
- Ref: https://rdap.arin.net/registry/ip/104.16.0.0
- OrgName: Cloudflare, Inc.
- OrgId: CLOUD14
- Address: 101 Townsend Street
- City: San Francisco
- StateProv: CA
- PostalCode: 94107
- Country: US
- RegDate: 2010-07-09
- Updated: 2024-11-25
- Ref: https://rdap.arin.net/registry/entity/CLOUD14
- OrgAbuseHandle: ABUSE2916-ARIN
- OrgAbuseName: Abuse
- OrgAbusePhone: +1-650-319-8930
- OrgAbuseEmail: abuse@cloudflare.com
- OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE2916-ARIN
- OrgNOCHandle: CLOUD146-ARIN
- OrgNOCName: Cloudflare-NOC
- OrgNOCPhone: +1-650-319-8930
- OrgNOCEmail: noc@cloudflare.com
- OrgNOCRef: https://rdap.arin.net/registry/entity/CLOUD146-ARIN
- OrgRoutingHandle: CLOUD146-ARIN
- OrgRoutingName: Cloudflare-NOC
- OrgRoutingPhone: +1-650-319-8930
- OrgRoutingEmail: noc@cloudflare.com
- OrgRoutingRef: https://rdap.arin.net/registry/entity/CLOUD146-ARIN
- OrgTechHandle: ADMIN2521-ARIN
- OrgTechName: Admin
- OrgTechPhone: +1-650-319-8930
- OrgTechEmail: rir@cloudflare.com
- OrgTechRef: https://rdap.arin.net/registry/entity/ADMIN2521-ARIN
- RAbuseHandle: ABUSE2916-ARIN
- RAbuseName: Abuse
- RAbusePhone: +1-650-319-8930
- RAbuseEmail: abuse@cloudflare.com
- RAbuseRef: https://rdap.arin.net/registry/entity/ABUSE2916-ARIN
- RNOCHandle: NOC11962-ARIN
- RNOCName: NOC
- RNOCPhone: +1-650-319-8930
- RNOCEmail: noc@cloudflare.com
- RNOCRef: https://rdap.arin.net/registry/entity/NOC11962-ARIN
- RTechHandle: ADMIN2521-ARIN
- RTechName: Admin
- RTechPhone: +1-650-319-8930
- RTechEmail: rir@cloudflare.com
- RTechRef: https://rdap.arin.net/registry/entity/ADMIN2521-ARIN
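A small enrichment helper, added here as an example and not part of this page or of the feed that produced it. It parses the whois block, the open-port list and the malware-count line shown above (embedded below as constructed sample data), checks whether the address falls inside the registered range, and tests whether the open ports are exactly Cloudflare's published proxy port set, so an analyst can distinguish a shared CDN edge from a dedicated host before acting on the score. The function names and recommendation strings are my own; the port sets are Cloudflare's documented proxied ports and should be re-verified against Cloudflare's documentation before being relied on in policy.

```python
import ipaddress
import re

# Cloudflare's documented proxied ports (assumption: re-verify against the
# vendor's current documentation before using this in a blocking decision).
CLOUDFLARE_HTTP_PORTS = {80, 8080, 8880, 2052, 2082, 2086, 2095}
CLOUDFLARE_HTTPS_PORTS = {443, 2053, 2083, 2087, 2096, 8443}

# Constructed sample input, copied from the values shown on this page.
SAMPLE_WHOIS = """\
NetRange: 104.16.0.0 - 104.31.255.255
CIDR: 104.16.0.0/12
NetName: CLOUDFLARENET
OrgName: Cloudflare, Inc.
OrgAbuseEmail: abuse@cloudflare.com
RAbuseEmail: abuse@cloudflare.com
"""
SAMPLE_PORTS = "2052 2053 2082 2083 2086 2087 2095 2096 443 80 8080 8443 8880"
# Constructed: the page's count line with only the first three hashes kept.
SAMPLE_MALWARE_LINE = (
    "Count: 17 "
    "49d07cd15f6c8637e1b0f78733f271c275bcce1bbeea50f05f59c19c6028b038 "
    "d6b183e419ac85bf1968a4dc6a589de6e5df7b3c79ad0980c05b0fbe55ef8063 "
    "981af6b2a755e5dea2491fc7d16fa3b7144f60708b9b3eb87eaa855cc8fb6d22"
)

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def parse_whois(text):
    """Parse 'Key: value' lines into a dict; a repeated key keeps its first value."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields.setdefault(key.strip(), value.strip())
    return fields


def ip_in_whois_range(ip, whois):
    """True if ip lies in the CIDR field, falling back to the NetRange bounds."""
    addr = ipaddress.ip_address(ip)
    if "CIDR" in whois:
        nets = [ipaddress.ip_network(c.strip(), strict=False)
                for c in whois["CIDR"].split(",")]
        return any(addr in net for net in nets)
    low, high = (ipaddress.ip_address(x.strip())
                 for x in whois["NetRange"].split("-"))
    return low <= addr <= high


def classify_ports(port_text):
    """Split observed ports into Cloudflare HTTP, Cloudflare HTTPS and anything else."""
    ports = sorted({int(p) for p in port_text.split()})
    known = CLOUDFLARE_HTTP_PORTS | CLOUDFLARE_HTTPS_PORTS
    return {
        "http": [p for p in ports if p in CLOUDFLARE_HTTP_PORTS],
        "https": [p for p in ports if p in CLOUDFLARE_HTTPS_PORTS],
        "other": [p for p in ports if p not in known],
        # Only the proxy ports are open: consistent with a shared CDN edge.
        "cloudflare_proxy_only": all(p in known for p in ports),
    }


def parse_malware_line(line):
    """Read the declared count and the SHA-256 hashes actually listed."""
    m = re.match(r"\s*Count:\s*(\d+)", line)
    declared = int(m.group(1)) if m else 0
    hashes = SHA256_RE.findall(line.lower())
    return {"declared": declared, "listed": len(hashes), "hashes": hashes,
            "complete": declared == len(hashes)}


def assess(ip, whois_text, port_text):
    """Combine the checks into a verdict an analyst can act on."""
    whois = parse_whois(whois_text)
    in_range = ip_in_whois_range(ip, whois)
    ports = classify_ports(port_text)
    shared_edge = (in_range and whois.get("NetName") == "CLOUDFLARENET"
                   and ports["cloudflare_proxy_only"])
    abuse = whois.get("OrgAbuseEmail") or whois.get("RAbuseEmail", "registry abuse contact")
    if shared_edge:
        action = "shared CDN edge: act on hostname/SNI, not IP; report to " + abuse
    else:
        action = "dedicated or unknown host: IP-level action may be appropriate"
    return {"ip": ip, "netname": whois.get("NetName"), "in_range": in_range,
            "ports": ports, "shared_edge": shared_edge, "recommendation": action}


if __name__ == "__main__":
    print(assess("104.21.78.215", SAMPLE_WHOIS, SAMPLE_PORTS))
    print(parse_malware_line(SAMPLE_MALWARE_LINE))
```

Run as a script it prints the verdict for the address on this page; feeding it a port list containing, say, 22 or 3389 makes `cloudflare_proxy_only` false and flips the recommendation, which is the signal that the address is not behaving like a plain CDN edge. The malware-line parser also surfaces the mismatch between a declared count and the hashes actually listed, so a pipeline does not silently assume it has the full sample set.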