104.244.76.170 Threat Intelligence and Host Information

Share on:

Jan 11, 2024 ipinfopage

General

This page contains threat intelligence information for the IPv4 address 104.244.76.170 and was generated either as a result of observed malicious activity or as an information gathering exercise to assist with enrichment of security events and context. All information is gathered passively through aggregation of public sources, or observations through activity upon honeynets. The host score is calculated through a series of statistically weighted values and machine learning which takes into account metadata such as host information, frequency, volume and global distribution of malicious activity, association with other known malicious hosts or networks, proxying or anonymising behaviour such as with tor exit nodes, residential proxies or VPN services, and many other attributes. These values are historical and indicative only - and should not be taken to be an accurate representation of the users, businesses or networks in which they reside.

Known Malicious Host 🔴 90/100

Host and Network Information

Mitre ATT&CK IDs: T1027 - Obfuscated Files or Information, T1056.001 - Keylogging, T1059.007 - JavaScript, T1059 - Command and Scripting Interpreter, T1068 - Exploitation for Privilege Escalation, T1071.001 - Web Protocols, T1071.004 - DNS, T1071 - Application Layer Protocol, T1100 - Web Shell, T1105 - Ingress Tool Transfer, T1110 - Brute Force, T1114 - Email Collection, T1176 - Browser Extensions, T1491 - Defacement, T1497 - Virtualization/Sandbox Evasion, T1560 - Archive Collected Data, T1566 - Phishing, T1571 - Non-Standard Port, T1573.002 - Asymmetric Cryptography, T1573 - Encrypted Channel, TA0011 - Command and Control
Tags: acint, agent, agent tesla, agenttesla, alexa, alexa top, all octoseek, all search, anlise, anonymizers, appdata, apple, apple ios, artemis, as141773, as15169 google, as17506 arteria, as17806 mango, as19969, as32244 liquid, as49505, as61317, as62744, as63932, ascii text, asnone united, asyncrat, attack, authority, azorult, backdoor, bank, banker, bazaloader, bazarloader, beginstring, bitminer, blacklist, blacklist http, blacklist https, bladabindi, blockchain, body, botnet, bradesco, brian sabey, Bruteforce, Brute-Force, catalog file, cisco umbrella, ck id, class, cleaner, click, cobalt strike, collection, communicating, conduit, contacted, contacted urls, core, covid19, crack, critical, cry kill, cve201711882, cyber security, cyberstalking, cyber threat, cymulate2, dangeroussig, dapato, date, detection list, detplock, dllinject, domain, done adding, downldr, download, downloader, driverpack, dropped, dropper, dumping, emotet, encpk, encrypt, engineering, entries, error, et tor, exit, expired, facebook, fakeinstaller, falcon, fali contacted, fali malicious, file, files, filetour, formbook, fusioncore, general, generator, generic, generic malware, gmt content, gmt contenttype, hacking, hacktool, hallrender.com, heur, hostname, http, hybrid, iframe, immediate, indicator, installcore, installer, installpack, internet storm, iobit, ioc, ip address, ip summary, ipv4, japan unknown, keep alive, keylogger, known tor, kraddare, kyriazhs1975, loadmoney, local, lockbit, login, look, malicious, malicious site, maltiverse, malvertizing, malware, malware norad, malware site, mark sabey, media, mediaget, meta, meterpreter, million, miner, mirai, misc attack, mitre att, monitoring, moved, msil, name verdict, nanocore, nanocore rat, netwire rc, networm, next, Nextray, njrat, node traffic, noname057, null, open, otx octoseek, outbreak, passive dns, pattern match, paypal, phish, phishing, phishing site, phishtank, png image, pony, port 80, predator, presenoker, probing, proxy avoidance, pulse as16509, pulse pulses, qakbot, qbot, quasar, raccoon, ransom, ransomexx, ransomware, redline, redline stealer, referrer, refresh, related nids, relayrouter, remcos, response, restart, riskware, root ca, rostpay, runescape, russia unknown, safe site, sample, samples, scan endpoints, scanner, scanning, script, search, service, silk road, site, smokeloader, softonic, span, spyrixkeylogger, spyware, SSH, ssl certificate, stealer, strings, summary, suppobox, swrort, systweak, tag count, tcp/80, team, Telnet, threat, threat report, tools, tor, trojan, trojanspy, tsara brashears, Tsara brashears, twitter, type, union, united, unknown, unsafe, url http, urls, url summary, verify, vidar, wacatac, webscan, webscanner bruteforce web app attack, whois record, whois whois, win32, win64, windows nt, xcnfe
Known tor exit node
View other sources: Spamhaus VirusTotal
Contained within other IP sets: blocklist_net_ua, botscout_30d, botscout_7d, dm_tor, et_tor, haley_ssh, sblam, stopforumspam_180d, stopforumspam_1d, stopforumspam_30d, stopforumspam_365d, stopforumspam_7d, stopforumspam_90d, stopforumspam, tor_exits_1d, tor_exits_30d, tor_exits_7d, tor_exits
Known TOR node
Country: Luxembourg
Network: AS53667 frantech solutions
Noticed: 50 times
Protcols Attacked: ssh
Countries Attacked: Bangladesh, Canada, Czechia, Denmark, Estonia, France, Germany, Latvia, Lithuania, Malaysia, Norway, Poland, Romania, Turkey, Ukraine, United Kingdom of Great Britain and Northern Ireland, United States of America
Passive DNS Results: doolaege.synology.me

Malware Detected on Host

Count: 11 7282e2fdb25b07554b082f5cf1697315ed5ce3005f985cbe96a34da965869db5 a896be5e1f5b7d498d6556c9d64fe6407b70360e36dd3f47ee46da9367748ff6 f046b65739764aa74d38bfaf666094d45ad087b3bc6430c5a19c599b1735a54e 949c6737d24f301ca7ea79dfd0936614bb3158ca66be70a842e7e0a7510d8616 25837be752586ccedb7da8ab32d563a7baa799d91ca69067f0b8acc14dfc0923 eb5d9b1d6c60b8aec27b43fb1878d607242c2798fadb2c114bd343bc626b2cca 7ddef1c1c6c94febf3565291d7f4604f550144fd90a33b8c7445626ac29256d3 4c84095d79415b4eb846b08183204a3e8a6b1b551657d42d2476ca9345276622 08840136d804212e4d2d09ccf0bb4414a9c31707880630279ee989ebef2e76df 4322f5477f23e04b4474091e6406c0aac5627e26d05fb5448e3fc5c28ff6dc14

Open Ports Detected

80 9002

Map

Whois Information

NetRange: 104.244.72.0 - 104.244.79.255
CIDR: 104.244.72.0/21
NetName: PONYNET-14
NetHandle: NET-104-244-72-0-1
Parent: NET104 (NET-104-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS53667
Organization: FranTech Solutions (SYNDI-5)
RegDate: 2014-11-10
Updated: 2014-11-10
Ref: https://rdap.arin.net/registry/ip/104.244.72.0
OrgName: FranTech Solutions
OrgId: SYNDI-5
Address: 1621 Central Ave
City: Cheyenne
StateProv: WY
PostalCode: 82001
Country: US
RegDate: 2010-07-21
Updated: 2017-01-28
Ref: https://rdap.arin.net/registry/entity/SYNDI-5
OrgAbuseHandle: FDI19-ARIN
OrgAbuseName: Dias, Francisco
OrgAbusePhone: +1-778-977-8246
OrgAbuseEmail: [email protected]
OrgAbuseRef: https://rdap.arin.net/registry/entity/FDI19-ARIN
OrgTechHandle: FDI19-ARIN
OrgTechName: Dias, Francisco
OrgTechPhone: +1-778-977-8246
OrgTechEmail: [email protected]
OrgTechRef: https://rdap.arin.net/registry/entity/FDI19-ARIN
NetRange: 104.244.72.0 - 104.244.79.255
CIDR: 104.244.72.0/21
NetName: BUYVM-LUXEMBOURG-01
NetHandle: NET-104-244-72-0-2
Parent: PONYNET-14 (NET-104-244-72-0-1)
NetType: Reallocated
OriginAS: AS53667
Organization: BuyVM (BUYVM)
RegDate: 2017-10-01
Updated: 2017-10-01
Ref: https://rdap.arin.net/registry/ip/104.244.72.0
OrgName: BuyVM
OrgId: BUYVM
Address: 3, op der Poukewiss
City: Roost
StateProv:
PostalCode: 7795
Country: LU
RegDate: 2017-10-01
Updated: 2017-10-01
Ref: https://rdap.arin.net/registry/entity/BUYVM
OrgTechHandle: FDI19-ARIN
OrgTechName: Dias, Francisco
OrgTechPhone: +1-778-977-8246
OrgTechEmail: [email protected]
OrgTechRef: https://rdap.arin.net/registry/entity/FDI19-ARIN
OrgAbuseHandle: FDI19-ARIN
OrgAbuseName: Dias, Francisco
OrgAbusePhone: +1-778-977-8246
OrgAbuseEmail: [email protected]
OrgAbuseRef: https://rdap.arin.net/registry/entity/FDI19-ARIN

Links to attack logs

** aws-ssh-bruteforce-ip-list-2021-06-23 vultrwarsaw-ssh-bruteforce-ip-list-2022-11-02 vultrparis-ssh-bruteforce-ip-list-2023-04-02 nmap-scanning-list-2022-08-05 vultrmadrid-ssh-bruteforce-ip-list-2022-12-30 ** **