104.26.13.31 Threat Intelligence and Host Information

General

This page contains threat intelligence information for the IPv4 address 104.26.13.31 and was generated either as a result of observed malicious activity or as an information-gathering exercise to assist with the enrichment of security events and context. All information is gathered passively through aggregation of public sources or through observation of activity on honeynets. The host score is calculated through a series of statistically weighted values and machine learning that takes into account metadata such as host information; the frequency, volume and global distribution of malicious activity; association with other known malicious hosts or networks; proxying or anonymising behaviour such as Tor exit nodes, residential proxies or VPN services; and many other attributes. These values are historical and indicative only, and should not be taken as an accurate representation of the users, businesses or networks in which they reside.

Likely Malicious Host 🟠 60/100

Host and Network Information

  • Mitre ATT&CK IDs: T1003 - OS Credential Dumping, T1005 - Data from Local System, T1012 - Query Registry, T1023 - Shortcut Modification, T1027 - Obfuscated Files or Information, T1043 - Commonly Used Port, T1045 - Software Packing, T1053 - Scheduled Task/Job, T1055.012 - Process Hollowing, T1055 - Process Injection, T1056 - Input Capture, T1057 - Process Discovery, T1059.005 - Visual Basic, T1059.006 - Python, T1059.007 - JavaScript, T1060 - Registry Run Keys / Startup Folder, T1063 - Security Software Discovery, T1071.001 - Web Protocols, T1071.004 - DNS, T1071 - Application Layer Protocol, T1081 - Credentials in Files, T1082 - System Information Discovery, T1083 - File and Directory Discovery, T1089 - Disabling Security Tools, T1090 - Proxy, T1105 - Ingress Tool Transfer, T1110.002 - Password Cracking, T1110 - Brute Force, T1111 - Two-Factor Authentication Interception, T1112 - Modify Registry, T1114.002 - Remote Email Collection, T1114 - Email Collection, T1119 - Automated Collection, T1129 - Shared Modules, T1132.001 - Standard Encoding, T1140 - Deobfuscate/Decode Files or Information, T1158 - Hidden Files and Directories, T1179 - Hooking, T1204 - User Execution, T1210 - Exploitation of Remote Services, T1222.002 - Linux and Mac File and Directory Permissions Modification, T1449 - Exploit SS7 to Redirect Phone Calls/SMS, T1491 - Defacement, T1497.001 - System Checks, T1497 - Virtualization/Sandbox Evasion, T1547.001 - Registry Run Keys / Startup Folder, T1552.001 - Credentials In Files, T1555.003 - Credentials from Web Browsers, T1566 - Phishing, T1568 - Dynamic Resolution, T1574.008 - Path Interception by Search Order Hijacking, T1583.005 - Botnet, TA0002 - Execution, TA0003 - Persistence, TA0004 - Privilege Escalation, TA0005 - Defense Evasion, TA0007 - Discovery, TA0011 - Command and Control

  • Tags: aaaa, aaaa nxdomain, accept, accept encoding, adaptivebee, administrator, adobe air, a domains, agent tesla, alexa, alexa top, alf features, algorithm, all octoseek, all scoreblue, amadey, america asn, analyzer paste, android, android windows, anonymization, anonymizer, antigua, apple, apple ios, apple phone, application/binary, april, arbor networks, artemis, as12876 online, as15169 google, as16276, as23393, as3214 xtom, as3842 inmotion, as40676 psychz, as44273 host, as47846, as50069 misaka, as53667, as55293 a2, as8068, ascii text, asn as13335, asn owner, asyncrat, attack, august, awful, azorult, backdoor, bancolombia, bank, Base64_encoded, bhja, binder, bitfender, bitrat, blacklist http, blacklist https, body, body doctype, body length, bot, botnet, botnet command and control, bot networks, bounty, bounty-6, brian sabey, browser, browse scan, browsing, bruteforce, bundled, C2, canada unknown, carica la, cdate, certificate, checks, chrome, cisco umbrella, click, clng, cname, cobalt, cobalt strike, code, collections wow, colorado, comcast, com cnt, com laude, communicating, connect, contact, contacted, contacted urls, content type, copy, copyright, core, country, crack, crash, creation date, critical, crypto, csc corporate, cus olet, cyber army, cyber attack, darklivity podcast, dark power, dashboard, data, data rticon, date, date hash, dbatloader, dead, december, default, defender, dem fin, destination ip, detection list, dga, diamondfox, discovery, dns, dns replication, dns resolutions, dofoil, domain, domain robot, domains, domains top, downer, download, downloader, downloads, dridex, dropper, early iowa, el0kpmhlfz, emails, emotet, encrypt cnr3, english, entries, error, error resume, et exploit, et tor, et trojan, executable, execution, exit, expiration date, exploit, explorer, external ip, fabookie, facebook, fakedout threat, false, february, files, file samples, files deleted, files matching, file system, file type, final url, findwindowa, firefox c, first, flashpix, formbook, fraud, fuery, generic/spear phishing, generic windos, genkryptik, germany unknown, get na, gmbh, gmt content, gmt etag, gmt server, google safe, goog mal, gov int, graph, hacked by phone call, hacker, hackers, hacking, hacktool, hallrender, hashes, hawkeye, header intel, headers, hetzner online, heur, hiddentear, high, highly targeted, historical ssl, hitmen, hong kong, hr rtd, html, html info, html response, http requests, http response, hupigon, hybrid, icmp traffic, identifier, iframe, ii llc, indostealer, info, info compiler, information, injection, install, installcore, installer, intel, internet files, iobit, iocs, ip address, ip detections, ip related, ip summary, ip traffic, ipv4, january, java, javascript, Jays Youtube Bot.exe, jeffrey scott reimer, jomax, july, june, kb body, kb file, key algorithm, key identifier, key info, kgs0, kls0, known tor, kryptos logic, kyrgyz default, law firm, lazarus, levelblue, levelblue labs, lincode, lincode members, listen, local, logic, lolkek, look, low software, lumma, lumma stealer, machinename, malicious, malicious site, maltiverse, malware, malware site, march, matches rule, maze, mediamagnet, medium, memcommit, memreserve, meta, meta tags, metro, michael roberts, million, misc attack, monitoring, moved, msie, msil, ms windows, mtb sep, murderer, namecheap inc, name md5, name servers, name verdict, nanocore rat, nav onl, netwire, network, next, nginx, nivdort, no data, node tcp, node traffic, npzk765, null, number, nxdomain, object, observed, october, odx3x33jk9w3, org domains, os2 executable, otx telemetry, outbreak, packing t1045, page dow, parked, passive, passive dns, password, password bypass, pattern match, pcname, pe32, pe32 executable, pegasus, pe resource, persistence, pe section, phi, phishing, phishing site, phone hacking, phy pre, pii, ping, pings c, pitman and or dentisthired roberts obvi, poser, possible, potential ip, pragma, probe, probe ms17010, products, project, project skynet, proxy, psiusa, ptls7, public w3cdtd, pulse pulses, pulse submit, pur sta, purtroppo, python connection, q0gpyr1balpdgpo, qakbot, qdkxgr24yz, quasar, quasar rat, raccoonstealer, ransom, ransomexx, ransomware, rat, read c, record type, record value, redline, redline stealer, redlinestealer, referrer, refresh, registrarsafe, registry, regopenkeyexw, regsz, relacionada, related pulses, relayrouter, relic, remcos, remote, remote debian spy, replacement, request, resolutions, restart, riskware, rticon kyrgyz, runescape, ruthless, safe site, sality, sample, samples, scam, scammer, scan endpoints, search, search debian available space, security, september, server redirect, servers, service, sha1, sha256, shell, show, showing, sinkhole cookie, site, skynet, small, smoke loader, smokeloader, snatch, song culture, span, ssh, ssl certificate, standard, startpage, status, status code, stealer, storage, strings, stripe, subject key, subject public, summary, survivor, suspicious, swrort, t1045, t1082, tag count, targeting, targets sa, targets tsara brashears, team, technology, template, text, thebrotherssabey, threat report, threat roundup, thu apr, tofsee, tools, tor, tor known, tor relayrouter, tracey richter, traffic, trojan, trojan evader, trojan features, trojan malware, trojanspy, trojanx, trustinfo, tsara brashears, ttl value, tulach, type name, unauthorized, union, united, united states, unknown, unruy, unsafe, unsupported, upatre, updater, url analysis, urls, url summary, ursnif, user, v3 serial, validity, value snkz, verify, videosdewebcams, view, virgin islands, virus network, visualizza, voun2hd, vs2005, vs2008, vt report, wacatac, wannacry, webshell, webtoolbar, west domains, whitelisted, whois, whois record, whois sneaky, whois whois, win16 ne, win32, win32 exe, wiper, worm, worn, write, written c, x00x00, xhtml, xmlns http, yara detections, yara rule, ygjpaufscontext, youtube, zfglddkl58a url

  • View other sources: Spamhaus VirusTotal

  • Country: United States
  • Network:
  • Noticed: 18 times
  • Protocols Attacked: Anonymous Proxy
  • Countries Attacked: Germany, Hong Kong, Netherlands, United States of America

Malware Detected on Host

Count: 3836

Sample SHA-256 hashes:

  • a33c02fad8074afff3850051d327c97d3dc1ba1a1034c5fb38ba029ad899f50d
  • 7b55aa14440d88e76930c7840f982a9962f881bb7c1b26131eaf1bf001f92a75
  • 9a9e0f6121fc2595591666d302c64b64bd81fa5ff02f38d3c1ac8bebfc129bf1
  • 989db46562126cd83b6148da103cb17d770ed14c5a09b899bd225e77ff1b054d
  • 35a3811f64c02bc7ad77f93cbe801e25c9e7183a7ad7e706b4eec19b9fec12ea
  • c4b6378bb7cb29ee188879c99df812aa623195f05c4a72ff159e29ef737be0fb
  • 6c3a7bb64f1131335ec9e7aca45b3db11a790afbf582d3b4d653f847956a06b4
  • 0f78a658b60f0879acccf0933d9ae8a5d2c188e9f16b8e6f7b01bd0cc9b5c4e1
  • d86678b8f3f966008dc1d1e519428bf4e12bf4a0f36aa9b811c6f5965b7f51f4
  • 2ffcff805b5608d7f218a4af1f76aedd3dd0a50b6293f96f092b86f9bcd89073

Open Ports Detected

80, 443, 2052, 2082, 2083, 2086, 2087, 2095, 8080, 8443, 8880

Links to attack logs

  • anonymous-proxy-ip-list-2025-06-22
  • anonymous-proxy-ip-list-2025-06-23
  • anonymous-proxy-ip-list-2025-06-24