104.26.3.70 Threat Intelligence and Host Information
General
This page contains threat intelligence information for the IPv4 address 104.26.3.70. It was generated either as a result of observed malicious activity or as an information-gathering exercise to enrich security events with context. All information is gathered passively, through aggregation of public sources or through observation of activity on honeynets. The host score is calculated from a series of statistically weighted values and machine learning, taking into account metadata such as host information; the frequency, volume and global distribution of malicious activity; association with other known malicious hosts or networks; proxying or anonymising behaviour, such as Tor exit nodes, residential proxies or VPN services; and many other attributes. These values are historical and indicative only, and should not be taken as an accurate representation of the users, businesses or networks in which they reside.
Likely Malicious Host 🟠 60/100
Host and Network Information
- MITRE ATT&CK IDs: T1063 - Security Software Discovery, T1074 - Data Staged, T1546 - Event Triggered Execution, T1566 - Phishing, T1583.005 - Botnet, T1584.005 - Botnet, TA0002 - Execution, TA0003 - Persistence, TA0004 - Privilege Escalation, TA0005 - Defense Evasion, TA0006 - Credential Access, TA0007 - Discovery, TA0009 - Collection, TA0011 - Command and Control
- Tags: aaaa, address, airpods tv, akamaias, akamaiasn1, alexa, alexa top, algorithm, amazon02, apple, apple card, apple ios, apple og, apple store, apple trade, apple tv, apple watch, april, as133618, as133618 trellian pty. limited, as15169, as15169 google, as16509, as20940, as29182 jsc, as3359, as39084 rinet, as47846, as8075, as852, asyncrat, attack, attempts, authentihash, awful, Baby, Best, Best Buy, Bios, bitrep, blacklist, Bluetooth, body length, botnet, bot network, bots, brother sabey, Buy, buy apple, bv6fet56ww, cab, cellbrite, chi2, Christopher Pool, cisco umbrella, class, cname, communicating, compiler, connect, connection, contact, contacted, contained, core, crypto, Crypto, CryptoMining, cryptor, cuba, data collection, date, defense evasion, detection list, Digital Stalking, discovery, domains, dropper, dynamic expires, dynamicloader, encoder, encrypt, error, Euif, evasive, execution, facebook, falcon sandbox, february, files, file sharing, file type, final url, find, first, floxif, footer, found, fraud urls, from, Geek, generic malware, geoip, germany unknown, ghost, gmt server, google, hacktool, header intel, headers nel, header target, high, high security, historical ssl, hostname, hostnames, html info, http response, imphash, indextab og, indonesia, info compiler, intel, iocs, ioc search, ip address, ireland unknown, kb body, Keylogging, language, lcid1033, learn, level3, libel, link library, loader, lockbit, machine intel, magic pe32, malicious site, malware, malware generic, Mark Monitor, media, medium, menacing, meta tags, mexico, microsoft visual c++ v6.0, million, mini, ms visual, ms windows, name md5, name servers, name verdict, new ioc, next, No Help, overlay, paste, pe32, pe32 compiler, pegasus, pe resource, Persistant, personal data, plugins, Pool’s Closed, privilege escalation, probe, products, proton, public url, quasar, ransomexx, ransomware, reads self, rich pe, rticon english, russia unknown, sabey, safe site, samples, search, self, serial number, server apple, serving ip, seznam, sha256, sha256 code, signing ca, site, smlen, software, spn647, spoofs, spyware, Squad, ssdeep, ssl certificate, staged data, stamping, status code, stealthy, Sucky, summary, Survives Reformat, survivor, symantec sha256, symantec time, t1063, tag count, targets sa, teams api, telecom, threat, threat analyzer, threat network, threat report, threat roundup, thumbprint, Timothy Pool, title apple, tsara brashears, tue dec, twitter, type, ukraine, ukraine unknown, united, unknown, urls url, utc entry, vhash, virgin islands, Virus, vs2005, vs2008, vs98, w3.org, wannacry, watch vision, w english, Whiny, WhinySuckyBaby, whois record, whois whois, win16 ne, win32, win32 dll, win32 dynamic, win64, yara rule
- View other sources: Spamhaus, VirusTotal
- Country: United States
- Network:
- Noticed: 13 times
- Protocols Attacked: Anonymous Proxy
- Countries Attacked: Anguilla, Aruba, Australia, Bahamas, Barbados, Canada, Cayman Islands, Costa Rica, Curaçao, Georgia, Guatemala, Japan, Mexico, Netherlands, Panama, Philippines, Poland, Saint Kitts and Nevis, Saint Martin (French part), Saint Vincent and the Grenadines, Sint Maarten (Dutch part), Tanzania United Republic of, Trinidad and Tobago, Ukraine, United Kingdom of Great Britain and Northern Ireland, United States of America
Malware Detected on Host
Count: 18
Open Ports Detected
2052 2053 2082 2083 2086 2087 2096 443 80 8080 8443 8880
Whois Information
- NetRange: 104.16.0.0 - 104.31.255.255
- CIDR: 104.16.0.0/12
- NetName: CLOUDFLARENET
- NetHandle: NET-104-16-0-0-1
- Parent: NET104 (NET-104-0-0-0-0)
- NetType: Direct Allocation
- OriginAS: AS13335
- Organization: Cloudflare, Inc. (CLOUD14)
- RegDate: 2014-03-28
- Updated: 2024-09-04
- Comment: All Cloudflare abuse reporting can be done via https://www.cloudflare.com/abuse
- Comment: Geofeed: https://api.cloudflare.com/local-ip-ranges.csv
- Ref: https://rdap.arin.net/registry/ip/104.16.0.0
- OrgName: Cloudflare, Inc.
- OrgId: CLOUD14
- Address: 101 Townsend Street
- City: San Francisco
- StateProv: CA
- PostalCode: 94107
- Country: US
- RegDate: 2010-07-09
- Updated: 2024-11-25
- Ref: https://rdap.arin.net/registry/entity/CLOUD14
- OrgNOCHandle: CLOUD146-ARIN
- OrgNOCName: Cloudflare-NOC
- OrgNOCPhone: +1-650-319-8930
- OrgNOCEmail: noc@cloudflare.com
- OrgNOCRef: https://rdap.arin.net/registry/entity/CLOUD146-ARIN
- OrgRoutingHandle: CLOUD146-ARIN
- OrgRoutingName: Cloudflare-NOC
- OrgRoutingPhone: +1-650-319-8930
- OrgRoutingEmail: noc@cloudflare.com
- OrgRoutingRef: https://rdap.arin.net/registry/entity/CLOUD146-ARIN
- OrgTechHandle: ADMIN2521-ARIN
- OrgTechName: Admin
- OrgTechPhone: +1-650-319-8930
- OrgTechEmail: rir@cloudflare.com
- OrgTechRef: https://rdap.arin.net/registry/entity/ADMIN2521-ARIN
- OrgAbuseHandle: ABUSE2916-ARIN
- OrgAbuseName: Abuse
- OrgAbusePhone: +1-650-319-8930
- OrgAbuseEmail: abuse@cloudflare.com
- OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE2916-ARIN
- RTechHandle: ADMIN2521-ARIN
- RTechName: Admin
- RTechPhone: +1-650-319-8930
- RTechEmail: rir@cloudflare.com
- RTechRef: https://rdap.arin.net/registry/entity/ADMIN2521-ARIN
- RNOCHandle: NOC11962-ARIN
- RNOCName: NOC
- RNOCPhone: +1-650-319-8930
- RNOCEmail: noc@cloudflare.com
- RNOCRef: https://rdap.arin.net/registry/entity/NOC11962-ARIN
- RAbuseHandle: ABUSE2916-ARIN
- RAbuseName: Abuse
- RAbusePhone: +1-650-319-8930
- RAbuseEmail: abuse@cloudflare.com
- RAbuseRef: https://rdap.arin.net/registry/entity/ABUSE2916-ARIN
Links to attack logs
- anonymous-proxy-ip-list-2025-06-23
- anonymous-proxy-ip-list-2025-06-22
- anonymous-proxy-ip-list-2025-06-24