104.47.10.36 Threat Intelligence and Host Information

General

This page contains threat intelligence information for the IPv4 address 104.47.10.36 and was generated either as a result of observed malicious activity or as an information gathering exercise to assist with enrichment of security events and context. All information is gathered passively through aggregation of public sources, or observations through activity upon honeynets. The host score is calculated through a series of statistically weighted values and machine learning which takes into account metadata such as host information, frequency, volume and global distribution of malicious activity, association with other known malicious hosts or networks, proxying or anonymising behaviour such as with tor exit nodes, residential proxies or VPN services, and many other attributes. These values are historical and indicative only - and should not be taken to be an accurate representation of the users, businesses or networks in which they reside.

Likely Malicious Host 🟠 60/100

Host and Network Information

• Mitre ATT&CK IDs: T1001.003 - Protocol Impersonation, T1001 - Data Obfuscation, T1005 - Data from Local System, T1010 - Application Window Discovery, T1011 - Exfiltration Over Other Network Medium, T1027 - Obfuscated Files or Information, T1031 - Modify Existing Service, T1033 - System Owner/User Discovery, T1035 - Service Execution, T1041 - Exfiltration Over C2 Channel, T1046 - Network Service Scanning, T1055 - Process Injection, T1056.001 - Keylogging, T1056 - Input Capture, T1057 - Process Discovery, T1059.007 - JavaScript, T1059 - Command and Scripting Interpreter, T1068 - Exploitation for Privilege Escalation, T1071.001 - Web Protocols, T1071.002 - File Transfer Protocols, T1071.003 - Mail Protocols, T1071.004 - DNS, T1071 - Application Layer Protocol, T1082 - System Information Discovery, T1083 - File and Directory Discovery, T1100 - Web Shell, T1105 - Ingress Tool Transfer, T1106 - Native API, T1110.002 - Password Cracking, T1114.002 - Remote Email Collection, T1114 - Email Collection, T1129 - Shared Modules, T1134.001 - Token Impersonation/Theft, T1140 - Deobfuscate/Decode Files or Information, T1156 - Malicious Shell Modification, T1184 - SSH Hijacking, T1210 - Exploitation of Remote Services, T1213 - Data from Information Repositories, T1218 - Signed Binary Proxy Execution, T1408 - Disguise Root/Jailbreak Indicators, T1410 - Network Traffic Capture or Redirection, T1415 - URL Scheme Hijacking, T1421 - System Network Connections Discovery, T1422 - System Network Configuration Discovery, T1427 - Attack PC via USB Connection, T1428 - Exploit Enterprise Resources, T1429 - Capture Audio, T1445 - Abuse of iOS Enterprise App Signing Key, T1449 - Exploit SS7 to Redirect Phone Calls/SMS, T1453 - Abuse Accessibility Features, T1491 - Defacement, T1497.002 - User Activity Based Checks, T1497 - Virtualization/Sandbox Evasion, T1518 - Software Discovery, T1523 - Evade Analysis Environment, T1546 - Event Triggered Execution, T1547 - Boot or Logon Autostart Execution, T1548 - Abuse Elevation Control Mechanism, T1560 - Archive Collected Data, T1563 - Remote Service Session Hijacking, T1566 - Phishing, T1583.002 - DNS Server, T1583.005 - Botnet, T1584.005 - Botnet, TA0001 - Initial Access, TA0004 - Privilege Escalation, TA0011 - Command and Control, TA0030 - Defense Evasion

• Tags: aaaa, abuse, accept, active, active threat, address, admin country, adult content, adware, agent, agenttesla, aig, akamai, alexa, alexa top, algorithm, alive, allegations, all octoseek, alohatube, amazonaes, android, anti-detection, antivirus, a nxdomain, a poster, aposter, appdata, apple, apple attack, apple engineering, apple id, appleid, apple ios, applenoc, apple private data collection, april, artemis, AS 10975 (NET-AIG) US, as11042, as16625, as20940, as24940 hetzner, as58061 scalaxy, as714, ascii text, asp.net, assault, attack, Attack origin: United States, august, authority, av scan, awful, azorult, baaa, back, backdoor, bahamut, bam, bam.nr-data.net, bank, banker, bankerx, BankerX, bell south, bellsouth, bitrat, black, blacklist, blacklist https, body, body length, boolean, Botnet, bradesco, brian, brian sabey, briansabey, browse scan, brute force passwords, b.scope, bundled, ca, caaa, caca, caca4baaa, cacf, caea, canvas, cellbrite, chaos, checkbox, china, china telecom, chinese, cidr, cisco umbrella, ck id, ck matrix, class, click, close, cloud, cloudflarenet, cmd, cname, cobalt strike, Cobalt Strike, code, collection, colorado, comcast tmobile, command_and_control, communicating, community https, confed, config, contact, contacted, contacted circa 10.23.2023-, contacted urls, contact phone, contentencoding, contextualizing, continent na, copy, copy md5, copy sha1, copy sha256, core, country us, crack, create new, creation date, crimson apple, critical, critical risk, crypto, csc corporate, cus ou, cus stnew, CVE-2016-7255, CVE-2017-0147, CVE-2017-11882, CVE-2017-17215, CVE-2017-8570, CVE-2018-0802, cybercrime, cyber stalking, cyber threat, dapato, dark, dark power, dashboard, data, data.net, date, dead, debugger evasion, december, defacement, defense entity fraud?, description, desktop, detection list, detections type, detplock, d mmmm, dnspionage, dns replication, dnssec, domain, domain entries, domain related, domains, domains dropped, domain status, downer, downldr, download, downloader, drops, dsp1, ducktail, elf wgetboat, email, emotet, endpoints all, engineering, entrust, error, et, et cins, et tor, evasion, evasive, execution, exit, expiration, exploit, export, facebook, factory, falcon sandbox, false, fear, february, file, filehashmd5, filehashsha1, filehashsha256, files, final, final url, final url summary, firehol, first, flag, footer, forbidden, form, formbook, fusioncore, gandcrab, general, generator, generic, germany, germany unknown, getprocaddress, github, goldfinder, goldmax, google, gootloader, graph, green, group, hacking, hacktool, hallrender, harassment, hashes files, hashtablemutex, headers, headers nel, heur, historical, historical ssl, hostname, hr rtd, http response, https, hybrid, hybrid analysis, hyperv, iana id, icann whois, icefog, icloud, id, identifier, iframe, import, indicator, info, infor, input, install, installation, installcore, installer, insurance company, interfacing, iocs, ioc search, iocs kb, ios, ip summary, ipv4, ipv6, issuer, january, japan national police agency, jekyll, jfif standard, jpeg image, july, june, kb acrotray, kb body, key algorithm, key identifier, keylogger, known tor, kuaizip, l1k validity, label netaig, law enforcement aware complacent or complicit?, legal entities, libel, light, llll, loader, local, localappdata, lockbit, lolkek, looquer, love, mail spammer, main, major, malicious, malicious host, malicious site, maltiverse, malvertizing, malware, malware site, march, markmonitor, masquerading, matrix, maui ransomware, mb iesettings, mb opera, media, meta, metro, metro tmobile, microsoft, million, mimikatz, miner, mirai, misc attack, mitre, mitre att, mitre attk, model, monitoring, mtsub26293293, mutex, name, namecheap, namecheap inc, name server, name servers, name verdict, nanocore, national police agency japan, netlify, netlify edge, network, network ascii text, networm, new ioc, new york, next, no data, node traffic, no expiration, no match, noname057, norad.mil, norad tracker, no relevant, nr-data.net, NSA tool Tulach malaware, nuance, null, number, nxdomain, nymaim, october, octoseek, oentrust, open, opencandy, openurl c, override, p2404, passive dns, password, password bypass, paste, path, pattern match, payment, pcap, pdf report, pegasus, pegatech, pe resource, persistence, phish, phishing, phishing site, phishtank, phonenumber, physical threat, pine street, png image, pony, pornhub, postal code, prefetch2, presenoker, private investigator, pulse use, qakbot, quasar, quasar rat, raccoon, ransomexx, ransomware, record type, record value, referrer, registrar abuse, registrar iana, registrar url, registrar whois, registry arin, reinsurance, relacion, relay, relayrouter, relic, remcos, remote, remote attack, remote cnc, resolutions, result, retaliation, revenge, riskware, root, root ca, roundup, runescape, runtime process, rust, sabey, safe site, sample, samplepath, samples, samuel tulach, sandbox, scalaxy, scan endpoints, scanning_host, script, search, sector, september, server, service, serving ip, session details, severe, severity, sha1, sha256, showing, show technique, show technique span, sibot, silencing, silly, simple, site, size, skynet, small, social engineering, softcnapp, spammer, span, speakez securus, spyware, ssh on server, ssl certificate, ssl hostname, state, status code, status codes, stealer, stealthyness, stix, strings, subdomains, subid, subject key, submit, submit quasar, submitters, summary, summary iocs, suppobox, suricata alerts, sweetheart videos, swisyn, tag count, tagging, target, team, teams api, tech, tech email, telecom, temp, textarea, threat, threat analyzer, threat roundup, threats, title, tld count, tofsee, tracker, tracking, trickbot, trim, trojan, trojanspy, trojanx, trust, tsara brashears, ttl value, tulach, tulach.cc, type data, type name, uaaa, unicode text, union, united, United states, unknown, unknown urls, unlocker, unsafe, url, url http, url https, urls, urls https, url summary, urls url, ursnif, usage, user, users voice, utc submissions, v3 serial, verdict, victim, vidar, virustotal, vmprotect, vt report, waaa, webtoolbar, whois database, whois lookup, whois record, whois whois, who’s driving, widget, win32, win32 dll, win32 exe, win64, windir, windows, windows nt, wiper, workaposter, workers compensation, writes data to a remote process, x509v3 key, xobo, yaaa, yixun tool, yyyy, zbot

• View other sources: Spamhaus VirusTotal

• Country: Ireland
• Network: AS8075 microsoft corporation
• Noticed: 42 times
• Protcols Attacked: SSH
• Countries Attacked: Canada, Netherlands, Singapore, United States of America

Malware Detected on Host

Count: 18 a22897763e1a05cf3baa9e54edea1ee49e869815784f340573c839e217acbbe6 18cab9a7b20e3b7455965e572b5d696930851bb0ec3842b1ad9c1f7c28aa29ca cebeeaf893e7ec9456a0c763af162a44ab67e87bf080df9e98a598f6ddb4f338 f6e553174239ab8731590490ea70f5624182b35fb578cb39c007bfb349c1ee84 a4b1bcb7e668646d0fa9adee0d89f389eee21947ab726c564395563b32d32c46 b472f69c97c283a4511729ccf03d1ece53bc3bfa6f58eefc7a0f50e160b30d75 cba8d84f4f7edf9ecafab1d1d70bee2354a0a40516e227289cf3ed25eb2dac88 ec2d80b3a039251d0cf5140747304bdf1d6193053fb73e1407dd223cee5ec777 e6f044595aa7dc92b02c2b0a0350e6623c02bed4bb3718dac187b6a93a3eee29 b7b7a48796963b83bccdcbd93477ce0fc06ffc55b7a1f64be0b8213395f5bd7d

Map

Whois Information

• NetRange: 104.40.0.0 - 104.47.255.255
• CIDR: 104.40.0.0/13
• NetName: MSFT
• NetHandle: NET-104-40-0-0-1
• Parent: NET104 (NET-104-0-0-0-0)
• NetType: Direct Allocation
• OriginAS:
• Organization: Microsoft Corporation (MSFT)
• RegDate: 2014-05-07
• Updated: 2021-12-14
• Ref: https://rdap.arin.net/registry/ip/104.40.0.0
• OrgName: Microsoft Corporation
• OrgId: MSFT
• Address: One Microsoft Way
• City: Redmond
• StateProv: WA
• PostalCode: 98052
• Country: US
• RegDate: 1998-07-10
• Updated: 2023-11-17
• Comment: To report suspected security issues specific to traffic emanating from Microsoft online services, including the distribution of malicious content or other illicit or illegal material through a Microsoft online service, please submit reports to:
• Comment: * https://cert.microsoft.com.
• Comment:
• Comment: For SPAM and other abuse issues, such as Microsoft Accounts, please contact:
• Comment: * abuse@microsoft.com.
• Comment:
• Comment: To report security vulnerabilities in Microsoft products and services, please contact:
• Comment: * secure@microsoft.com.
• Comment:
• Comment: For legal and law enforcement-related requests, please contact:
• Comment: * msndcc@microsoft.com
• Comment:
• Comment: For routing, peering or DNS issues, please
• Comment: contact:
• Comment: * IOC@microsoft.com
• Ref: https://rdap.arin.net/registry/entity/MSFT
• OrgTechHandle: BEDAR6-ARIN
• OrgTechName: Bedard, Dawn
• OrgTechPhone: +1-425-538-6637
• OrgTechEmail: dabedard@microsoft.com
• OrgTechRef: https://rdap.arin.net/registry/entity/BEDAR6-ARIN
• OrgTechHandle: IPHOS5-ARIN
• OrgTechName: IPHostmaster, IPHostmaster
• OrgTechPhone: +1-425-538-6637
• OrgTechEmail: iphostmaster@microsoft.com
• OrgTechRef: https://rdap.arin.net/registry/entity/IPHOS5-ARIN
• OrgTechHandle: MRPD-ARIN
• OrgTechName: Microsoft Routing, Peering, and DNS
• OrgTechPhone: +1-425-882-8080
• OrgTechEmail: IOC@microsoft.com
• OrgTechRef: https://rdap.arin.net/registry/entity/MRPD-ARIN
• OrgTechHandle: SINGH683-ARIN
• OrgTechName: Singh, Prachi
• OrgTechPhone: +1-425-707-5601
• OrgTechEmail: pracsin@microsoft.com
• OrgTechRef: https://rdap.arin.net/registry/entity/SINGH683-ARIN
• OrgAbuseHandle: MAC74-ARIN
• OrgAbuseName: Microsoft Abuse Contact
• OrgAbusePhone: +1-425-882-8080
• OrgAbuseEmail: abuse@microsoft.com
• OrgAbuseRef: https://rdap.arin.net/registry/entity/MAC74-ARIN
• OrgRoutingHandle: CHATU3-ARIN
• OrgRoutingName: Chaturmohta, Somesh
• OrgRoutingPhone: +1-425-882-8080
• OrgRoutingEmail: someshch@microsoft.com
• OrgRoutingRef: https://rdap.arin.net/registry/entity/CHATU3-ARIN

Links to attack logs

****** ****** ******