104.47.51.110 Threat Intelligence and Host Information

General

This page contains threat intelligence information for the IPv4 address 104.47.51.110 and was generated either as a result of observed malicious activity or as an information gathering exercise to assist with enrichment of security events and context. All information is gathered passively through aggregation of public sources, or observations through activity upon honeynets. The host score is calculated through a series of statistically weighted values and machine learning which takes into account metadata such as host information, frequency, volume and global distribution of malicious activity, association with other known malicious hosts or networks, proxying or anonymising behaviour such as with tor exit nodes, residential proxies or VPN services, and many other attributes. These values are historical and indicative only - and should not be taken to be an accurate representation of the users, businesses or networks in which they reside.

Likely Malicious Host 🟠 60/100

Host and Network Information

• Mitre ATT&CK IDs: T1001 - Data Obfuscation, T1003 - OS Credential Dumping, T1011 - Exfiltration Over Other Network Medium, T1027 - Obfuscated Files or Information, T1031 - Modify Existing Service, T1036.004 - Masquerade Task or Service, T1036 - Masquerading, T1038 - DLL Search Order Hijacking, T1040 - Network Sniffing, T1041 - Exfiltration Over C2 Channel, T1045 - Software Packing, T1052.001 - Exfiltration over USB, T1053 - Scheduled Task/Job, T1055 - Process Injection, T1056.001 - Keylogging, T1057 - Process Discovery, T1059.002 - AppleScript, T1059.007 - JavaScript, T1059 - Command and Scripting Interpreter, T1060 - Registry Run Keys / Startup Folder, T1063 - Security Software Discovery, T1068 - Exploitation for Privilege Escalation, T1071.001 - Web Protocols, T1071.003 - Mail Protocols, T1071.004 - DNS, T1071 - Application Layer Protocol, T1078.004 - Cloud Accounts, T1082 - System Information Discovery, T1083 - File and Directory Discovery, T1090 - Proxy, T1100 - Web Shell, T1105 - Ingress Tool Transfer, T1106 - Native API, T1110.002 - Password Cracking, T1114 - Email Collection, T1119 - Automated Collection, T1129 - Shared Modules, T1132 - Data Encoding, T1140 - Deobfuscate/Decode Files or Information, T1176 - Browser Extensions, T1190 - Exploit Public-Facing Application, T1210 - Exploitation of Remote Services, T1211 - Exploitation for Defense Evasion, T1410 - Network Traffic Capture or Redirection, T1412 - Capture SMS Messages, T1415 - URL Scheme Hijacking, T1448 - Carrier Billing Fraud, T1449 - Exploit SS7 to Redirect Phone Calls/SMS, T1450 - Exploit SS7 to Track Device Location, T1454 - Malicious SMS Message, T1496 - Resource Hijacking, T1497 - Virtualization/Sandbox Evasion, T1498 - Network Denial of Service, T1546 - Event Triggered Execution, T1548 - Abuse Elevation Control Mechanism, T1560 - Archive Collected Data, T1562.003 - Impair Command History Logging, T1566 - Phishing, T1583.002 - DNS Server, T1583.005 - Botnet, T1588 - Obtain Capabilities, TA0009 - Collection, TA0011 - Command and Control, TA0029 - Privilege Escalation, TA0037 - Command and Control

• Tags: $WebWatson, aaaa, accept, a checkin, active, active2, adaptivebee, address, admin, a domains, adult content, agent, agent tesla, agenttesla, alexa, alexa top, algorithm, all octoseek, all search, amadey, amazon 02, amazonaes, america, amonetize, android, Anomalous.100%, anomalous file, anonymizer, api blog, appdata, apple, apple app store compromise, apple computer, apple ios, apple phone, apple support compromise, app store, april, artemis, as14061, as16625 akamai, as20940, as25577 ide, as2914 ntt, as35994 akamai, as43350 nforce, as63949 linode, as8068, as9009 m247, ascii text, asyncrat, attack, august, avast win32, ave maria, avg win32, azorult, back, bandoo, bangladesh, bank, banker, bankerddedridexexploit, bankerdridexevasive, banking, b body, beginstring, BehavesLike.YahLover, betabot, binder, bitbucket.org, bitrat, blacklist, blacklist http, blacklist https, blacknet, blacknet rat, blacknet threats, bladabindi, blustealer, body, body length, bondat, botmaster, botnet, botnet campaign, botnetwork, bounty, bradesco, brian sabey, brute force, buildno, burkina, c2, ca g2, ca id, cascade, ca x3, cayman, cdata, certificate, channelisales, chaos, china cobalt, china telecom, ciphersuite, cisco umbrella, citadel, city, city center, ck id, ck matrix, class, clean mx, click, cloud, cloudeye, cloudflarenet, cmc threat, cmd, cname, cndigicert sha2, cndst root, cnisrg root, cobalt strike, Cobalt Strike, cobaltstrike4.tk, code, collection, collections, collections kp, command_and_control, communicating, community https, comspec, conduit, contact, contacted, contacted circa 10.23.2023-, contacted ip, contacted urls, contact phone, contentencoding, content reputation, __convergedlogin_pcustomizationloader_44b450e8d543eb53930d, cookie, copy, core, count blacklist, country, country us, covid19, crack, create c, creation date, critical, critical risk, crypto, csc corporate, cus cnapple, cus cnr3, cutwail, CVE-2005-1790, CVE-2009-3672, CVE-2010-3333, CVE-2010-3962, CVE-2012-3993, CVE-2014-3153, CVE-2014-6332, CVE-2015-1641, CVE-2015-1650, CVE-2017-0143, CVE-2017-0147, CVE-2017-0199, CVE-2017-11882, CVE-2017-8464, CVE-2017-8570, CVE-2017-8759, CVE-2018-0802, CVE-2018-4893, CVE-2018-8373, CVE-2018-8453, CVE-2020-0601, CVE-2020-0674, CVE-2021-27065, CVE-2021-40444, CVE-2023-4966, cybereason, cyber stalking, cyber threat, dapato, dark, darkgate, dark power, darkweb, darpa, data, date, daum, dbatloader, december, deep scan, defacement, de indicators, delete c, Delf.NBX, description, detection list, detections file, detections type, detplock, device, dga malvertizing, dga parking, dgs, district, dnspionage, dns replication, dnssec, docs pricing, domain, domain robot, domains, domain status, domaiq, downer, downldr, download, downloader, dridex, dropbox, dropped, dropper, drpsuinstaller, dtrack, dynadot, dynadot inc, dynamicloader, ecc ca, edsaid, email, emails, emotet, endangerment, engineering, enter, entries, error, et, et tor, et trojan, evasive, evasivemsilratrevenge-rat, evilnum, execution, exe size, exit, expiration, expiro, exploit, exploited spyware, exploit_source, export, facebook, factory, fakealert, falcon sandbox, february, feodo tracker, file, filehashmd5, filehashsha1, filehashsha256, file name, FileRepMalware, files, final url, financial, find, findwindowa, firehol, firehol gozi, first, first seen, flubot, footer, form, formbook, for privacy, fortinet, fuery, fusioncore, g1 oapple, galaxy, galaxy watch, gamehack, gandi sas, gating, gear s, gear s2, gear s3, gear sport, gecko, general, generator, generic, genericm, generic malware, Gen:Heur.Ransom.HiddenTears, genkryptik, getprocaddress, ghost rat, github, gmt connection, gmt contenttype, godaddy online, gootkit, gootloader, grandoreiro, hacker, hackers, hacking, hacktool, hallrender.com, hashes, hashes c2ae, headers, headers nel, header target, heur, high, highly targeted, high process, hijacker, hiloti, historicalandnew, historical ssl, hit, hostname, hostnames, houdini, html, http, http response, hybrid, hyperv, icedid, Icefog, icloud compromise, icwrmind, identifier, iframe, incident ip, indicator, infected, info, info compiler, injection t1055, inmortal, input, installcore, installer, insurance, intel, internal, internet se, invasion of privacy, iobit, iocs, ioc search, ionos se, ios, ip address, ip detections, iphone unlocker, ip security, ip summary, ipv4, issuer, jansky, january, javascript, jfif, jpeg image, js user, july, june, kb acrotray, kb body, key algorithm, keybase, key identifier, key info, keylogger, kgs0, khtml, kls0, known tor, kovter, kraken, kuaizip, languageenu, lazarus, less see, life, light, linux agent, live, lmenlo park, local, localappdata, location canada, lockbit, locky, loki, lokibot, Loki Password Stealer (PWS), loki pws, lolkek, lookups, machine intel, main, majorver16, malicious, Malicious domain - SANS Internet Storm Center, malicious red team, malicious site, malicious url, maltiverse, malvertizing, malware, malware beacon, malware distribution site, malware download, malware host, malware hosting, malware site, masquerading, mas.to, matsnu, maui ransomware, maxage5184000, mb first, mb iesettings, mb opera, media, media center, mediamagnet, media player, medium, meta, meterpreter, metro, metroby-tmo, microsoft, million, miner, mirai malware, misc attack, mitre att, mobilekey.pw, model, monitoring, mozilla, msie, msil, ms windows, mtb oct, mumblehard, music, name, namecheap, namecheap inc, name servers, name verdict, nanocore, nanocore rat, necurs, netherlands asn, net technology, network, network rat, networks, networm, new ioc, neworder.doc, next, nginx, njrat, no data, node tcp, node traffic, no expiration, no expired, no na, noname057, no no, notepad, november, null, number, nymaim, object, october, odigicert inc, olet, ollydbg, ometa platforms, openioc, opera, organization, orgid, orgtechhandle, orgtechref, osregion, otx octoseek, outbreak, p2404, parent referrer, parked domain, parking crew, passive dns, password, password bypass, paste, patch, path, pattern match, paypal, pcap, pdf report, pe32, pe resource, pe yandex, phish, phishing, phishing paypal, phishingransomwaresinkhole, phishing site, phishtank, physical threat, pictures, point, pony, possible, postal code, prefetch8, presenoker, prism_object, prism_setting, privacy admin, privacy tech, probe, products, project, prynt, prynt stealer, psiusa, public folder, public key, public server, puffstealer, pulse pulses, pulse submit, pykspa, python infostealer, python user, qakbot, quasar, quasar rat, query, qwest, raccoon, radamant, ramnit, ransomexx, ransomware, ransomwaretorrentlocker, raspberry robin, rat, ratel, rauschenberg, rdds service, read c, record, record type, record value, red, redacted for, redirector, redirectors, redline, redline stealer, referrer, refresh, regbinary, regdword, registrant, registrar, registrar abuse, registrar url, registrar whois, registry arin, registry domain, regsetvalueexa, related nids, relayrouter, relic, remcos, replacement, research group, resolutions, revenge rat, revenge-rat, reverse dns, rightsaided, riskware, rmndrp, root ca, rsa cn, rtechhandle, rtechref, rultazo, runescape, safe site, sality, sample, samplepath, samples, samsug, samsung galaxy, samuel tulach, scan endpoints, screenshot, script, search, search live, searchmeup, sections, sector, security, seen, send bug, september, server, servers, service, serving ip, setcookie geous, sha256, shell, shell code, show, showing, show technique, simda, sinkhole, sinkhole cookie, site, skynet, slcc2, sliver, smokeloader, sneaky server, snort ip, soc, social engineering, softcnapp, solimba, song culture, sophos, South Carolina Federal Credit Union phishing, spammer, span, spearfishing, spyware, srdvd16010404, ssl certificate, stateprovince, states, static engine, status, status code, stcalifornia, stealer, steam, stevens creek, stix, strike, strings, subject key, subject public, submitters, summary, summary iocs, suppobox, suspic, suspicious, swift, swisyn, swrort, systemlocale, t1055, tag count, tagging, tag tag, target, targeted attack, targeting, team, teams api, tech contact, telecom, template, textarea, threat, threat analyzer, threat report, threat roundup, tinba, title, tld count, t-mobile, tofsee, tools, tor c++, tor c++ client, tor known, tor relayrouter, traffic, trickbot, trident, trojan, trojanspy, trojanx, trust, tsara brashears, ttl value, tulach, tulach.cc, twitter, type name, type win32, unauthorized, undetected dns8, undetected vx, union, unique, united, united kingdom, unknown, unlocker, unreliable subdomains, unruy, unsafe, url analysis, url http, url https, urls, urls http, urls https, url summary, ursnif, usage, user, utc entry, utc submissions, v3 serial, valid, validity, value snkz, vault, vawtrak, vdfsurfs, vendorname2581, verdict, vidar, videos, virtool, virustotal, virut, vitro, vjw0rm, vmprotect, vs2008, vs2008 sp1, vs2010, wacatac, wanacrypt0rwannacrywcry, watch, webshell, webtoolbar, wells fargo, whitelisted, whois, whois parent, whois record, whois service, whois siblings, whois whois, win32, win32 dll, win32 exe, win64, windows, windows nt, wiper, worm, wow64, write, write c, x509v3 key, x8bxe5, xpire.info, yandex, yara detections, yara rule, zbot, zdb zeus, zenbox, zeppelin, zeus, zombie devices

• View other sources: Spamhaus VirusTotal

• Country: United States
• Network: AS8075 microsoft corporation
• Noticed: 27 times
• Protcols Attacked: SSH
• Countries Attacked: Canada, France, Netherlands, Spain, United Arab Emirates, United Kingdom of Great Britain and Northern Ireland, United States of America

Malware Detected on Host

Count: 116 0dc2438f688be1c95b7de4604cf63f994dec3ffdebe4c939f28a4cd56e48bb5e 98fa18ee6e3df02745019b2441e2438526f3a8b6b5fe954d761b5d7e3235dc56 3846596e287952712907060a38a476796efc84bbc1b4bc3cc965b91f0f5380f5 746a6ed0905e5525dc2b5251b7ebfe80fa1630162f9bf6741da0835f4dcc777c 89980030de7282929c3209b613e8525abcff4a409f4ae8bb6557691bc8891625 639136b730ff966fbc068401ed85ebe7fae94a47993e284fa816f25dba273c02 1d54d92b0fa0f245de3b46c44077ac9ab867a2224b0485f108a90f9cd23be67a 52c06bb3149d1492929e36494f6a401f866505bfa5b95de64f778101a1501fa5 6598daa5904f003efb7063e67a642ddad03d2df5c61e86977c3a59cc9abcd975 cfd16a2908a53eaed2fcccaf9d0dd0a6677c9c3e0953737127ffee8c09022eff

Open Ports Detected

25

Map

Whois Information

• NetRange: 104.40.0.0 - 104.47.255.255
• CIDR: 104.40.0.0/13
• NetName: MSFT
• NetHandle: NET-104-40-0-0-1
• Parent: NET104 (NET-104-0-0-0-0)
• NetType: Direct Allocation
• OriginAS:
• Organization: Microsoft Corporation (MSFT)
• RegDate: 2014-05-07
• Updated: 2021-12-14
• Ref: https://rdap.arin.net/registry/ip/104.40.0.0
• OrgName: Microsoft Corporation
• OrgId: MSFT
• Address: One Microsoft Way
• City: Redmond
• StateProv: WA
• PostalCode: 98052
• Country: US
• RegDate: 1998-07-10
• Updated: 2023-11-17
• Comment: To report suspected security issues specific to traffic emanating from Microsoft online services, including the distribution of malicious content or other illicit or illegal material through a Microsoft online service, please submit reports to:
• Comment: * https://cert.microsoft.com.
• Comment:
• Comment: For SPAM and other abuse issues, such as Microsoft Accounts, please contact:
• Comment: * abuse@microsoft.com.
• Comment:
• Comment: To report security vulnerabilities in Microsoft products and services, please contact:
• Comment: * secure@microsoft.com.
• Comment:
• Comment: For legal and law enforcement-related requests, please contact:
• Comment: * msndcc@microsoft.com
• Comment:
• Comment: For routing, peering or DNS issues, please
• Comment: contact:
• Comment: * IOC@microsoft.com
• Ref: https://rdap.arin.net/registry/entity/MSFT
• OrgAbuseHandle: MAC74-ARIN
• OrgAbuseName: Microsoft Abuse Contact
• OrgAbusePhone: +1-425-882-8080
• OrgAbuseEmail: abuse@microsoft.com
• OrgAbuseRef: https://rdap.arin.net/registry/entity/MAC74-ARIN
• OrgTechHandle: MRPD-ARIN
• OrgTechName: Microsoft Routing, Peering, and DNS
• OrgTechPhone: +1-425-882-8080
• OrgTechEmail: IOC@microsoft.com
• OrgTechRef: https://rdap.arin.net/registry/entity/MRPD-ARIN
• OrgTechHandle: SINGH683-ARIN
• OrgTechName: Singh, Prachi
• OrgTechPhone: +1-425-707-5601
• OrgTechEmail: pracsin@microsoft.com
• OrgTechRef: https://rdap.arin.net/registry/entity/SINGH683-ARIN
• OrgTechHandle: BEDAR6-ARIN
• OrgTechName: Bedard, Dawn
• OrgTechPhone: +1-425-538-6637
• OrgTechEmail: dabedard@microsoft.com
• OrgTechRef: https://rdap.arin.net/registry/entity/BEDAR6-ARIN
• OrgTechHandle: IPHOS5-ARIN
• OrgTechName: IPHostmaster, IPHostmaster
• OrgTechPhone: +1-425-538-6637
• OrgTechEmail: iphostmaster@microsoft.com
• OrgTechRef: https://rdap.arin.net/registry/entity/IPHOS5-ARIN
• OrgRoutingHandle: CHATU3-ARIN
• OrgRoutingName: Chaturmohta, Somesh
• OrgRoutingPhone: +1-425-882-8080
• OrgRoutingEmail: someshch@microsoft.com
• OrgRoutingRef: https://rdap.arin.net/registry/entity/CHATU3-ARIN

Links to attack logs

****** ****** ******