104.47.55.138 Threat Intelligence and Host Information
General
This page contains threat intelligence information for the IPv4 address 104.47.55.138 and was generated either as a result of observed malicious activity or as an information gathering exercise to assist with enrichment of security events and context. All information is gathered passively through aggregation of public sources, or through observations of activity on honeynets. The host score is calculated through a series of statistically weighted values and machine learning which takes into account metadata such as host information, frequency, volume and global distribution of malicious activity, association with other known malicious hosts or networks, proxying or anonymising behaviour such as Tor exit nodes, residential proxies or VPN services, and many other attributes. These values are historical and indicative only, and should not be taken to be an accurate representation of the users, businesses or networks in which they reside.
Likely Malicious Host 🟠 60/100
Host and Network Information
MITRE ATT&CK IDs: T1001.002 - Steganography, T1003 - OS Credential Dumping, T1012 - Query Registry, T1027 - Obfuscated Files or Information, T1030 - Data Transfer Size Limits, T1031 - Modify Existing Service, T1036.004 - Masquerade Task or Service, T1036 - Masquerading, T1038 - DLL Search Order Hijacking, T1041 - Exfiltration Over C2 Channel, T1045 - Software Packing, T1057 - Process Discovery, T1059.002 - AppleScript, T1059.007 - JavaScript, T1059 - Command and Scripting Interpreter, T1068 - Exploitation for Privilege Escalation, T1071.001 - Web Protocols, T1071.002 - File Transfer Protocols, T1071.003 - Mail Protocols, T1071.004 - DNS, T1071 - Application Layer Protocol, T1074 - Data Staged, T1078.004 - Cloud Accounts, T1082 - System Information Discovery, T1083 - File and Directory Discovery, T1090 - Proxy, T1100 - Web Shell, T1105 - Ingress Tool Transfer, T1106 - Native API, T1114 - Email Collection, T1119 - Automated Collection, T1122 - Component Object Model Hijacking, T1129 - Shared Modules, T1140 - Deobfuscate/Decode Files or Information, T1147 - Hidden Users, T1156 - Malicious Shell Modification, T1415 - URL Scheme Hijacking, T1445 - Abuse of iOS Enterprise App Signing Key, T1448 - Carrier Billing Fraud, T1449 - Exploit SS7 to Redirect Phone Calls/SMS, T1497 - Virtualization/Sandbox Evasion, T1518.001 - Security Software Discovery, T1518 - Software Discovery, T1546.015 - Component Object Model Hijacking, T1547 - Boot or Logon Autostart Execution, T1548 - Abuse Elevation Control Mechanism, T1560 - Archive Collected Data, T1562.003 - Impair Command History Logging, T1562.004 - Disable or Modify System Firewall, T1564.001 - Hidden Files and Directories, T1588.004 - Digital Certificates, TA0009 - Collection, TA0011 - Command and Control, TA0037 - Command and Control
JARM: 2ad2ad0002ad2ad0002ad2ad2ad2adf9fdf4eeac344e8b5003264da73585be
- Country: United States
- Network: AS8075 Microsoft Corporation
- Noticed: 50 times
- Protocols Attacked: SSH
- Countries Attacked: Canada, Netherlands, Saudi Arabia, United Kingdom of Great Britain and Northern Ireland, United States of America
- Passive DNS Results:
Malware Detected on Host
Count: 1461
Open Ports Detected
Whois Information
- NetRange: 104.40.0.0 - 104.47.255.255
- CIDR: 104.40.0.0/13
- NetName: MSFT
- NetHandle: NET-104-40-0-0-1
- Parent: NET104 (NET-104-0-0-0-0)
- NetType: Direct Allocation
- OriginAS:
- Organization: Microsoft Corporation (MSFT)
- RegDate: 2014-05-07
- Updated: 2021-12-14
- Ref: https://rdap.arin.net/registry/ip/104.40.0.0
- OrgName: Microsoft Corporation
- OrgId: MSFT
- Address: One Microsoft Way
- City: Redmond
- StateProv: WA
- PostalCode: 98052
- Country: US
- RegDate: 1998-07-10
- Updated: 2023-11-17
- Comment: To report suspected security issues specific to traffic emanating from Microsoft online services, including the distribution of malicious content or other illicit or illegal material through a Microsoft online service, please submit reports to:
- Comment: * https://cert.microsoft.com.
- Comment:
- Comment: For SPAM and other abuse issues, such as Microsoft Accounts, please contact:
- Comment: * abuse@microsoft.com.
- Comment:
- Comment: To report security vulnerabilities in Microsoft products and services, please contact:
- Comment: * secure@microsoft.com.
- Comment:
- Comment: For legal and law enforcement-related requests, please contact:
- Comment: * msndcc@microsoft.com
- Comment:
- Comment: For routing, peering or DNS issues, please
- Comment: contact:
- Comment: * IOC@microsoft.com
- Ref: https://rdap.arin.net/registry/entity/MSFT
- OrgTechHandle: BEDAR6-ARIN
- OrgTechName: Bedard, Dawn
- OrgTechPhone: +1-425-538-6637
- OrgTechEmail: dabedard@microsoft.com
- OrgTechRef: https://rdap.arin.net/registry/entity/BEDAR6-ARIN
- OrgTechHandle: IPHOS5-ARIN
- OrgTechName: IPHostmaster, IPHostmaster
- OrgTechPhone: +1-425-538-6637
- OrgTechEmail: iphostmaster@microsoft.com
- OrgTechRef: https://rdap.arin.net/registry/entity/IPHOS5-ARIN
- OrgTechHandle: MRPD-ARIN
- OrgTechName: Microsoft Routing, Peering, and DNS
- OrgTechPhone: +1-425-882-8080
- OrgTechEmail: IOC@microsoft.com
- OrgTechRef: https://rdap.arin.net/registry/entity/MRPD-ARIN
- OrgTechHandle: SINGH683-ARIN
- OrgTechName: Singh, Prachi
- OrgTechPhone: +1-425-707-5601
- OrgTechEmail: pracsin@microsoft.com
- OrgTechRef: https://rdap.arin.net/registry/entity/SINGH683-ARIN
- OrgAbuseHandle: MAC74-ARIN
- OrgAbuseName: Microsoft Abuse Contact
- OrgAbusePhone: +1-425-882-8080
- OrgAbuseEmail: abuse@microsoft.com
- OrgAbuseRef: https://rdap.arin.net/registry/entity/MAC74-ARIN
- OrgRoutingHandle: CHATU3-ARIN
- OrgRoutingName: Chaturmohta, Somesh
- OrgRoutingPhone: +1-425-882-8080
- OrgRoutingEmail: someshch@microsoft.com
- OrgRoutingRef: https://rdap.arin.net/registry/entity/CHATU3-ARIN