104.47.56.110 Threat Intelligence and Host Information

General

This page contains threat intelligence information for the IPv4 address 104.47.56.110 and was generated either as a result of observed malicious activity or as an information gathering exercise to assist with enrichment of security events and context. All information is gathered passively through aggregation of public sources, or observations through activity upon honeynets. The host score is calculated through a series of statistically weighted values and machine learning which takes into account metadata such as host information, frequency, volume and global distribution of malicious activity, association with other known malicious hosts or networks, proxying or anonymising behaviour such as with tor exit nodes, residential proxies or VPN services, and many other attributes. These values are historical and indicative only - and should not be taken to be an accurate representation of the users, businesses or networks in which they reside.

Likely Malicious Host 🟠 60/100

Host and Network Information

• Mitre ATT&CK IDs: T1001 - Data Obfuscation, T1003 - OS Credential Dumping, T1005 - Data from Local System, T1010 - Application Window Discovery, T1027 - Obfuscated Files or Information, T1031 - Modify Existing Service, T1033 - System Owner/User Discovery, T1036.004 - Masquerade Task or Service, T1036 - Masquerading, T1038 - DLL Search Order Hijacking, T1040 - Network Sniffing, T1041 - Exfiltration Over C2 Channel, T1045 - Software Packing, T1052.001 - Exfiltration over USB, T1053 - Scheduled Task/Job, T1055 - Process Injection, T1056 - Input Capture, T1057 - Process Discovery, T1059.002 - AppleScript, T1059.007 - JavaScript, T1059 - Command and Scripting Interpreter, T1060 - Registry Run Keys / Startup Folder, T1063 - Security Software Discovery, T1068 - Exploitation for Privilege Escalation, T1071.001 - Web Protocols, T1071.003 - Mail Protocols, T1071.004 - DNS, T1071 - Application Layer Protocol, T1078.004 - Cloud Accounts, T1082 - System Information Discovery, T1083 - File and Directory Discovery, T1090 - Proxy, T1100 - Web Shell, T1105 - Ingress Tool Transfer, T1106 - Native API, T1114.002 - Remote Email Collection, T1114 - Email Collection, T1119 - Automated Collection, T1129 - Shared Modules, T1132 - Data Encoding, T1140 - Deobfuscate/Decode Files or Information, T1156 - Malicious Shell Modification, T1176 - Browser Extensions, T1190 - Exploit Public-Facing Application, T1210 - Exploitation of Remote Services, T1211 - Exploitation for Defense Evasion, T1213 - Data from Information Repositories, T1218 - Signed Binary Proxy Execution, T1408 - Disguise Root/Jailbreak Indicators, T1412 - Capture SMS Messages, T1415 - URL Scheme Hijacking, T1421 - System Network Connections Discovery, T1422 - System Network Configuration Discovery, T1427 - Attack PC via USB Connection, T1428 - Exploit Enterprise Resources, T1429 - Capture Audio, T1448 - Carrier Billing Fraud, T1449 - Exploit SS7 to Redirect Phone Calls/SMS, T1450 - Exploit SS7 to Track Device Location, T1454 - Malicious SMS Message, T1496 - Resource Hijacking, T1497 - Virtualization/Sandbox Evasion, T1498 - Network Denial of Service, T1518 - Software Discovery, T1546 - Event Triggered Execution, T1547 - Boot or Logon Autostart Execution, T1548 - Abuse Elevation Control Mechanism, T1560 - Archive Collected Data, T1562.003 - Impair Command History Logging, T1566 - Phishing, T1583.005 - Botnet, T1588 - Obtain Capabilities, TA0009 - Collection, TA0011 - Command and Control, TA0029 - Privilege Escalation, TA0030 - Defense Evasion, TA0037 - Command and Control

• Tags: $WebWatson, aaaa, accept, a checkin, active, active2, active threat, adaptivebee, address, admin, admin country, a domains, adult content, agent, agent tesla, agenttesla, aig, akamai, alexa, alexa top, algorithm, all octoseek, all search, amadey, amazon 02, america, amonetize, android, Anomalous.100%, anomalous file, anonymizer, anti-detection, a nxdomain, api blog, a poster, aposter, appdata, apple, apple app store compromise, apple attack, apple computer, apple engineering, apple id, appleid, apple ios, applenoc, apple phone, apple support compromise, app store, artemis, as11042, as14061, as16625, as16625 akamai, as20940, as24940 hetzner, as25577 ide, as2914 ntt, as35994 akamai, as43350 nforce, as58061 scalaxy, as63949 linode, as714, as8068, as9009 m247, ascii text, asyncrat, attack, august, authority, avast win32, ave maria, avg win32, azorult, baaa, back, backdoor, bahamut, bandoo, bangladesh, bank, banker, bankerddedridexexploit, bankerdridexevasive, banking, b body, beginstring, BehavesLike.YahLover, bell south, bellsouth, betabot, binder, bitbucket.org, black, blacklist, blacklist http, blacklist https, blacknet, blacknet rat, blacknet threats, bladabindi, blustealer, body, body length, bondat, boolean, botmaster, botnet, botnet campaign, botnetwork, bounty, bradesco, brian, brian sabey, briansabey, browse scan, brute force, brute force passwords, buildno, bundled, burkina, c2, ca, caaa, caca, caca4baaa, cacf, caea, ca g2, ca id, canvas, cascade, ca x3, cayman, cdata, cellbrite, certificate, channelisales, chaos, checkbox, china, china cobalt, cidr, ciphersuite, cisco umbrella, citadel, city, city center, ck id, ck matrix, class, clean mx, click, close, cloudeye, cmc threat, cmd, cname, cndigicert sha2, cndst root, cnisrg root, cobalt strike, cobaltstrike4.tk, code, collections, collections kp, comcast tmobile, command_and_control, communicating, comspec, conduit, config, contact, contacted, contacted ip, contacted urls, contact phone, contentencoding, content reputation, contextualizing, __convergedlogin_pcustomizationloader_44b450e8d543eb53930d, cookie, copy, core, count blacklist, country, country us, covid19, crack, create c, create new, creation date, critical, critical risk, crypto, csc corporate, cus cnapple, cus cnr3, cutwail, CVE-2005-1790, CVE-2009-3672, CVE-2010-3333, CVE-2010-3962, CVE-2012-3993, CVE-2014-3153, CVE-2014-6332, CVE-2015-1641, CVE-2015-1650, CVE-2017-0143, CVE-2017-0147, CVE-2017-0199, CVE-2017-11882, CVE-2017-8464, CVE-2017-8570, CVE-2017-8759, CVE-2018-0802, CVE-2018-4893, CVE-2018-8373, CVE-2018-8453, CVE-2020-0601, CVE-2020-0674, CVE-2021-27065, CVE-2021-40444, CVE-2023-4966, cybercrime, cybereason, cyber stalking, cyber threat, darkgate, darkweb, darpa, dashboard, data, date, daum, dbatloader, debugger evasion, december, deep scan, defacement, de indicators, delete c, Delf.NBX, desktop, detection list, detections file, detections type, detplock, device, dga malvertizing, dga parking, dgs, district, dnspionage, dns replication, dnssec, docs pricing, domain, domain entries, domain related, domain robot, domains, domains dropped, domain status, domaiq, downer, downldr, download, downloader, dridex, dropbox, dropped, dropper, drpsuinstaller, dtrack, dynadot, dynadot inc, dynamicloader, ecc ca, edsaid, elf wgetboat, email, emails, emotet, endangerment, endpoints all, engineering, enter, entries, error, et, et cins, et tor, et trojan, evasive, evasivemsilratrevenge-rat, evilnum, execution, exe size, exit, expiration, expiro, exploit, exploited spyware, exploit_source, facebook, factory, fakealert, falcon sandbox, false, fear, february, feodo tracker, file, filehashmd5, filehashsha1, filehashsha256, file name, FileRepMalware, files, final, final url, final url summary, financial, find, findwindowa, firehol gozi, first, first seen, flubot, forbidden, form, formbook, for privacy, fortinet, fuery, g1 oapple, galaxy, galaxy watch, gamehack, gandi sas, gating, gear s, gear s2, gear s3, gear sport, gecko, general, generator, generic, genericm, generic malware, Gen:Heur.Ransom.HiddenTears, genkryptik, germany, germany unknown, getprocaddress, ghost rat, gmt connection, gmt contenttype, godaddy online, gootkit, grandoreiro, graph, green, group, hacker, hackers, hacking, hacktool, hallrender, hallrender.com, hashes, hashes c2ae, hashes files, headers, headers nel, header target, heur, high, highly targeted, high process, hijacker, hiloti, historical, historicalandnew, historical ssl, hit, hostname, hostnames, houdini, hr rtd, html, http, http response, https, hybrid, iana id, icedid, icefog, Icefog, icloud, icloud compromise, icwrmind, id, iframe, import, incident ip, indicator, infected, info, info compiler, infor, injection t1055, inmortal, install, installation, installcore, installer, insurance, intel, internal, internet se, invasion of privacy, iobit, iocs, ioc search, iocs kb, ionos se, ios, ip address, ip detections, iphone unlocker, ip security, ip summary, ipv4, ipv6, issuer, jansky, january, japan national police agency, javascript, jekyll, jfif, jpeg image, js user, july, june, kb body, key algorithm, keybase, key identifier, key info, keylogger, kgs0, khtml, kls0, known tor, kovter, kraken, languageenu, lazarus, less see, life, linux agent, live, lmenlo park, loader, local, localappdata, location canada, lockbit, locky, loki, lokibot, Loki Password Stealer (PWS), loki pws, lookups, love, machine intel, mail spammer, major, majorver16, malicious, Malicious domain - SANS Internet Storm Center, malicious host, malicious red team, malicious site, malicious url, maltiverse, malvertizing, malware, malware beacon, malware distribution site, malware download, malware host, malware hosting, malware site, masquerading, mas.to, matsnu, maxage5184000, mb first, media center, mediamagnet, media player, medium, meta, meterpreter, metro, metroby-tmo, microsoft, million, miner, mirai malware, misc attack, mitre, mitre att, mitre attk, mobilekey.pw, model, monitoring, mozilla, msie, msil, ms windows, mtb oct, mtsub26293293, mumblehard, music, name, name servers, name verdict, nanocore, nanocore rat, national police agency japan, necurs, netherlands asn, netlify, netlify edge, net technology, network, network ascii text, network rat, networks, networm, new ioc, neworder.doc, next, nginx, njrat, no data, node tcp, node traffic, no expiration, no expired, no na, noname057, no no, notepad, november, nuance, null, number, nxdomain, nymaim, object, october, octoseek, odigicert inc, olet, ollydbg, ometa platforms, open, openioc, opera, organization, orgid, orgtechhandle, orgtechref, osregion, otx octoseek, outbreak, override, parent referrer, parked domain, parking crew, passive dns, password, paste, patch, path, pattern match, payment, paypal, pcap, pdf report, pe32, pegasus, pe resource, persistence, pe yandex, phishing, phishing paypal, phishingransomwaresinkhole, phishing site, phonenumber, pictures, point, pony, possible, postal code, prefetch8, presenoker, prism_object, prism_setting, privacy admin, privacy tech, probe, products, project, prynt, prynt stealer, psiusa, public folder, public key, public server, puffstealer, pulse pulses, pulse submit, pulse use, pykspa, python infostealer, python user, qakbot, quasar, quasar rat, query, qwest, raccoon, radamant, ramnit, ransomexx, ransomware, ransomwaretorrentlocker, raspberry robin, rat, ratel, rauschenberg, rdds service, read c, record, record type, record value, red, redacted for, redirector, redirectors, redline, redline stealer, referrer, refresh, regbinary, regdword, registrant, registrar, registrar abuse, registrar url, registrar whois, registry arin, registry domain, regsetvalueexa, reinsurance, relacion, related nids, relay, relayrouter, relic, remcos, remote, remote cnc, replacement, research group, resolutions, revenge rat, revenge-rat, reverse dns, rightsaided, riskware, rmndrp, root, root ca, rsa cn, rtechhandle, rtechref, rultazo, runescape, rust, sabey, safe site, sality, sample, samples, samsug, samsung galaxy, sandbox, scalaxy, scan endpoints, screenshot, script, search, search live, searchmeup, sections, security, seen, send bug, september, server, servers, service, serving ip, setcookie geous, sha256, shell, shell code, show, showing, show technique, show technique span, silly, simda, simple, sinkhole, sinkhole cookie, site, skynet, slcc2, sliver, small, smokeloader, sneaky server, snort ip, soc, social engineering, solimba, song culture, sophos, South Carolina Federal Credit Union phishing, spammer, span, speakez securus, spearfishing, spyware, srdvd16010404, ssh on server, ssl certificate, ssl hostname, state, stateprovince, states, static engine, status, status code, status codes, stcalifornia, stealer, stealthyness, steam, stevens creek, stix, strike, strings, subdomains, subid, subject public, submit, submit quasar, summary, suppobox, suspic, suspicious, swift, swrort, systemlocale, t1055, tag count, tagging, tag tag, targeted attack, targeting, team, teams api, tech contact, tech email, temp, template, threat, threat analyzer, threat report, threat roundup, tinba, tld count, t-mobile, tofsee, tools, tor c++, tor c++ client, tor known, tor relayrouter, tracker, tracking, traffic, trickbot, trident, trim, trojan, trojanspy, trojanx, tsara brashears, ttl value, tulach, twitter, type name, type win32, uaaa, unauthorized, undetected dns8, undetected vx, union, unique, united, united kingdom, United states, unknown, unknown urls, unlocker, unreliable subdomains, unruy, unsafe, url, url analysis, url http, url https, urls, urls http, urls https, url summary, urls url, ursnif, utc entry, v3 serial, valid, validity, value snkz, vault, vawtrak, vdfsurfs, vendorname2581, verdict, vidar, videos, virtool, virustotal, virut, vitro, vjw0rm, vs2008, vs2008 sp1, vs2010, vt report, waaa, wacatac, wanacrypt0rwannacrywcry, watch, webshell, webtoolbar, wells fargo, whitelisted, whois, whois parent, whois record, whois service, whois siblings, whois whois, who’s driving, widget, win32, win32 exe, win64, windows nt, workaposter, worm, wow64, write, write c, writes data to a remote process, x8bxe5, xobo, xpire.info, yaaa, yandex, yara detections, yara rule, zbot, zdb zeus, zenbox, zeppelin, zeus, zombie devices

• View other sources: Spamhaus VirusTotal

• Country: United States
• Network: AS8075 microsoft corporation
• Noticed: 23 times
• Protcols Attacked: SSH
• Countries Attacked: Canada, France, Netherlands, Spain, United Arab Emirates, United Kingdom of Great Britain and Northern Ireland, United States of America

Malware Detected on Host

Count: 111 9e32a5c6655a9c15fe87d46006d5568157218be6d907654c73fa56b0ad0d7bf2 3b1c71269e3659392c30f5240359eec11e3b34523e96e16ec19fcc9cccde72e2 3846596e287952712907060a38a476796efc84bbc1b4bc3cc965b91f0f5380f5 3fa283763463d27b6bd04f3a41720c8d1f2b2d1d1608b8f1edc5dd73a523b327 f11c70877db2d7377e617ca2c9bf2e2792910bb145f66f1e7d7e642f4cfe47c9 58273d5c1aa5b08861f3760babfbb0b01f2774c9de1b7f2057d15a44829fde9f 46f45f13f990bc003667d225ea606622031acb7ce8a723025dc38ab20a38e4b4 a60a376c1cfe447c7a474d330a71a05c90f099bf8e93b08b9a8e6ce489a1da88 237043d21e4a31f3ebbcd2496d711415201d5f4cc04a2315407c0b60a7cb1a6b 0211b6e53e99467c8447e6bbfea8939abea0b82dc9768a699b2d11b4dcddaed3

Open Ports Detected

25

Map

Whois Information

• NetRange: 104.40.0.0 - 104.47.255.255
• CIDR: 104.40.0.0/13
• NetName: MSFT
• NetHandle: NET-104-40-0-0-1
• Parent: NET104 (NET-104-0-0-0-0)
• NetType: Direct Allocation
• OriginAS:
• Organization: Microsoft Corporation (MSFT)
• RegDate: 2014-05-07
• Updated: 2021-12-14
• Ref: https://rdap.arin.net/registry/ip/104.40.0.0
• OrgName: Microsoft Corporation
• OrgId: MSFT
• Address: One Microsoft Way
• City: Redmond
• StateProv: WA
• PostalCode: 98052
• Country: US
• RegDate: 1998-07-10
• Updated: 2023-11-17
• Comment: To report suspected security issues specific to traffic emanating from Microsoft online services, including the distribution of malicious content or other illicit or illegal material through a Microsoft online service, please submit reports to:
• Comment: * https://cert.microsoft.com.
• Comment:
• Comment: For SPAM and other abuse issues, such as Microsoft Accounts, please contact:
• Comment: * abuse@microsoft.com.
• Comment:
• Comment: To report security vulnerabilities in Microsoft products and services, please contact:
• Comment: * secure@microsoft.com.
• Comment:
• Comment: For legal and law enforcement-related requests, please contact:
• Comment: * msndcc@microsoft.com
• Comment:
• Comment: For routing, peering or DNS issues, please
• Comment: contact:
• Comment: * IOC@microsoft.com
• Ref: https://rdap.arin.net/registry/entity/MSFT
• OrgAbuseHandle: MAC74-ARIN
• OrgAbuseName: Microsoft Abuse Contact
• OrgAbusePhone: +1-425-882-8080
• OrgAbuseEmail: abuse@microsoft.com
• OrgAbuseRef: https://rdap.arin.net/registry/entity/MAC74-ARIN
• OrgTechHandle: MRPD-ARIN
• OrgTechName: Microsoft Routing, Peering, and DNS
• OrgTechPhone: +1-425-882-8080
• OrgTechEmail: IOC@microsoft.com
• OrgTechRef: https://rdap.arin.net/registry/entity/MRPD-ARIN
• OrgTechHandle: SINGH683-ARIN
• OrgTechName: Singh, Prachi
• OrgTechPhone: +1-425-707-5601
• OrgTechEmail: pracsin@microsoft.com
• OrgTechRef: https://rdap.arin.net/registry/entity/SINGH683-ARIN
• OrgTechHandle: BEDAR6-ARIN
• OrgTechName: Bedard, Dawn
• OrgTechPhone: +1-425-538-6637
• OrgTechEmail: dabedard@microsoft.com
• OrgTechRef: https://rdap.arin.net/registry/entity/BEDAR6-ARIN
• OrgTechHandle: IPHOS5-ARIN
• OrgTechName: IPHostmaster, IPHostmaster
• OrgTechPhone: +1-425-538-6637
• OrgTechEmail: iphostmaster@microsoft.com
• OrgTechRef: https://rdap.arin.net/registry/entity/IPHOS5-ARIN
• OrgRoutingHandle: CHATU3-ARIN
• OrgRoutingName: Chaturmohta, Somesh
• OrgRoutingPhone: +1-425-882-8080
• OrgRoutingEmail: someshch@microsoft.com
• OrgRoutingRef: https://rdap.arin.net/registry/entity/CHATU3-ARIN

Links to attack logs

****** ****** ******