104.47.57.138 Threat Intelligence and Host Information

General

This page contains threat intelligence information for the IPv4 address 104.47.57.138 and was generated either as a result of observed malicious activity or as an information gathering exercise to assist with enrichment of security events and context. All information is gathered passively through aggregation of public sources, or observations through activity upon honeynets. The host score is calculated through a series of statistically weighted values and machine learning which takes into account metadata such as host information, frequency, volume and global distribution of malicious activity, association with other known malicious hosts or networks, proxying or anonymising behaviour such as with tor exit nodes, residential proxies or VPN services, and many other attributes. These values are historical and indicative only - and should not be taken to be an accurate representation of the users, businesses or networks in which they reside.

Likely Malicious Host 🟠 60/100

Host and Network Information

• Mitre ATT&CK IDs: T1027 - Obfuscated Files or Information, T1031 - Modify Existing Service, T1059.007 - JavaScript, T1059 - Command and Scripting Interpreter, T1071.001 - Web Protocols, T1071.004 - DNS, T1071 - Application Layer Protocol, T1100 - Web Shell, T1105 - Ingress Tool Transfer, T1114 - Email Collection, T1140 - Deobfuscate/Decode Files or Information, T1156 - Malicious Shell Modification, T1449 - Exploit SS7 to Redirect Phone Calls/SMS, T1497 - Virtualization/Sandbox Evasion, T1547 - Boot or Logon Autostart Execution, T1560 - Archive Collected Data, TA0011 - Command and Control

• Tags: aaaa, accept, access, active, active threat, address, agent, aig, akamai, alexa top, all octoseek, android, a nxdomain, a poster, aposter, apple, apple attack, apple engineering, apple id, apple ios, applenoc, artemis, as16625, as20940, as24940 hetzner, as58061 scalaxy, as714, ascii text, att, attack, authority, awful, azorult, backdoor, bahamut, bank, bell south, bellsouth, blacklist, body, body length, brian, brian sabey, briansabey, browse scan, brute force passwords, bundled, ca, canvas, cellbrite, china, cidr, cisco umbrella, civicaIg, ck id, ck matrix, class, cleaner, click, cmd, cname, cobalt strike, communicating, conduit, config, contact, contacted, contentencoding, content type, contextualizing, copy, crack, create new, creation date, critical, crypto, cybercrime, cyber stalking, dashboard, date, detection list, dns replication, domain, domain entries, download, dropped, emails, endpoints all, error, et, et cins, execution, expiration, expiration date, expiressun, facebook, falcon sandbox, false, fear, file, filehashmd5, filehashsha1, filehashsha256, final url, final url summary, forbidden, formbook, fusioncore, general, generator, germany, germany unknown, graph, hacktool, hallrender, hashes files, headers, headers nel, heur, historical, historical ssl, hostname, html info, http response, https, hughesnet, hybrid, icefog, icloud, iframe, install, installer, installpack, iocs, ioc search, iocs kb, ios, ip address, ipv4, ipv6, japan national police agency, jekyll, kb body, local, localappdata, mail spammer, malicious, malicious host, malicious site, maltiverse, malvertizing, malware, malware site, masquerading, meta, meta tags, metro, million, mitre, mitre att, mitre attk, monitoring, movies, mtsub26293293, name, name servers, national police agency japan, network, new ioc, next, no expiration, nuance, nxdomain, octoseek, opencandy, passive dns, password crack, paste, path, pattern match, pcap, pdf report, pegasus, phishing, phishing site, porn, pornhub, presenoker, pt3rc1, pt3uc1, pulse use, quasar, record type, record value, referrer, reinsurance, relacion, relay, remote, resolutions, riskware, root, root ca, runescape, sabey, safe site, samples, sandbox, scalaxy, scan endpoints, script, search, servers, service, serving ip, sha256, show, showing, show technique, simple, site, small, softcnapp, span, speakez securus, spying, spyware, ssh on server, ssl certificate, ssl hostname, state, status, status code, status codes, stix, strings, subdomains, subid, submit, submit quasar, suddenlink tv, tagging, target tsara brashears, team, teams api, temp, threat, threat analyzer, tiggre, tofsee, toshiba, tracker, trackers amazon, tracking, trojan, trojanspy, tsara brashears, ttl value, tulach, tylerknott, united, United states, unknown, unknown urls, unsafe, url http, url https, urls https, verdict, wacatac, watch, whois record, whois whois, win32, workaposter, xobo, xrat, xtrat

• JARM: 2ad2ad0002ad2ad0002ad2ad2ad2adf9fdf4eeac344e8b5003264da73585be

• View other sources: Spamhaus VirusTotal

• Country: United States
• Network: AS8075 microsoft corporation
• Noticed: 5 times
• Protcols Attacked: SSH
• Countries Attacked: Canada, Netherlands, United States of America

Malware Detected on Host

Count: 7 fda67895d270ad60709492635c37e0999564e4b01b52b2a612363f569b3edca5 883bde1c6564053750f613e44ecb0cf3a9af01397fc68b950009c897fec0e420 f0778cb9abf7e28cedf0a6ed3bc2187c33edaf4dfcc8a035c63d4e8ddbefd380 d8f6648b0bcbb6b10e4bb83b0544ce704d249d8b3f4bf35d26357eb33f6f7bd2 9aa2a07e3380f1524363e68e2b346393dcb16a7fe58d1ea7eda617ebdebd83ea 378e9520aa98a07e74e2a49307699d48f97446131b15565093a1eaf4d79ace83 b81db9595e7cdc16ca6f106f5610e4442cbaf9049940938b34ce759a42688dfa

Open Ports Detected

25 443 80

Map

Whois Information

• NetRange: 104.40.0.0 - 104.47.255.255
• CIDR: 104.40.0.0/13
• NetName: MSFT
• NetHandle: NET-104-40-0-0-1
• Parent: NET104 (NET-104-0-0-0-0)
• NetType: Direct Allocation
• OriginAS:
• Organization: Microsoft Corporation (MSFT)
• RegDate: 2014-05-07
• Updated: 2021-12-14
• Ref: https://rdap.arin.net/registry/ip/104.40.0.0
• OrgName: Microsoft Corporation
• OrgId: MSFT
• Address: One Microsoft Way
• City: Redmond
• StateProv: WA
• PostalCode: 98052
• Country: US
• RegDate: 1998-07-10
• Updated: 2023-11-17
• Comment: To report suspected security issues specific to traffic emanating from Microsoft online services, including the distribution of malicious content or other illicit or illegal material through a Microsoft online service, please submit reports to:
• Comment: * https://cert.microsoft.com.
• Comment:
• Comment: For SPAM and other abuse issues, such as Microsoft Accounts, please contact:
• Comment: * abuse@microsoft.com.
• Comment:
• Comment: To report security vulnerabilities in Microsoft products and services, please contact:
• Comment: * secure@microsoft.com.
• Comment:
• Comment: For legal and law enforcement-related requests, please contact:
• Comment: * msndcc@microsoft.com
• Comment:
• Comment: For routing, peering or DNS issues, please
• Comment: contact:
• Comment: * IOC@microsoft.com
• Ref: https://rdap.arin.net/registry/entity/MSFT
• OrgRoutingHandle: CHATU3-ARIN
• OrgRoutingName: Chaturmohta, Somesh
• OrgRoutingPhone: +1-425-882-8080
• OrgRoutingEmail: someshch@microsoft.com
• OrgRoutingRef: https://rdap.arin.net/registry/entity/CHATU3-ARIN
• OrgTechHandle: MRPD-ARIN
• OrgTechName: Microsoft Routing, Peering, and DNS
• OrgTechPhone: +1-425-882-8080
• OrgTechEmail: IOC@microsoft.com
• OrgTechRef: https://rdap.arin.net/registry/entity/MRPD-ARIN
• OrgAbuseHandle: MAC74-ARIN
• OrgAbuseName: Microsoft Abuse Contact
• OrgAbusePhone: +1-425-882-8080
• OrgAbuseEmail: abuse@microsoft.com
• OrgAbuseRef: https://rdap.arin.net/registry/entity/MAC74-ARIN
• OrgTechHandle: SINGH683-ARIN
• OrgTechName: Singh, Prachi
• OrgTechPhone: +1-425-707-5601
• OrgTechEmail: pracsin@microsoft.com
• OrgTechRef: https://rdap.arin.net/registry/entity/SINGH683-ARIN
• OrgTechHandle: BEDAR6-ARIN
• OrgTechName: Bedard, Dawn
• OrgTechPhone: +1-425-538-6637
• OrgTechEmail: dabedard@microsoft.com
• OrgTechRef: https://rdap.arin.net/registry/entity/BEDAR6-ARIN
• OrgTechHandle: IPHOS5-ARIN
• OrgTechName: IPHostmaster, IPHostmaster
• OrgTechPhone: +1-425-538-6637
• OrgTechEmail: iphostmaster@microsoft.com
• OrgTechRef: https://rdap.arin.net/registry/entity/IPHOS5-ARIN

Links to attack logs

****** ****** ******