104.47.59.138 Threat Intelligence and Host Information

General

This page contains threat intelligence information for the IPv4 address 104.47.59.138 and was generated either as a result of observed malicious activity or as an information gathering exercise to assist with enrichment of security events and context. All information is gathered passively through aggregation of public sources, or observations through activity upon honeynets. The host score is calculated through a series of statistically weighted values and machine learning which takes into account metadata such as host information, frequency, volume and global distribution of malicious activity, association with other known malicious hosts or networks, proxying or anonymising behaviour such as with tor exit nodes, residential proxies or VPN services, and many other attributes. These values are historical and indicative only - and should not be taken to be an accurate representation of the users, businesses or networks in which they reside.

Likely Malicious Host 🟠 60/100

Host and Network Information

• Mitre ATT&CK IDs: T1001.002 - Steganography, T1012 - Query Registry, T1027 - Obfuscated Files or Information, T1031 - Modify Existing Service, T1036 - Masquerading, T1038 - DLL Search Order Hijacking, T1041 - Exfiltration Over C2 Channel, T1056.001 - Keylogging, T1057 - Process Discovery, T1059.002 - AppleScript, T1059.007 - JavaScript, T1059 - Command and Scripting Interpreter, T1068 - Exploitation for Privilege Escalation, T1071.001 - Web Protocols, T1071.002 - File Transfer Protocols, T1071.003 - Mail Protocols, T1071.004 - DNS, T1071 - Application Layer Protocol, T1074 - Data Staged, T1082 - System Information Discovery, T1083 - File and Directory Discovery, T1105 - Ingress Tool Transfer, T1106 - Native API, T1114 - Email Collection, T1122 - Component Object Model Hijacking, T1129 - Shared Modules, T1140 - Deobfuscate/Decode Files or Information, T1147 - Hidden Users, T1445 - Abuse of iOS Enterprise App Signing Key, T1449 - Exploit SS7 to Redirect Phone Calls/SMS, T1518.001 - Security Software Discovery, T1518 - Software Discovery, T1546.015 - Component Object Model Hijacking, T1562.004 - Disable or Modify System Firewall, T1564.001 - Hidden Files and Directories, T1588.004 - Digital Certificates, TA0004 - Privilege Escalation, TA0011 - Command and Control

• Tags: 114.114.114.114, address, adload, adobe acrobat, adobe cloud, adobe crash, adobe sign, adult content, adwind, agency, agent, agent tesla, aig.com, aig.rastreator.mx, alexa, alexa top, algorithm, all octoseek, all search, analyzed, android, apple, apple ios, april, artemis, ascii text, asp.net, assaulter, asyncrat, attack, attempt goog, august, author, ave maria, awful, azorult, back, bank, banker, bankerx, b body, blacklist, blacklist http, blacklist https, body length, both forensics, bradesco, brian sabey, burma, ca lann, caltech.edu, carnegie mellon, carnegie mellon university, cellbrite, cellebrite, cellebrite ufed, charles, chrome, cisco umbrella, citadel, city, ck id, class, cleaner, click, cloudfront, cmu server, cobalt strike, code, communicating, conduit, connection, contact, contacted, contact phone, copy, core, covid19, crack, created, critical, crypto, csc corporate, cus cnincommon, cus ou, cyber security, cyber threat, cyber warfare, data, date, defence, defense, detection list, detections type, djvu, dnspionage, dns replication, domain, domain name, domain record, domains, domain status, downldr, downloader, dropper, emotet, engineering, entrust, error, evasive, examiner, execution, exploit, facebook, fakealert, falcon sandbox, february, filehashsha256, files, files domain, file size, files related, filetour, file type, final url, find, first, formbook, fraud, full name, fusioncore, gamehack, general, generator, generic, generic malware, ghost rat, gmail, google attack, google playstore, group, hacktool, hall render, hallrender, hashes files, headers, heur, hidden form, historical ssl, hostname, hostnames, html internet, http, http response, hybrid, iana id, identifier, iframe, info, installbrain, installcore, ioc, iocs, ioc search, ios, ip address, ip summary, ipv4, issuer, it legal, july, june, kb body, key algorithm, key identifier, keylogger, killav, kraken, l1k validity, lab command, lazarus, list, lnew york, lockbit, logistics, lokibot, lolkek, magic html, makop, malicious, malicious site, malvertizing, malware, malware site, manage, mark brian sabey, markmonitor, matsnu, metro, microsoft, Miles IT, million, miner, mitre att, modified, monitoring, mon oct, month ago, months ago, mydoom-90, name, name server, name verdict, nanocore rat, net128, net1280000, netsky, networm, new ioc, new york, next, Nextray, nimda, nircmd, no data, noname057, none file, nr-data.net, number, nymaim, occamy, october, oentrust, opencandy, orgid, origin1, otx octoseek, packed, passive dns, paste, patcher, pegasus, phishing, phishing site, phishtank, pittsburgh, please select, podcast, ponmocup, pornography, postal code, post root, premium, presenoker, present jun, privacy invasion, privilege escalation, privilege https, protect, pulses none, qakbot, qbot, quasar, raccoon, ramnit, ransomexx, ransomware, record type, redirector, redline stealer, redlinestealer, referrer, registrar abuse, registrar url, registrar whois, reimer, related tags, report spam, resolutions, reverse dns, riskware, rolefunction, root ca, rsa server, rtechhandle, safe site, sample, sample path, samples, sat aug, sa victim, scan endpoints, seraph, server, serving ip, sha256, simda, site, skynet, smart search, solve, ssl certificate, status code, stealer, stealth, stmi ouincommon, strings, subject key, summary, suppobox, survey, survivor, swisscom root, swrort, t1140, tag count, targeting, targets sa, team, team malware, teams api, threat, threat analyzer, threat report, threat roundup, threat score, tiggre, tinba, tofsee, tools, tracking, trid file, trojan, trojanspy, trojanx, trust, tsara brashears, ttl value, tulach, type textplain, united, unknown, unruy, unsafe, upgrade, url http, url https, urls, urls https, url summary, ursnif, utmsourcemailer, v3 serial, validity, vawtrak, vidar, wacatac, webcompanion, webtoolbar, whois record, whois whois, win32, win32 exe, win64, winamp, windir, worm, x509v3 key, xrat, xtrat, zbot, zeus, zpevdo

• JARM: 2ad2ad0002ad2ad0002ad2ad2ad2adf9fdf4eeac344e8b5003264da73585be

• View other sources: Spamhaus VirusTotal

• Country: United States
• Network: AS8075 microsoft corporation
• Noticed: 50 times
• Protcols Attacked: SSH
• Countries Attacked: Canada, Czechia, Denmark, Estonia, France, Germany, Latvia, Lithuania, Norway, Poland, Romania, Saudi Arabia, Turkey, Ukraine, United Kingdom of Great Britain and Northern Ireland, United States of America

Malware Detected on Host

Count: 1501 ceaab53560fe27d25ae139dd736a26f32daf3a1b3ce8410c1153a422205dea81 0d59fb3ee725564095f3cbb88652abb7c0df969719608b98889f0c0ac702d139 f63a3c061a58110ae7d2d2a0640d58a09800a2c9e46874cbd929bfe0ace8cf81 37fbc4022ca13f83076b08a5746ef6c1ede818e8378c43be079aea81af1b705b 1f884bc647b15727722571594167a0ac24ce522bebd9be7b1820418397f30c55 b74f7f269a97e34d99a81007b33a1410e080c6164b3b4daa832f6eeeba9598ed a561c99db6fb1cf48c919762cf9930ad6edb6db1b0223d7d686209744ded5cea 5d39d06da63faa83f48256f5ff75d570d88b91ab952bedfbe35b47a63937ee3c fd25dff49e2c2f3991e59a88c50ee40742c66804fcc5ddc1c0ad581f1204857b 5a4ce432cd5f2ae51a2b78a4698f88abde3bd442b244bcb7c5f3e1d4665e3bbe

Open Ports Detected

25 443 80

Map

Whois Information

• NetRange: 104.40.0.0 - 104.47.255.255
• CIDR: 104.40.0.0/13
• NetName: MSFT
• NetHandle: NET-104-40-0-0-1
• Parent: NET104 (NET-104-0-0-0-0)
• NetType: Direct Allocation
• OriginAS:
• Organization: Microsoft Corporation (MSFT)
• RegDate: 2014-05-07
• Updated: 2021-12-14
• Ref: https://rdap.arin.net/registry/ip/104.40.0.0
• OrgName: Microsoft Corporation
• OrgId: MSFT
• Address: One Microsoft Way
• City: Redmond
• StateProv: WA
• PostalCode: 98052
• Country: US
• RegDate: 1998-07-10
• Updated: 2023-11-17
• Comment: To report suspected security issues specific to traffic emanating from Microsoft online services, including the distribution of malicious content or other illicit or illegal material through a Microsoft online service, please submit reports to:
• Comment: * https://cert.microsoft.com.
• Comment:
• Comment: For SPAM and other abuse issues, such as Microsoft Accounts, please contact:
• Comment: * abuse@microsoft.com.
• Comment:
• Comment: To report security vulnerabilities in Microsoft products and services, please contact:
• Comment: * secure@microsoft.com.
• Comment:
• Comment: For legal and law enforcement-related requests, please contact:
• Comment: * msndcc@microsoft.com
• Comment:
• Comment: For routing, peering or DNS issues, please
• Comment: contact:
• Comment: * IOC@microsoft.com
• Ref: https://rdap.arin.net/registry/entity/MSFT
• OrgAbuseHandle: MAC74-ARIN
• OrgAbuseName: Microsoft Abuse Contact
• OrgAbusePhone: +1-425-882-8080
• OrgAbuseEmail: abuse@microsoft.com
• OrgAbuseRef: https://rdap.arin.net/registry/entity/MAC74-ARIN
• OrgTechHandle: MRPD-ARIN
• OrgTechName: Microsoft Routing, Peering, and DNS
• OrgTechPhone: +1-425-882-8080
• OrgTechEmail: IOC@microsoft.com
• OrgTechRef: https://rdap.arin.net/registry/entity/MRPD-ARIN
• OrgTechHandle: SINGH683-ARIN
• OrgTechName: Singh, Prachi
• OrgTechPhone: +1-425-707-5601
• OrgTechEmail: pracsin@microsoft.com
• OrgTechRef: https://rdap.arin.net/registry/entity/SINGH683-ARIN
• OrgTechHandle: BEDAR6-ARIN
• OrgTechName: Bedard, Dawn
• OrgTechPhone: +1-425-538-6637
• OrgTechEmail: dabedard@microsoft.com
• OrgTechRef: https://rdap.arin.net/registry/entity/BEDAR6-ARIN
• OrgTechHandle: IPHOS5-ARIN
• OrgTechName: IPHostmaster, IPHostmaster
• OrgTechPhone: +1-425-538-6637
• OrgTechEmail: iphostmaster@microsoft.com
• OrgTechRef: https://rdap.arin.net/registry/entity/IPHOS5-ARIN
• OrgRoutingHandle: CHATU3-ARIN
• OrgRoutingName: Chaturmohta, Somesh
• OrgRoutingPhone: +1-425-882-8080
• OrgRoutingEmail: someshch@microsoft.com
• OrgRoutingRef: https://rdap.arin.net/registry/entity/CHATU3-ARIN

Links to attack logs

****** ****** ******