138.124.180.216 Threat Intelligence and Host Information

Share on:
May 27, 2023 ipinfopage

General

This page contains threat intelligence information for the IPv4 address 138.124.180.216 and was generated either as a result of observed malicious activity or as an information gathering exercise to assist with enrichment of security events and context. All information is gathered passively through aggregation of public sources, or observations through activity upon honeynets. The host score is calculated through a series of statistically weighted values and machine learning which takes into account metadata such as host information, frequency, volume and global distribution of malicious activity, association with other known malicious hosts or networks, proxying or anonymising behaviour such as with tor exit nodes, residential proxies or VPN services, and many other attributes. These values are historical and indicative only - and should not be taken to be an accurate representation of the users, businesses or networks in which they reside.

Likely Malicious Host 🟠 51/100

Host and Network Information

  • Mitre ATT&CK IDs: T1005 - Data from Local System, T1007 - System Service Discovery, T1010 - Application Window Discovery, T1012 - Query Registry, T1018 - Remote System Discovery, T1027 - Obfuscated Files or Information, T1027.005 - Indicator Removal from Tools, T1028 - Windows Remote Management, T1033 - System Owner/User Discovery, T1036 - Masquerading, T1039 - Data from Network Shared Drive, T1043 - Commonly Used Port, T1047 - Windows Management Instrumentation, T1048 - Exfiltration Over Alternative Protocol, T1049 - System Network Connections Discovery, T1050 - New Service, T1053 - Scheduled Task/Job, T1055 - Process Injection, T1055.002 - Portable Executable Injection, T1056 - Input Capture, T1057 - Process Discovery, T1059 - Command and Scripting Interpreter, T1069 - Permission Groups Discovery, T1070.001 - Clear Windows Event Logs, T1070.004 - File Deletion, T1070.005 - Network Share Connection Removal, T1070.006 - Timestomp, T1071 - Application Layer Protocol, T1076 - Remote Desktop Protocol, T1078 - Valid Accounts, T1082 - System Information Discovery, T1083 - File and Directory Discovery, T1087 - Account Discovery, T1090 - Proxy, T1095 - Non-Application Layer Protocol, T1098 - Account Manipulation, T1102 - Web Service, T1105 - Ingress Tool Transfer, T1106 - Native API, T1110 - Brute Force, T1112 - Modify Registry, T1113 - Screen Capture, T1115 - Clipboard Data, T1127 - Trusted Developer Utilities Proxy Execution, T1133 - External Remote Services, T1134 - Access Token Manipulation, T1135 - Network Share Discovery, T1136 - Create Account, T1140 - Deobfuscate/Decode Files or Information, T1189 - Drive-by Compromise, T1202 - Indirect Command Execution, T1218 - Signed Binary Proxy Execution, T1480 - Execution Guardrails, T1482 - Domain Trust Discovery, T1486 - Data Encrypted for Impact, T1489 - Service Stop, T1490 - Inhibit System Recovery, T1497 - Virtualization/Sandbox Evasion, T1518 - Software Discovery, T1543 - Create or Modify System Process, T1547 - Boot or Logon Autostart Execution, T1548 - Abuse Elevation Control Mechanism, T1552 - Unsecured Credentials, T1553 - Subvert Trust Controls, T1558 - Steal or Forge Kerberos Tickets, T1560 - Archive Collected Data, T1562 - Impair Defenses, T1564 - Hide Artifacts, T1584 - Compromise Infrastructure, T1588 - Obtain Capabilities, T1602 - Data from Configuration Repository
  • Tags: CryptOne, Dridex, Evil Corp, Hades, Macaw, PayloadBIN, Phoenix Locker, WastedLocker, access token, agency, agent, august, base64url, beacon, bitpaymer, blueeye, build, build time, cnthawte rsa, cobalt strike, code, colorfake, command, conti, cryptone, cus validation, darktrace, data volume, defender, domains, donut, doppelpaymer, dridex, e da, egregor, emotet, evil corp, evolution, factory, fakeupdates, february, from dridex, gold drake, gold winter, gozi, gozi isfb, group, hades, hancitor, hidden window, highlight, ip address, june, l co, lockbit, locker, m ac, macaw, mandiant, march, mask, match case, mimikatz, modify registry, modify system, modify tools, ncc group, netwalker, new ransomware, odigicert inc, open print, password, payloadbin, phoenix, phoenix locker, previous next, protect, psexec, range, ransom, ransomware, recon, reg key, regdword, remote desktop, research https, script, secureworks, sentinelone, serial number, sha256, sha256 hash, shellcode, smokeloader, ssl beacon, t1140, t1620, trickbot, ttps, type indicator, username, valid, view go, vo lu, wastedlocker, whole, x to, zloader

  • View other sources: Spamhaus VirusTotal

  • Country: United States
  • Network: AS52000 innovation it solutions ltd
  • Noticed: 3 times
  • Protcols Attacked: Anonymous Proxy
  • Countries Attacked: United Kingdom of Great Britain and Northern Ireland, United States of America
  • Passive DNS Results: mashines.click habiton.site feelbuy.tech dryup.site dueease.space helptie.xyz

Open Ports Detected

22

Map

Whois Information

  • NetRange: 138.124.0.0 - 138.124.255.255
  • CIDR: 138.124.0.0/16
  • NetName: RIPE-ERX-138-124-0-0
  • NetHandle: NET-138-124-0-0-1
  • Parent: NET138 (NET-138-0-0-0-0)
  • NetType: Early Registrations, Transferred to RIPE NCC
  • OriginAS:
  • Organization: RIPE Network Coordination Centre (RIPE)
  • RegDate: 2003-12-11
  • Updated: 2003-12-11
  • Comment: These addresses have been further assigned to users in
  • Comment: the RIPE NCC region. Contact information can be found in
  • Ref: https://rdap.arin.net/registry/ip/138.124.0.0
  • OrgName: RIPE Network Coordination Centre
  • OrgId: RIPE
  • Address: P.O. Box 10096
  • City: Amsterdam
  • StateProv:
  • PostalCode: 1001EB
  • Country: NL
  • RegDate:
  • Updated: 2013-07-29
  • Ref: https://rdap.arin.net/registry/entity/RIPE
  • OrgAbuseHandle: ABUSE3850-ARIN
  • OrgAbuseName: Abuse Contact
  • OrgAbusePhone: +31205354444
  • OrgAbuseEmail: [email protected]
  • OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3850-ARIN
  • OrgTechHandle: RNO29-ARIN
  • OrgTechName: RIPE NCC Operations
  • OrgTechPhone: +31 20 535 4444
  • OrgTechEmail: [email protected]
  • OrgTechRef: https://rdap.arin.net/registry/entity/RNO29-ARIN
  • inetnum: 138.124.180.0 - 138.124.180.255
  • country: US
  • geofeed: https://stark-industries.solutions/geofeed.csv
  • descr: STARK INDUSTRIES SOLUTIONS LTD
  • netname: STARK_INDUSTRIES
  • status: LEGACY
  • mnt-by: STARK-MNT
  • org: ORG-SISL18-RIPE
  • admin-c: SICK1337-RIPE
  • tech-c: SICK1337-RIPE
  • created: 2020-08-15T22:06:24Z
  • last-modified: 2022-12-28T22:28:56Z
  • organisation: ORG-SISL18-RIPE
  • org-name: STARK INDUSTRIES SOLUTIONS LTD.
  • org-type: OTHER
  • address: 71-75, Shelton Street
  • address: Covent Garden
  • address: London
  • address: WC2H 9JQ
  • address: UNITED KINGDOM
  • phone: +441234416080
  • abuse-c: SICK1337-RIPE
  • mnt-ref: STARK-MNT
  • mnt-ref: MEREZHA-MNT
  • mnt-ref: MNT-DGTL
  • mnt-by: STARK-MNT
  • created: 2022-02-11T19:47:43Z
  • last-modified: 2022-09-19T19:38:52Z
  • role: Stark Industries Solutions NOC
  • address: UNITED KINGDOM
  • address: WC2H 9JQ
  • address: London
  • address: Covent Garden
  • address: 71-75, Shelton Street
  • phone: +441234416080
  • abuse-mailbox: [email protected]
  • nic-hdl: SICK1337-RIPE
  • mnt-by: STARK-MNT
  • created: 2022-02-11T01:48:55Z
  • last-modified: 2022-12-21T20:26:43Z
  • route: 138.124.180.0/24
  • origin: AS44477
  • mnt-by: STARK-MNT
  • created: 2022-07-19T21:36:02Z
  • last-modified: 2022-07-19T21:36:02Z
  • route: 138.124.180.0/24
  • origin: AS52000
  • mnt-by: MNT-DGTL
  • mnt-by: STARK-MNT
  • created: 2020-08-15T22:09:21Z
  • last-modified: 2022-02-12T10:04:13Z

Links to attack logs

anonymous-proxy-ip-list-2023-05-26