146.20.161.1 Threat Intelligence and Host Information

General

This page contains threat intelligence information for the IPv4 address 146.20.161.1 and was generated either as a result of observed malicious activity or as an information gathering exercise to assist with enrichment of security events and context. All information is gathered passively through aggregation of public sources, or observations through activity upon honeynets. The host score is calculated through a series of statistically weighted values and machine learning which takes into account metadata such as host information, frequency, volume and global distribution of malicious activity, association with other known malicious hosts or networks, proxying or anonymising behaviour such as with tor exit nodes, residential proxies or VPN services, and many other attributes. These values are historical and indicative only - and should not be taken to be an accurate representation of the users, businesses or networks in which they reside.

Likely Malicious Host 🟠 60/100

Host and Network Information

• Mitre ATT&CK IDs: T1001 - Data Obfuscation, T1003 - OS Credential Dumping, T1027 - Obfuscated Files or Information, T1031 - Modify Existing Service, T1036.004 - Masquerade Task or Service, T1045 - Software Packing, T1053 - Scheduled Task/Job, T1055 - Process Injection, T1059.002 - AppleScript, T1059.007 - JavaScript, T1059 - Command and Scripting Interpreter, T1060 - Registry Run Keys / Startup Folder, T1068 - Exploitation for Privilege Escalation, T1071.001 - Web Protocols, T1071.003 - Mail Protocols, T1071.004 - DNS, T1071 - Application Layer Protocol, T1078.004 - Cloud Accounts, T1082 - System Information Discovery, T1090 - Proxy, T1100 - Web Shell, T1105 - Ingress Tool Transfer, T1114 - Email Collection, T1129 - Shared Modules, T1140 - Deobfuscate/Decode Files or Information, T1156 - Malicious Shell Modification, T1176 - Browser Extensions, T1190 - Exploit Public-Facing Application, T1210 - Exploitation of Remote Services, T1211 - Exploitation for Defense Evasion, T1412 - Capture SMS Messages, T1448 - Carrier Billing Fraud, T1449 - Exploit SS7 to Redirect Phone Calls/SMS, T1450 - Exploit SS7 to Track Device Location, T1454 - Malicious SMS Message, T1496 - Resource Hijacking, T1497 - Virtualization/Sandbox Evasion, T1498 - Network Denial of Service, T1547 - Boot or Logon Autostart Execution, T1548 - Abuse Elevation Control Mechanism, T1560 - Archive Collected Data, T1562.003 - Impair Command History Logging, TA0009 - Collection, TA0011 - Command and Control, TA0029 - Privilege Escalation, TA0037 - Command and Control

• Tags: $WebWatson, aaaa, accept, active, active2, active threat, adaptivebee, address, adult content, agent, agent tesla, agenttesla, aig, akamai, alexa, alexa top, algorithm, alienvault part, all octoseek, all search, amadey, america, amonetize, android, Anomalous.100%, anonymizer, a nxdomain, api blog, a poster, aposter, apple, apple app store compromise, apple attack, apple computer, apple engineering, apple id, apple ios, applenoc, apple support compromise, app store, artemis, as16625, as20940, as24940 hetzner, as29791, as43350 nforce, as58061 scalaxy, as714, asyncrat, attack, authority, avast avg, avast win32, ave maria, avg win32, azorult, back, backdoor, bahamut, bandoo, bank, banker, bankerddedridexexploit, bankerdridexevasive, banking, beginstring, BehavesLike.YahLover, bell south, bellsouth, benjamin, betabot, binder, bitbucket.org, blacklist, blacklist http, blacklist https, blacknet, blacknet rat, blacknet threats, bladabindi, body, body length, bondat, botmaster, botnetwork, bounty, bradesco, brian, brian sabey, briansabey, browse scan, brute force, brute force passwords, buildno, bundled, burkina, c2, ca, ca g2, ca id, canvas, ca x3, cellbrite, certificate, channelisales, chaos, china, china cobalt, choco, cidr, cisco umbrella, citadel, city, city center, ck id, ck matrix, class, clean mx, click, cloudeye, cmc threat, cmd, cname, cndst root, cnisrg root, cobalt strike, cobaltstrike4.tk, code, collections, collections kp, command_and_control, communicating, conduit, config, connect http, contact, contacted, contacted urls, contact phone, contentencoding, contextualizing, __convergedlogin_pcustomizationloader_44b450e8d543eb53930d, cookie, copy, copy c, core, count blacklist, country, country us, covid19, cowrie, cowrie hashes, crack, create new, creation date, critical, critical risk, crypto, csc corporate, cus cnapple, cus cnr3, cutwail, CVE-2005-1790, CVE-2009-3672, CVE-2010-3333, CVE-2010-3962, CVE-2012-3993, CVE-2014-3153, CVE-2014-6332, CVE-2015-1641, CVE-2015-1650, CVE-2017-0143, CVE-2017-0147, CVE-2017-0199, CVE-2017-11882, CVE-2017-8464, CVE-2017-8570, CVE-2017-8759, CVE-2018-0802, CVE-2018-4893, CVE-2018-8373, CVE-2018-8453, CVE-2020-0601, CVE-2020-0674, CVE-2021-27065, CVE-2021-40444, CVE-2023-4966, cybercrime, cybereason, cyber stalking, cyber threat, czechia unknown, darkgate, darkweb, dashboard, data, data center, date, date hash, daum, dbatloader, deep scan, defacement, de indicators, Delf.NBX, delphi, detection list, detections type, detplock, device, dgs, district, dnspionage, dns replication, docs pricing, domain, domain entries, domains, domain status, domaiq, downer, downldr, download, downloader, dridex, dropbox, dropped, dropper, drpsuinstaller, ecc ca, ec oid, edsaid, email, emotet, endangerment, endpoints all, engineering, entries, error, et, et cins, et tor, evasive, evasivemsilratrevenge-rat, evilnum, execution, exe size, exit, expiration, exploit, exploited spyware, exploit_source, facebook, fakealert, falcon sandbox, false, fear, feodo tracker, file, filehashmd5, filehashsha1, filehashsha256, file name, FileRepMalware, files, final url, final url summary, financial, find, firehol gozi, first, first seen, forbidden, formbook, fortinet, free, fuery, g1 oapple, galaxy, galaxy watch, gamehack, gating, gear s, gear s2, gear s3, gear sport, general, generator, generic, genericm, generic malware, Gen:Heur.Ransom.HiddenTears, genkryptik, germany, germany unknown, get dns, ghost rat, gootkit, gorf, grandoreiro, graph, hacker, hacking, hacktool, hallrender, hallrender.com, hashes, hashes files, headers, headers nel, healthcare, heur, highly targeted, hijacker, hiloti, historical, historicalandnew, historical ssl, hit, hostname, houdini, http, http method, http requests, http response, https, hybrid, icedid, icefog, Icefog, icloud, icloud compromise, icwrmind, identifier, iframe, incident ip, info, inmortal, install, installcore, installer, insurance, intel, invasion of privacy, iobit, iocs, ioc search, iocs kb, ios, ip detections, iphone unlocker, ip security, ip summary, ip traffic, ipv4, ipv6, iranian actor, issuer, jansky, japan national police agency, japan unknown, jekyll, johnnsabey, js user, june, kb body, key algorithm, keybase, key identifier, key info, keylogger, kgs0, kls0, known tor, kovter, kraken, languageenu, lazarus, life, linux agent, live, local, localappdata, lockbit, locky, loki, lokibot, Loki Password Stealer (PWS), loki pws, lookups, mail spammer, majorver16, malicious, Malicious domain - SANS Internet Storm Center, malicious host, malicious red team, malicious site, malicious url, maltiverse, malvertizing, malware, malware distribution site, malware download, malware host, malware server, malware site, markmonitor inc, masquerading, mas.to, matsnu, mb first, mediamagnet, meta, meterpreter, metro, metroby-tmo, microsoft, million, miner, misc attack, mitre, mitre att, mitre attk, mobilekey.pw, mozilla, msil, ms windows, mtb dec, mtsub26293293, name, name servers, name verdict, nanocore, nanocore rat, national police agency japan, necurs, network, network rat, networm, new ioc, neworder.doc, next, nids, njrat, no data, node tcp, node traffic, no expiration, no expired, no na, noname057, no no, notepad, november, nuance, null, number, nxdomain, nymaim, object, octoseek, olet, opera, orgid, orgtechhandle, orgtechref, osregion, otx octoseek, outbreak, parents, passive dns, password, paste, pattern match, paypal, pcap, pdf report, pe32, pe32 executable, pegasus, pe resource, pe yandex, phi, phishing, phishing paypal, phishingransomwaresinkhole, phishing site, pii, pony, postal code, presenoker, prism_object, prism_setting, privacy, privacy admin, privacy tech, problems, project, public key, public server, puffstealer, pulse submit, pulse use, pykspa, python infostealer, python user, qakbot, qbot, quasar, quasar rat, qwest, raccoon, radamant, ragnar locker, ramnit, ransomexx, ransomware, ransomwaretorrentlocker, rat, ratel, rauschenberg, recon, record type, record value, red, redacted for, redirector, redirectors, redline, redline stealer, red team, referrer, refresh, registrar, registrar abuse, registrar url, registrar whois, registry arin, registry domain, registry expiry, reinsurance, relacion, relay, relayrouter, remcos, remote, replacement, research group, resolutions, revenge rat, revenge-rat, rightsaided, riskware, rmndrp, root, root ca, rsa cn, rtechhandle, rtechref, rultazo, runescape, sabey, sabey data center, safe site, sality, sample, samples, samsug, samsung galaxy, sandbox, scalaxy, scan endpoints, schema abuse, script, script urls, search, search live, security, seen, send bug, sender, server, servers, service, serving ip, set cookie, setcookie geous, sha256, shell, shipping, show, showing, show technique, simda, simple, sinkhole, site, skynet, sliver, small, smokeloader, sneaky server, snort ip, soc, social engineering, solimba, sophos, South Carolina Federal Credit Union phishing, spammer, span, speakez securus, spyware, srdvd16010404, ssh on server, ssl certificate, ssl hostname, state, states, static engine, status, status code, status codes, stealer, steam, stevens creek, stix, strike, strings, subdomains, subid, subject key, subject public, submit, submit quasar, summary, suppobox, suspic, swift, swrort, systemlocale, tag count, tagging, tag tag, targeted attack, targeting, team, teams api, temp, template, threat, threat analyzer, threat report, tinba, tld count, t-mobile, tofsee, tools, tor c++, tor c++ client, tor known, tor relayrouter, tracker, tracking, traffic, trickbot, trojan, trojanspy, trojanx, tsara brashears, ttl value, tulach, tulach.cc, twitter, type name, type win32, unauthorized, undetected dns8, undetected vx, union, united, united kingdom, United states, unknown, unknown urls, unlocker, unreliable subdomains, unruy, unsafe, url analysis, url http, url https, urls, urls http, urls https, url summary, ursnif, us execution, using, us postal, v3 serial, valid, validity, vault, vawtrak, vdfsurfs, vendorname2581, verdict, vidar, virustotal, virut, vitro, vjw0rm, wacatac, wanacrypt0rwannacrywcry, watch, webshell, webtoolbar, wells fargo, whois parent, whois record, whois siblings, whois whois, win32, win32 exe, win64, workaposter, worm, write, write c, x509v3 key, xobo, yandex, zbot, zdb zeus, zeus, zombie devices

• View other sources: Spamhaus VirusTotal

• Country: United States
• Network: AS27357 rackspace hosting
• Noticed: 10 times
• Protocols Attacked: SSH
• Countries Attacked: Canada, France, Netherlands, Spain, United Kingdom of Great Britain and Northern Ireland, United States of America
• Passive DNS Results: machins19.site umbrall.com sonomalatinagrill.com mothership420.com mighty439.com turingtech.co emlsrvr.com home-server.tech home-server.services home-server.website home-server.shop home-server.live tech-care.us service-infocare.com info-tech.live tech-care.live secure-tech.live secure-mail.news info-care.live mail.kkwates.com.mx mail.spasydell.com mx1.emailsrvr.com

Malware Detected on Host

Count: 883 758c07c612e33cbe8800020542afac29fc458c0f10ccbcd878a5723087621ff5 88df337f2a24c515b251f68f342912636042813fccd99cd32dc9b6502f77ba59 84429074fefcf623326c4ce47a7413b94f10ea2fe77d665be8ffc1ce05ac8568 f0692e02312e29f8bd956d28550af0cc07a26da9d80dcf5bc17b7b832882686b 55d8f95e9c0b1b480fd235c02d2b055d542121fece127302fd28baee8864d594 6f09447ca6355aadc6026657c3da12eb8035455f41ba136f44d890bad17e421a 7fb185a4f66133fa4e32267da7af75a8bc911a81850d7cd734a880ec1d4f036d 95d55fe677eb150f519bf41068159b847b8308ce8f4855ccd9c1146832abdc76 d19dd1951c51074e51c262873f3701c11533813f20fd9eb8fef25bdf3ac66d87 b65ad18f44afb2bd99a980921795946e04580019140b3f925b4822450af8331e

Open Ports Detected

25

Map

Whois Information

• NetRange: 146.20.0.0 - 146.20.255.255
• CIDR: 146.20.0.0/16
• NetName: RACKS-8
• NetHandle: NET-146-20-0-0-1
• Parent: NET146 (NET-146-0-0-0-0)
• NetType: Direct Allocation
• OriginAS:
• Organization: Rackspace Hosting (RACKS-8)
• RegDate: 2015-09-17
• Updated: 2015-09-17
• Ref: https://rdap.arin.net/registry/ip/146.20.0.0
• OrgName: Rackspace Hosting
• OrgId: RACKS-8
• Address: 1 Fanatical Place
• City: Windcrest
• StateProv: TX
• PostalCode: 78218
• Country: US
• RegDate: 2010-03-29
• Updated: 2017-09-12
• Ref: https://rdap.arin.net/registry/entity/RACKS-8
• OrgTechHandle: ZR9-ARIN
• OrgTechName: Rackspace, com
• OrgTechPhone: +1-210-312-4000
• OrgTechEmail: hostmaster@rackspace.com
• OrgTechRef: https://rdap.arin.net/registry/entity/ZR9-ARIN
• OrgTechHandle: HANSE157-ARIN
• OrgTechName: Hansell, Chris
• OrgTechPhone: +1-210-312-4000
• OrgTechEmail: hostmaster@rackspace.com
• OrgTechRef: https://rdap.arin.net/registry/entity/HANSE157-ARIN
• OrgAbuseHandle: ABUSE45-ARIN
• OrgAbuseName: Abuse Desk
• OrgAbusePhone: +1-210-312-4000
• OrgAbuseEmail: abuse@rackspace.com
• OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE45-ARIN
• OrgNOCHandle: HANSE157-ARIN
• OrgNOCName: Hansell, Chris
• OrgNOCPhone: +1-210-312-4000
• OrgNOCEmail: hostmaster@rackspace.com
• OrgNOCRef: https://rdap.arin.net/registry/entity/HANSE157-ARIN
• OrgTechHandle: IPADM17-ARIN
• OrgTechName: IPADMIN
• OrgTechPhone: +1-210-312-4000
• OrgTechEmail: hostmaster@rackspace.com
• OrgTechRef: https://rdap.arin.net/registry/entity/IPADM17-ARIN
• NetRange: 146.20.161.0 - 146.20.161.255
• CIDR: 146.20.161.0/24
• NetName: RSPC-398087B4-4A16-4695-9CFE-D1B51B551E59
• NetHandle: NET-146-20-161-0-1
• Parent: RACKS-8 (NET-146-20-0-0-1)
• NetType: Reassigned
• OriginAS:
• Customer: Webmail - IAD3b (C06327101)
• RegDate: 2017-02-09
• Updated: 2017-02-09
• Ref: https://rdap.arin.net/registry/ip/146.20.161.0
• CustName: Webmail - IAD3b
• Address: 5000 Walzem Road
• City: San Antonio
• StateProv: TX
• PostalCode: 78218
• Country: US
• RegDate: 2017-02-09
• Updated: 2017-02-09
• Ref: https://rdap.arin.net/registry/entity/C06327101
• OrgTechHandle: ZR9-ARIN
• OrgTechName: Rackspace, com
• OrgTechPhone: +1-210-312-4000
• OrgTechEmail: hostmaster@rackspace.com
• OrgTechRef: https://rdap.arin.net/registry/entity/ZR9-ARIN
• OrgTechHandle: HANSE157-ARIN
• OrgTechName: Hansell, Chris
• OrgTechPhone: +1-210-312-4000
• OrgTechEmail: hostmaster@rackspace.com
• OrgTechRef: https://rdap.arin.net/registry/entity/HANSE157-ARIN
• OrgAbuseHandle: ABUSE45-ARIN
• OrgAbuseName: Abuse Desk
• OrgAbusePhone: +1-210-312-4000
• OrgAbuseEmail: abuse@rackspace.com
• OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE45-ARIN
• OrgNOCHandle: HANSE157-ARIN
• OrgNOCName: Hansell, Chris
• OrgNOCPhone: +1-210-312-4000
• OrgNOCEmail: hostmaster@rackspace.com
• OrgNOCRef: https://rdap.arin.net/registry/entity/HANSE157-ARIN
• OrgTechHandle: IPADM17-ARIN
• OrgTechName: IPADMIN
• OrgTechPhone: +1-210-312-4000
• OrgTechEmail: hostmaster@rackspace.com
• OrgTechRef: https://rdap.arin.net/registry/entity/IPADM17-ARIN

Links to attack logs

****** ****** ******