146.20.161.2 Threat Intelligence and Host Information
General
This page contains threat intelligence for the IPv4 address 146.20.161.2. It was generated either because malicious activity was observed from the address or as an information-gathering exercise to enrich security events with context. All information is gathered passively, by aggregating public sources or by observing activity against honeynets. The host score is calculated from a set of statistically weighted values and machine learning that take into account metadata such as host information; the frequency, volume and global distribution of malicious activity; association with other known malicious hosts or networks; proxying or anonymising behaviour (Tor exit nodes, residential proxies, VPN services); and many other attributes. These values are historical and indicative only, and should not be taken as an accurate representation of the users, businesses or networks behind the address.
Likely Malicious Host 🟠 58/100
Host and Network Information
MITRE ATT&CK IDs: T1031 - Modify Existing Service, T1053 - Scheduled Task/Job, T1060 - Registry Run Keys / Startup Folder, T1129 - Shared Modules, T1143 - Hidden Window, T1158 - Hidden Files and Directories. Note that T1031, T1060, T1143 and T1158 are legacy identifiers that MITRE has since deprecated; in current ATT&CK they correspond to T1543.003 (Windows Service), T1547.001 (Registry Run Keys / Startup Folder), T1564.003 (Hidden Window) and T1564.001 (Hidden Files and Directories). Map them before matching against up-to-date detection content.
Tags (automatically extracted from related pulses and reports): aaaa, accept, a domains, algorithm, all octoseek, amadey, apple, april, as15169 google, as19527 google, as19905, as23724, as29580 a1, as35280 acorus, as4808 china, as4812 china, as54113, as7922 comcast, as8866, asnone united, assaulter, attack, august, awful, b body, benjamin c, bitcoin, body, body length, browse scan, bundled, c-67-181-73-197.hsd1.ca.comcast.net, cellbrite, cellebrite, certificate, china, chrome, cisco umbrella, cname, communicating, connection, contact, contacted, contact email, contact made by mark brian sabey, contact made by o’dea, contact phone, cookie, copy, core, creation date, crypto, cus cnr3, data, date, date sat, dnssec, dock, domain, domain name, domain status, download, ec oid, emails, encrypt, endpoints all, entries, error, eternalblue, et exploit, execution, expiration date, exploit, files, files location, final url, forbidden, generic flags, gmt content, google tag, headers date, historical ssl, hostname, html info, http, http response, ingestion time, ios, ip address, ipv4, ireland, key algorithm, key info, location dublin, login, malicious, malware, march, meta, metro, moved, msf style, msie, msr jan, mtb jan, name servers, next, november, number, nxdomain, october, olet, otx telemetry, passive dns, pe32, pegasus, pe resource, playgame, popularity, privilege https, probe, probe ms17010, pulse pulses, pulse submit, push, quasar, query, rank position, ransom, record type, record value, referrer, registrar abuse, related nids, reverse dns, russia unknown, sa victim, scan endpoints, script urls, search, september, server, servers, service, sha256, show, showing, sign up, smbds ipc, social engineering, ssl certificate, startpage, status, status code, subject public, survivor, targets sa, threat roundup, title, trojan, tsara brashears, ttl value, tulach, united, unknown, url analysis, url https, urls, ursnif, utc aw741566034, utc redirection, v3 serial, virgin islands, whois lookup, whois record, whois ssl, whois whois, win32, win32mydoom jan, worm, write, x ua
Other sources: Spamhaus, VirusTotal
- Country: United States
- Network: AS27357 Rackspace Hosting
- Noticed: 4 times
- Protocols Attacked: SSH
- Countries Attacked: Germany, Netherlands, United States of America, Virgin Islands (British)
- Passive DNS Results: mx2.dakno.com, mx2.hollandcomputers.com, home-server.tech, home-server.services, home-server.website, home-server.shop, home-server.club, home-server.cloud, secure-tech.live, info-tech.live, info-care.live, secure-mail.news, tech-care.us, tech-care.live, service-infocare.com, mx066.ectekinc.com, mx006.ectekinc.com, mx2.dovetailinternet.com, mx2.precisionemail.net, mx4.volusion.com, mx2.emailsrvr.com
Note that the passive DNS results are dominated by MX hostnames (mx2.emailsrvr.com, mx4.volusion.com, mx066.ectekinc.com and others), and the Whois record below shows the /24 reassigned to a Rackspace customer named "Webmail - IAD3b". The address therefore sits on shared hosted-mail infrastructure: a blanket block of the IP or the /24 is likely to affect legitimate mail delivery, and a query for one of these hostnames in your DNS logs is weak evidence on its own. Prefer detection on the SSH brute-force behaviour reported here over an unconditional network block.
Malware Detected on Host
Count: 675 (10 SHA-256 hashes shown)
- 758c07c612e33cbe8800020542afac29fc458c0f10ccbcd878a5723087621ff5
- 84429074fefcf623326c4ce47a7413b94f10ea2fe77d665be8ffc1ce05ac8568
- 55d8f95e9c0b1b480fd235c02d2b055d542121fece127302fd28baee8864d594
- 554b40ffa3948f977c026df107f2a9d69aa2644fa052421e28fb3e7ab24f575b
- 6f09447ca6355aadc6026657c3da12eb8035455f41ba136f44d890bad17e421a
- 539df2d96480caaa85601a8cd0941aa0c6e1fb2fe570c7a4c342dd0a90eccc71
- 50131e3caf1d601d29372da0777bdfa92900c85cdc5c3fc4965882b4dba730f6
- 98cee8785098084a3271504c05e3f1ad8cf7716fcff82e700f57402035c572ed
- 8093bd982009897e371ae261fc3729ffea6ed6b03599e63ef56f8b75ad5aa609
- 95d55fe677eb150f519bf41068159b847b8308ce8f4855ccd9c1146832abdc76
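The indicators on this page (the address, its allocation ranges from the Whois section, the passive DNS hostnames and the sample SHA-256 hashes) are easiest to act on as a small, testable triage module. The following Python is an added example written for this page, not the intelligence provider's own tooling. The sshd and BIND-style query-log lines it scans are constructed for the demonstration, and the rule that an mx-prefixed hostname is a shared mail relay is an assumption made here, not a fact the page states.

```python
"""Triage helpers for the indicators on this page.

Added example, not the intelligence provider's code. The log lines in
SAMPLE_SSH_LOG and SAMPLE_DNS_LOG are constructed for the demonstration.
"""
import ipaddress
import re
from collections import Counter

HOST_IP = "146.20.161.2"
# From the Whois section: the /24 reassigned to "Webmail - IAD3b" inside
# Rackspace's /16 direct allocation.
REASSIGNED_CIDR = ipaddress.ip_network("146.20.161.0/24")
PARENT_CIDR = ipaddress.ip_network("146.20.0.0/16")

# Passive DNS hostnames from the page (subset, to keep the example short).
PASSIVE_DNS = {
    "mx2.dakno.com", "mx2.hollandcomputers.com", "home-server.tech",
    "home-server.cloud", "secure-mail.news", "tech-care.live",
    "mx2.emailsrvr.com", "mx4.volusion.com", "mx066.ectekinc.com",
}

# Three of the sample hashes listed on the page.
SAMPLE_HASHES = [
    "758c07c612e33cbe8800020542afac29fc458c0f10ccbcd878a5723087621ff5",
    "84429074fefcf623326c4ce47a7413b94f10ea2fe77d665be8ffc1ce05ac8568",
    "55d8f95e9c0b1b480fd235c02d2b055d542121fece127302fd28baee8864d594",
]

SHA256_RE = re.compile(r"[0-9a-f]{64}")


def valid_sha256(value: str) -> bool:
    """True only for a full 64-hex-digit SHA-256; catches truncated copies."""
    return SHA256_RE.fullmatch(value.strip().lower()) is not None


def allocation_context(ip: str) -> dict:
    """Place an address relative to the two Whois ranges on this page."""
    addr = ipaddress.ip_address(ip)
    return {
        "in_reassigned_24": addr in REASSIGNED_CIDR,
        "in_rackspace_16": addr in PARENT_CIDR,
    }


# OpenSSH auth log line, e.g.
# "... sshd[1234]: Failed password for invalid user admin from 146.20.161.2 port 51234 ssh2"
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9.]+) port \d+"
)


def summarize_ssh(lines, ip: str = HOST_IP) -> dict:
    """Count SSH authentication events from `ip` and the accounts it tried.

    'accepted' is the number that matters: a successful login from a host
    reported for SSH brute force turns an alert into an incident.
    """
    attempts, accepted, users = 0, 0, Counter()
    for line in lines:
        m = SSHD_RE.search(line)
        if not m or m.group("ip") != ip:
            continue
        attempts += 1
        accepted += int(m.group("result") == "Accepted")
        users[m.group("user")] += 1
    return {"attempts": attempts, "accepted": accepted, "users": dict(users)}


# BIND-style query log line, e.g.
# "client 10.0.0.5#53211: query: mx2.emailsrvr.com IN A +"
DNS_RE = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)")


def pdns_matches(lines) -> list:
    """Return (qname, note) for queries that hit a passive-DNS hostname.

    Assumption (not from the page): an mx-prefixed name is a shared mail
    relay, so a hit there is weak evidence on its own.
    """
    hits = []
    for line in lines:
        m = DNS_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname in PASSIVE_DNS:
            note = "shared mail relay, low signal" if qname.startswith("mx") else "direct hit"
            hits.append((qname, note))
    return hits


SAMPLE_SSH_LOG = [  # constructed
    "Jan 10 03:14:07 bastion sshd[1234]: Failed password for invalid user admin from 146.20.161.2 port 51234 ssh2",
    "Jan 10 03:14:09 bastion sshd[1234]: Failed password for root from 146.20.161.2 port 51236 ssh2",
    "Jan 10 03:14:11 bastion sshd[1240]: Accepted publickey for deploy from 10.0.0.7 port 40122 ssh2",
    "Jan 10 03:14:15 bastion sshd[1251]: Failed password for root from 146.20.161.2 port 51240 ssh2",
]
SAMPLE_DNS_LOG = [  # constructed
    "client 10.0.0.5#53211: query: mx2.emailsrvr.com IN A +",
    "client 10.0.0.5#53212: query: home-server.cloud. IN A +",
    "client 10.0.0.9#53213: query: example.com IN AAAA +",
]

if __name__ == "__main__":
    print(allocation_context(HOST_IP))
    print(summarize_ssh(SAMPLE_SSH_LOG))
    print(pdns_matches(SAMPLE_DNS_LOG))
    print([valid_sha256(h) for h in SAMPLE_HASHES])
```

Run it against real `auth.log` and query-log lines by replacing the two sample lists; the hash check is there because copied indicator lists routinely lose a trailing character, and a 63-character "hash" silently matches nothing in a SIEM.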
Open Ports Detected
Whois Information
- NetRange: 146.20.0.0 - 146.20.255.255
- CIDR: 146.20.0.0/16
- NetName: RACKS-8
- NetHandle: NET-146-20-0-0-1
- Parent: NET146 (NET-146-0-0-0-0)
- NetType: Direct Allocation
- OriginAS:
- Organization: Rackspace Hosting (RACKS-8)
- RegDate: 2015-09-17
- Updated: 2015-09-17
- Ref: https://rdap.arin.net/registry/ip/146.20.0.0
- OrgName: Rackspace Hosting
- OrgId: RACKS-8
- Address: 1 Fanatical Place
- City: Windcrest
- StateProv: TX
- PostalCode: 78218
- Country: US
- RegDate: 2010-03-29
- Updated: 2017-09-12
- Ref: https://rdap.arin.net/registry/entity/RACKS-8
- OrgTechHandle: HANSE157-ARIN
- OrgTechName: Hansell, Chris
- OrgTechPhone: +1-210-312-4000
- OrgTechEmail: hostmaster@rackspace.com
- OrgTechRef: https://rdap.arin.net/registry/entity/HANSE157-ARIN
- OrgTechHandle: ZR9-ARIN
- OrgTechName: Rackspace, com
- OrgTechPhone: +1-210-312-4000
- OrgTechEmail: hostmaster@rackspace.com
- OrgTechRef: https://rdap.arin.net/registry/entity/ZR9-ARIN
- OrgAbuseHandle: ABUSE45-ARIN
- OrgAbuseName: Abuse Desk
- OrgAbusePhone: +1-210-312-4000
- OrgAbuseEmail: abuse@rackspace.com
- OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE45-ARIN
- OrgNOCHandle: HANSE157-ARIN
- OrgNOCName: Hansell, Chris
- OrgNOCPhone: +1-210-312-4000
- OrgNOCEmail: hostmaster@rackspace.com
- OrgNOCRef: https://rdap.arin.net/registry/entity/HANSE157-ARIN
- OrgTechHandle: IPADM17-ARIN
- OrgTechName: IPADMIN
- OrgTechPhone: +1-210-312-4000
- OrgTechEmail: hostmaster@rackspace.com
- OrgTechRef: https://rdap.arin.net/registry/entity/IPADM17-ARIN
- NetRange: 146.20.161.0 - 146.20.161.255
- CIDR: 146.20.161.0/24
- NetName: RSPC-398087B4-4A16-4695-9CFE-D1B51B551E59
- NetHandle: NET-146-20-161-0-1
- Parent: RACKS-8 (NET-146-20-0-0-1)
- NetType: Reassigned
- OriginAS:
- Customer: Webmail - IAD3b (C06327101)
- RegDate: 2017-02-09
- Updated: 2017-02-09
- Ref: https://rdap.arin.net/registry/ip/146.20.161.0
- CustName: Webmail - IAD3b
- Address: 5000 Walzem Road
- City: San Antonio
- StateProv: TX
- PostalCode: 78218
- Country: US
- RegDate: 2017-02-09
- Updated: 2017-02-09
- Ref: https://rdap.arin.net/registry/entity/C06327101
- OrgTechHandle: HANSE157-ARIN
- OrgTechName: Hansell, Chris
- OrgTechPhone: +1-210-312-4000
- OrgTechEmail: hostmaster@rackspace.com
- OrgTechRef: https://rdap.arin.net/registry/entity/HANSE157-ARIN
- OrgTechHandle: ZR9-ARIN
- OrgTechName: Rackspace, com
- OrgTechPhone: +1-210-312-4000
- OrgTechEmail: hostmaster@rackspace.com
- OrgTechRef: https://rdap.arin.net/registry/entity/ZR9-ARIN
- OrgAbuseHandle: ABUSE45-ARIN
- OrgAbuseName: Abuse Desk
- OrgAbusePhone: +1-210-312-4000
- OrgAbuseEmail: abuse@rackspace.com
- OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE45-ARIN
- OrgNOCHandle: HANSE157-ARIN
- OrgNOCName: Hansell, Chris
- OrgNOCPhone: +1-210-312-4000
- OrgNOCEmail: hostmaster@rackspace.com
- OrgNOCRef: https://rdap.arin.net/registry/entity/HANSE157-ARIN
- OrgTechHandle: IPADM17-ARIN
- OrgTechName: IPADMIN
- OrgTechPhone: +1-210-312-4000
- OrgTechEmail: hostmaster@rackspace.com
- OrgTechRef: https://rdap.arin.net/registry/entity/IPADM17-ARIN