148.163.129.50 Threat Intelligence and Host Information
General
This page contains threat intelligence information for the IPv4 address 148.163.129.50. It was generated either as a result of observed malicious activity or as an information-gathering exercise to assist with enrichment of security events and context. All information is gathered passively, through aggregation of public sources or through observation of activity on honeynets. The host score is calculated through a series of statistically weighted values and machine learning, taking into account metadata such as host information; the frequency, volume and global distribution of malicious activity; association with other known malicious hosts or networks; proxying or anonymising behaviour such as Tor exit nodes, residential proxies or VPN services; and many other attributes. These values are historical and indicative only, and should not be taken as an accurate representation of the users, businesses or networks in which they reside.
Likely Malicious Host 🟠 60/100
Host and Network Information
MITRE ATT&CK IDs: T1027 - Obfuscated Files or Information, T1031 - Modify Existing Service, T1053 - Scheduled Task/Job, T1059.007 - JavaScript, T1059 - Command and Scripting Interpreter, T1060 - Registry Run Keys / Startup Folder, T1071.001 - Web Protocols, T1071.004 - DNS, T1071 - Application Layer Protocol, T1100 - Web Shell, T1105 - Ingress Tool Transfer, T1129 - Shared Modules, T1140 - Deobfuscate/Decode Files or Information, T1143 - Hidden Window, T1158 - Hidden Files and Directories, T1560 - Archive Collected Data
- Country: United States
- Network: AS13916 Proofpoint Inc.
- Noticed: 6 times
- Protocols Attacked: SSH
- Countries Attacked: Germany, Netherlands, United States of America, British Virgin Islands
Malware Detected on Host
Count: 5
Open Ports Detected
Whois Information
- NetRange: 148.163.128.0 - 148.163.159.255
- CIDR: 148.163.128.0/19
- NetName: PROOFPOINT-NET-NORTH-AMERICA
- NetHandle: NET-148-163-128-0-1
- Parent: NET148 (NET-148-0-0-0-0)
- NetType: Direct Allocation
- OriginAS: AS16509, AS22843, AS13916, AS26211
- Organization: Proofpoint, Inc. (PROOF)
- RegDate: 2014-06-13
- Updated: 2020-05-29
- Ref: https://rdap.arin.net/registry/ip/148.163.128.0
- OrgName: Proofpoint, Inc.
- OrgId: PROOF
- Address: 925 W Maude Ave
- City: Sunnyvale
- StateProv: CA
- PostalCode: 94085
- Country: US
- RegDate: 2007-10-16
- Updated: 2021-06-15
- Ref: https://rdap.arin.net/registry/entity/PROOF
- OrgAbuseHandle: PAA19-ARIN
- OrgAbuseName: Proofpoint ARIN Abuse
- OrgAbusePhone: +1-801-748-4494
- OrgAbuseEmail: abuse@proofpoint.com
- OrgAbuseRef: https://rdap.arin.net/registry/entity/PAA19-ARIN
- OrgTechHandle: NETWO2061-ARIN
- OrgTechName: Network Operations
- OrgTechPhone: +1-801-748-4444
- OrgTechEmail: arin-management@proofpoint.com
- OrgTechRef: https://rdap.arin.net/registry/entity/NETWO2061-ARIN