166.70.207.2 Threat Intelligence and Host Information

General

This page contains threat intelligence information for the IPv4 address 166.70.207.2 and was generated either as a result of observed malicious activity or as an information-gathering exercise to assist with enrichment of security events and context. All information is gathered passively through aggregation of public sources or through observations of activity on honeynets. The host score is calculated through a series of statistically weighted values and machine learning that takes into account metadata such as host information; frequency, volume and global distribution of malicious activity; association with other known malicious hosts or networks; proxying or anonymising behaviour such as Tor exit nodes, residential proxies or VPN services; and many other attributes. These values are historical and indicative only, and should not be taken as an accurate representation of the users, businesses or networks in which they reside.

Known Malicious Host 🔴 96/100

Host and Network Information

  • Mitre ATT&CK IDs: T1027 - Obfuscated Files or Information, T1056.001 - Keylogging, T1059.007 - JavaScript, T1059 - Command and Scripting Interpreter, T1068 - Exploitation for Privilege Escalation, T1071.001 - Web Protocols, T1071.004 - DNS, T1071 - Application Layer Protocol, T1105 - Ingress Tool Transfer, T1110 - Brute Force, T1114 - Email Collection, T1140 - Deobfuscate/Decode Files or Information, T1176 - Browser Extensions, T1491 - Defacement, T1497 - Virtualization/Sandbox Evasion, T1566 - Phishing, T1571 - Non-Standard Port, T1573 - Encrypted Channel, TA0011 - Command and Control

  • Tags: acint, adposhel, agent, agent tesla, agenttesla, alexa, alexa top, all octoseek, all search, api blog, appdata, apple, apple ios, artemis, as141773, as15169 google, as17506 arteria, as17806 mango, as19969, as32244 liquid, as49505, as61317, as63932, ascii text, asnone united, asyncrat, attack, autoit, azorult, bank, banker, bazaloader, bazarloader, beginstring, bitminer, blacklist, blacklist http, blacklist https, blacknet rat, bladabindi, blockchain, blocker, body, bradesco, Bruteforce, Brute-Force, bundled, cisco umbrella, class, cleaner, click, cobalt strike, communicating, conduit, contacted, core, covid19, crack, critical, cry kill, crypt, cve201711882, cyber security, cyberstalking, cyber threat, cymulate2, dapato, date, dbatloader, de summary, detection list, detplock, dllinject, docs pricing, domain, downldr, download, downloader, driverpack, dropped, dropper, emotet, encpk, encrypt, engineering, entries, error, et tor, europelondon, execution, existing pulse, exit, expired, facebook, fakeinstaller, falcon, fali contacted, fali malicious, file, filerepmalware, files, filetour, flawedammyy, formbook, fusioncore, gecko, general, generator, generic, generic malware, gmt content, gmt contenttype, google safe, hacktool, hashes files, heur, hostname, http, hybrid, iframe, immediate, indicator, installcore, installer, installpack, internet storm, iobit, ioc, ip address, ip summary, ipv4, irata, japan unknown, keep alive, keylogger, kfsensor, khtml, known tor, kraddare, kyriazhs1975, loadmoney, local, lockbit, login, london, look, malicious, malicious site, maltiverse, malvertizing, malware, malware norad, malware site, media, mediaget, meta, metamorfo, meterpreter, million, mimikatz, miner, mirai, misc attack, mitre att, moved, msil, name verdict, nanocore, nanocore rat, netwire rc, networm, new pulse, next, Nextray, njrat, node traffic, noname057, november, null, open, otx octoseek, outbreak, passive dns, pattern match, paypal, pe resource, phish, phishing, phishing site, phishtank, png image, pony, predator, presenoker, pulse pulses, qakbot, qbot, quasar, raccoon, ransom, ransomexx, ransomware, rdp, redline, redline stealer, referrer, refresh, related nids, relayrouter, remcos, resolutions, response, restart, riskware, rostpay, runescape, russia unknown, safe site, sample, samples, scan endpoints, scanner, script, search, search live, servers, service, silk road, site, smokeloader, softonic, span, spyrixkeylogger, spyware, ssh, SSH, ssl certificate, stealer, strings, summary, suppobox, swrort, systweak, tag count, team, Telnet, threat report, tools, tor, trojan, trojanspy, trojanx, tsara brashears, twitter, type, union, united, united kingdom, unknown, unsafe, url http, urls, url summary, utorrent, verify, veryhigh, vidar, wacatac, webtoolbar, whois record, whois whois, win64, windows nt, xcnfe, xrat, yakes

  • Known tor exit node

  • View other sources: Spamhaus, VirusTotal

  • Contained within other IP sets: blocklist_net_ua, botscout_30d, cruzit_web_attacks, dm_tor, et_tor, greensnow, haley_ssh, sblam, stopforumspam_180d, stopforumspam_1d, stopforumspam_30d, stopforumspam_365d, stopforumspam_7d, stopforumspam_90d, stopforumspam, tor_exits_1d, tor_exits_30d, tor_exits_7d, tor_exits

  • Known TOR node
  • Country: United States
  • Network: AS6315 xmission l.c.
  • Noticed: 50 times
  • Protocols Attacked: ssh
  • Countries Attacked: Bangladesh, Canada, Czechia, Denmark, Estonia, France, Germany, Latvia, Lithuania, Malaysia, Norway, Poland, Romania, Turkey, Ukraine, United Kingdom of Great Britain and Northern Ireland, United States of America
  • Passive DNS Results: block2.mmms.eu

Malware Detected on Host

Count: 41

Sample SHA-256 hashes:

  • 4657fec938692d5ba532b18160fec051017bfbf31cdd7801c47e8ae0062cdc89
  • 9818769c0de0c83c4ec38ed7361ef65566e3994168ab31299ab9700fb4a94a38
  • 90ab861e72662f97c6efde07de6ba40d3d3630c9123e9f44bc7c56d5812d9616
  • f5f8ba796aab82ddf835d0e16e2d9e8bfe9c0203257e12cecf98e6d7586b08fe
  • 7282e2fdb25b07554b082f5cf1697315ed5ce3005f985cbe96a34da965869db5
  • ba5797e6b6f5c60fb8c0397797672071cd3d971eb6477a0560bb678b1ba65202
  • 50124a9bf4fad5e256ebfe9b407a93ad29a05218f952a8c9b53b0cb33f3251ea
  • 31e336d15f3414e6bae7056b612b3529b0af5c6656f93f9c3d51312a3ce8935c
  • e1ce74027aaab07fefd7add80dbcf9403f6c4545d2823eb5f6f1577d58dcc69b
  • a4a63515b6bd2562e94430e10629c0c9e69309b2281dc857628cd537909c0352

Open Ports Detected

80

CVEs Detected

  • CVE-2021-23017
  • CVE-2021-3618
  • CVE-2023-44487

Links to attack logs

  • digitaloceansingapore-ssh-bruteforce-ip-list-2023-12-26
  • vultrwarsaw-ssh-bruteforce-ip-list-2022-11-02
  • digitaloceantoronto-ssh-bruteforce-ip-list-2024-01-30
  • digitaloceanfrankfurt-ssh-bruteforce-ip-list-2024-01-11
  • dolondon-ssh-bruteforce-ip-list-2023-03-11
  • digitaloceanlondon-ssh-bruteforce-ip-list-2023-12-19