194.165.16.4 Threat Intelligence and Host Information

General

This page contains threat intelligence information for the IPv4 address 194.165.16.4 and was generated either as a result of observed malicious activity or as an information-gathering exercise to assist with enrichment of security events and context. All information is gathered passively through aggregation of public sources, or through observations of activity against honeynets. The host score is calculated through a series of statistically weighted values and machine learning that takes into account metadata such as host information, frequency, volume and global distribution of malicious activity, association with other known malicious hosts or networks, proxying or anonymising behaviour (such as Tor exit nodes, residential proxies or VPN services), and many other attributes. These values are historical and indicative only, and should not be taken as an accurate representation of the users, businesses or networks in which they reside.

Likely Malicious Host 🟠 65/100

Host and Network Information

  • MITRE ATT&CK IDs: T1003 - OS Credential Dumping, T1021 - Remote Services, T1027 - Obfuscated Files or Information, T1048 - Exfiltration Over Alternative Protocol, T1055 - Process Injection, T1059 - Command and Scripting Interpreter, T1071 - Application Layer Protocol, T1078 - Valid Accounts, T1082 - System Information Discovery, T1083 - File and Directory Discovery, T1087 - Account Discovery, T1105 - Ingress Tool Transfer, T1106 - Native API, T1110 - Brute Force, T1133 - External Remote Services, T1134 - Access Token Manipulation, T1140 - Deobfuscate/Decode Files or Information, T1176 - Browser Extensions, T1218 - Signed Binary Proxy Execution, T1219 - Remote Access Software, T1486 - Data Encrypted for Impact, T1543 - Create or Modify System Process, T1547 - Boot or Logon Autostart Execution, T1555 - Credentials from Password Stores, T1560 - Archive Collected Data, T1562 - Impair Defenses, T1566 - Phishing, T1567 - Exfiltration Over Web Service, T1585 - Establish Accounts, T1588 - Obtain Capabilities, T1593 - Search Open Websites/Domains, T1595 - Active Scanning, T1598 - Phishing for Information, TA0004 - Privilege Escalation, TA0010 - Exfiltration


  • View other sources: Spamhaus, VirusTotal

  • Contained within other IP sets: cleantalk_30d, cleantalk_new_30d

  • Country: Monaco
  • Network:
  • Noticed: 50 times
  • Protocols Attacked: SSH
  • Countries Attacked: Australia, Canada, Czechia, Denmark, Estonia, France, Germany, Latvia, Lithuania, Norway, Poland, Romania, Turkey, Ukraine, United Kingdom of Great Britain and Northern Ireland, United States of America
  • Passive DNS Results: seed.bitcoinstats.com, store.kontur-expres.com, rss.mercurynews.biz

Malware Detected on Host

Count: 6276

Map

Links to attack logs

  • nmap-scanning-list-2021-04-12
  • nmap-scanning-list-2021-06-16
  • nmap-scanning-list-2021-07-24
