37.48.80.171 Threat Intelligence and Host Information

Share on:
Jun 04, 2023 ipinfopage

General

This page contains threat intelligence information for the IPv4 address 37.48.80.171 and was generated either as a result of observed malicious activity or as an information gathering exercise to assist with enrichment of security events and context. All information is gathered passively through aggregation of public sources, or observations through activity upon honeynets. The host score is calculated through a series of statistically weighted values and machine learning which takes into account metadata such as host information, frequency, volume and global distribution of malicious activity, association with other known malicious hosts or networks, proxying or anonymising behaviour such as with tor exit nodes, residential proxies or VPN services, and many other attributes. These values are historical and indicative only - and should not be taken to be an accurate representation of the users, businesses or networks in which they reside.

Potentially Malicious Host 🟡 50/100

Host and Network Information

  • Mitre ATT&CK IDs: T1003 - OS Credential Dumping, T1005 - Data from Local System, T1006 - Direct Volume Access, T1008 - Fallback Channels, T1011 - Exfiltration Over Other Network Medium, T1016 - System Network Configuration Discovery, T1027 - Obfuscated Files or Information, T1034 - Path Interception, T1035 - Service Execution, T1036 - Masquerading, T1042 - Change Default File Association, T1043 - Commonly Used Port, T1047 - Windows Management Instrumentation, T1048 - Exfiltration Over Alternative Protocol, T1049 - System Network Connections Discovery, T1050 - New Service, T1053 - Scheduled Task/Job, T1055 - Process Injection, T1056 - Input Capture, T1057 - Process Discovery, T1058 - Service Registry Permissions Weakness, T1059 - Command and Scripting Interpreter, T1060 - Registry Run Keys / Startup Folder, T1064 - Scripting, T1071 - Application Layer Protocol, T1072 - Software Deployment Tools, T1081 - Credentials in Files, T1082 - System Information Discovery, T1083 - File and Directory Discovery, T1086 - PowerShell, T1089 - Disabling Security Tools, T1093 - Process Hollowing, T1095 - Non-Application Layer Protocol, T1096 - NTFS File Attributes, T1098 - Account Manipulation, T1102 - Web Service, T1105 - Ingress Tool Transfer, T1106 - Native API, T1107 - File Deletion, T1112 - Modify Registry, T1114 - Email Collection, T1119 - Automated Collection, T1120 - Peripheral Device Discovery, T1121 - Regsvcs/Regasm, T1122 - Component Object Model Hijacking, T1143 - Hidden Window, T1145 - Private Keys, T1158 - Hidden Files and Directories, T1173 - Dynamic Data Exchange, T1175 - Component Object Model and Distributed COM, T1176 - Browser Extensions, T1179 - Hooking, T1180 - Screensaver, T1181 - Extra Window Memory Injection, T1183 - Image File Execution Options Injection, T1185 - Man in the Browser, T1189 - Drive-by Compromise, T1192 - Spearphishing Link, T1193 - Spearphishing Attachment, T1201 - Password Policy Discovery, T1202 - Indirect Command Execution, T1217 - Browser Bookmark Discovery, T1218 - Signed Binary Proxy Execution, T1219 - Remote Access Software, T1483 - Domain Generation Algorithms, T1486 - Data Encrypted for Impact, T1490 - Inhibit System Recovery, T1497 - Virtualization/Sandbox Evasion, T1499 - Endpoint Denial of Service
  • Tags: andromeda, cerber, cobalt strike, components, darkcomet, dealply, decrypt my, dyre, emotet, fareit, fusion, gamarue, hkcu, hklm, icedid, kovter, lokibot, maze, netwire, powershell, ramnit, ransomware, ryuk ransomware, smoke loader, smokeloader, t1027, ta0003, ta0005, ta0007, ta0011, tinba, trickbot, ursnif, users, zusy

  • View other sources: Spamhaus VirusTotal

  • Country: Netherlands
  • Network: AS60781 leaseweb netherlands b.v.
  • Noticed: 1 times
  • Protcols Attacked: spam

Malware Detected on Host

Count: 4 fb9952d3febeaee18bd520615fceb1dc7cd3f9226183b35819c1b1df9e8987eb e6179c802bd59d4e41d947eef3e5c05a354093a8dd34134b0baf7e4900ba4099 37c83b11eb81dfdc3e304b3027a2112d9a1892ff9ae4f632e41745c6c3284056 085f1d1e14211ec06c111249ddb0b8415d6c37792f91168f4735211238825c13

Map

Whois Information

  • inetnum: 37.48.64.0 - 37.48.127.255
  • netname: NL-LEASEWEB-20120124
  • country: NL
  • org: ORG-OB3-RIPE
  • admin-c: lswn1-RIPE
  • tech-c: lswn1-RIPE
  • status: ALLOCATED PA
  • mnt-by: RIPE-NCC-HM-MNT
  • mnt-by: LEASEWEB-NL-MNT
  • mnt-lower: LEASEWEB-NL-MNT
  • mnt-domains: LEASEWEB-NL-MNT
  • mnt-routes: LEASEWEB-NL-MNT
  • created: 2012-01-24T10:32:05Z
  • last-modified: 2017-11-16T10:27:09Z
  • organisation: ORG-OB3-RIPE
  • org-name: LeaseWeb Netherlands B.V.
  • country: NL
  • org-type: LIR
  • address: Postbus 93054
  • address: 1090BB
  • address: Amsterdam
  • address: NETHERLANDS
  • phone: +31203162880
  • fax-no: +31203162890
  • admin-c: lswn1-RIPE
  • abuse-c: LWAD-RIPE
  • mnt-ref: RIPE-NCC-HM-MNT
  • mnt-ref: LEASEWEB-NL-MNT
  • mnt-by: RIPE-NCC-HM-MNT
  • mnt-by: LEASEWEB-NL-MNT
  • created: 2004-04-17T11:42:05Z
  • last-modified: 2020-12-16T12:49:01Z
  • role: Leaseweb NL NOC
  • address: Hessenbergweg 95, 1101 CX. Amsterdam
  • admin-c: SPW1-RIPE
  • nic-hdl: lswn1-RIPE
  • mnt-by: LEASEWEB-NL-MNT
  • created: 2017-11-16T10:05:00Z
  • last-modified: 2022-07-05T12:59:36Z
  • route: 37.48.64.0/18
  • descr: LEASEWEB
  • origin: AS60781
  • mnt-by: LEASEWEB-NL-MNT
  • created: 2014-03-10T13:15:47Z
  • last-modified: 2020-04-22T12:18:40Z

Links to attack logs

forum-spam-ip-list-2015-01-23