37.48.80.173 Threat Intelligence and Host Information

Share on:

Jun 04, 2023 ipinfopage

General

This page contains threat intelligence information for the IPv4 address 37.48.80.173 and was generated either as a result of observed malicious activity or as an information gathering exercise to assist with enrichment of security events and context. All information is gathered passively through aggregation of public sources, or observations through activity upon honeynets. The host score is calculated through a series of statistically weighted values and machine learning which takes into account metadata such as host information, frequency, volume and global distribution of malicious activity, association with other known malicious hosts or networks, proxying or anonymising behaviour such as with tor exit nodes, residential proxies or VPN services, and many other attributes. These values are historical and indicative only - and should not be taken to be an accurate representation of the users, businesses or networks in which they reside.

Potentially Malicious Host 🟡 50/100

Host and Network Information

Mitre ATT&CK IDs: T1003 - OS Credential Dumping, T1005 - Data from Local System, T1006 - Direct Volume Access, T1008 - Fallback Channels, T1011 - Exfiltration Over Other Network Medium, T1016 - System Network Configuration Discovery, T1027 - Obfuscated Files or Information, T1034 - Path Interception, T1035 - Service Execution, T1036 - Masquerading, T1042 - Change Default File Association, T1043 - Commonly Used Port, T1047 - Windows Management Instrumentation, T1048 - Exfiltration Over Alternative Protocol, T1049 - System Network Connections Discovery, T1050 - New Service, T1053 - Scheduled Task/Job, T1055 - Process Injection, T1056 - Input Capture, T1057 - Process Discovery, T1058 - Service Registry Permissions Weakness, T1059 - Command and Scripting Interpreter, T1060 - Registry Run Keys / Startup Folder, T1064 - Scripting, T1071 - Application Layer Protocol, T1072 - Software Deployment Tools, T1081 - Credentials in Files, T1082 - System Information Discovery, T1083 - File and Directory Discovery, T1086 - PowerShell, T1089 - Disabling Security Tools, T1093 - Process Hollowing, T1095 - Non-Application Layer Protocol, T1096 - NTFS File Attributes, T1098 - Account Manipulation, T1102 - Web Service, T1105 - Ingress Tool Transfer, T1106 - Native API, T1107 - File Deletion, T1112 - Modify Registry, T1114 - Email Collection, T1119 - Automated Collection, T1120 - Peripheral Device Discovery, T1121 - Regsvcs/Regasm, T1122 - Component Object Model Hijacking, T1143 - Hidden Window, T1145 - Private Keys, T1158 - Hidden Files and Directories, T1173 - Dynamic Data Exchange, T1175 - Component Object Model and Distributed COM, T1176 - Browser Extensions, T1179 - Hooking, T1180 - Screensaver, T1181 - Extra Window Memory Injection, T1183 - Image File Execution Options Injection, T1185 - Man in the Browser, T1189 - Drive-by Compromise, T1192 - Spearphishing Link, T1193 - Spearphishing Attachment, T1201 - Password Policy Discovery, T1202 - Indirect Command Execution, T1217 - Browser Bookmark Discovery, T1218 - Signed Binary Proxy Execution, T1219 - Remote Access Software, T1483 - Domain Generation Algorithms, T1486 - Data Encrypted for Impact, T1490 - Inhibit System Recovery, T1497 - Virtualization/Sandbox Evasion, T1499 - Endpoint Denial of Service
Tags: andromeda, cerber, cobalt strike, components, darkcomet, dealply, decrypt my, dyre, emotet, fareit, fusion, gamarue, hkcu, hklm, icedid, kovter, lokibot, maze, netwire, powershell, ramnit, ransomware, ryuk ransomware, smoke loader, smokeloader, t1027, ta0003, ta0005, ta0007, ta0011, tinba, trickbot, ursnif, users, zusy
View other sources: Spamhaus VirusTotal
Country: Netherlands
Network: AS60781 leaseweb netherlands b.v.
Noticed: 1 times
Protcols Attacked: spam
Passive DNS Results: gem2services.hellemansconsultancy.nl gem2.hellemansconsultancy.nl detertmang.co.vu webestetick.com airdns.org 87568479563487956.airdns.org danhunter.ddns.net

Malware Detected on Host

Count: 8 95749de99087fc32360712f7acd1e057bd189a6d72c277cd64fb4f37793a6a72 2d903a496d844a8a9d485f1dc7db0b3e03ebd440007331577b683446aa2d7a11 ac433a44657c8bb58ed5fac9d9bd9eda854141fe4982f24d57fc058178f94394 58e3040546708b5b1132725a6fc82eedef71af9a7fca876184608947fe3ee35d 7e37e9e58a45c55add0d123fe77b312f36e37d57be50160b01abf28e2d5b0aff 41818182ccb1d541684923e238629cea13cfe1c30914eeaab768bbdccf54b11a 702d0d6f568b692c4b79982a71a640a6d7f8919c304c1e529aee8c7ea254c00a 8b7f83408f0b298aed7d3c25aa5f8fb6c67867c2f27a7f0c3d1f6f3f802d059d

Open Ports Detected

25 443 80

Map

Whois Information

inetnum: 37.48.64.0 - 37.48.127.255
netname: NL-LEASEWEB-20120124
country: NL
org: ORG-OB3-RIPE
admin-c: lswn1-RIPE
tech-c: lswn1-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-by: LEASEWEB-NL-MNT
mnt-lower: LEASEWEB-NL-MNT
mnt-domains: LEASEWEB-NL-MNT
mnt-routes: LEASEWEB-NL-MNT
created: 2012-01-24T10:32:05Z
last-modified: 2017-11-16T10:27:09Z
organisation: ORG-OB3-RIPE
org-name: LeaseWeb Netherlands B.V.
country: NL
org-type: LIR
address: Postbus 93054
address: 1090BB
address: Amsterdam
address: NETHERLANDS
phone: +31203162880
fax-no: +31203162890
admin-c: lswn1-RIPE
abuse-c: LWAD-RIPE
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: LEASEWEB-NL-MNT
mnt-by: RIPE-NCC-HM-MNT
mnt-by: LEASEWEB-NL-MNT
created: 2004-04-17T11:42:05Z
last-modified: 2020-12-16T12:49:01Z
role: Leaseweb NL NOC
address: Hessenbergweg 95, 1101 CX. Amsterdam
admin-c: SPW1-RIPE
nic-hdl: lswn1-RIPE
mnt-by: LEASEWEB-NL-MNT
created: 2017-11-16T10:05:00Z
last-modified: 2022-07-05T12:59:36Z
route: 37.48.64.0/18
descr: LEASEWEB
origin: AS60781
mnt-by: LEASEWEB-NL-MNT
created: 2014-03-10T13:15:47Z
last-modified: 2020-04-22T12:18:40Z

Links to attack logs

forum-spam-ip-list-2015-04-07 forum-spam-ip-list-2015-04-10 forum-spam-ip-list-2015-04-08 forum-spam-ip-list-2015-04-13 forum-spam-ip-list-2015-04-17 forum-spam-ip-list-2015-04-19 forum-spam-ip-list-2015-04-23 forum-spam-ip-list-2015-04-20 forum-spam-ip-list-2015-04-24 forum-spam-ip-list-2015-04-25