93.115.28.104 Threat Intelligence and Host Information
General
This page contains threat intelligence for the IPv4 address 93.115.28.104. It was generated either because malicious activity was observed from the address or as an information-gathering exercise to enrich security events with context. All information is gathered passively, by aggregating public sources or by observing activity against honeynets. The host score is calculated from statistically weighted values and machine learning that take into account metadata such as host information; the frequency, volume and global distribution of malicious activity; association with other known malicious hosts or networks; proxying or anonymising behaviour (Tor exit nodes, residential proxies, VPN services); and many other attributes. These values are historical and indicative only, and should not be taken as an accurate representation of the users, businesses or networks behind the address.
Known Malicious Host 🔴 80/100
Host and Network Information
Mitre ATT&CK IDs: T1003 - OS Credential Dumping, T1005 - Data from Local System, T1012 - Query Registry, T1021 - Remote Services, T1027 - Obfuscated Files or Information, T1031 - Modify Existing Service, T1036 - Masquerading, T1040 - Network Sniffing, T1045 - Software Packing, T1047 - Windows Management Instrumentation, T1053 - Scheduled Task/Job, T1055 - Process Injection, T1056.001 - Keylogging, T1056 - Input Capture, T1057 - Process Discovery, T1059 - Command and Scripting Interpreter, T1060 - Registry Run Keys / Startup Folder, T1063 - Security Software Discovery, T1070 - Indicator Removal on Host, T1071 - Application Layer Protocol, T1081 - Credentials in Files, T1082 - System Information Discovery, T1083 - File and Directory Discovery, T1095 - Non-Application Layer Protocol, T1096 - NTFS File Attributes, T1105 - Ingress Tool Transfer, T1106 - Native API, T1110.002 - Password Cracking, T1112 - Modify Registry, T1113 - Screen Capture, T1119 - Automated Collection, T1129 - Shared Modules, T1133 - External Remote Services, T1140 - Deobfuscate/Decode Files or Information, T1143 - Hidden Window, T1158 - Hidden Files and Directories, T1189 - Drive-by Compromise, T1203 - Exploitation for Client Execution, T1210 - Exploitation of Remote Services, T1222 - File and Directory Permissions Modification, T1457 - Malicious Media Content, T1480 - Execution Guardrails, T1485 - Data Destruction, T1496 - Resource Hijacking, T1497 - Virtualization/Sandbox Evasion, T1498 - Network Denial of Service, T1518 - Software Discovery, T1543 - Create or Modify System Process, T1547 - Boot or Logon Autostart Execution, T1552 - Unsecured Credentials, T1553 - Subvert Trust Controls, T1555 - Credentials from Password Stores, T1564 - Hide Artifacts, T1566 - Phishing, T1568 - Dynamic Resolution, T1569 - System Services, T1573 - Encrypted Channel, T1574 - Hijack Execution Flow, T1583 - Acquire Infrastructure, T1590 - Gather Victim Network Information
Note: these IDs are aggregated from reports on the malware samples and infrastructure associated with the host, not from the honeynet activity alone. Several are legacy ATT&CK IDs that have since been revoked or folded into sub-techniques (T1060 → T1547.001, T1063 → T1518.001, T1045 → T1027.002, T1081 → T1552.001, T1096 → T1564.004, T1143 → T1564.003, T1158 → T1564.001, T1031 → T1543.003), and T1457 belongs to the Mobile matrix; map them to current IDs before using them in a detection catalogue. The SSH activity recorded below is password guessing (T1110.001) rather than offline password cracking (T1110.002).
Tags: aaaa, accept, access ta0001, active related, added active, address, adobe portable, a domains, adversaries, adware, aig, akamai rank, alerts, alexa, alexa top, alf features, algorithm, all scoreblue, amazon 02, america flag, analysis date, analyzer paste, analyzer threat, android device, a nxdomain, apple, apple ios, apple notepad, artemis, as16552 tiggee, as29789, as397240, as397241, as62597 nsone, as9009 m247, ascii, ascii text, asnone united, asyncrat, august, australia, autodesk, avast avg, av detections, awful, azure tls, bambernek, bank, banker, basic, b body, best targets, betabot, blacklist, blacklist http, blacklist https, blocklist, body, body doctype, body length, boot, bootkits, brent kimball, brian sabey, cachecontrol, capture, catalog tree, centerchecks, certificate, china, ch ua, cisco umbrella, ck id, ck matrix, ck techniques, class, classname, click, clickjacking, clipper dos, close, cname, cnc beacon, cnc feodo, cnc server, coalition et, cobalt strike, code, command, command decode, communications, compiler, connect azurepc, connection, contact, contacted, contacted hosts, contact phone, contained, control ta0011, cookie, copy, copy md5, copyright, copy sha1, copy sha256, core, country, covid19, crash, create, create c, created, create new, creation date, critical risk, cronup threat, crossrider, csc corporate, cus cnmicrosoft, cyber attack, cyber security, cyberstalking, cyber threat, dan.com, dangeroussig, dark consultants, darkgate, date, date hash, date mon, dded active, december, ded active, default, defense evasion, delete, delete c, denver co, detecting, detection list, detections dns, discovery, dll sideloading, dns resolutions, dock, document format, domain, domain address, domain name, domains, domain tracker, dos borland, dos com, download, downloader, dridex, drivertalent, dynamicloader, e1082 impact, e1203 data, e1564 discovery, emails, emotet, emotet ip, encrypt, engineering, entries, erase, error, et info, etpro malware, evasion ob0006, evil, evil c, exe32, executable, execution, execution att, expiration date, expires thu, exploitation, facebook, failure, fakedout threat, fancy bear, feodo, file, filehash, filehashmd5, filehashsha1, filehashsha256, files, file samples, file score, files domain, files location, files matching, file type, final url, find, findwindowa, flag, flag united, flow t1574, font format, format, formbook, found, foundry, fuery, fusioncore, g2 issuer, g2 name, gamers, gandi sas, gecko, general, generic, generic windos, getdc0x2a, get http, get https, global outage, gmt cache, gmt connection, gmt server, guard, gui32, h1 center, hackers, hacktool, hashes, header intel, headers, headers date, healthy check, heur, hide artifacts, high, high level, highly targeted, high process, high security, historical ssl, history, hitmen, host, hostmaster, hostname, hostnames, hstr, html, html info, http, http attacker, http requests, http response, hybrid, hyperv, ids detections, igmp, indicator, indicator role, industry_and_commerce, info compiler, info header, information, informative, injection t1055, installcore, intel, internal, ioc, iocs, ip address, ip detections, ip summary, ipv4, ireland, issuing ca, javascript, jpeg image, june, kb body, kb pe, keylogger, khtml, kraken, language, learn, life, light dark, linker, local, location united, logon autostart, lowfi, mail spammer, malicious, malicious ids, malicious site, malicious url, maltiverse, malware, malware site, malware type, manjusaka, markmonitor, media center, medium, memcommit, memory pattern, meta tags, metro, mike, million, mitre att, mivast, modify system, mon jul, moved, mozilla, mr windows, msclkidn, msie, ms visual, ms windows, murderers, my boy dan, name md5, name server, name servers, name tactics, nanocore rat, nemucod, next, Nextray, no data, no entries, no expiration, nxdomain, ob0005 defense, ob0007 system, ob0012 hide, oc0006 http, oc0008, october, ollydbg, open, openioc, os2 executable, overlay, panda, panda banker, panel item, pass, passive dns, path, pattern match, pcap, pcidump rasman, pdf document, pdf report, pe32, pe32 compiler, pe32 executable, pe32 packer, persistence, phishing, phishing site, phishtank, plasma, please, pony, porkbun llc, post, post http, pragma, present apr, present feb, present mar, privacy badger, process32nextw, processes tree, process t1543, products id, protocol, proxy, pulse pulses, pulses, pulse submit, pulses url, quasi, query, ransom, ransomware, raspberry robin, read c, redline stealer, redrum, referrer, regbinary, regdword, registrar abuse, registrar url, registry keys, regsetvalueexa, related nids, related pulses, remote, remote keylogger, remote system, replacement, report spam, reputation, request, resolved ips, response, reverse dns, review, rgba, riskware, roboto, role title, safe site, sakula, sakula rat, sale, sameorigin, sample, samplepath, samples, samuel, samuel tulach, sandbox, san rafael, scan endpoints, script urls, search, sec ch, september, serial number, server, servers, service, services, serving ip, sha1, sha256, shell commands, shelltraywnd, show, showing, show technique, siendownloader, signing ca, site, sites, size, slcc2, slug, snanning_host, snatch, sneaky server, source domain, spawns, spotify artist, sqli dumper, ssl bypass, ssl certificate, stamping, startpage, start service, status, status code, stealer, steganography, stix, stop service, strings, sub domain, summary, suppobox, suricata ipv4, suricata udpv4, suspicious, suspicioussectioname, suspicious ua, symantec time, t1027, t1057, t1063, t1071, t1105, t1119, t1129, t1189 found, ta0004 process, ta0007 command, tag count, tag manager, team, team phishing, team top, telefonica co, threat roundup, threats et, thumbprint, title, title added, title error, tls handshake, tls sni, tmobile, tool transfer, tor role, tracker, tre att, trojan, trojanclicker, trojan.crypted, trojanspy, tsara brashears, tulach, twitter, type, type indicator, ua platform, unauthorized, united, united kingdom, unknown, url analysis, url http, url https, urls, urls http, urls https, url summary, ursnif, usd twitter, user, utc google, utc gtmsxrf, vadokrist, ver2, vids0, vipre, virustotal, vmware, vs2003, w11 pc, web open, wewatta, whitelisted, win16 ne, win32, win324shared, win32 exe, win32mediadrug, win32spigot, win64, windows, windows control, windows nt, windows service, wininet c0005, workers compensation, world, worm, wow64, write, write c, writeconsolew, writing gui, x8bxe5, xport, yara detections, yara rule, youtube, zbot, zeus, zusy
View other sources: Spamhaus, VirusTotal
Contained within other IP sets: coinbl_hosts_browser, coinbl_hosts, hphosts_ats, hphosts_emd, hphosts_fsa, hphosts_pha, hphosts_psh, hphosts_wrz
- Country: Lithuania
- Network:
- Noticed: 41 times
- Protocols Attacked: SSH
- Countries Attacked: Australia, Canada, Czechia, Denmark, Estonia, France, Germany, Latvia, Lithuania, Netherlands, Norway, Poland, Romania, Turkey, Ukraine, United Kingdom of Great Britain and Northern Ireland, United States of America
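The host information above (41 sightings, SSH as the attacked protocol, 17 target countries) is the kind of indicator a SOC turns into a local check. The following is an added example, not code from the original page or from the service that generated it: it parses sshd authentication log lines, counts failed password attempts per source address, and flags sources that match this page's IOC exactly or that fall inside the 93.115.28.0/24 route shown in the Whois section. The log lines, the netset file and the failure threshold of 5 are constructed or assumed for the example. Because the /24 is assigned to a dedicated-server hoster, a range match is weaker evidence than an exact match, so the code reports the two separately rather than collapsing them into one verdict.

```python
"""
Added example (not part of the original threat-intel page): enrich sshd
authentication log lines against the indicators this page lists.

Assumptions, labelled: SAMPLE_AUTH_LOG is constructed, SAMPLE_NETSET is a
constructed FireHOL-style file holding only the 93.115.28.0/24 route from
the Whois section, and the threshold of 5 failures is an arbitrary choice.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sshd syslog lines; not real log data.
SAMPLE_AUTH_LOG = """\
Jul 14 03:12:01 bastion sshd[2231]: Failed password for invalid user admin from 93.115.28.104 port 51122 ssh2
Jul 14 03:12:03 bastion sshd[2231]: Failed password for invalid user admin from 93.115.28.104 port 51122 ssh2
Jul 14 03:12:05 bastion sshd[2235]: Failed password for root from 93.115.28.104 port 51140 ssh2
Jul 14 03:12:07 bastion sshd[2238]: Invalid user oracle from 93.115.28.104 port 51161
Jul 14 03:12:09 bastion sshd[2238]: Failed password for invalid user oracle from 93.115.28.104 port 51161 ssh2
Jul 14 03:12:11 bastion sshd[2240]: Failed password for root from 93.115.28.104 port 51180 ssh2
Jul 14 03:15:40 bastion sshd[2301]: Accepted publickey for deploy from 10.0.4.17 port 40212 ssh2: ED25519 SHA256:abc
Jul 14 03:16:02 bastion sshd[2310]: Failed password for root from 93.115.28.77 port 38811 ssh2
Jul 14 03:17:55 bastion sshd[2322]: Failed password for alice from 198.51.100.23 port 55021 ssh2
"""

# Constructed FireHOL-style netset: one IP or CIDR per line, '#' comments allowed.
SAMPLE_NETSET = """\
# constructed for this example; real lists hold thousands of entries
93.115.28.0/24
"""

# The exact IOC this page is about.
KNOWN_BAD = frozenset({"93.115.28.104"})

# Only 'Failed password' events count; 'Invalid user' lines precede them
# and would double-count the same attempt.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_netset(text):
    """Parse a netset/ipset file into ip_network objects.
    Bare addresses become /32 networks; blank lines and comments are skipped."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def failed_logins(log_text):
    """Map each source IP to a Counter of usernames it failed to log in as."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_ip[m["ip"]][m["user"]] += 1
    return per_ip


def enrich(log_text, netset_text, known_bad=KNOWN_BAD, threshold=5):
    """Return one row per failing source, most-suspicious first.
    Exact IOC hits and blocklisted-range hits are reported as separate
    fields because the range belongs to a hoster with other customers."""
    nets = parse_netset(netset_text)
    rows = []
    for ip, users in failed_logins(log_text).items():
        addr = ipaddress.ip_address(ip)
        failures = sum(users.values())
        in_range = any(addr in net for net in nets)
        reasons = []
        if ip in known_bad:
            reasons.append("exact IOC match")
        if in_range:
            reasons.append("inside blocklisted range")
        if failures >= threshold:
            reasons.append(f"{failures} failed logins (threshold {threshold})")
        rows.append({
            "ip": ip,
            "failures": failures,
            "users": dict(users),
            "exact_ioc": ip in known_bad,
            "in_blocklist": in_range,
            "reasons": reasons,
        })
    rows.sort(key=lambda r: (-len(r["reasons"]), -r["failures"]))
    return rows


if __name__ == "__main__":
    for row in enrich(SAMPLE_AUTH_LOG, SAMPLE_NETSET):
        verdict = "; ".join(row["reasons"]) or "no indicator, review manually"
        print(f"{row['ip']:<16} failures={row['failures']:<3} {verdict}")
```

In practice feed it /var/log/auth.log or the sshd journal output instead of the constructed lines, and a real blocklist netset in place of `SAMPLE_NETSET`; `enrich()` returns the rows so they can be pushed to a SIEM rather than only printed. Successful logins are deliberately not counted, so an accepted key from an address that also appears as an exact IOC needs a separate check.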
Malware Detected on Host
Count: 433 (10 SHA256 hashes shown)
- d9e450f700d6c8295a1d59136d0fe228e231b7d386929783aefdb35cb4d58120
- f1fa6d153374d5b948325fd04e15944a11ea5ae179ec2793150a3687afaf3457
- bf068a6e8ce2aa89642a9f07a89028680807db0509f3b3db7a6e00677e515617
- 75bef2a220c68aa379a7f559a3c63587dcf0fb60de5ba7c5795ede09dbb6fe54
- 96ae772265b3ceb85b3281cb060b6446190b532dd8948893852d3b8a2640bf1f
- 333156f7f60ce9257f92539434ce8f71839539e9be19abff9dd02e70eccadbc0
- 655388c71923caadd6b8efa371ca6006894e44e83900ca43d5ca223a23831c40
- 5e522437424505981d694f1416d4cdc8f984cea8be5364213b56212acaa8c903
- e4e9b9da347009dbeb76c327d84b2cbdc49207e34e2bf59e80bbe89b05481e82
- 8cdb5de1cdc619a8fd08e06b5c181392fd1d977d300fd7f8671bb2d3c8bd9d92
Whois Information
- inetnum: 93.115.28.0 - 93.115.28.255
- netname: CHERRYSERVERS-LT-DEDICATED
- descr: Dedicated servers
- country: LT
- admin-c: MS33333-RIPE
- tech-c: MS33333-RIPE
- status: ASSIGNED PA
- mnt-by: DUOMENUCENTRAS-MNT
- created: 2015-11-04T12:38:25Z
- last-modified: 2015-11-04T12:38:25Z

- person: Martynas Simkevicius
- address: Tilzes 74
- address: LT-76140 Siauliai
- phone: +37070005030
- nic-hdl: MS33333-RIPE
- mnt-by: DUOMENUCENTRAS-MNT
- created: 2012-08-21T11:54:54Z
- last-modified: 2017-10-30T22:21:22Z

- route: 93.115.28.0/24
- descr: CHERRY SERVERS
- origin: AS16125
- mnt-by: DUOMENUCENTRAS-MNT
- created: 2020-09-08T07:10:20Z
- last-modified: 2020-09-08T07:10:20Z