IOC Radar
IP · Medium · Signal 64/100

104.152.52.114

Location: United States (Chicago, Illinois)
ASN: AS51088 (Rethem Hosting LLC)
First Seen: Dec 15, 2021 (1638d ago)
Last Seen: Jun 9, 2026 (yesterday)
Reports: 29 source reports
Confidence: 64% (medium)
Found in 29 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address: network layer indicator observed in threat reports.
MISP Category: Network Activity
Confidence: 64%
Signal Score: 64 / 100
IDS Rule: No
Threat Context

MITRE ATT&CK TTPs: 65 techniques

Network Information

Country: US (United States)
Region: Chicago, Illinois
ASN: AS51088
Organization: Rethem Hosting LLC

Feed Intelligence Summary

29 source reports · 64% confidence score

Category tags:
abuse, abuseipdb, account compromise, ack, active scan, active scanning, adbhoney activity, adbhoney honeypot, aerospace & defense, apt, attack, attacker ips, attacker-ip, australia, authentication, authentication attempt, authentication attempts, authentication_bypass, auto-generated security, automated attack, automated attacks, automated threat, automotive manufacturing, bad reputation, bad web bot, blocklist_all, blog spam, botnet, botnet activity, brute force, brute force attack, brute force attacker, brute force attacks, brute force attempt, brute force attempts, brute-force, brute-force attack, brute_force, bruteforce, canada, cisco device, cisco device attack, cisco exploitation attempts, civil services, cloud infrastructure, cloud infrastructure attack, cloud services, cloud-infrastructure, command and control, communication protocol, compromise attempt, conpot activity, conpot honeypot, conpot ics attack, cowrie, cowrie activity, cowrie data, cowrie honeypot, cowrie interactions, cowrie ssh attack, cowrie ssh honeypot, credential access, credential attack, credential attacks, credential brute force, credential harvesting, credential stuffing, credential-access, data encryption, data exfiltration, data store exposure, database attack, database enumeration, database exploitation attempts, database security, ddos, ddos attack, decoy system, defense, defense contracting, defense logistics, defense systems, defense technology, denial of service, device management, digital ocean, digitalocean infrastructure, dionaea, dionaea activity, dionaea capture, dionaea honeypot, dionaea malware detection, dionaea payloads, distributed attacks, electronics manufacturing, encryption, enterprise networking, europe, exploit, exploit attempts, exploitation, exploitation activity, exploited host, external access attempts, external-threat, external_threat, fatt, fatt detections, file, fin scan, finland, france, fraud voip, ftp, ftp brute force, ftp brute-force, germany, government technology, hacking, honeynet connect, honeytrap data, honeytrap events, honeytrap honeypot, http brute force, http scanner, http scanning, http/s, ics security, identity & access exploitation, imap, imap attack, indicator, industrial automation, industrial control systems,
industrial iot, industrial production, information gathering, infrastructure acquisition reconnaissance, initial access, injection activity, injection attacks, internet-facing assets, intrusion detection, ioc, ioc.ip, iot attack, iot security, iot targeted, iot/ics attack, iplist, ipv4, ipv4 traffic, ipv4-addresses, ipv4_address, lamp, lamp server attack, lamp stack attack, lamp stack targeting, lateral movement, linux servers, linux systems, login, login attempt, login failure, mailoney activity, mailoney email spoofing, mailoney events, mailoney honeypot, malicious activity, malicious email, malicious file transfer, malicious login attempts, malicious software, malicious traffic, malware, malware behaviour, malware capture, malware detection, malware distribution, manual, manufacturing technology, military operations, mssql, mssql brute force, mysql brute force, national security, network, network attacks, network discovery, network enumeration, network infrastructure, network intrusion, network intrusion attempts, network monitoring, network probing, network protocol, network reconnaissance, network scanning, network security, network services, network traffic analysis, network-reconnaissance, network_reconnaissance, network_scan, network_service_exploitation, nextray, north america, null scan, oceania, p0f, p0f signatures, password attack, password attacks, phishing, phishing attack, phishing trap, poland, port-scanning, portscan, possible mirai variant, process injection, process manufacturing, protocol exploitation, public administration, public infrastructure, public policy, quality control, ransomware, reconnaissance, redis exploitation, redis honeypot, regulatory agencies, remote access, remote access attempt, remote services, remote_access, research, researched, resource hijacking, sans, scams & fraud, scanner, scanners, scanning activity, scripting attacks, security operations, sensor-tagged, sentrypeer activity, sentrypeer botnet, sentrypeer detection, sentrypeer events, sentrypeer p2p attack, server exploitation, service enumeration, service probing, service scan, service scanning, sftp access attempt, sftp activity, sftp attack, sftp attempt, sftp exploitation attempts, sftp scanning, sip brute force,
sip scanning, smb brute force, smtp, smtp attacker, smtp brute force, social engineering, spam, sql injection, ssh, ssh attack, ssh monitoring, ssh-brute, supply chain attack, supply chain management, suricata alerts, syn, t1021, t1021.001, t1021.002, t1021.003, t1021.004, t1021.005, t1021.006, t1040, t1041, t1046, t1053, t1055, t1059, t1059.001, t1059.003, t1059.004, t1059.007, t1068, t1071, t1071.001, t1071.004, t1076, t1077, t1078, t1078.004, t1083, t1087, t1110, t1110.001, t1110.002, t1110.003, t1110.004, t1133, t1187, t1189, t1190, t1203, t1204.002, t1486, t1496, t1499.001, t1499.002, t1499.003, t1505.002, t1555, t1563, t1565, t1566, t1566.001, t1566.002, t1566.003, t1566.004, t1587.001, t1588, t1588.004, t1589, t1590.001, t1590.005, t1590.006, t1592, t1592.002, t1595, t1595.001, t1595.002, t1595.003, tanner, tanner activity, tanner events, tanner web attack, targeting database, tcp protocol, tcp scan, telecommunications, telnet threat, threat actor, threat detection, threat intelligence, tor node, tpot, udp port scan, udp scan, unauthorized access, unauthorized access attempt, unauthorized access attempts, unauthorized login, united states, unknown threat actor, us, vnc protocol, voidtrap, voip, voip attack, vulnerability scan, vultr, web app attack, web application attack, web application scanning, web attack, web exploitation, web spam, web traffic, xmas scan

Activity Timeline

1 total observation (Jun 9 to Jun 9)

Threat Activity Heatmap

[Daily activity grid, Jun through the following Jun; weekday rows Mon/Wed/Fri; no plotted values recoverable from the page]
Window: Observations (Level)
24h: 0 (Dormant)
7d: 1 (Minimal)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: 64 (Medium Risk)
Coords: 37.7510, -97.8220

VirusTotal: Not checked

WHOIS

Description: IPv4 hosts detected port scanning DigitalOcean London (UK) honeypot

Raw:
NetRange: 104.152.52.0 - 104.152.55.255
CIDR: 104.152.52.0/22
NetName: RETHEM-HOSTING
NetHandle: NET-104-152-52-0-1
Parent: NET104 (NET-104-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Rethem Hosting LLC (RHL-18)
RegDate: 2014-07-11
Updated: 2014-07-11
Ref: https://rdap.arin.net/registry/ip/104.152.52.0

OrgName: Rethem Hosting LLC
OrgId: RHL-18
Address: 500 N. Michigan Ave
Address: Suite 300
City: Chicago
StateProv: IL
PostalCode: 60611
Country: US
RegDate: 2011-03-16
Updated: 2012-05-25
Ref: https://rdap.arin.net/registry/entity/RHL-18

OrgAbuseHandle: NOC11885-ARIN
OrgAbuseName: Network Operations Center
OrgAbusePhone: +1-212-257-2998
OrgAbuseEmail: [email protected]
OrgAbuseRef: https://rdap.arin.net/registry/entity/NOC11885-ARIN

OrgTechHandle: NOC11885-ARIN
OrgTechName: Network Operations Center
OrgTechPhone: +1-212-257-2998
OrgTechEmail: [email protected]
OrgTechRef: https://rdap.arin.net/registry/entity/NOC11885-ARIN

OrgNOCHandle: NOC11885-ARIN
OrgNOCName: Network Operations Center
OrgNOCPhone: +1-212-257-2998
OrgNOCEmail: [email protected]
OrgNOCRef: https://rdap.arin.net/registry/entity/NOC11885-ARIN

References:
https://github.com/telekom-security/tpotce
https://jamesbrine.com.au/vultrwarsaw-telnet-bruteforce-ip-list-2025-09-02/
https://jamesbrine.com.au
https://raw.githubusercontent.com/ahamed-rizvan/IOCs/refs/heads/main/Malicous%20IP%20Address.txt
http://cinsscore.com/list/ci-badguys.txt
https://github.com/borestad/blocklist-abuseipdb/blob/main/abuseipdb-s100-3d.ipv4


IOC Journey

Confidence: medium · First detected 4 years ago · Last seen 1 day ago · Appeared in 29 threat reports