IOC Radar
Type: IP · Risk: Medium · Signal 63/100

104.152.52.138

Location: United States, Chicago, Illinois
ASN: AS51088 (Rethem Hosting LLC)
First Seen: Oct 11, 2021 (1716d ago)
Last Seen: Jun 17, 2026 (6d ago)
Reports: 30 source reports
Confidence: 63% (medium)
Found in 30 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
Indicator type: IPv4 Address (network layer indicator observed in threat reports)
MISP Category: Network Activity
Confidence: 63%
Signal Score: 63 / 100
IDS Rule: No
Threat Context
Tags: MITRE ATT&CK
MITRE ATT&CK TTPs: 73 techniques

Network Information

Country: US (United States)
Region: Chicago, Illinois
ASN: AS51088
Organization: Rethem Hosting LLC

Feed Intelligence Summary

Source reports: 30
Confidence score: 63%
Category tags (separated for readability; the extracted page ran them together):
abuse, account compromise, active scan, active scanning, adbhoney honeypot, aerospace & defense, asia, attack, attack source ip, attacker ip, attacker-ip, attacker_ip, australia, auto-generated security, automated attack attempts, automated attacks, automated threat, automated threats, automated-attack, automotive manufacturing, bad ip's, bad reputation, bad web bot, blocklist_all, blog spam, botnet, botnet activity, brute, brute force, brute force attack, brute force attacker, brute force attacks, brute force attempts, brute-force, brute-force attack, brute_force, bruteforce, canada, china, cisco brute force, cisco device, cisco exploitation attempts, civil services, cloud infrastructure, cloud infrastructure attack, cloud services, code execution, code injection, command and control, command execution, communication protocol, compromised host, cowrie, cowrie attacks, cowrie honeypot, cowrie interactions, cowrie ssh honeypot, credential access, credential attacks, credential brute force, credential harvesting, credential stuffing, credential-bruteforcing, credential_access, data encryption, data exfiltration, data store exposure, database attack, database enumeration, database security, ddos, ddos attack, decoy system, defense, defense contracting, defense logistics, defense systems, defense technology, denial of service, device management, digital ocean, dionaea, dionaea activity, dionaea attacks, dionaea honeypot, distributed attacks, electronics manufacturing, encryption, enterprise networking, europe, exploit, exploit attempts, exploit probing, exploitation, exploitation activity, exploitation of vulnerability, exploited host, external access attempts, external ip, fatt, fatt analysis, finland, france, ftp, ftp attacks, ftp brute force, germany, government technology, hacking, heralding attacks, honeynet connect, honeytrap activity, honeytrap data, honeytrap honeypot, http brute force, http scanner, http scanning, http/s, https, identity & access exploitation, indicator, industrial automation, industrial iot, industrial production, infrastructure acquisition reconnaissance, initiator ip, injection activity, injection attacks, internet-facing assets, intrusion detection, ioc, iot security, iot targeted, ip-addresses, ipphoney honeypot, ipv4, kfsensor honeypot, lamp, lamp attack, lamp attacks, lamp exploitation attempts, lamp server attack, lamp stack attack, lamp stack targeting, lateral movement, lcia, linux servers, linux systems, login attempt, mailoney activity, mailoney honeypot, malaysia, malicious activity, malicious activity detected, malicious email activity, malicious ips, malicious login attempts, malicious payload, malicious software, malicious traffic, malware, malware activity, malware behaviour, malware capture, malware delivery, malware distribution, manual, manufacturing technology, military operations, monthly, mssql, national security, network, network attacks, network discovery, network enumeration, network infrastructure, network intrusion, network intrusion attempts, network probing, network protocol, network reconnaissance, network scanning, network scanning activity, network security, network service scanning, network services, network traffic analysis, network-reconnaissance, nextray, north america, oceania, opportunistic-attack, p0f, p0f signatures, password attack, password attacks, phishing, phishing attack, phishing trap, poland, portscan, possible malware distribution, possible malware probing, possible mirai variant, possible reconnaissance, potential_compromise, process injection, process manufacturing, protocol exploitation, public administration, public infrastructure, public policy, quality control, ransomware, reconnaissance, regulatory agencies, remote access, remote services, research, researched, resource hijacking, sans, scan, scanner, scanners, scanning activity, scripting attacks, security operations, sensor-tagged, sentrypeer activity, sentrypeer attacks, sentrypeer botnet, sentrypeer detection, service enumeration, service scan, service scanning, sftp access attempt, sftp activity, sftp attack, sftp attacks, singapore, sip attacks, sip brute force, sip heralding, sip scanning, smb brute force, smtp, smtp attacks, smtp brute force, smtp probing, smtp scanning, social engineering, spam, ssh, ssh attack, ssh attacks, ssh monitoring, ssh-brute, supply chain attack, supply chain management, suricata alerts, suspected malicious activity, system access, system discovery, t-pot, tanner, tanner activity, targeting database, tcp protocol, tcp scan, telecommunications, telnet, telnet threat, threat actor, threat detection, threat intelligence, tor node, tpot, udp port scan, udp scan, unauthorized access, unauthorized access attempt, unauthorized login, unauthorized login attempts, unauthorized probing, united kingdom, united states, united states of america, unknown threat actor, us, voidtrap, voip, voip attack, voip systems, vulnerability scan, vultr, vultr tokyo, web app attack, web application attack, web application scanning, web attack, web exploit, web exploitation, web scanner, web servers, web spam, web traffic
MITRE ATT&CK technique tags (73): t1016, t1018, t1021, t1021.001, t1021.002, t1021.003, t1021.004, t1021.005, t1040, t1041, t1046, t1053, t1053.005, t1055, t1059, t1059.001, t1059.003, t1059.004, t1059.005, t1059.007, t1068, t1071, t1071.001, t1076, t1077, t1078, t1082, t1083, t1087, t1110, t1110.001, t1110.002, t1110.003, t1110.004, t1133, t1136, t1137, t1187, t1189, t1190, t1203, t1204.002, t1210, t1486, t1496, t1499.001, t1499.002, t1499.003, t1555, t1563, t1565, t1566, t1566.001, t1566.002, t1566.003, t1566.004, t1587.001, t1588.001, t1588.002, t1588.003, t1589, t1590, t1590.001, t1590.006, t1591, t1592, t1592.002, t1593, t1594, t1595, t1595.001, t1595.002, t1595.003

Activity Timeline

1 total observation (Jun 17 to Jun 17)

Threat Activity Heatmap

[Heatmap image: weekly activity grid covering Jun through the following Jun; peak: 2026-06-17]
Observations by window:
24h: 0 (Dormant)
7d: 1 (Minimal)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: Medium Risk (63, signal)
Signal Score: 63
Confidence: 63%
Reports: 30
First seen: Oct 11, 2021
Last seen: Jun 17, 2026
Geolocation: US
Country: United States
Location: Chicago, Illinois
ASN: AS51088
Org: Rethem Hosting LLC
Coords: 37.7510, -97.8220

VirusTotal: Not checked

WHOIS

Description: IPv4 hosts detected port scanning DigitalOcean Toronto (CA) honeypot

Raw:
NetRange: 104.152.52.0 - 104.152.55.255
CIDR: 104.152.52.0/22
NetName: RETHEM-HOSTING
NetHandle: NET-104-152-52-0-1
Parent: NET104 (NET-104-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Rethem Hosting LLC (RHL-18)
RegDate: 2014-07-11
Updated: 2014-07-11
Ref: https://rdap.arin.net/registry/ip/104.152.52.0
OrgName: Rethem Hosting LLC
OrgId: RHL-18
Address: 500 N. Michigan Ave
Address: Suite 300
City: Chicago
StateProv: IL
PostalCode: 60611
Country: US
RegDate: 2011-03-16
Updated: 2012-05-25
Ref: https://rdap.arin.net/registry/entity/RHL-18
OrgAbuseHandle: NOC11885-ARIN
OrgAbuseName: Network Operations Center
OrgAbusePhone: +1-212-257-2998
OrgAbuseEmail: [email protected]
OrgAbuseRef: https://rdap.arin.net/registry/entity/NOC11885-ARIN
OrgNOCHandle: NOC11885-ARIN
OrgNOCName: Network Operations Center
OrgNOCPhone: +1-212-257-2998
OrgNOCEmail: [email protected]
OrgNOCRef: https://rdap.arin.net/registry/entity/NOC11885-ARIN
OrgTechHandle: NOC11885-ARIN
OrgTechName: Network Operations Center
OrgTechPhone: +1-212-257-2998
OrgTechEmail: [email protected]
OrgTechRef: https://rdap.arin.net/registry/entity/NOC11885-ARIN

References:
https://github.com/telekom-security/tpotce
https://raw.githubusercontent.com/ahamed-rizvan/IOCs/refs/heads/main/Malicous%20IP%20Address.txt
https://redpiranha.net

Export & API

STIX 2.1 Bundle
CSV Export
Permalink

IOC Journey (confidence: medium)

First detected 4 years ago · Last seen 6 days ago
Appeared in 30 threat reports