IOC Radar
IP · Medium · Signal 91/100

104.238.61.144

Location: United States, Los Angeles, HE
ASN: AS8100 (Crowncloud US LLC)
First Seen: Aug 4, 2024
Last Seen: Jun 7, 2026
Found in 17 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
Indicator type: IPv4 Address (network layer indicator observed in threat reports)
MISP Category: Network Activity
Confidence: 91%
Signal Score: 91 / 100
IDS Rule: No
Threat Context

MITRE ATT&CK TTPs: 68 techniques

Network Information

Country: US (United States)
Region: Los Angeles, HE
ASN: AS8100
Organization: Crowncloud US LLC

IP Category

Proxy (proxy server)

Feed Intelligence Summary

Source reports: 17
Confidence score: 91%
Category tags

Activity Timeline

1 total observation (Jun 7)

Threat Activity Heatmap

12-month calendar heatmap (Jun to Jun) not reproduced · Peak: 2026-06-07

Observations by window:
24h: 0 (Dormant)
7d: 1 (Minimal)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: High Risk (91)
Signal Score: 91
Confidence: 91%
Reports: 17
First seen: Aug 4, 2024
Last seen: Jun 7, 2026
Geolocation: US
Country: United States
Location: Los Angeles, HE
ASN: AS8100
Org: Crowncloud US LLC
Coords: 50.1049, 8.6295 (note: these coordinates fall in Hesse, Germany, consistent with the HE region code but not with Los Angeles; treat the geolocation fields as unreliable)
Category: Proxy

VirusTotal

Not checked

WHOIS

description: CC=US ASN=AS8100 quadranet enterprises llc
raw: Web2Objects LLC NET104-238 (NET-104-238-32-0-1) 104.238.32.0 - 104.238.63.255 Crowncloud US LLC CROWNCLOUD-US (NET-104-238-60-0-1) 104.238.60.0 - 104.238.61.255
references: https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html, https://hunt.io/blog/tracking-pyramid-c2-identifying-post-exploitation-servers, IOCs.April.pdf, https://labs.infoguard.ch/posts/slithering_through_the_noise/#introduction, Aug1.pdf, https://threatfox.abuse.ch/export/csv/recent/, https://documents.trendmicro.com/assets/txt/IOC-List---SocGholish-to-RansomhubRyWU7lB.txt, Bootkitty, Glove-Stealer, Fake Discount Sites Exploit Black Friday, Helldown Ransomware, HawkEye Malware, PXA Stealer, Iranian Hackers Use GitHub and Phishing to Evade Detection in SnailResin Attack, BrazenBamboo, SpyGlace, RustyStealer and New Ymir Ransomware, PyPI-AIOCPA, Python NodeStealer, romcom-exploits-firefox-and-windows, Rockstar-Phishing, Silent Skimmer Gets Loud (Again), SteelFox Trojan, WezRat Malware, Avast-Anti-Root-KIt, Winos4.0 RAT, APT36, WolfsBane Backdoor, APT-K-47, Remcos RAT, babbleloader, Bitter APT, UAC-0194’s Exploitation of CVE-2024-43451 in Ukraine for Phishing, CloudScout_ Evasive Panda scouting cloud services, clickfix-tactic, Akira Ransomware, Bumblebee Malware, ELDORADO RANSOMWARE, Evasive Panda Uses MACMA and MgBot Malware to Target US and Taiwan, Demodex rootkit, BugSleep Malware, HotPage.exe (malware), Qilin Ransomware, NOOPDOOR Malware, Shadowroot Ransomware, play ransomware, MALLOX RANSOMWARE, New Malware Campaign Abusing RDPWrapper and Tailscale to Target Cryptocurrency Users, ACR Stealer, Suspicious Domains Exploiting the Recent CrowdStrike Outage!, Gh0stGambit, MEKOTIO BANKING TROJAN, TAG-100, Fake game sites lead to information stealers, Chrome Extensions Hijacked, 2.6 Million Users Impacted, macOS Users Targeted by the New Variant of Banshee Infostealer, Hundreds of fake Reddit sites push Lumma Stealer malware, GamaCopy APT Group Mimicking GamaRedon, InvisibleFerret Malware Leveraging Python for Targeted Attacks, Fake CAPTCHA Campaign That Spreads LUMMA Info Stealer, REF5961 Group Deploys EAGERBEE Backdoor Against Critical Sectors, Phishing Campaigns Fuel Compiled AutoIt Malware Distribution, The great Google Ads heist_ criminals ransack advertiser accounts via fake Google ads, New Star Blizzard spear-phishing campaign targets WhatsApp accounts, RansomHub Affiliate leverages Python-based backdoor, Sliver Implant Targets German Entities with DLL Sideloading and Proxying Techniques, Advanced Evasion Techniques Used by NonEuclid RAT, The Return of PlugX Malware with Fresh Tricks, The Growing Risk of Sneaky 2FA for Microsoft and Gmail Accounts, Weaponized Software Targeting Chinese Organizations, Threat Surge as Lumma Stealer Expands Its Reach, Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain, MintsLoader_Stealc, North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks, North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware, Rat Race_ ValleyRAT Malware Targets Organizations with New Delivery Techniques, Salt Typhoon Target U.S. Telecom Networks, SecTopRAT, Stealers on the Rise, Snake Keylogger, AsyncRAT Reloaded, The BadPilot campaign_ Seashell Blizzard subgroup conducts multiyear global access operation, FatalRAT, SystemBC RAT Poses New Risks to Linux System, Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan & Neighbouring Nations, FERRET Malware Targets macOS in Sophisticated North Korean Attacks, Espionage Campaign Targeting South Asian Entities, Astral Stealer Strikes Again Stealing More Than Just Your Cookies, The New Ransomware Menace Vgod Gains Momentum, Microsoft Advertisers Phished via Malicious Google Ads, LegionLoader Malware Expands Global Reach, NEW.txt, From Stealers to Ransomware PureCrypter Delivers It All, New Phishing Campaign Abuses Webflow, SEO, and Fake CAPTCHAs, FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux, LockBit Ransomware Attack Leveraging Cobalt Strike, Rspack_Compromised_Packages, SmokeLoader, Sock5Systemz-PROXY-AM, solana-backdoor, U.S. Organization in China Targeted by Attackers, UAC-0185 attacks warned by CERT-UA, BellaCpp, bootkitty(logofail), Visual Studio Code Remote tunnels, Cloud Atlas seen using a new tool in its attacks, Christmas-Themed LNK Files Used for Malware Delivery, DarkGate, MirrorFace Campain, horns-hooves, Developers Targeted by New ‘OtterCookie’ Malware with Fake Job Offers, NetSupport RAT and BurnsRAT, Cybercriminals Leverage Fake CAPTCHAs for Malware Delivery, MUT-1244-GitHub, Phobos ransomware, Python Malware in Zebo-0.1.0 and Cometlogger-0.1 Found Stealing User Data, PUMAKIT, OtterCookie used by Contagious Interview, Ransomware-Lockbit3-IOCs.csv, https://www.guidepointsecurity.com/blog/ransomhub-affiliate-leverage-python-based-backdoor/

IOC Journey

Confidence: medium
First detected 1 year ago · Last seen 5 days ago
Appeared in 17 threat reports