IP · Medium · Signal 100/100
167.94.138.131
Location
Ann Arbor, Michigan
ASN
AS398324
Censys, Inc
First Seen
Jan 25, 2022
Last Seen
May 10, 2026
Found in 32 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
99%
Signal Score
100 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Network Information
Country
United States
Region: Ann Arbor, Michigan
ASN: AS398324
Organization: Censys, Inc
IP Category: Proxy (Proxy server)
Feed Intelligence Summary
Source reports: 32
Confidence score: 99%
Category tags
Activity Timeline
May 10
Threat Activity Heatmap · Peak: 2026-05-10
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 1 (Minimal)
Threat Score: High Risk
Signal Score: 100
Confidence: 99%
Reports: 32
First seen: Jan 25, 2022
Last seen: May 10, 2026
Geolocation: US
Country: United States
Location: Ann Arbor, Michigan
ASN: AS398324
Org: Censys, Inc
Coords: 37.7510, -97.8220
Proxy
VirusTotal
Not checked
WHOIS
- description: Observed on T-Pot within last 24h; sensors=suricata; threshold?1; private IPs excluded.
- raw:
  NetRange: 167.94.138.0 - 167.94.138.255
  CIDR: 167.94.138.0/24
  NetName: CENSY
  NetHandle: NET-167-94-138-0-1
  Parent: NET167 (NET-167-0-0-0-0)
  NetType: Direct Allocation
  OriginAS: AS398324
  Organization: Censys, Inc. (CENSY)
  RegDate: 2021-09-13
  Updated: 2024-03-29
  Ref: https://rdap.arin.net/registry/ip/167.94.138.0
  OrgName: Censys, Inc.
  OrgId: CENSY
  Address: 116 1/2 S Main Street
  City: Ann Arbor
  StateProv: MI
  PostalCode: 48104
  Country: US
  RegDate: 2018-08-06
  Updated: 2019-08-03
  Comment: https://censys.io
  Ref: https://rdap.arin.net/registry/entity/CENSY
  OrgAbuseHandle: CAT20-ARIN
  OrgAbuseName: Censys Abuse Team
  OrgAbusePhone: +1-248-629-0125
  OrgAbuseEmail: [email protected]
  OrgAbuseRef: https://rdap.arin.net/registry/entity/CAT20-ARIN
  OrgNOCHandle: COT12-ARIN
  OrgNOCName: Censys Operations Team
  OrgNOCPhone: +1-248-629-0125
  OrgNOCEmail: [email protected]
  OrgNOCRef: https://rdap.arin.net/registry/entity/COT12-ARIN
  OrgTechHandle: COT12-ARIN
  OrgTechName: Censys Operations Team
  OrgTechPhone: +1-248-629-0125
  OrgTechEmail: [email protected]
  OrgTechRef: https://rdap.arin.net/registry/entity/COT12-ARIN
- references: https://malware-filter.gitlab.io/malware-filter/botnet-filter.txt, https://github.com/telekom-security/tpotce, https://example.com, https://list.rtbh.com.tr/output.txt, https://raw.githubusercontent.com/ahamed-rizvan/IOCs/refs/heads/main/Malicous%20IP%20Address.txt, http://cinsscore.com/list/ci-badguys.txt
IOC Journey
Medium · First detected 4 years ago · Last seen 1 month ago
Appeared in 32 threat reports