IOC Radar
IP · Medium · Signal 38/100

185.242.226.28

Location
Netherlands
Amsterdam, North Holland
ASN
AS202425
AI Spera
First Seen
Feb 14, 2024
Last Seen
Jun 17, 2026
Feb 14
First Seen
864d ago
Jun 17
Last Seen
10d ago
26
Reports
source reports
38%
Confidence
medium
Found in 26 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
38%
Signal Score
38 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK

MITRE ATT&CK TTPs

78 techniques

Network Information

Country: NL (Netherlands)
Region: Amsterdam, North Holland
ASN: AS202425
Organization: AI Spera

Feed Intelligence Summary

26 reports · 38% confidence
26
Source reports
38%
Confidence score
Category tags

Activity Timeline

1 total obs
Jun 17

Threat Activity Heatmap

(Figure: weekly activity heatmap, Jun to Jun, weekday rows Mon/Wed/Fri) · Peak: 2026-06-17
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: Low Risk
38
SIGNAL
Signal Score
38%
Confidence
26
Reports
First seen: Feb 14, 2024
Last seen: Jun 17, 2026
Geolocation: NL
Country: Netherlands
Location: Amsterdam, North Holland
ASN: AS202425
Org: AI Spera
Coords: 52.3676, 4.9041

VirusTotal

Not checked

WHOIS

description
2024-11-17T22:33:34.000Z Honeypot : Honeytrap : Source: 185.242.226.28 : Port: 27015 Message: {'payload': {'md5_hash': '6dc40d9ee1c20f138a137801f3303287', 'sha512_hash': 'cfce7e829180bb81a18db0db1cc4fdd8dd0de1d10a41622bf390bbca4737cc4b15e166b777456567f8a3b6da567ed0e5827dbef893aa0f8ca46c72b2eba8ddb6', 'length': 208, 'data_hex': '474554202f20485454502f312e310d0a486f73743a2039392e31382e32362e32313a32373031350d0a557365722d4167656e743a204d6f7a696c6c612f352e30202857696e646f7773204e542031302e303b2057696e36343b2078363429204170706c655765624b69742f3533372e333620284b48544d4c2c206c696b65204765636b6f29204368726f6d652f38382e302e343332342e313930205361666172692f3533372e33360d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a'}, 'protocol': 'tcp'}
raw
NetRange: 185.0.0.0 - 185.255.255.255
CIDR: 185.0.0.0/8
NetName: RIPE-185
NetHandle: NET-185-0-0-0-1
Parent: ()
NetType: Allocated to RIPE NCC
OriginAS:
Organization: RIPE Network Coordination Centre (RIPE)
RegDate: 2011-01-04
Updated: 2025-02-10
Comment: These addresses have been further assigned to users in the RIPE NCC region. Please note that the organization and point of contact details listed below are those of the RIPE NCC not the current address holder. ** You can find user contact information for the current address holder in the RIPE database at http://www.ripe.net/whois.
Ref: https://rdap.arin.net/registry/ip/185.0.0.0
ResourceLink: https://apps.db.ripe.net/db-web-ui/query
ResourceLink: whois.ripe.net

OrgName: RIPE Network Coordination Centre
OrgId: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
RegDate:
Updated: 2013-07-29
Ref: https://rdap.arin.net/registry/entity/RIPE
ReferralServer: whois.ripe.net
ResourceLink: https://apps.db.ripe.net/db-web-ui/query

OrgAbuseHandle: ABUSE3850-ARIN
OrgAbuseName: Abuse Contact
OrgAbusePhone: +31205354444
OrgAbuseEmail: [email protected]
OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3850-ARIN

OrgTechHandle: RNO29-ARIN
OrgTechName: RIPE NCC Operations
OrgTechPhone: +31 20 535 4444
OrgTechEmail: [email protected]
OrgTechRef: https://rdap.arin.net/registry/entity/RNO29-ARIN

Export & API

STIX 2.1 Bundle
CSV Export
Permalink

IOC Journey

medium
First detected 2 years ago · Last seen 10 days ago
Appeared in 26 threat reports