IP · Medium · Signal 51/100
188.68.49.235
Location
Nuremberg, Bavaria
ASN
AS197540
NETCUP-GMBH
First Seen
Aug 12, 2022
Last Seen
Jun 7, 2026
Found in 32 reports. Confidence: medium. Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
51%
Signal Score
51 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Network Information
Country
Germany
Region
Nuremberg, Bavaria
ASN
AS197540
Organization
NETCUP-GMBH
IP Category
Proxy (proxy server)
VPN (VPN exit node)
Feed Intelligence Summary
32 source reports · 51% confidence score
Category tags
Activity Timeline
Jun 7
Threat Activity Heatmap · Peak: 2026-06-07
24h: 0 (Dormant)
7d: 1 (Minimal)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score
Medium Risk
Signal score
51
Confidence
51%
Reports
32
First seen
Aug 12, 2022
Last seen
Jun 7, 2026
Geolocation
DE
Country
Germany
Location
Nuremberg, Bavaria
ASN
AS197540
Org
NETCUP-GMBH
Coords
49.0291, 8.3569
Categories
Proxy, VPN
VirusTotal
Not checked
WHOIS
- description
- Anonymization_Network indicators. Date: Apr 8, 2026. Part 3/5. For more threat intelligence visit https://ltna.com.au/cyber
- raw:
  inetnum: 188.68.48.0 - 188.68.51.255
  netname: NETCUP_NET-16
  org: ORG-nG51-RIPE
  descr: netcup GmbH
  country: DE
  admin-c: OW395-RIPE
  tech-c: OW395-RIPE
  status: ASSIGNED PA
  remarks: INFRA-AW
  mnt-by: NETCUP-MNT
  created: 2016-07-04T06:14:53Z
  last-modified: 2016-07-04T06:14:53Z
  source: RIPE

  organisation: ORG-nG51-RIPE
  org-name: netcup GmbH
  country: DE
  org-type: LIR
  address: Daimlerstrasse 25
  address: 76185
  address: Karlsruhe
  address: GERMANY
  phone: +4972175407550
  fax-no: +4972175407559
  admin-c: OW395-RIPE
  abuse-c: NA4042-RIPE
  mnt-ref: RIPE-NCC-HM-MNT
  mnt-ref: NETCUP-MNT
  mnt-by: RIPE-NCC-HM-MNT
  mnt-by: NETCUP-MNT
  created: 2010-11-03T10:05:19Z
  last-modified: 2020-12-16T12:52:13Z
  source: RIPE # Filtered

  person: Oliver Werner
  address: netcup GmbH
  address: Daimlerstrasse 25
  address: 76185 Karlsruhe
  phone: +49721 75407550
  nic-hdl: OW395-RIPE
  mnt-by: NETCUP-MNT
  created: 2010-11-03T14:34:38Z
  last-modified: 2017-10-30T22:11:28Z
  source: RIPE # Filtered

  route: 188.68.48.0/21
  descr: NETCUP-GMBH
  origin: AS197540
  mnt-by: NETCUP-MNT
  created: 2015-08-12T06:55:26Z
  last-modified: 2015-08-12T06:55:26Z
  source: RIPE
IOC Journey
Medium · First detected 3 years ago · Last seen 3 days ago
Appeared in 32 threat reports