IOC Radar
IP · Medium · Signal 61/100

193.23.244.244

Location
Germany
Berlin, State of Berlin
ASN
AS39788
Tor Authority Network in Berlin
First Seen: Aug 26, 2020 (2115d ago)
Last Seen: May 30, 2026 (12d ago)
Reports: 19 source reports
Confidence: 61% (medium)
Found in 19 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
61%
Signal Score
61 / 100
IDS Rule
No
Threat Context

MITRE ATT&CK TTPs: 114 techniques

Network Information

Country: DE (Germany)
Region: Berlin, State of Berlin
ASN: AS39788
Organization: Tor Authority Network in Berlin

IP Category

Proxy (proxy server)
VPN (VPN exit node)

Feed Intelligence Summary

19 source reports · 61% confidence score
Category tags
802.11 protocola serviceaaaaabcdabout contactabuseabuse contactacceptaccessaccess controlaccountaccount compromiseaccount securityacidrainacintactive attackactive scanactive scanningad environmentad groupadded activeaddressaddress googleaddress rangeadfindadministratoraerospace & defenseaes keyafghanistanafricaagentagent teslaahnlabahsai securityaigaitbalbaniaalbanianalbertaalertsalexalexaalexa topalexoalexo virustotalalienvault_ransomwarealiveall octoseekall scoreblueall searchallegatoallocation typeamadeyamerica flagamsi telemetryanalyzeanchoranchordnsandroidanliseanunakanydeskanydesk remoteapacheapache tomcatapi abuseapi blogapi callapi hashapi hashingappdataappeappearanceappleapple iosaptapt 27apt groupapt19apt27apt29apt29 activityapt29 conductapt41aquatic pandaarcanearchive phishingarmadillov171armeniaartefactsfolderartemisascii textascii valueascii85asec analysisasiaasnoneasnone unitedasyncratateraatera agentatomatomicattackattack overviewauroraauthentication attemptsauthorityautoitautomated activityautomotive manufacturingav evasionavastavosavoslockeraxeljgazaz09azorultbackbackdoorbad rabbitbad reputationbangladeshbankbank securitybankerbankingbasebase64base85basecampbatloaderbazaarbazaloaderbazarbazar c2bazar loaderbazarbackdoorbazarcallbazarloaderbazarloader dllbeaconbeacon dllbeacon payloadbeacon typebeacon versionbeaconloaderbeapybearbeatdropbeerbelarusbelowbeyondbingbitcoinbitsblack paperblackcatblackie virusblacklist httpblacklist httpsblacknet ratblackshadesblisterblobblockchainblockerbluenoroffboatlaunchbodybody doctypebokbotbookmark serverboommicbotnetbotnet activitybrazilbreachbrian sabeybridgebrowserbrute forcebrute force attackbughatchbuildbumblebee c2bumblebee dllbundledbypassc activityc serverc2c2 datac2 dropboxc2 profilec2 serverc2 trafficcaesarcampocampo loadercanadacanthroidcaploadercapturecarbon spidercashcatalog filecec listcenterallcerbercertchachachamelgangchanitorchannelchaprochatcheat servicecheckcheck 
mutexcheckinchecks-network-adapterschecks-user-inputchimerachinachina asnchina chopperchina unknownchinese-speaking cybercrimechiselchm filecidrcisacisco securecisco taloscisco threatcisco umbrellacivil servicesck idck matrixck techniqueclassclassloadercleanercleanupclickclick-based attackclosecloudcloud backupcloud infrastructurecnccnc servercnuserscnwe1 ogooglecobaltcobalt strikecobalt strike loadercobalt strikescobaltstrikecodecode executioncode injectioncode overlapcoinminercolor1cometcommandcommand & controlcommand and controlcommand decodecommand executioncommentcommercial bankingcommodity contracts intermediationcommunication protocolcommunication technologiescommunications networkscommunity analysiscompilecompromised infrastructurecompromised ios devicecompromised systemcomputer securitycomspecconceptconduitconficonfigconfluence dataconnect scanconnected devicesconsolecontcontactcontacted urlscontentcontent homecontent typeconticonti affiliateconti gangconti groupcontributorscontrolcookiecookie valuecopycorecore impactcortex xdrcouriercovewarecovid19cp1250creation datecredential accesscredential harvestingcredential stuffingcredential theftcredit card servicescritical infrastructurecrlf linecrowdstrikecrphcry killcryptcryptercryptocrypto exchangecrypto miningcrypto walletcryptocurrencycryptocurrency threatscryptojackerscryptojackingcs loadercsirtcsv geoipct6fnctrltcubacuba ransomwarecus cnr3cus oletcus subjectcustomerloadercvecvsscybercyber espionagecyber espionage solutionscyber riskscyber securitycyber threatcyber threat hunterscyber threatscyber warfarecyber weaponscybercrime hascybereason xdrcybersecurity architectcyclopsczechiada utrechtdapatodarkdark cometdark webdarkcometdarkgatedarkhoteldarkshelldarksidedatadata centerdata encryptiondata exfiltrationdata harvestingdata riskdata store exposuredatabase securitydatopdatoploaderdaveshelldbatloaderdc serverdclocalddosddos attacksdede summarydeadeyedeautherdecentralized financedecoydecryptdef 
condefenderspynetdefensedefense contractingdefense evasiondefense logisticsdefense systemsdefense technologydefraydefray777deletedelete cdelphidemodenial of servicedenial-of-servicedenis legezodesktopdetectdetect-debdetection listdevice managementdexterdfdownloaderdfir reportdfir teamdiavoldiceloaderdidier stevensdigital certificatesdigital currencydircreatedirect systemdirect-cpu-clock-accessdirectorydiscorddiscovery attdisplaynamedistributed attacksdiv divdiv formdkmcdkmc frameworkdll filedll librarydll payloaddll sideloadingdllentry ratdllsdnc hackdnc networkdnsdns attackdockdocs pricingdoddoesndomaindomainabusedonald trumpdonedone addingdonutdoormedoorme backdoordoppelpaymerdoradorkbotdosdos headerdownldrdownload tlsdownloaderdownragedpiawaredragdridexdropboxdropbox loaderdroppeddropperdrops cobaltduckdukedumpdumpingduqudustpandworddynamicdynamic apidynamicloaderearth wendigoeasyeasylookedr hooksedreppeducationefnoegregoregregor payloadel torelectronic health recordselectronics manufacturingelfeliteemergency servicesemerging threatemissary pandaemotetemotet campaignemotet coreemotet epochemotet payloademotet runempireempty fileenableencoderencpkencryptencrypt cne6encryptionendgame systemsendpoint1energyenergy systemsengineeringenglishenjoyenterprise securityenterpssessionentityentriesentries disaentropyentry pointenumerateenumerate guiepochepochsepochtimeequation group toolserik hjelmvikerroreseteset researcheset securityestoniaesxiet cncet exploitet infoet toreuropeeurope/asiaevasion attevil corpexcelexecutable fileexfiltrationexisting pulseexitexitendififexotic lilyexpert perspectiveexpiration dateexpiredexploitexploitation activityexploited hostexploits & vulnerabilitiesexport functionexternal threatextortionfailfalconfalcon completefali contactedfali maliciousfalsefastfbi flashfeaturefeodo trackerficker stealerfigurefilefilejustfileless malwarefilerepmalwarefilesfiles ipfiles matchingfillerfin scanfin7finalfinancefinance and insurancefinancial 
crimesfinancial institutionfinancial servicesfinancial systemsfinancial technologyfindfinlandfinspyfireeyefirstfirst detectionfishmasterfivehandsflexfoodfooterfoozerforceforeignforeign affairsformform divformatfortunefoundfoundry typeframe injectionfrancefrance asnfrom karakurtfrontfrpftpftp brute forcefunctionfusioncoreg o2g2 cgap analysisgasgategate variantgaussgeckogenco labsgeneratorgenericgeneric malwaregeneric.933739georgiagermanyget diskget fileget httpget httpsget requestgetchilditemgetoperandvaluegif headergithubgithub projectglobal funcgnu cgo downloadergogogolanggold blackburngoogle chromegoogle cloudgoogle docsgoogle drivegoogle safegootkitgootkit loadergootloadergotrojgovernment facilitiesgovernment overreachgovernment sector targetinggovernment technologygozigozi malwaregrabffgrantedaccessgrapeloadergreecegriffongroup policygroupexchangegrouprevilgroupuchebkacguardguloaderhackhackermanhackinghacking teamhadeshaixi mongolhancintorhancitorhancitor c2hancitor dllhancitor exehandlehandoverharpyharvesterhashhashes fileshatching triagehavocheaderheader intelheadlineshealthhealth care and social assistancehealth information technologyhealthcare information systemshellhellohello packethellokittyheurhidehidedrvhighhighesthikithillhistorical sslhivehoneymytehoneynet connecthong konghookhookshospital managementhostilehostnamehostname addhostname enumerationhta filehtmlhtml filehtml objecthttphttp attackhttp brute forcehttp c2http gethttp methodhttp posthttp requestshttp scannerhttp traffichttpshttps traffichumanhuntershwinithlwhybridhydraicedidicedid malwareicedid payloadiceidicmpida proidentity & access exploitationids detectionsiframeigosiis workeriit appil fileil messaggioimages evidenceimapimpactimportincident responseindia-chinaindicatorindonesiaindustrial automationindustrial iotindustrial productionindustrial spyinfectionidinfoinfo compilerinformation gatheringinformation technologyinfostealerinfrastructure acquisitionreconnaissanceingress toolingress 
tool transferinitial accessinitial contactinjectinjection activityinjection attacksinjection t1055injectorinput validation bypassinstallinsurance carriers and related activitiesintelintel macinternet of thingsinternet stormintro contiinvestigation servicesinvestigationsiobitiocioc510iocindicatoriocsiosiot analyticsiot applicationsiot botnetiot platformsiot securityiot/ics attackipcountipv4ipv4 addiran, islamic republic ofirataiso fileiso filesystemiso imageissuer cusissuer orgit infrastructureitaliaitalyitw nameja3ja3sjames haughomjan rubnjapanjapan as4713japan unknownjarmjarm signaturejarsjasonjavascript codejavascript injectionjitterjohnjs filejson objectjssloaderkarakurtkaspersky icskazakhstankazuarkeep alivekerrdown samplekey identifierkey infokeyloggerkeyplugkhalesikhtmlknightknown torkoadickorea, republic ofkoreankportscankronoslameroslapsus nvidialaterlateral movementlateral movement attemptslatinlatvialazagnelearnlearn morelegacylegallegezolemon ducklengthleviathanlibrelifelimelink librarylinodelinuxlinux systemlithuanialnk filelnklnklnklnkloaderlocallockbitlockbit blacklog4jlog4shelllogicloginlogin attemptlogmeinlokibotlolbinslondonlong-sleepslooklowfilpwstr lpbufferlsasslsass memorylsass processltexasluckyluckymouseluminousmothmac osmacawmachinescalemachomacosmacromagicmailtomainmain entrymakadocsmakesmaktub lockermalaysiamalcatmaldocmalicious activitymalicious downloadmalicious filemalicious linksmalicious powershell activitymalicious sitemalicious softwaremalicious url repositorymalspammalvertizingmalwaremalware analysismalware descriptionsmalware distributionmalware noradmalware sitemalware technologiesmalwarebazaarman-in-the-middlemanagemanaged xdrmanualmanufacturing technologymarchx8664 gmaremarkmark sabeymarkusmaskmass port scanningmatanbuchusmatches nomatrixmazemaze ransomwaremcafeemcsfmediamedical servicesmediummedium windowsmedremeetingmegamenu closemenu homemespinozametametadata 
analysismetasploitmeterpretermethodmethodologymexicomichaelmicromicrobackdoormicrosoft docsmicrosoft wordmidst intrusionmilitary operationsmillionmindminermiraimirai botnetmisc attackmitre attmobilemobile carriersmobile malwaremobile networksmobile securitymobile threatmodelmodulemodule downloadmodule stompmodules t1129mongoliamonitored targetmonitoringmonovmmonpassmonpass clientmonpass webmorphisec labsmortomotcmotnugmountlockermovedmovingmozillams visualms windowsmsbuildmsbuild processmsbuild projectmsf downloadermsf shellcodemshtml enginemsiemsilmssqlmssql processmssql servermuddywatermultiplemustang pandamyanmarmyrtusmz headern c2n cobaltn httpsnaganamename filename md5name servername serversname tacticsname verdictnanjingnanocore ratnarilamnation-state activitynational securitynativenativezonenbtscannebulaneitherneshtanetnetbiosnetherlandsnetscannetspynetsupport ratnetwalkernetwirenetwire rcnetworknetwork attacksnetwork disruptionnetwork enumerationnetwork forensicsnetwork intrusionnetwork protocolnetwork reconnaissancenetwork scannetwork scanningnetwork securitynetwork service scanningnetwork trafficnetwork traffic analysisnetworks unitnetwormnevernew pulsenew zealandnewsnextnext associatednextraynexusngrokngrok tunnelnightnim malwarenim programmingnimgrabbernimrevnimrodnimrodnimzanimzaloadernjratnltestnobeliumnodenode trafficnonamenoname057north americansansa exploitsnsa weaponsntdsntlmntlm hashnull scannumbero2 o2ocean lotusoceaniaoceanlotusoffensivenimoilrigololone marketplaceoniondukeonlinonloadoofficeopenopen processopen sourceopen_source_toolopenfieldopensopenssloperating systemoperating system securityoperation pawnoperationsopsecor filefullnameoracle weblogicorgidorionos versionos xotx octoseekoverownerp4bnzr0packedpalo altopanamapandapartpasspassive dnspassword attackpassword attackspatchpatch managementpathpath traversalpatient carepattern matchpawn stormpayloadpayloadbinpayment processingpayment securitypayment system attackpaypalpcappdf documentpe 
headerpe resourcepe sectionpe32 compilerpe32 executablepegasusloaderphasephishphishingphishing attackphishing intelligencephishing sitephotoloaderpingpinkslipbotpioneerpipespl shellcodeplatform sha256pleadpleaseplinkplugxplugx backdoorplugx implantpng imagepoisonpolandpoliceponypoortryportportalportal openpos softwareposhc2postpost bodypost methodpost-incident analysispotential data breachpotential scanpowerpowershellpowershell ratpredatorprefecturepresent aprpresent augpresent decpresent janpresent julpresent junpresent marpresent seppress enterprimary threatprint debugpriorprivacyprocessprocess hackerprocess injectionprocess manufacturingprocess: csrss.exeprojector libraprophetprophet spiderprotectprotocol exploitationproxyproxy avoidanceproxyshellpsexecpsrppublicpublic administrationpublic infrastructurepublic policypulse as16509pulse pulsesputtypymafkapysapysa ransomwarepythonpython scriptpyxieqakbotqakbot binaryqakbot malspamqakbot malwareqbotquality controlquasarqueryquesto certquietexitraasraccoonradarradminragnarlockerraindrop loaderrandomransomransom virusransomexxransomhubransomwarerapid7rararchiveraspberry robinratrat trojanrate limiting bypassratsrazyrc4 encryptionread creadsreaves6 minrecaptcha bypassreconrecon villagereconnaissancerecord valueredlineredline stealerreferrefreshregszregulatory agenciesregwriterelated nidsrelated pulsesrelatedtoremcomremcosremcos trojanremcosratremote accessremote servicesremoverenamereportreportsrequestresearchresearchedresolverrorresource hijackingresponse iprestartreturn addressreverse dnsreverse iprevilrevilcontirich textripe nccritarmsrobinhoodrollcoastromcomromcom ratrootroot caroot pathrostpayrozenarpcsrubeusrubyrun registryruntime modulesruntime-modulesrussiarussia unknownrussian federationrustrustockrustybuerryukryuk domainryuk hostryuk ransomwareryuk threatsabbathsabey typesafe browsingsafe sitesafetykatzsagesample cubasamplessandboxsandbox reportscalescams & fraudscan activityscan behavioralscan 
endpointsscannerscanning activityscoutscriptscripting attacksscripting languageseadukesearchsearch engine overlaysearch liveseatbeltsecurexsecurity groupssecurity operationssecurity policysekhmetsekurselectserbiaserverserver helloserversserviceservice disruptionservice mainservice scanservice workerset currentsfx codesfx fileshadowshadow brokersshadow chasersharpkatzshathakshellshellcodeshowshowingshownshutsignsignal jammingsilentsilent breaksilent trinitysilentbreaksilk roadsitesizesleepsleepexslingshotsliverslovakslovakiasmadavprotect32smallsmart devicessmb beaconsmb brute forcesmokeloadersmtpsmtp brute forcesnakesnortsnowsoarsocsocgholish netsupportsocial engineeringsocial media securitysocssodinokibisofacysoftethersoftware developmentsoftware exploitationsoftware vulnerabilitiessolarstormsolarwindssomniasorry index networksortsourceimagesouth africasouth americasouth koreaspamspansparklinggoblinsparkratspawnspawnsspear phishingspeedsphwspidersprite spiderspyeyespyrixkeyloggerspywaressh attackssl certificatesslblstabuniqstackstagestagerstagesstarstarkstarsstarted servicestartwstatastatestatusstdoutstealerstealthstealth scan techniquesstellarparticlestolen toolsetstoneboatstopstormstorystreamstrikestrike activitystrike beaconstrike loaderstrike payloadstringstringsstrongstrontiumsttxstuxnetsubjectsubject publicsublime editorsummarysuncryptsupernovasupply chain attacksupply chain managementsurfnet bvsusp_confuserex_obfuscatedsusp_net_name_confuserexsvchostswedishswiftswrortsyn scansyscallsysdigsystem 
disruptionsystembcsyswhispers2szdrft1005t1012t1014t1016t1018t1021t1021.001t1021.002t1021.003t1021.004t1021.005t1027t1040t1041t1045t1046t1047t1053t1054t1055t1055.012t1056.001t1057t1059t1059.001t1059.003t1059.004t1059.007t1060t1063t1064t1067t1068t1069.001t1071t1071.001t1071.004t1076t1077t1078t1078.002t1082t1086t1087t1090t1095t1105t1110t1110.001t1110.002t1110.003t1110.004t1112t1113t1114t1119t1129t1133t1134t1140t1143t1176t1189t1190t1195t1203t1204t1204.001t1204.002t1205t1210t1480t1480 executiont1486t1490t1491t1496t1497t1497.001t1498t1499t1499.001t1499.002t1499.003t1499.004t1547t1553t1555t1560t1561t1561.001t1561.002t1563t1565t1566t1566.001t1566.002t1566.003t1568t1569.002t1571t1573t1574t1583t1583.005t1587.001t1588t1589.001t1590.001t1592t1595t1595.001t1595.002t1595.003t1608.001ta0002 sharedta413ta471ta551ta578ta800tag counttalostargettargeted attackstargetimagetask managertcp porttcp protocoltcp scanteamteamt5teamt5 teamt5techtelecomtelecom servicestelecommunicationstelnet threattemptencenttexttext geoip6text statetftptheftthemidathorthreatthreat actorthreat advisorythreat alertthreat analysisthreat analysis servicethreat feedthreat gridthreat intelligencethreat networkthreat preventionthreat reportthreat researchthreat responsethreat spotlightthreat-intelligencethreatsthreatsonarthreatsonar anti-ransomwarethreatvisionthrowbackthustibetan targetstinbatipstitletldstls clienttls handshaketls servertoolstortor directorytor exittor nodetor relaytor relay routertotaltouchtracingtrackertraffic group 238traffic group 252traffic group 333traffic group 778traffic group 815traffic groupstransferxl urltransferxl urlstransportation networkstravelextreaty 6treaty sixtrellotrend microtrend visiontrickbottrickbot c2trickbot crewstrickbot grouptrickbots crewtrickbots cstriggertrinidad and tobagotrinitytrojantrojan featurestrojan malwaretrojandroppertrojanspytrojanxtrumptrusttsara brashearstsara brashness deadttpstulachtulach typeturkeyturkishturlatvrattwittertycoontypetype 
indicatoruac0056udp a83f8110udp port scanudp scanukraineunauthorized access attemptunc1151unc2165unc2190unc2190 beaconunc2198unc2452unc2465unc2589unc3381unified accessunionunitunitedunited kingdomunited statesunix.dropper.miraiunknown nsunsafeunusual porturisurlcampourlsurls httpurlshxxpursnifus as15169us as396982uscertuseuse sectionuser executionuserpcnameutorrentuuid variantuuidsuwagav3 serialvaporragevariantvaronisvaronis threatvatetvawtrakvba macrovbs scriptverifyvhashvidarvietnamviewvincssvirgin islandsvirusvision onevmwarevmware commandvmware horizonvmware identityvmware xfervnc activityvobfusvoicevoidvollgarvpnvscodevulnerability scanvy binhwacatacwaf rulewater systemswdigestwealth managementweb application attackweb application exploitationweb developmentweb exploitationweb scrapingweb securityweb trafficweblogic accesswebshellwherewhois recordwhois serverwhois whoiswi-fi password theftwifi deauthentication attackwim biemoltwin16 newin32 dynamicwin32 exewin32 malwarewin32.agentwin32.bitcoinminerwinapiwinapi callwindwindowwindowswindows binarywindows contextwindows eventwindows exewindows hostwindows logonwindows malwarewindows ntwindows remotewindows servicewindows systemwine emulatorwineloaderwinidswinntiwinnti groupwinrarwinrmwinscpwiperwireless attackwirelurkerwizard spiderwmicwmiexecwordword documentworkspace onewormwritewscriptx applex.509xcnfexll filexmas scanxml titlexmrigxor algorithmsxratxss attackxtunnelxyzcampobb hxxpyahxzyakesyanluowangyarayara detectionsyara ruleyara signatureyour ipz85 ascii85z85 httpszbotzenpakzeuszip filezloaderzscaler cloudzusyzxkbdklakv

Activity Timeline

1 total observation (May 30 to May 30)

Threat Activity Heatmap

· Peak: 2026-05-30
[Calendar heatmap, Jun through the following Jun, one observation on the peak date; cell grid omitted]
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: Medium Risk
Signal Score: 61
Confidence: 61%
Reports: 19
First seen: Aug 26, 2020
Last seen: May 30, 2026
Geolocation: DE
Country: Germany
Location: Berlin, State of Berlin
ASN: AS39788
Org: Tor Authority Network in Berlin
Coords: 51.2993, 9.4910
Categories: Proxy, VPN

VirusTotal

Not checked

WHOIS

inetnum: 193.23.244.0 - 193.23.244.255
netname: DANNENBERG-NET
org: ORG-CCCE3-RIPE
remarks: Dannenberg Tor Authority Network
country: DE
admin-c: BSD-RIPE
tech-c: BSD-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: IN-BERLIN-MNT
mnt-by: CHAOS-MNT
mnt-routes: CHAOS-MNT
mnt-domains: CHAOS-MNT
created: 1970-01-01T00:00:00Z
last-modified: 2016-04-14T11:05:32Z
source: RIPE

organisation: ORG-CCCE3-RIPE
org-name: Chaos Computer Club e.V.
country: DE
org-type: LIR
address: Zeiseweg 9
address: 22765
address: Hamburg
address: GERMANY
phone: +49404018010
admin-c: CCC-RIPE
tech-c: CCC-RIPE
abuse-c: CCC-RIPE
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: CHAOS-MNT
mnt-by: RIPE-NCC-HM-MNT
mnt-by: CHAOS-MNT
created: 2015-06-24T13:32:44Z
last-modified: 2020-12-16T13:31:39Z
source: RIPE # Filtered

person: Andreas Lehner
address: Chaos Computer Club e.V.
address: Postfach 64 02 36
address: 10048 Berlin
address: Germany
phone: +49 40 401801-0
fax-no: +49 40 401801-40
org: ORG-CCCE3-RIPE
nic-hdl: BSD-RIPE
mnt-by: CHAOS-MNT
created: 2002-03-24T18:04:53Z
last-modified: 2015-08-23T16:44:33Z
source: RIPE # Filtered

route: 193.23.244.0/24
origin: AS39788
descr: DANNENBERG-NET6 via AS39788 in Berlin
mnt-by: CHAOS-MNT
created: 2022-05-22T18:25:11Z
last-modified: 2022-05-22T18:25:11Z
source: RIPE

route: 193.23.244.0/24
descr: Tor Authority Network via AS50472 in Berlin
origin: AS50472
mnt-by: CHAOS-MNT
created: 2010-01-22T15:49:57Z
last-modified: 2010-01-22T15:49:57Z
source: RIPE
references
https://www.cisa.gov/uscert/ncas/alerts/aa22-335a
https://www.virustotal.com/graph/ga30c6413c45144b1a221e1aff89d0409388da1a555bc4109bbc3d1391bcab10f
Ransomware»TrojanDownloader:Win32/Dalexis | FileHash-SHA256 01da63fd3b935be956657d8f7212e976c553a6e040d5db9592fab807441b3e32
Antivirus Detections: Win32:Filecoder-AD\ [Trj], Win.Malware.Cabby-6803812-0, TrojanDownloader:Win32/Dalexis!rfn!rfn
IDS Detections: Maktub Locker TOR Status Check, TOR Consensus Data Requested, TOR 1.0 Server Key Retrieval, Tor Get Server Request, TLS Handshake
Domains Contacted: fbi.gov
IP's Contacted: 104.16.149.244 128.31.0.39 131.188.40.189 14.200.177.98 148.251.79.57
IP's Contacted: 185.220.100.255 199.249.230.142 199.254.238.52 23.128.248.20 45.58.156.76
tulach.cc | 114.114.114.114 [public1.114dns.com] | thebrotherssabey | bian sabey under multiple WP & DGA domains, various titles, various roles
External Hosts Top Country: United States, Germany | IP Hostname: 104.16.149.244: fbi.gov | United States: AS13335 cloudflare
Type Indicator Reason: IPv4 104.16.149.244 In CDN range: provider=cloudflare; IPv4 131.188.40.189 IP Associated with Tor Exit Nodes
Type Indicator Reason: IPv4 192.168.56.108 Private IP Address; IPv4 46.20.35.112 IP Associated with Tor Exit Nodes; Domain: fbi.gov
PE Anomalies: entropy_based | Yara Detections: stack_string | Stack_String: EEEEEEEEEEEEEEEEEEEEEEEEE
DISA Entrypoint: call 0x41259b jmp 0x40b3ac int3 int3 int3 int3 int3 int3 int3 int3
https://otx.alienvault.com/otxapi/indicators/file/screenshot/01da63fd3b935be956657d8f7212e976c553a6e040d5db9592fab807441b3e32
Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad network_cnc_http network_http packer_entropy
Alerts: allocates_rwx creates_hidden_file dropper has_wmi protection_rx antivm_network_adapters raises_exception
Alerts: queries_programs wmi_antivm checks_debugger generates_crypto_key recon_fingerprint pe_unknown_resource_name
Interesting Strings: http://ns.adobe.com/xap/1.0/mm/ http://ns.adobe.com/xap/1.0/ http://ns.adobe.com/xap/1.0/sType/ResourceRef
Interesting Strings: http://www.w3.org/1999/02/22
Virus: "ba30376f915afa868763f84299fae5d2.virus.rtf - LibreOffice Writer"
Cryptographical plain text: [non-printable bytes]
IDS: Matches rule ET JA3 Hash - Possible Malware - Dridex
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic Groups: 129, 750, 824, 439, 282, 820, 21, 63, 896, 91, 11, 202, 684 919, 31, 156, 743
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic Groups: 869, 42, 6, 443, 85, 416, 688, 117, 217, 217, 443, 709, 703, 879, 338, 682
Matches rule Wow6432Node CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
IDS: Matches rule POLICY-OTHER HTTP request by IPv4 address attempt; Matches rule POLICY-OTHER TOR traffic anonymizer server request; Matches rule ET POLICY TOR Consensus Data Requested; Matches rule ET P2P Tor Get Server Request; Matches rule ET P2P TOR 1.0 Server Key Retrieval
IDS: Matches rule (http_inspect) white space before or between HTTP messages; Matches rule SURICATA HTTP Request abnormal Content-Encoding
Sigma: Matches rule Failed Code Integrity Checks by Thomas Patzke; Matches rule Process Creation Using Sysnative Folder by Max Altgelt
YARA Signature Match - THOR APT Scanner - RULE_AUTHOR: Florian Roth
RULE: MAL_Agent_May20_1 RULE_SET: Livehunt - Default22 Indicators RULE_TYPE: VALHALLA rule feed only ⚡- RULE_AUTHOR: Florian Roth
RULE_LINK: https://valhalla.nextron-systems.com/info/rule/MAL_Agent_May20_1 DESCRIPTION: Detects malware used in activity noticed 05/2020 likely related to Chinese actor
REFERENCE: ACSC IOCs May 2020 pivoting RULE_AUTHOR: Florian Roth
https://www.nextron-systems.com/notes-on-virustotal-matches/
114.114.114.114 IDS Detections: DYNAMIC_DNS Query to a *.ns1.name Domain; Query to a *.top domain - Likely Hostile; Observed DNS Query to .work
IP 114.114.114.114 Antivirus Detections: !#SIGATTR:IEProxyChange, ALF:Backdoor:Win64/Meterpreter.AB!MTB
IP 114.114.114.114 Antivirus Detections: ALF:PUA:Block:VrBrothers.R!MTB, ALF:Trojan:MSIL/AgentTesla.KM, ALFPER:RefLoadApiHash
IP 114.114.114.114 Antivirus Detections: Backdoor:Linux/Dofloo.A!MTB, Backdoor:Linux/Gafgyt.AF!MTB, Can't access file
IP 114.114.114.114 Antivirus Detections: Trojan:Win32/Magania.DSK!MTB, TEL:SIGATTR:CreateRemoteThread
IP 114.114.114.114 Domain 114dns.com: PegasusPlus
Emails: [email protected] Name: Zhao Zhenping Name Servers: NS1000.114DNS.COM Org: Nanjing XinFeng Network Technologies, Inc., Address: Room 301, Building 3B, Startup park, High Tech park, Shiyang Road 56, Baixia District, Nanjing, Jiangsu, China City nan jing shi Country
https://blog.malwarebytes.org/intelligence/2016/03/maktub-locker-beautiful-and-dangerous/
https://asec.ahnlab.com/en/61164/
https://alertas-y-seguridad.jimdosite.com/repositorio-ioc/
https://www.virustotal.com/graph/embed/gd4cd9ebde2344dd0b9fd4c969352ba6db553994d23a3492d99413f6107a2243c?theme=light
https://hybrid-analysis.com/sample/ee534a0e8a8bc013fadef020f518d44925b2adf0126444aee53b7a51aadfcb7a/654f6940ec2068706b0ae5ca
Domain nr-data.net (Apple Private Data Collection)
Hostname www.bing.com (pattern match)
URL https://assets.msn.com/bundles/v1/homePage/latest/midlevel/vendors.ef7dde432bed42c1b7db.js (t .map "pattern match")
Hostname www.pornhub.com (password cracker)
URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (password cracker)
Hostname vortex-nlb-http2-fed-us-taut-purple.nr-data.net
URL http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/
FileHash-MD5 879623feffedf5672dffc85c269af125
img-prod-cms-rt-microsoft-com.akamaized.net (img-prod-cm Nagano east amazonaws)
https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= (nr-data.net email collection contractual agreement)
Hostname www.assurant.com (nr-data email collection from apple devices)
http://url3308.macorva.com/asm/UNSUBSCRIBE/?user_id=10055259&data=bQ0N-GNp87vailMH8NcX8hVikM6oRFcaYffHPXNvHhxoMDAwdTAwMIZgp6VEcimR2OR6-FgE5LbQmvMKgBcNzfKlzFUlyGhihCTfgGNhqBwYspOmdyExodXueDIXSrpmprp7qqmciBoXxvis5p6MnzhFBM5DSEXvhwy8DunkXxGDBX-Jps3Ihyo3TwAwGKJrlBnUc9b0m9OrG0Gnn8WUnB94unMY8ZMOgaCblwprg85sSdpRgipzAMyP_KxiQKceH-blAFTSIxL5MCSDStpmbiQZ4hVBNMKVaD7KsxSMie09qyTXMdiTsBZv57uwBpGLwpsKyNyJRNDag3flmayRklZ3XkMkhxm8epKkbxiASkjL8XqOpRh1MYS92ivMoL0YvpNeaKc_svs=
URL http://movies.waploaded.ng/search/Horse-Sex-Women.html
https://ftp.zedz.net/vir/Trojan-PSW.HTML.YahooLogon/
time-a.nist.gov (DNS ipify Control)
local -> 199.249.230.162:80 (TCP) Potential Corporate Privacy Violation ET P2P Tor Get Server Request 2008113
https://otx.alienvault.com/indicator/url/http://blacklist1.dnsblocklist.com
https://otx.alienvault.com/indicator/url/http://cinefest.com/en/submissions/
hostnameobject.prototype.hasownproperty.call (API commands to newly acquired property of target and family)
e.call (API call invasion)
t.call (targets communication storage)
https://app.call-em-all.com/broadcasts/all/login?redirect=/broadcasts/all
http://call-em-all.com/DeleteNumberFromBroadcast (Brutes)
http://call-em-all.com/AddNumbersToBroadcast
http://call-em-all.com/AddPersonsToList
http://call-em-all.com/GetAccountKeywords
http://call-em-all.com/CheckPhoneNumber
http://call-em-all.com/GetSMSOptIns
http://call-em-all.com/UpdateAccountInfo
http://call-em-all.com/InsertCustomCall
http://call-em-all.com/GetSchedules
ec2-35-161-55-221.us-west-2.compute.amazonaws.com (Boardman, Oregon)
Detections: Potential SSH Scan OUTBOUND
Tor Get Server Request
monitoring.akhavan.pro
https://wallpapers-nature.com/tsara-brashears/urlscan-io
alohatube.xyz
https://www.anyxxxtube.net/search-porn/tsara-brashears/
http://alohatube.xyz/search/tsara-brashears
https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian
ww.google.com.uy
https://alohatube.xyz/search/tsara-brashears
https://wallpapers-nature.com/%20tsara-brashears/urlscan-io
https://polling.portal.gov.bd/js/npc.script.js
polling.portal.gov.bd
https://polling.portal.gov.bd/js/npop.script.js
http://watchhers.net/index.php
https://brandyallen.com/2022/11/23/sexy
m.pornsexer.xxx.3.1.adiosfil.roksit.net
http://park.above.com/jr.php?gz=DjDNgvDQ0WlpBALxevxSvkF3jBH95b5riUvmgFjb1tbPDV06suYFlRcPA34ufLE5UZ8spiM7ya7tRXR8nLUgk920DSaIXniiR5hkoveznG%20mez7OU5R%20HKIczV475LuRwxm3J1pcRSpQcePtF/4aD%20frLO%205mYc0Maj8Z1IwBeAMESc9Gk3BzCkGUHNVeCAZ9vZrQhEeVvN%20QVBAu1boZNJTnvCAP0lB5ebMSP92bFHD/ItyL53LoVDSYWMd64KTNMMJaXE0kZVqQn/%20STriQbrA6cmW3Xj4sAJ3XXEbNNJzTbIvgsy00PlKWInEUK/iXzVecaBsXg3vkUcvkeM3HPPIajaBexXO7ATYz/qTeKAksI9l2IoDAsn0S9BYCTuP8uTYdgJAv0LO%20MkNBOrSqJnFQzTlNxG4NRSP6K4VDWklVPpCwQc/s/AfrwIdLcdrV6CQDLaluG1naOjXDc
http://nhrc.portal.gov.bd/sites/default/files/files/nhrc.portal.gov.bd/page/348ec5eb_22f8_4754_bb62_6a0d15ba1513/Study-Report-on-Sexual-Offences_Final.pdf
https://twitter.com/PORNO_SEXYBABES
https://alohatube.xyz/search/sex-mom-dog-animal
https://www.colorfulbox.jp/
Hybrid Analysis
Any.run
OTX AlienVault
Urlscan
UrlVoid
http://emrd.gov.bd/dead.php
http://titasgas.portal.gov.bd/dead.php
http://mincom.gov.bd/dead.php
http://cabinet.gov.bd/dead.php
September 16th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #3255 Cuba's BurntCigar malware
https://www.ic3.gov/Media/News/2021/211203-2.pdf
https://www.cisa.gov/uscert/sites/default/files/publications/AA22-335A-2.stix.xml

IOC Journey

medium
First detected 5 years ago · Last seen 12 days ago
Appeared in 19 threat reports