IOC Radar
IPMediumSignal 0/100

216.239.38.120

Location
United StatesUnited States
Austell, Virginia
ASN
AS15169
Google LLC
First Seen
Jan 20, 2021
Last Seen
Jun 9, 2026
Jan 20
First Seen
1967d ago
Jun 9
Last Seen
yesterday
4
Reports
source reports
0%
Confidence
medium
Found in 4 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
0%
Signal Score
0 / 100
IDS Rule
No
Threat Context
Tags

Network Information

CountryUSUnited States
RegionAustell, Virginia
ASNAS15169
OrganizationGoogle LLC

Feed Intelligence Summary

4 reports0% confidence
4
Source reports
0%
Confidence score
Category tags
indicatornetworkresearched

Activity Timeline

1 total obs
Jun 9Jun 9

Threat Activity Heatmap

Less
More
Mon
Wed
Fri
Jun
·
·
·
Jul
·
·
·
Aug
·
·
·
Sep
·
·
·
·
Oct
·
·
·
Nov
·
·
·
Dec
·
·
·
·
Jan
·
·
·
Feb
·
·
·
Mar
·
·
·
·
Apr
·
·
·
May
·
·
·
Jun
24h
0
Dormant
7d
1
Minimal
30d
1
Minimal
3mo
1
Minimal
Intelligence SummaryAI Generated

This indicator of compromise (IOC), an IPv4 address 216.239.38.120, has been officially whitelisted across multiple threat intelligence feeds, indicating its benign nature. With a score of 0.0 and an explicit "Yes" whitelist status, this IP address is not associated with any malicious activities or threats. Its inclusion in various intelligence feeds primarily serves to confirm its legitimate operation rather than flagging it as a risk. Organizations can therefore consider this IOC as low-risk, …

Threat ScoreLow Risk
0
SIGNAL
Signal Score
0%
Confidence
4
Reports
First seenJan 20, 2021
Last seenJun 9, 2026
GeolocationUS
CountryUnited States
LocationAustell, Virginia
ASNAS15169
OrgGoogle LLC
Coords34.0544, -118.2440

VirusTotal

Not checked

WHOIS

raw
NetRange: 216.239.32.0 - 216.239.63.255 CIDR: 216.239.32.0/19 NetName: GOOGLE NetHandle: NET-216-239-32-0-1 Parent: NET216 (NET-216-0-0-0-0) NetType: Direct Allocation OriginAS: Organization: Google LLC (GOGL) RegDate: 2000-11-22 Updated: 2012-02-24 Ref: https://rdap.arin.net/registry/ip/216.239.32.0 OrgName: Google LLC OrgId: GOGL Address: 1600 Amphitheatre Parkway City: Mountain View StateProv: CA PostalCode: 94043 Country: US RegDate: 2000-03-30 Updated: 2019-10-31 Comment: Please note that the recommended way to file abuse complaints are located in the following links. Comment: Comment: To report abuse and illegal activity: https://www.google.com/contact/ Comment: Comment: For legal requests: http://support.google.com/legal Comment: Comment: Regards, Comment: The Google Team Ref: https://rdap.arin.net/registry/entity/GOGL OrgAbuseHandle: ABUSE5250-ARIN OrgAbuseName: Abuse OrgAbusePhone: +1-650-253-0000 OrgAbuseEmail: [email protected] OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE5250-ARIN OrgTechHandle: ZG39-ARIN OrgTechName: Google LLC OrgTechPhone: +1-650-253-0000 OrgTechEmail: [email protected] OrgTechRef: https://rdap.arin.net/registry/entity/ZG39-ARIN RTechHandle: ZG39-ARIN RTechName: Google LLC RTechPhone: +1-650-253-0000 RTechEmail: [email protected] RTechRef: https://rdap.arin.net/registry/entity/ZG39-ARIN
references
Ebury Botnet-19-5-2024.xlsx: FileHash-SHA256 9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e, https://www.al-dawaa.com/arabic/xefo-injection-8-mg-powder-1-v.html, api.wipmania.com - Verdict :External IP Lookup Service IP Address: 127.0.0.1, Ransomware: ransomed.vc, http://www.ransomed.vc, https://www.ransomed.vc, Apple: emails.redvue.com, apple-dns.net, nr-data.net, IDS Detections: External IP Lookup Attempt To Wipmania Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0), IDS Detections: Win32/IRCBrute/Floder.ej/TKcik.A Checkin | Dorkbot GeoIP Lookup to wipmania | Win32/IRCBrute/Floder.ej/TKcik.A Pass Checkin, DNS Resolutions: When executing the file being studied, it performed the following domain name resolutions. accounts.google.com 172.253.125.84, DNS Resolutions: otx.alienvault.com 108.138.167.23 108.138.167.17 108.138.167.55 108.138.167.82, Highlighted actions: Calls Highlighted RtlWow64GetCurrentMachine RtlWow64IsWowGuestMachineSupported, Crowdsourced IDS: rules Matches rule (http_inspect) HTTP Content-Length message body was truncated, Malware Behavior: Command and Control OB0004 C2 Communication B0030, Malware Behavior: Communication OC0006 HTTP Communication C0002 WinINet C0005 InternetConnect C0005.001, https://members.a-poster.info/- Members anonymously bully, post porn, someone's name with malicious titles., Ebury Botnet: UnknownStealerRecovered.exe, 20240224105334.pm, rdpwrap.dll ,emails.redvue.com, alt8.gstatic.com. asaawww.gstatic.com, Ebury Botnet: alt14.gstatic.com, alt5.gstatic.com, ccd-testing-v4.gstatic.com, checkin.gstatic.com, chromeos-ca.gstatic.com, drive.gstatic.com cofr.jquery.com, Ebury Botnet: eee.gstatic.com, encrypted-tbn0x.gstatic.com, apex.jquery.com,araclar.jquery.com, assets.jquery.com,assetsp.jquery.com, Ebury Botnet: content.jquery.com, Amvima.com, attachments.jquery.com , brand.jquery.com, brandon.jquery.com, calendar.jquery.com, Ebury Botnet: cdn.jquery.com, code1.jquery.com, code123.jquery.com, code2.jquery.com, codeorigin2.jquery.com, codes.jquery.com, Ebury Botnet: www.gstatic.com, cdn-cybersecurity.att.com, cdn.amplitude.com, cdn.bizible.com, www.google-analytics.com, www.google.it encrypted-tbn3.gstatic.com, jquery.com www.code.jquery.com, api.jquery.com ,blog.jquery.com, bugs.jquery.com ,codeorigin.jquery.com Malware site - Hybrid-Analysis apple-dns.net, www.metrobyt-mobile.com www.trellian.com, d2tobj9dlmyzd8.cloudfront.net alt001.www.gstatic.com error.www.gstatic.com, a.www.gstatic.com sddoodlepups.com ransomed.vc not found Data, Ebury Botnet: CVE-2020-0601, CVE-2018-8174, CVE-2017-8570, CVE-2016-0189, CVE-2023-22518, CVE-2023-4966, Ebury Botnet: https://www.anyxxxtube.net/search-porn/tsara-brashears/, Ebury Botnet: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian, trojan.boilod.sm, trojan.script.ls, http://trojan.script.ls/, a-poster.info, https://otx.alienvault.com/indicator/file/f0b09b88d6a4f7ffa7ea912e255537dead276e813d64171a1d8b1e99982ddbd2, Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/summary, Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/behavior, I really have no idea what's going on or how safe this platform is., www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Songculture linked to Darklivity Podcast, https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2 [https://b.link/infringementhttps://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2], message.htm.com [Ransom | Malware Spreader], Ransom: FileHash-MD5 cece27e27fcad115504a2dc155358dae, Ransom: FileHash-SHA1 90f739d446a6cab0a73086e56b1473e3c05ab752, Ransom: FileHash-SHA256 c2f7df5c2fd585ba533fca2c2f1933bec36c4713ed5351a3656ddefee71c4cea, Tracey Richter Roberts convicted murderer framed IMO] Michael Roberts suspect [self promoting hacker/PI], Jays Youtube Bot.exe: FileHash-SHA256 00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5 • 303 status redirect to Bot server., host.secureserver.net • htm.com • rue.services • 199.22.109.208.host.secureserver.net • n1s.18b.mywebsitetransfer.com • mywebsitetransfer.com, godaddy.com • prod.phx3.secureserver.net, Trojan.Win32.Snovir.kfmibf | FreeYTVDownloader.exe: FileHash-SHA256 3f5576bcd7bab6cf302bfaaa151f5807aac0b80ad01879662c01ca83ebf457ab, Tea Conquer Bot.exe | FileHash-SHA256 00fc3c28ee517b91128d25c65eeddcd8dac2328447566e94732a3c92b71bfee5, Amadey: FileHash-MD5 9a0b7ee713610b8395c8f0580a3b1e3d, Amadey: FileHash-SHA1 e44a9e7ec6fe06ae6ba1b9518db78e95ad451942, Amadey: FileHash-SHA256 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357, Amadey: IP 104.26.5.15, CS IDS: ET INFO Android Device Connectivity Check [Low Risk] was executed., Attempted to send viewer to own server., How about stop harming people, xxx.developer.android.com, Activity Kotlin Extensions (1.1.0) Tracking • Modification Privileges • Remote Install • Enable Camera • Enable Microphone • User w/Login Privileges • Picasa, Package Manager: Maven Project URL: https://developer.android.com/jetpack/androidx/releases/activity#1.6.0-alpha01, Win.Malware.Agent-6386296-0 FileHash-MD5: c7f6ed56312c8fbb58ae6ed445c38df4 | Win32:Adware-gen\ [Adw], Win.Malware.Agent-6386296-0 FileHash-MD5: e02dbf5d1576e6c9d7d773a588b9b9ee, Win.Malware.Agent-6386296-0 FileHash-SHA1: 466bbfcf0444b6406431f672aaa5ecfcca759379, Win.Malware.Agent-6386296-0 FileHash-SHA1: e2dba94ef052db774478b9f7198c1a2298b334e5, Win.Malware.Agent-6386296-0 FileHash-SHA256: 0000ada3e6821c011fd53a94e5a5d9a777a02b1c4cd087f1c51de9e0ad9023e3, Win.Malware.Agent-6386296-0 FileHash-SHA256: fdb8452173a4f116f6e362ab5466c3c16bf6697502fe3d01db0d82f0e339de24 | Win32:Adware-gen\ [Adw] ,, https://otx.alienvault.com/indicator/file/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5, https://otx.alienvault.com/otxapi/indicators/file/screenshot/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5, Large DNS Query possible covert channel 192.168.56.101, Yara Detections: MS_Visual_Basic_6_0 , vad_contains_network_strings , EXECryptor2223compressedcodewwwstrongbitcom , EXECryptor2223protectedIAT , EXECryptor224StrongbitSoftCompleteDevelopmenth3 , EXECryptor2xxmaxcompressedresources ,, Yara Detections Nullsoft_NSIS | Yara Detections: EXECryptorV22Xsoftcompletecom, 114-45-52-152.dynamic-ip.hinet.net→.hinet.net | Domain has its own nameserver, track.adminresourceupdate.com • postracking100.online, 2.746.1.iphone.com.unicostudio.braintest.adsenseformobileapps.com, http://ecm.mobileboost.me/wapnt.php?id=368&publisher=headway&trackingId=1812131619a57bf1c1da8138&canal=offportal&source=001640_155:::cf1a3fda0, http://mobileboost.me/APIS/WAPNT/wapnt.php?pageId=174&sec=334779&carrier=11&publisher=headway&aff_sub=18040118a49dafc70f463df8&source=000325_339, mobile.detectivesoliver.com • callback.mobileboost.me, IDS Detections: Playtech Installer PUP/Adware Playtech Downloader Online Gaming Checkin Suspicious User-Agent containing Loader Observed C: \\ filepath observed in HTTP header, Yara Detections: stack_string , ConventionEngine_Keyword_Install , research_pe_signed_outside_timestamp , xor_0x20_xord_javascript, https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center/physicians, https://www.hybrid-analysis.com/sample/63bf920be2401947bd686d7dd146af7f3e56800409307360105bf50cebb1c1ea, www2.megawebfind.com [command and control], http://ifdnzact.com/?dn=megawebdeals.com&pid=9PO755G95 [ phishing], 20.99.186.246 [exploit source], https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center/physicians/ [heuristic], Win32:RATX-gen [Trj] identified., CS Sigma Rules: Shadow Copies Deletion Using Operating Systems Utilities by Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades), CS Sigma Rules: Disable UAC Using Registry by frack113, http://45.159.189.105/bot/regex [ tracking | botnet], https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Password cracker | Patient being tracked through multiple medical systems], 0-173-x.msn.com | https://twitter.com/PORNO_SEXYBABES | 0-3.duckdns.org | 0-212.pornhub.org | 000web.pornhub.org, https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing], CS Sigma Rules: Wow6432Node CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Remote Access Trojan, https://otx.alienvault.com/indicator/file/c98108ca8f4e0dd8a3f63d4ac490e115, https://www.google.com/?authuser=0, Wiper to Ransomware: The Evolution of Agrius - Sourced: ArcSight Threat Intelligence, AS15133 MCI Communications Services Inc d b a Verizon Business, Loudon County, Va, 207 Iowa.gov domains and hosts acting as cyber security [cyberreason], iowa.gov, accidentreports.iowa.gov, beready.iowa.gov, affordableconnectivity.gov, appanoosecounty.iowa.gov, bigben.iowa.gov [Ben Smith?], lacity.gov, auditortest.iowa.gov, broadband.iowa.gov, admin.auditor.iowa.gov,, https://lacity.gov/san/index.htm, https://personnel.lacity.gov, https://lacity.gov/SAN,, Domains Contacted: smtp.gmail.com www.google.com, DGA Domain [affordableconnectivity.gov & GetInternet.gov] Home ACP Universal Service Administrative Company, www.fcc.gov? DGA Domains : Certificate Subject US 443 Certificate Subject District of Columbia 443 Certificate Subject Washington 443 Certificate Subject Federal Communications Commission 443 Certificate Subject Government Entity 443 Certificate Subject 1934-06-19 443 Certificate Subject affordableconnectivity.gov 443 Certificate Issuer Entrust, Inc. 443 Certificate Issuer See www.entrust.net/legal-terms 443 Certificate Issuer, (c) 2014 Entrust, Inc. - for authorized use only 443 Certificate Issuer Entrust Certification Authority - L1M, https://www.clear.com.br/site/DirectTalk/Filter?botopenned=3Dtrue [???], https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos, https://any.run/malware-trends/remcos

Export & API

STIX 2.1 Bundle
CSV Export
Permalink

IOC Journey

medium
First detected 5 years ago · Last seen 1 day ago
Appeared in 4 threat reports