IOC Radar

217.20.57.20 (IPv4) · Medium · Signal 35/100

Location: Germany (Frankfurt am Main, Berlin)
ASN: AS20253 (EU FRA)
First Seen: Jul 4, 2024 (707 days ago)
Last Seen: Mar 31, 2026 (72 days ago)
Source reports: 5
Confidence: 35% (medium)

Found in 5 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address: network-layer indicator observed in threat reports.
MISP Category: Network Activity
Confidence: 35%
Signal Score: 35 / 100
IDS Rule: No

Threat Context

Tags: see Category tags below
MITRE ATT&CK TTPs: 55 techniques

Network Information

Country: DE (Germany)
Region: Frankfurt am Main, Berlin
ASN: AS20253
Organization: EU FRA

Feed Intelligence Summary

Source reports: 5
Confidence score: 35%
Category tags (tag cloud; the source runs the tags together without separators and mixes report tags with interface labels such as "copy md5", "show", "next". The recognisable entries, grouped:)

MITRE ATT&CK tactics: TA0006 (credential access), TA0011 (command and control), TA0040 (impact)

MITRE ATT&CK techniques (55): T1005, T1010, T1021, T1021.001, T1027, T1030, T1036, T1055, T1056, T1057, T1059, T1060, T1069.001, T1070, T1071, T1071.001, T1078, T1082, T1083, T1105, T1112, T1113, T1125, T1129, T1133, T1134, T1190, T1192, T1202, T1203, T1204.001, T1204.002, T1480, T1485, T1486, T1496, T1497, T1499.002, T1499.003, T1543, T1547, T1553, T1562, T1564, T1565, T1566, T1566.003, T1567, T1567.001, T1574, T1583, T1587.001, T1589, T1589.001, T1590.001

Malware and tooling: mirai botnet, iot botnet, andariel, backdoor, trojan, trojan dropper, malware dropper, worm, ransomware, win32 exe, win32 malware, windows malware, packed executable, themida, enigma, delphi, hidden files, process injection, registry modification, registry run, startup folder, dll

Attack behaviour: brute force, credential stuffing, credential theft, account takeover, account hijacking, account discovery, phishing, social engineering, spam, scams & fraud, business impersonation, malicious links, ddos, ddos attacks, dns attack, http attack, http scanner, network scanning, hostname enumeration, active scan, web application attack, web application exploitation, path traversal, input validation bypass, injection activity, d-link exploit, command execution, code execution, wget command, ingress tool transfer, c2 communication, command and control, data exfiltration, data upload, remote access, remote services, tor node, icmp traffic, passive dns

Sectors: finance, health care and social assistance, health information technology, healthcare information systems, hospital management, electronic health records, medical services, patient care, information technology, it infrastructure, software development, internet of things, iot security, iot/ics attack, home networks

Geography: germany, denmark, china, hong kong, japan, russia, united kingdom, united states, europe, europe/asia, north america, asia

Detection sources: av detections, ids detections, yara detections, nids, virustotal api, related pulses, pattern match
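The tag cloud above arrived with its separators lost, so the ATT&CK IDs have to be cut back out of the text. As an added example that is not part of IOC Radar, the following Python recovers tactic and technique IDs from such a blob, lets you check the count against the "55 techniques" figure the page states, and lists sub-techniques whose parent technique is absent (a Navigator layer built from the raw list would leave them dangling). The excerpt string is copied from the page's tag cloud; the regular expressions and the parent check are this example's own.

```python
"""Recover MITRE ATT&CK IDs from a tag cloud whose separators were lost."""
import re
from typing import Dict, List

# Fragments of the Category tags blob as they appear on the page, tags run
# together with no separators. Only the fragments carrying ATT&CK IDs are kept.
TAG_BLOB = (
    "access ta0006account discovery"
    "command and controlcontrol ta0011copy md5"
    "impact ob0008impact ta0040include review"
    "process injectionprocess t1543pulse pulses"
    "registry e1112registry modificationregistry run"
    "t1005t1010t1021t1021.001t1027t1030t1036t1055t1056t1057t1059t1060"
    "t1069.001t1070t1071t1071.001t1078t1082t1083t1105t1112t1113t1125t1129"
    "t1133t1134t1190t1192t1202t1203t1204.001t1204.002t1480t1485t1486t1496"
    "t1497t1499.002t1499.003t1543t1547t1553t1562t1564t1565t1566t1566.003"
    "t1567t1567.001t1574t1574 dllt1583t1587.001t1589t1589.001t1590.001tagstargets"
)

# Technique: 't' + four digits, optional three-digit sub-technique suffix.
# Tactic: 'ta' + four digits. No word boundaries: the IDs abut each other.
TECHNIQUE_RE = re.compile(r"t(\d{4})(?:\.(\d{3}))?")
TACTIC_RE = re.compile(r"ta(\d{4})")


def extract_attack_ids(blob: str) -> Dict[str, List[str]]:
    """Split concatenated ATT&CK IDs out of free text, upper-case and dedupe them."""
    text = blob.lower()
    tactics = {f"TA{m.group(1)}" for m in TACTIC_RE.finditer(text)}
    techniques = set()
    for m in TECHNIQUE_RE.finditer(text):
        tid = f"T{m.group(1)}"
        if m.group(2):
            tid += f".{m.group(2)}"
        techniques.add(tid)
    return {"tactics": sorted(tactics), "techniques": sorted(techniques)}


def missing_parents(techniques: List[str]) -> List[str]:
    """Parents referenced only through a sub-technique (e.g. T1204 via T1204.001)."""
    have = set(techniques)
    parents = {t.split(".")[0] for t in techniques if "." in t}
    return sorted(p for p in parents if p not in have)


if __name__ == "__main__":
    ids = extract_attack_ids(TAG_BLOB)
    print(f"{len(ids['techniques'])} techniques, {len(ids['tactics'])} tactics")
    print("tactics:", ", ".join(ids["tactics"]))
    print("sub-techniques without parent:", ", ".join(missing_parents(ids["techniques"])))
```

The duplicates "process t1543" and "t1574 dll" collapse into the set, which is why the unique count lands on the page's 55. The fragment "registry e1112" is deliberately not recovered: its prefix is garbled, and guessing that it means T1112 would put a technique into the mapping that the source does not actually state.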

Activity Timeline

1 total observation: Mar 31, 2026

Threat Activity Heatmap (12 months, Jun to Jun): a single active day, peak 2026-03-31.

Recent activity windows:
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 1 (Minimal)
Threat Score: 35 (Low Risk)
Coordinates: 55.7123, 12.0564

Geolocation caveat: the location fields do not agree with each other. The region string names two cities (Frankfurt am Main and Berlin), the coordinates lie at about 55.7° N, north of Germany's northernmost point (roughly 55.06° N on Sylt), and the tag cloud also carries "denmark". Treat the geolocation as unreliable and do not use it as an attribution signal.

VirusTotal

Not checked

WHOIS

description
Victims' business social media accounts deleted. Used to commit malicious activity against businesses, espionage, financial abuse.

raw (ARIN's referral record for the 217.0.0.0/8 parent allocation, not the assignment containing 217.20.57.20; as the record itself says, the current address holder has to be looked up at whois.ripe.net)
NetRange: 217.0.0.0 - 217.255.255.255
CIDR: 217.0.0.0/8
NetName: 217-RIPE
NetHandle: NET-217-0-0-0-1
Parent: ()
NetType: Allocated to RIPE NCC
OriginAS:
Organization: RIPE Network Coordination Centre (RIPE)
RegDate: 2000-06-05
Updated: 2025-02-10
Comment: These addresses have been further assigned to users in the RIPE NCC region. Please note that the organization and point of contact details listed below are those of the RIPE NCC not the current address holder. ** You can find user contact information for the current address holder in the RIPE database at http://www.ripe.net/whois.
Ref: https://rdap.arin.net/registry/ip/217.0.0.0
ResourceLink: https://apps.db.ripe.net/db-web-ui/query
ResourceLink: whois.ripe.net
OrgName: RIPE Network Coordination Centre
OrgId: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
RegDate:
Updated: 2013-07-29
Ref: https://rdap.arin.net/registry/entity/RIPE
ReferralServer: whois.ripe.net
ResourceLink: https://apps.db.ripe.net/db-web-ui/query
OrgTechHandle: RNO29-ARIN
OrgTechName: RIPE NCC Operations
OrgTechPhone: +31 20 535 4444
OrgTechEmail: [email protected]
OrgTechRef: https://rdap.arin.net/registry/entity/RNO29-ARIN
OrgAbuseHandle: ABUSE3850-ARIN
OrgAbuseName: Abuse Contact
OrgAbusePhone: +31205354444
OrgAbuseEmail: [email protected]
OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3850-ARIN
references (aggregated from the source reports; several entries describe a sample or domains that co-occurred in those reports rather than this address itself, and co-observed names such as x.com, nr-data.net and cloudflare-dns.com are ordinary high-traffic services, so read the list as context, not as confirmed malicious associations)
TJprojMain.exe {79c7303a1a49b85569245a8ca1c1a26be720387845af9391fa1e4677308bd6b6}
Crowdsourced Sigma: Schedule system process by Joe Security
Sigma • Suspicious Process Masquerading As SvcHost.EXE by Swachchhanda Shrawan Poudel
Sigma • System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
Yara • NSIS from ruleset NSIS by kevoreilly
Yara • rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)
Yara • Windows_Generic_Threat_7526f106 from ruleset Windows_Generic_Threat by Elastic Security
Alerts: persistence_autorun • persistence_autorun_tasks • stealth_hiddenreg • suspicious_command
IDS: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)
Mirai - ]1.0.0.0 - Unix.Trojan.Mirai-6981169-0
*Themida_2xx. Oreans,Technologies
*Andariel Backdoor Activity (Checkin)
Alert: dead_host • nids_malware_alert • network_icmp • nolookup_communication
IDS: WGET Command Specifying Output in HTTP Headers
IDS: D-Link Devices Home Network Administration Protocol Command Execution
foundry2-lbl.dvr.dn2.n-helix.com • http://foundry2sdbl.dvr.dn2.n-helix.com • https://foundry2sdbl
https://xn--72c9abh1f8ad1lzc.com/video_tag/pornthai/ • https://ro.theskinnyfoodco.com/en-fr/blogs/recipes/pornstar-martini-recipe • m.pornsexer.xxx.3.1.adiosfil.roksit.net
x.com • nr-data.net • apple.k8s.joewa.com
http://apple.cc.lvlid.com/ • http://apple.cc.lvlid.com/ios/ • http://www.apple.cc.lvlid.com/ios
Devices remotely connected, tracked, monitored

Export & API

STIX 2.1 Bundle
CSV Export
Permalink
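The page offers a STIX 2.1 export and warns that its confidence scores are heuristic. This added Python example, which is not the site's exporter, shows what a minimal STIX 2.1 Indicator for this IOC looks like and the checks worth running before such an indicator reaches a blocklist: the address is a routable public IPv4, the confidence sits inside the 0 to 100 range STIX requires, and the action tier follows from confidence and recency rather than from mere presence in a feed. The snapshot date (11 Jun 2026, implied by the page's "72d ago") and the block/alert/watch thresholds are this example's assumptions; the IOC fields are the ones shown on the page.

```python
"""Build a STIX 2.1 indicator for an IOC Radar entry and decide how to act on it."""
import ipaddress
import json
import uuid
from datetime import datetime, timezone
from typing import Dict

# Fields copied from the page for 217.20.57.20.
IOC = {
    "value": "217.20.57.20",
    "confidence": 35,            # heuristic score, 0..100
    "reports": 5,
    "first_seen": "2024-07-04",
    "last_seen": "2026-03-31",
}

# Assumption: the snapshot date implied by the page's "72d ago" for Last Seen.
NOW = datetime(2026, 6, 11, tzinfo=timezone.utc)

STIX_TS = "%Y-%m-%dT%H:%M:%S.000Z"   # RFC 3339, UTC, millisecond precision


def is_blockable(value: str) -> bool:
    """Only routable public IPv4 addresses belong on a blocklist; private,
    loopback, link-local, multicast and documentation ranges are rejected."""
    ip = ipaddress.ip_address(value)
    return ip.version == 4 and ip.is_global


def ipv4_pattern(value: str) -> str:
    """STIX patterning expression for an IPv4 observable."""
    if not is_blockable(value):
        raise ValueError(f"{value} is not a routable public IPv4 address")
    return f"[ipv4-addr:value = '{value}']"


def build_bundle(ioc: Dict, now: datetime) -> Dict:
    """Wrap one Indicator SDO in a STIX 2.1 Bundle."""
    confidence = int(ioc["confidence"])
    if not 0 <= confidence <= 100:
        raise ValueError("STIX confidence must be an integer 0..100")
    stamp = now.strftime(STIX_TS)
    first_seen = datetime.strptime(ioc["first_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
    indicator = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": stamp,
        "modified": stamp,
        "name": f"IOC Radar: {ioc['value']}",
        "description": (f"Seen in {ioc['reports']} source reports; "
                        f"heuristic confidence {confidence}/100."),
        "indicator_types": ["malicious-activity"],
        "pattern": ipv4_pattern(ioc["value"]),
        "pattern_type": "stix",
        "pattern_version": "2.1",
        "valid_from": first_seen.strftime(STIX_TS),
        "confidence": confidence,
        "labels": ["network-activity"],
    }
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [indicator]}


def triage(ioc: Dict, now: datetime) -> str:
    """Action tier. Thresholds are this example's policy, not the site's: block only
    high-confidence indicators seen within the last month, otherwise alert or watch."""
    last_seen = datetime.strptime(ioc["last_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
    days_quiet = (now - last_seen).days
    if ioc["confidence"] >= 70 and days_quiet <= 30:
        return "block"
    if ioc["confidence"] >= 30 or ioc["reports"] >= 3:
        return "alert"      # alert on matches, no automatic blocking
    return "watch"


if __name__ == "__main__":
    print(json.dumps(build_bundle(IOC, NOW), indent=2))
    print("action:", triage(IOC, NOW))
```

With the page's numbers (confidence 35, last seen 72 days before the snapshot, zero observations in the last 30 days) the indicator lands in the "alert" tier: worth a detection that fires on a match, not worth an automatic block. Carrying the confidence value into the Indicator lets a downstream consumer apply its own threshold instead of inheriting this one.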

IOC Journey

medium
First detected Jul 4, 2024 (707 days ago, nearly two years) · Last seen Mar 31, 2026 (72 days ago)
Appeared in 5 threat reports