IOC Radar
IP · Medium · Signal 35/100

217.20.57.26

Location
Germany
Frankfurt am Main, Berlin
ASN
AS20253
EU FRA
First Seen: May 20, 2024 (753d ago)
Last Seen: Mar 31, 2026 (74d ago)
Reports: 5 (source reports)
Confidence: 35% (medium)
Found in 5 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
35%
Signal Score
35 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK

MITRE ATT&CK TTPs

70 techniques

Network Information

Country: DE (Germany)
Region: Frankfurt am Main, Berlin
ASN: AS20253
Organization: EU FRA

Feed Intelligence Summary

Source reports: 5
Confidence score: 35%
Category tags

Activity Timeline

1 total observation (Mar 31)

Threat Activity Heatmap

Weekly calendar grid, Jun to Jun · Peak: 2026-03-31
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 1 (Minimal)
Threat Score: Low Risk (Signal 35)
Signal Score
Confidence: 35%
Reports: 5
First seen: May 20, 2024
Last seen: Mar 31, 2026
Geolocation: DE
Country: Germany
Location: Frankfurt am Main, Berlin
ASN: AS20253
Org: EU FRA
Coords: 55.7123, 12.0564

VirusTotal

Not checked

WHOIS

description
Victims' business social media accounts deleted. Used to commit malicious activity against businesses, espionage, financial abuse.
raw
NetRange: 217.0.0.0 - 217.255.255.255
CIDR: 217.0.0.0/8
NetName: 217-RIPE
NetHandle: NET-217-0-0-0-1
Parent: ()
NetType: Allocated to RIPE NCC
OriginAS:
Organization: RIPE Network Coordination Centre (RIPE)
RegDate: 2000-06-05
Updated: 2025-02-10
Comment: These addresses have been further assigned to users in the RIPE NCC region. Please note that the organization and point of contact details listed below are those of the RIPE NCC not the current address holder. ** You can find user contact information for the current address holder in the RIPE database at http://www.ripe.net/whois.
Ref: https://rdap.arin.net/registry/ip/217.0.0.0
ResourceLink: https://apps.db.ripe.net/db-web-ui/query
ResourceLink: whois.ripe.net
OrgName: RIPE Network Coordination Centre
OrgId: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
RegDate:
Updated: 2013-07-29
Ref: https://rdap.arin.net/registry/entity/RIPE
ReferralServer: whois.ripe.net
ResourceLink: https://apps.db.ripe.net/db-web-ui/query
OrgAbuseHandle: ABUSE3850-ARIN
OrgAbuseName: Abuse Contact
OrgAbusePhone: +31205354444
OrgAbuseEmail: [email protected]
OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3850-ARIN
OrgTechHandle: RNO29-ARIN
OrgTechName: RIPE NCC Operations
OrgTechPhone: +31 20 535 4444
OrgTechEmail: [email protected]
OrgTechRef: https://rdap.arin.net/registry/entity/RNO29-ARIN


IOC Journey

medium
First detected 2 years ago · Last seen 2 months ago
Appeared in 5 threat reports