IOC Radar
IPMediumSignal 52/100

37.19.200.155

Location
United StatesUnited States
Dallas, Texas
ASN
AS212238
Cdnext DAL
First Seen
Dec 8, 2022
Last Seen
May 28, 2026
Dec 8
First Seen
1290d ago
May 28
Last Seen
22d ago
16
Reports
source reports
52%
Confidence
medium
Found in 16 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
52%
Signal Score
52 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK

MITRE ATT&CK TTPs

56 techniques

Network Information

CountryUSUnited States
RegionDallas, Texas
ASNAS212238
OrganizationCdnext DAL

IP Category

Proxy
Proxy server
VPN
VPN exit node

Feed Intelligence Summary

16 reports52% confidence
16
Source reports
52%
Confidence score
Category tags
abuseaccessaccess controlaccount discoveryaccount profilingaccount takeoveractive scanactive scanningadversary ipadversary mfaaliasanydeskasnas9009 m247attackauthenticationauto-generated securityautomated attackazure mfaazure vmsazureadbackconnect tcpbad reputationbad web botbotnetbotnet activitybpobrute forcebrute force attackbrute force attemptsbrute-forcebruteforcebyvalc2callcaseccnlccroccuscf e8cf movcisacloud infrastructurecobalt strikecobalt-strikecobaltstrikecode executioncode injectioncode issuescommand & controlcommand and controlcommand executioncommunication protocolcommunication technologiescompromised credentialscompromised hostcopycowriecowrie honeypotcredential accesscredential harvestingcredential stuffingcrowdstriked0 addd0 movd3 movdata accessdata copyingdata encryptiondata exfiltrationdata store exposuredata transferddosddos attackdecoy systemdefense evasiondenial of servicedigital signaturedionaeadionaea honeypotdistributed attacksenablesencryptionesp4europe srlexploitation activityexploited hostf1 jlf9 movfalcon completefalcon identityfalsefattff c0ff d5ff fffilehash sha256footerformatforticare_tktfortiosftpgctigithubhackinghoneytrap honeypothttp scanneridentity & access exploitationimpactinformation technologyinfrastructure acquisitionreconnaissanceinjection activityinstalliocsipsec vpnipv4ipv6ipv6 ipv6it infrastructurejumplateral movementlicenselimitedlinpeas localmailoney honeypotmalicious activitymalicious powershell activitymalicious softwaremalwaremalware behaviourmalware capturemalware signingmanualmfa fatiguemobile carriersmobile networksmobile threatmonthlymultiple threat actorsnetworknetwork probingnetwork protocolnetwork scanningnetwork securitynorth americaopenp0fpassword attackpassword attacksphishingphishing attackphishing trapping of deathpleasepowershellprocess injectionprotocol exploitationproxypullpushransomwareraxrbprdpwrapreconnaissanceremote accessremote access trojanremote servicesresearchedresource hijackingreverse proxyreverse sshrmm toolssaasscannerscattered spiderscripting attackssecurity operationssecurity policysensor-taggedsentrypeer botnetsftp attacksignsimsim swappingsliversocial engineeringsoftware developmentsoftware exploitationsoftware integritysourcespiderssh attackssh monitoringssl vpnstarstealsstrongt1005t1021t1021.001t1021.002t1027t1030t1040t1041t1046t1055t1059t1059.001t1059.007t1071t1071.001t1076t1077t1078t1078.001t1078.004t1086t1110t1110.001t1110.002t1110.003t1110.004t1133t1187t1190t1203t1204.001t1204.002t1486t1495.001t1496t1497t1499.001t1499.002t1499.003t1554.001t1554.003t1555t1555.003t1563t1565t1566.001t1566.002t1566.003t1567t1569.002t1587.001t1590.001t1595t1595.001t1595.002t1595.003tannertelecomtelecom servicestelecommunicationstelnet threatthreat actorthreat detectionthreat intelligencethreat preventiontor nodetpotttpsunauthorized accessunicodeunited statesunited states of americaurlsusvidarviewvoipvoip attackvpnvpn ipwarzoneweb application attackweb crawlerweb exploitationweb trafficwithoutyara

Activity Timeline

1 total obs
May 28May 28

Threat Activity Heatmap

· Peak: 2026-05-28
Less
More
Mon
Wed
Fri
Jun
·
·
Jul
·
·
·
Aug
·
·
·
Sep
·
·
·
·
Oct
·
·
·
Nov
·
·
·
Dec
·
·
·
·
Jan
·
·
·
Feb
·
·
·
Mar
·
·
·
·
Apr
·
·
·
May
·
·
·
Jun
·
24h
0
Dormant
7d
0
Dormant
30d
1
Minimal
3mo
1
Minimal
Threat ScoreMedium Risk
52
SIGNAL
Signal Score
52%
Confidence
16
Reports
First seenDec 8, 2022
Last seenMay 28, 2026
GeolocationUS
CountryUnited States
LocationDallas, Texas
ASNAS212238
OrgCdnext DAL
Coords32.7767, -96.7970
ProxyVPN

VirusTotal

Not checked

WHOIS

description
Observed on T-Pot within last 24h; sensors=ciscoasa, p0f; threshold?1; private IPs excluded. geo=US; ports=8443 Location=Sydney, Australia.
raw
NetRange: 37.0.0.0 - 37.255.255.255 CIDR: 37.0.0.0/8 NetName: RIPE-37 NetHandle: NET-37-0-0-0-1 Parent: () NetType: Allocated to RIPE NCC OriginAS: Organization: RIPE Network Coordination Centre (RIPE) RegDate: 2010-11-30 Updated: 2025-02-10 Comment: These addresses have been further assigned to users in the RIPE NCC region. Please note that the organization and point of contact details listed below are those of the RIPE NCC not the current address holder. ** You can find user contact information for the current address holder in the RIPE database at http://www.ripe.net/whois. Ref: https://rdap.arin.net/registry/ip/37.0.0.0 ResourceLink: https://apps.db.ripe.net/db-web-ui/query ResourceLink: whois.ripe.net OrgName: RIPE Network Coordination Centre OrgId: RIPE Address: P.O. Box 10096 City: Amsterdam StateProv: PostalCode: 1001EB Country: NL RegDate: Updated: 2013-07-29 Ref: https://rdap.arin.net/registry/entity/RIPE ReferralServer: whois.ripe.net ResourceLink: https://apps.db.ripe.net/db-web-ui/query OrgTechHandle: RNO29-ARIN OrgTechName: RIPE NCC Operations OrgTechPhone: +31 20 535 4444 OrgTechEmail: [email protected] OrgTechRef: https://rdap.arin.net/registry/entity/RNO29-ARIN OrgAbuseHandle: ABUSE3850-ARIN OrgAbuseName: Abuse Contact OrgAbusePhone: +31205354444 OrgAbuseEmail: [email protected] OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3850-ARIN
references
https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/, Julypt1.pdf, https://github.com/telekom-security/tpotce, https://cybersecuritynews.com/fbi-scattered-spider-hacker-group/, November 19th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #3604 - Tactics & Techniques Used by Scatter Spider Exposed.pdf, https://occamsec.com/scattered-spider-iocs/, December 06th, 2022 - CryptoGen Cyber Threat Intelligence -SIM Swapping Hackers Target Telecommunication Companies.pdf, SIM Swapping Hackers Target Telecommunication Companies.pdf, https://github.com/chronicle/GCTI/blob/main/YARA/Sliver/Sliver__Implant_32bit.yara, https://github.com/chronicle/GCTI/blob/main/YARA/Sliver/Sliver__Implant_64bit.yara, https://github.com/chronicle/GCTI/tree/main/YARA/CobaltStrike, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Artifact32_and_Resources_Dropper_v1_45_to_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Artifact32svc_Exe_v1_49_to_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Artifact64_v1_49_to_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Bind64_Bin_v2_5_through_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Bind_Bin_v2_5_through_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Browserpivot_Bin_v1_48_to_v3_14_and_Sleeve_Browserpivot_Dll_v4_0_to_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Browserpivot_x64_Bin_v1_48_to_v3_14_and_Sleeve_Browserpivot_x64_Dll_v4_0_to_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Bypassuac_Dll_v1_49_to_v3_14_and_Sleeve_Bypassuac_Dll_v4_0_to_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Bypassuac_x64_Dll_v3_3_to_v3_14_and_Sleeve_Bypassuac_x64_Dll_v4_0_and_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Bypassuactoken_Dll_v3_11_to_v3_14.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Bypassuactoken_x64_Dll_v3_11_to_v3_14.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Covertvpn_Dll_v2_1_to_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Covertvpn_injector_Exe_v1_44_to_v2_0_49.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Dnsstager_Bin_v1_47_through_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Elevate_Dll_v3_0_to_v3_14_and_Sleeve_Elevate_Dll_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Elevate_X64_Dll_v3_0_to_v3_14_and_Sleeve_Elevate_X64_Dll_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Httpsstager64_Bin_v3_2_through_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Httpsstager_Bin_v2_5_through_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Httpstager64_Bin_v3_2_through_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Httpstager_Bin_v2_5_through_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Reverse64_Bin_v2_5_through_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Reverse_Bin_v2_5_through_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Smbstager_Bin_v2_5_through_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Template_Py_v3_3_to_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Template_Sct_v3_3_to_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Template_Vbs_v3_3_to_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Template__x32_x64_Ps1_v1_45_to_v2_5_and_v3_11_to_v3_14.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Template_x64_Ps1_v3_0_to_v4_x_excluding_3_12_3_13.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Template_x86_Vba_v3_8_to_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Xor_Bin__32bit_v2_x_to_4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Xor_Bin__64bit_v3_12_to_4_x.yara, https://www.virustotal.com/gui/file/018ef51a2af287a3d665e5057e6367eb0a5d5ef5a807af6c255eba26d20b4ccf/community, Axelo - vaet.com.json, Axelo - Robtex.com.csv, https://www.virustotal.com/gui/collection/threatfox_win_cobalt_strike, ThreatFox - Raspberry Robin.stix, Axelo - Stolec kradnie krypto.stix, ThreatFox - BRATA.stix, ThreatFox - Sliver.stix, ThreatFox - RM3.stix, https://github.com/bartblaze/Yara-rules/blob/master/rules/hacktools/RDPWrap.yar, Axelo - Robtex.com.stix, cobalt.json, ThreatFox - IRATA.stix, ThreatFox - Sorillus RAT.stix, ThreatFox - FTCODE.stix, ThreatFox - Nymaim.stix, ThreatFox - Erbium Stealer.stix, ThreatFox - Brute Ratel C4.stix, ThreatFox - Lumma Stealer.stix, ThreatFox - PrivateLoader.stix

Export & API

STIX 2.1 Bundle
CSV Export
Permalink

IOC Journey

medium
First detected 3 years ago · Last seen 22 days ago
Appeared in 16 threat reports