IOC Radar
IP · Medium · Signal 27/100

62.0.58.94

Location: Bet Hashmonay, Hefa, Israel
ASN: AS1680 (013 Netvision Network)
First Seen: Jun 25, 2021 (1821d ago)
Last Seen: Jun 15, 2026 (6d ago)
Reports: 7 source reports
Confidence: 27% (medium)
Found in 7 reports. Confidence: medium. Confidence scores are heuristic; verify before acting on results.
Type: IPv4 Address (network layer indicator observed in threat reports)
MISP Category: Network Activity
Confidence: 27%
Signal Score: 27 / 100
IDS Rule: No
Threat Context

Tags: MITRE ATT&CK
MITRE ATT&CK TTPs: 71 techniques

Network Information

Country: IL (Israel)
Region: Bet Hashmonay, Hefa
ASN: AS1680
Organization: 013 Netvision Network

IP Category: Proxy (proxy server)

Feed Intelligence Summary

Source reports: 7
Confidence score: 27%
Category tags

Activity Timeline

1 total observation (Jun 15)

Threat Activity Heatmap

[Weekly activity grid, Jun through the following Jun (rows Mon/Wed/Fri; legend Less to More); no activity markers recoverable from the rendered page.]
24h: 0 (Dormant)
7d: 1 (Minimal)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: Low Risk
Signal Score: 27
Confidence: 27%
Reports: 7
First seen: Jun 25, 2021
Last seen: Jun 15, 2026
Geolocation: IL
Country: Israel
Location: Bet Hashmonay, Hefa
ASN: AS1680
Org: 013 Netvision Network
Coords: 32.0876, 34.8739
IP Category: Proxy

VirusTotal: Not checked

WHOIS

description: CC=IL ASN=AS1680 Cellcom Fixed Line Communication L.P

raw:
inetnum: 62.0.58.88 - 62.0.58.95
netname: NV-CP
descr: NV-CP
country: IL
admin-c: AL993-RIPE
tech-c: NN105-RIPE
status: ASSIGNED PA
mnt-by: NV-MNT-RIPE
mnt-lower: NV-MNT-RIPE
created: 2004-12-06T12:17:16Z
last-modified: 2004-12-06T12:17:16Z
source: RIPE

role: CELLCOM NOC team
address: Omega Building
address: MATAM industrial park
address: Haifa 31905
address: Israel
phone: +972 4 8560 600
fax-no: +972 4 8551 132
abuse-mailbox: [email protected]
remarks: Send Spam and Abuse complains ONLY to the above address!
admin-c: NVAC-RIPE
tech-c: NVTC-RIPE
nic-hdl: NN105-RIPE
mnt-by: NV-MNT-RIPE
created: 1970-01-01T00:00:00Z
last-modified: 2018-02-22T09:10:47Z
source: RIPE # Filtered

person: Reuven Toyota
address: Check Point
address: 3 a Jabitinsky st.Midgaley Hateomim, Ramat-Gan, Israel
phone: +972-3-6131833
fax-no: +972-3-5759256
nic-hdl: AL993-RIPE
created: 1970-01-01T00:00:00Z
last-modified: 2020-06-04T13:00:09Z
source: RIPE
mnt-by: NV-MNT-RIPE

route: 62.0.58.0/24
origin: AS1680
mnt-by: NV-MNT-RIPE
created: 2025-07-23T19:58:15Z
last-modified: 2025-07-23T19:58:15Z
source: RIPE
references

IOC Journey

Confidence: medium
First detected 5 years ago · Last seen 6 days ago
Appeared in 7 threat reports