IOC Radar
IP · Medium · Signal 35/100

87.250.251.119

Location: Moscow, Moscow, Russian Federation
ASN: AS13238 (Yandex LLC)
First Seen: Dec 10, 2020 (2012d ago)
Last Seen: May 30, 2026 (14d ago)
Reports: 8 source reports
Confidence: 35% (medium)
Found in 8 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
35%
Signal Score
35 / 100
IDS Rule
No
Threat Context

Tags: MITRE ATT&CK
MITRE ATT&CK TTPs: 96 techniques

Network Information

Country: RU (Russian Federation)
Region: Moscow, Moscow
ASN: AS13238
Organization: Yandex LLC

IP Category

Proxy (proxy server)

Feed Intelligence Summary

8 source reports, 35% confidence score

Category tags

Activity Timeline

1 total observation (May 30)

Threat Activity Heatmap

Peak: 2026-05-30

Recent activity:
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: 35 (Low Risk)
Signal Score: 35
Confidence: 35%
Reports: 8
First seen: Dec 10, 2020
Last seen: May 30, 2026
Geolocation: RU
Country: Russian Federation
Location: Moscow, Moscow
ASN: AS13238
Org: Yandex LLC
Coords: 55.7386, 37.6068
Category: Proxy

VirusTotal

Not checked

WHOIS

inetnum: 87.250.251.0 - 87.250.251.255
netname: YANDEX-87-250-251-0
status: ASSIGNED PA
country: RU
descr: Yandex enterprise network
mnt-by: YANDEX-MNT
admin-c: YNDX1-RIPE
tech-c: YNDX1-RIPE
org: ORG-YA1-RIPE
remarks: INFRA-AW
source: RIPE
created: 2007-01-25T10:57:07Z
last-modified: 2024-10-28T10:36:49Z

organisation: ORG-YA1-RIPE
org-name: YANDEX LLC
country: RU
org-type: LIR
address: LVA TOLSTOY STREET, 16
address: 119021
address: Moscow
address: RUSSIAN FEDERATION
phone: +74957397000
fax-no: +74957397070
admin-c: YNDX1-RIPE
tech-c: YNDX1-RIPE
abuse-c: YAH6-RIPE
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: YANDEX-MNT
mnt-by: RIPE-NCC-HM-MNT
mnt-by: YANDEX-MNT
created: 2004-04-22T14:39:02Z
last-modified: 2025-08-04T11:07:18Z
source: RIPE # Filtered

role: Yandex LLC Network Operations
address: Yandex LLC
address: 16, Leo Tolstoy St.
address: 119021
address: Moscow
address: Russian Federation
phone: +7 495 739 7000
fax-no: +7 495 739 7070
remarks: trouble: ------------------------------------------------------
remarks: trouble: Points of contact for Yandex LLC Network Operations
remarks: trouble: ------------------------------------------------------
remarks: trouble: Routing and peering issues: [email protected]
remarks: trouble: SPAM issues: [email protected]
remarks: trouble: Network security issues: [email protected]
remarks: trouble: Mail issues: [email protected]
remarks: trouble: General information: [email protected]
remarks: trouble: ------------------------------------------------------
admin-c: MK24579-RIPE
tech-c: EM3673-RIPE
tech-c: AUR2-RIPE
nic-hdl: YNDX1-RIPE
mnt-by: YANDEX-MNT
created: 2002-06-07T05:35:50Z
last-modified: 2021-08-23T16:42:06Z
source: RIPE # Filtered
abuse-mailbox: [email protected]

route: 87.250.224.0/19
descr: Yandex network
origin: AS13238
mnt-by: YANDEX-MNT
created: 2006-01-31T14:54:47Z
last-modified: 2006-01-31T14:54:47Z
source: RIPE # Filtered


IOC Journey

Confidence: medium
First detected 5 years ago · Last seen 14 days ago
Appeared in 8 threat reports