contaboserver.net
Type: Domain · Confidence: Medium · Signal: 0/100
Location:
First Seen: Mar 2, 2025
Last Seen: Jun 21, 2026
Found in 8 reports. Confidence: medium. Confidence scores are heuristic; verify before acting on results.
Indicator type: Domain Name. The category description is generic to the type (malicious domain used for C2, phishing, or malware distribution), so read it against this caveat: contaboserver.net is the domain under which Contabo, the German VPS provider whose name servers (ns1-3.contabo.net) serve it according to the WHOIS below, assigns default reverse-DNS names to customer VPS addresses; the 761,305 subdomains recorded below are those per-host names. A hit on the bare apex therefore identifies the hosting provider, not an actor, and any pivot or block should be on the full per-host name or its IP address rather than on the apex.
MISP Category: Network Activity
Confidence: 0%
Signal Score: 0 / 100
IDS Rule: No
Threat Context
Feed Intelligence Summary: 8 source reports, 0% confidence score (the page header reports "medium" confidence; the two figures are not reconciled anywhere on the page).
Category tags: indicator, network, researched
Activity Timeline: one recorded event, Jun 21.
Threat Activity Heatmap: 1 event (Minimal) in each window: 24h, 7d, 30d, 3mo.
Intelligence Summary (AI generated)
The domain **contaboserver.net** has been identified as a potential indicator of compromise (IOC) linked to malicious activities originating from Japan. First observed on March
Threat Score: Low Risk (0)
Signal Score: 0 / 100
Confidence: 0%
Reports: 8
First seen: Mar 2, 2025
Last seen: Jun 21, 2026
VirusTotal: Not checked
WHOIS
- registrar: RegistryGate GmbH
- description: Domain that is used for botnet Command&control (C&C)
- domain rank: 62977
- raw (e-mail addresses are shown as "[email protected]" because the page obfuscates them; the literal is not the address. Registrant fields carry a fixed 16-hex-digit placeholder in place of identity data):
  - Admin City: REDACTED FOR PRIVACY
  - Admin Country: REDACTED FOR PRIVACY
  - Admin Email: [email protected]
  - Admin Organization: REDACTED FOR PRIVACY
  - Admin Postal Code: REDACTED FOR PRIVACY
  - Admin State/Province: REDACTED FOR PRIVACY
  - Billing City: REDACTED FOR PRIVACY
  - Billing Country: REDACTED FOR PRIVACY
  - Billing Email: [email protected]
  - Billing Organization: REDACTED FOR PRIVACY
  - Billing Postal Code: REDACTED FOR PRIVACY
  - Billing State/Province: REDACTED FOR PRIVACY
  - Creation Date: 2017-03-05T07:28:42Z
  - DNSSEC: unsigned
  - Domain Name: CONTABOSERVER.NET
  - Domain Name: contaboserver.net
  - Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
  - Name Server: NS1.CONTABO.NET
  - Name Server: NS2.CONTABO.NET
  - Name Server: NS3.CONTABO.NET
  - Name Server: ns1.contabo.net
  - Name Server: ns2.contabo.net
  - Name Server: ns3.contabo.net
  - Registrant City: 1f8f4166599d23ee
  - Registrant Country: DE
  - Registrant Email: [email protected]
  - Registrant Fax Ext: 1f8f4166599d23ee
  - Registrant Fax: 1f8f4166599d23ee
  - Registrant Name: 1f8f4166599d23ee
  - Registrant Organization: 1f8f4166599d23ee
  - Registrant Phone Ext: 1f8f4166599d23ee
  - Registrant Phone: 1f8f4166599d23ee
  - Registrant Postal Code: 1f8f4166599d23ee
  - Registrant State/Province: 3432650ec337c945
  - Registrant Street: 1f8f4166599d23ee
  - Registrar Abuse Contact Email: [email protected]
  - Registrar Abuse Contact Phone: +49.1805734437
  - Registrar IANA ID: 1328
  - Registrar Registration Expiration Date: 2026-03-05T07:28:42Z
  - Registrar URL: http://www.registrygate.com
  - Registrar URL: www.registrygate.com
  - Registrar WHOIS Server: whois.registrygate.com
  - Registrar: RegistryGate GmbH
  - Registry Admin ID: REDACTED FOR PRIVACY
  - Registry Billing ID: REDACTED FOR PRIVACY
  - Registry Domain ID: 2102383277_DOMAIN_NET-VRSN
  - Registry Expiry Date: 2026-03-05T07:28:42Z
  - Registry Registrant ID: REDACTED FOR PRIVACY
  - Registry Tech ID: REDACTED FOR PRIVACY
  - Tech City: REDACTED FOR PRIVACY
  - Tech Country: REDACTED FOR PRIVACY
  - Tech Email: [email protected]
  - Tech Organization: REDACTED FOR PRIVACY
  - Tech Postal Code: REDACTED FOR PRIVACY
  - Tech State/Province: REDACTED FOR PRIVACY
  - Updated Date: 2025-03-06T08:06:31Z
- references (reference fields collected from the eight source reports; the spread across unrelated items, from Mirai/Gafgyt and Tofsee samples to Apple hostnames and adult-site URLs, shows they describe those reports rather than this domain):
  - DISTINCTIO8.pdf
  - FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string
  - IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set
  - Tofsee: 'google.com' | https://www.gov50.icu |
  - ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)
  - Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk
  - Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing
  - hubt.pornhub.com | www.pornhub.com | pornative.com
  - https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/
  - www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/
  - Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da
  - IDS Detections: WGET Command Specifying Output in HTTP Headers
  - IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution
  - Yara Detections: is__elf
  - DemonBot
  - Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout
  - FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c
  - IDS Detections: Andariel Backdoor Activity (Checkin)
  - Alerts: dead_host nids_malware_alert network_icmp nolookup_communication
  - DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2
  - IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound
  - IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST
  - IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy
  - http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/
  - https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com
  - apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com
  - autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com
  - * https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit
  - https://tulach.cc/ | tulach.cc |
  - http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com
  - google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl
  - 18teen.net | teensnow.com | grannies-porn.net | pornmd.com
  - www.pornhubselect.com | pornhub.software
  - https://www.sentinelone.com/labs/capratube-remix-transparent-tribes-android-spyware-targeting-gamers-weapons-enthusiasts/
  - https://asec.ahnlab.com/ko/88265/
  - https://www.virustotal.com/gui/collection/789999053bd7022e2d79a887a5f959be573ce57d6c4f3165503438fbd5dd9ad5/graph
  - https://sslbl.abuse.ch/blacklist/sslipblacklist_aggressive.rules
  - https://viz.greynoise.io/analysis/f3d70a4f-14b1-4d26-8617-98d591
  - https://viz.greynoise.io/analysis/a40cf3ce-d048-47c1-94b7-730b71
  - https://viz.greynoise.io/analysis/4627bc3a-0238-4f2f-ad5c-c50527
  - https://raw.githubusercontent.com/securityscorecard/SSC-Threat-Intel-IoCs/master/KillNet-DDoS-Blocklist/proxylist.txt
  - ISP: Charter Communications Inc Usage Type Fixed Line ISP
  - dnvrco-pub-iedge-vip.email.rr.com spectrum.com Denver, Colorado USA
  - dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.
  - Reverse DNS dnvrco-pub-iedge-vip.email.rr.com
  - Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e
  - IDS Detections: Suspicious double Server Header Possible Kelihos
  - IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header
  - telemetry-incoming.r53-2.services.mozilla.com
  - https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel
  - http://www.door.net/ARISBE/arisbe.htm
  - talk.plesk.com | 4evermusic.pl | nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov
  - https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl
  - mirai.json
  - https://threatintelligence.guardicore.com/download-guardicore-cyber-threat-intelligence-data.html
  - voyour-cams.xww.de
  - https://otx.alienvault.com/malware/Worm:Win32%2FBenjamin/samples
  - https://www.malwarebytes.com/blog/news/2022/10/raspberry-robin-worm-used-as-ransomware-prelude
  - https://hybrid-analysis.com/sample/9e8ce8607b7f32f6f66c8126851a55818ff775ee060d2c448679e5eb1e22ba2a
  - https://www.saal-digital.de/ordercockpit/[email protected]&ordernumber=802109030129517
  - ↓ Interesting ↓
  - owa.telegrafix.com
  - https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Phishing)
  - [email protected]
  - https://simtk.org/projects/sv_tests (Tsara Brashears project?)
  - https://itunes.apple.com/de/app/saal-design-app/id1481631197?mt=8
  - https://play.google.com/store/apps/details?id=com.saaldigital.designerapp.de&hl=de
  - BEELab_web_1.0.2-prerelease.exe
  - AfraidZad.exe
  - https://mail.greycroft.com/owa/redir.aspx?SURL=a0oI1dvGGkFYUoACVEbN8REVrmfS6H0MhUvXdexgmertl7bBVhrTCGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHAAcgBvAGQAdQBjAHQAaAB1AG4AdAAuAGMAbwBtAC8AdABlAGMAaAAvAGEAbgBpAG0AYQB0AGkAYwA.&URL=https://www.producthunt.com/tech/animatic
  - greycroftpartners.com
  - http://videotubeplayer.com/?groupds=1&clientId=201&productId=1407&tracking=w5JJ46MKQI493DMO1NDNTQ6K&publisher_id=
  - trkpls3.com
  - eg-monitoring.com
  - http://m.pornsexer.xxx.3.1.adiosfil.roksit.net/
  - https://twitter.com/PORNO_SEXYBABES
  - https://raw.githubusercontent.com/ShadowWhisperer/BlockLists/master/Lists/Malware
  - https://www.shodan.io/search?query=Thanos+http.robots_hash%3A674385864
  - Thanos http.robots_hash:674385864
- subdomains count: 761305
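The raw WHOIS record above arrives as a single flattened line, which a plain split on ":" cannot parse because values such as the EPP status URL and the timestamps contain colons. The following is an added example written for this page (not code from the feed or from any vendor) that parses that flat form and derives the triage facts a practitioner checks first: registration age at first sighting, expiry relative to last sighting, DNSSEC status, privacy redaction, placeholder registrant identity, and whether the zone is served from a different apex. RAW_WHOIS is an excerpt of the record shown above (the redacted Billing/Tech contact fields are left out), and FIRST_SEEN/LAST_SEEN are the page's own dates. Two assumptions: the field vocabulary in KEY_RE covers only the standard ICANN registrar-data field names, and a "registrable apex" is taken to be the last two labels without consulting a public-suffix list.

```python
"""Parse a flattened registrar WHOIS record and derive triage facts (added example)."""
from __future__ import annotations

import re
from datetime import date, datetime, timezone

FIRST_SEEN = date(2025, 3, 2)   # page's "First seen"
LAST_SEEN = date(2026, 6, 21)   # page's "Last seen"

# Excerpt of the page's raw WHOIS line; "[email protected]" is the page's obfuscation, kept as-is.
RAW_WHOIS = (
    "Admin City: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY "
    "Admin Email: [email protected] Creation Date: 2017-03-05T07:28:42Z "
    "DNSSEC: unsigned Domain Name: CONTABOSERVER.NET Domain Name: contaboserver.net "
    "Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited "
    "Name Server: NS1.CONTABO.NET Name Server: NS2.CONTABO.NET Name Server: NS3.CONTABO.NET "
    "Name Server: ns1.contabo.net Name Server: ns2.contabo.net Name Server: ns3.contabo.net "
    "Registrant City: 1f8f4166599d23ee Registrant Country: DE "
    "Registrant Email: [email protected] Registrant Name: 1f8f4166599d23ee "
    "Registrant Organization: 1f8f4166599d23ee "
    "Registrar Abuse Contact Email: [email protected] "
    "Registrar Abuse Contact Phone: +49.1805734437 Registrar IANA ID: 1328 "
    "Registrar Registration Expiration Date: 2026-03-05T07:28:42Z "
    "Registrar URL: http://www.registrygate.com Registrar WHOIS Server: whois.registrygate.com "
    "Registrar: RegistryGate GmbH Registry Domain ID: 2102383277_DOMAIN_NET-VRSN "
    "Registry Expiry Date: 2026-03-05T07:28:42Z Registry Registrant ID: REDACTED FOR PRIVACY "
    "Updated Date: 2025-03-06T08:06:31Z"
)

# Assumed field vocabulary: a field name starts with one of these words and continues
# with further capitalised words up to the first ": ". Values may contain colons.
FIELD_WORDS = "Admin|Billing|Tech|Registrant|Registry|Registrar|Domain|Name|Creation|Updated|DNSSEC"
KEY_RE = re.compile(rf"(?:^|(?<= ))((?:{FIELD_WORDS})(?: [A-Z][A-Za-z/]*)*?): ")
HEX_TOKEN = re.compile(r"[0-9a-f]{16}")


def parse_flat_whois(text: str) -> dict[str, list[str]]:
    """Split a one-line WHOIS dump into field -> [values], keeping repeated fields."""
    fields: dict[str, list[str]] = {}
    keys = list(KEY_RE.finditer(text))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        fields.setdefault(m.group(1), []).append(text[m.end():end].strip())
    return fields


def first(fields: dict[str, list[str]], key: str) -> str | None:
    return fields.get(key, [None])[0]


def parse_ts(value: str) -> date:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).date()


def apex(host: str) -> str:
    """Assumed two-label registrable apex, e.g. ns1.contabo.net -> contabo.net."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage(fields: dict[str, list[str]], first_seen: date, last_seen: date) -> dict:
    domain = first(fields, "Domain Name").lower()
    created = parse_ts(first(fields, "Creation Date"))
    expires = parse_ts(first(fields, "Registry Expiry Date"))
    ns_apexes = sorted({apex(ns) for ns in fields.get("Name Server", [])})
    return {
        "domain": domain,
        # Registered years before its first sighting: not throwaway campaign infrastructure.
        "age_days_at_first_seen": (first_seen - created).days,
        # Negative means the snapshot (see Updated Date) predates a renewal, or the domain lapsed.
        "days_to_expiry_at_last_seen": (expires - last_seen).days,
        "dnssec_signed": first(fields, "DNSSEC") != "unsigned",
        "contacts_redacted": any("REDACTED FOR PRIVACY" in v for vs in fields.values() for v in vs),
        # Registrant identity replaced by a fixed 16-hex-digit placeholder rather than a name.
        "registrant_identity_masked": all(
            HEX_TOKEN.fullmatch(first(fields, k) or "") is not None
            for k in ("Registrant Name", "Registrant Organization")
        ),
        "nameserver_apexes": ns_apexes,
        # Zone served from a different apex (here contabo.net): provider-managed DNS.
        "dns_served_from_other_apex": domain not in ns_apexes,
        "abuse_contact": first(fields, "Registrar Abuse Contact Email"),
    }


def triage_page_record() -> dict:
    return triage(parse_flat_whois(RAW_WHOIS), FIRST_SEEN, LAST_SEEN)


if __name__ == "__main__":
    for k, v in triage_page_record().items():
        print(f"{k}: {v}")
```

For this record the result is an eight-year-old registration, contacts redacted, registrant identity masked, DNSSEC unsigned, and DNS served from contabo.net rather than from the domain itself; the negative days-to-expiry only says the March 2025 WHOIS snapshot is older than the last sighting, so re-query before treating the domain as lapsed.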
IOC Journey: confidence medium; first detected 1 year ago, last seen today; appeared in 8 threat reports.
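Because the indicator is the apex of a hosting provider's reverse-DNS zone, a detection rule that matches any name ending in contaboserver.net will fire on every Contabo VPS a resolver ever looks up. The following is an added example for this page (not code from the feed or from any vendor) showing how to triage such hits: a bare-apex match is suppressed, a per-host match is turned into a pivot on the full hostname and its IP, and a match against an apex that is not a provider rDNS zone still alerts. Assumptions: the registrable apex is the last two labels (no public-suffix list); PROVIDER_RDNS_APEXES is a hand-kept set seeded with contaboserver.net because the WHOIS above shows the zone served by Contabo's own name servers and carrying 761,305 subdomains; SAMPLE_LOG is constructed (documentation address ranges, invented hostnames) and its line format is this example's own, not any product's.

```python
"""Triage DNS-log hits against an IOC that is a provider's generic rDNS apex (added example)."""
from __future__ import annotations

import re

IOC_APEX = "contaboserver.net"
PROVIDER_RDNS_APEXES = {"contaboserver.net"}  # assumption: extend with other providers' rDNS zones

# Constructed resolver log in this example's own format: "<ts> <PTR|A> <query> -> <answer>"
SAMPLE_LOG = [
    "2026-06-21T10:02:11Z PTR 203.0.113.10 -> vmi1234567.contaboserver.net.",
    "2026-06-21T10:02:12Z A www.example.com -> 198.51.100.7",
    "2026-06-21T10:02:13Z PTR 203.0.113.11 -> contaboserver.net.",
    "2026-06-21T10:02:14Z A mail.contaboserver.net -> 203.0.113.12",
    "2026-06-21T10:02:15Z A update.example.org -> 198.51.100.8",
]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<rtype>PTR|A) (?P<query>\S+) -> (?P<answer>\S+)$")


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot of an absolute DNS name."""
    return name.lower().rstrip(".")


def registrable_apex(host: str) -> str:
    """Assumed two-label apex; a public-suffix list would be needed for co.uk-style zones."""
    return ".".join(normalize(host).split(".")[-2:])


def classify_hit(name: str, ioc_apex: str, provider_apexes: set) -> dict | None:
    """Return None when the name does not match the IOC, otherwise a verdict dict."""
    name, ioc_apex = normalize(name), normalize(ioc_apex)
    if name == ioc_apex:
        kind = "exact"
    elif name.endswith("." + ioc_apex):
        kind = "subdomain"
    else:
        return None
    if registrable_apex(name) not in provider_apexes:
        return {"name": name, "kind": kind, "action": "alert", "pivot": name,
                "reason": "name under an indicator that is not a known provider rDNS zone"}
    if kind == "exact":
        return {"name": name, "kind": kind, "action": "suppress", "pivot": None,
                "reason": "bare provider rDNS apex names the hosting provider, not a tenant"}
    return {"name": name, "kind": kind, "action": "pivot", "pivot": name,
            "reason": "per-host provider rDNS name: pivot on the full hostname and its IP, never block the apex"}


def triage_log(lines, ioc_apex: str, provider_apexes: set) -> list:
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # PTR: the hostname is the answer and the IP the query; A: the reverse.
        host, ip = (m["answer"], m["query"]) if m["rtype"] == "PTR" else (m["query"], m["answer"])
        verdict = classify_hit(host, ioc_apex, provider_apexes)
        if verdict:
            verdict.update(ts=m["ts"], ip=ip)
            hits.append(verdict)
    return hits


def triage_page_log() -> list:
    return triage_log(SAMPLE_LOG, IOC_APEX, PROVIDER_RDNS_APEXES)


if __name__ == "__main__":
    for h in triage_page_log():
        print(h["ts"], h["action"].upper(), h["ip"], h["name"], "-", h["reason"])
```

Run on the constructed log this yields one suppressed bare-apex PTR and two pivots carrying a specific host and IP to enrich (reputation of the IP, other names resolving to it), which is the only level at which this indicator says anything about a tenant rather than about Contabo.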