68.220.60.229

TAGGED MALICIOUS
Threat Confidence
68%
Location
🇺🇸 US / San Jose
ASN
AS8075 · Microsoft Corporation
Cloud Provider
Microsoft Azure
Total Events
440
Top 10% by volume
Agent Count
2
First / Last Seen
2026-05-07 14:55 — 2026-05-07 15:18
Attack Types
ssh:bruteforce
MITRE ATT&CK Techniques
Reconnaissance
Initial Access
Credential Access
Discovery
Command and Control
External Corroboration
Blocklist.de
Reported 2026-05-07 17:01
blocklist_de:reported
Campaigns
Multi-Agent Scan SCAN Active medium
97 IPs 131198 events
2026-05-02 — ongoing · 97 IPs independently targeted the same honeypot sensors within a 24-hour window. Scanning the same targets in close …
Multi-Agent Scan SCAN Active medium
74 IPs 107351 events
2026-04-17 — ongoing · 74 IPs independently targeted the same honeypot sensors within a 24-hour window. Hosted on Azure. Scanning the same …
Multi-Agent Scan SCAN Active medium
75 IPs 111026 events
2026-03-16 — ongoing · 75 IPs independently targeted the same honeypot sensors within a 24-hour window. Scanning the same targets in close …
Multi-Agent Scan SCAN Active medium
76 IPs 113546 events
2026-03-16 — ongoing · 76 IPs independently targeted the same honeypot sensors within a 24-hour window. Scanning the same targets in close …
Multi-Agent Scan SCAN Active medium
75 IPs 113566 events
2026-03-16 — ongoing · 75 IPs independently targeted the same honeypot sensors within a 24-hour window. Scanning the same targets in close …
Multi-Agent Scan SCAN Active medium
17 IPs 3978 events
2026-03-16 — ongoing · 17 IPs independently targeted the same honeypot sensors within a 24-hour window. Scanning the same targets in close …
Multi-Agent Scan SCAN Active medium
60 IPs 21213 events
2026-03-16 — ongoing · 60 IPs independently targeted the same honeypot sensors within a 24-hour window. Scanning the same targets in close …
Multi-Agent Scan SCAN Active medium
74 IPs 47025 events
2026-03-04 — ongoing · 74 IPs independently targeted the same honeypot sensors within a 24-hour window. Scanning the same targets in close …
Multi-Agent Scan SCAN Active medium
16 IPs 2883 events
2026-03-02 — ongoing · 16 IPs independently targeted the same honeypot sensors within a 24-hour window. Scanning the same targets in close …
Session Forensics
scanner ×1 malware_dropper ×19
Sessions
20 (19 with login)
Avg Depth Score
0.96
Commands Executed
262
Files Downloaded
19
Notable Commands
  • echo "===HOSTNAME==="; hostname 2>/dev/null || echo EMPTY;; echo "===UNAME==="; uname -a 2>/dev/null || echo EMPTY;; echo "===WHOAMI==="; whoami 2>/dev/null || echo EMPTY;; echo "===PWD==="; pwd 2>/dev/null || echo EMPTY;; echo "===LS_ROOT==="; ls -la / 2>/dev/null | head -10 || echo EMPTY;; echo "===PS==="; ps aux 2>/dev/null | head -15 || echo EMPTY;; echo "===NETSTAT==="; netstat -tulpn 2>/dev/null | head -10 || echo EMPTY;; echo "===HISTORY==="; history 2>/dev/null | tail -5 || echo EMPTY;; echo "===SSH_VERSION==="; ssh -V 2>&1 || echo EMPTY;; echo "===UPTIME==="; uptime 2>/dev/null || echo EMPTY;; echo "===MOUNT==="; mount 2>/dev/null | head -5 || echo EMPTY;; echo "===ENV==="; env 2>/dev/null | head -10 || echo EMPTY;; echo "===CPU_CORES==="; nproc 2>/dev/null || grep -c '^processor' /proc/cpuinfo 2>/dev/null || echo 0;; echo "===ARCH==="; uname -m 2>/dev/null || echo unknown;; echo "===CPU_MODEL==="; grep 'model name' /proc/cpuinfo 2>/dev/null | head -1 | cut -d ':' -f2- | sed 's/^ *//' || echo unknown;; echo "===RESOURCES==="; echo MEMKB=$(awk '/MemTotal/{print $2}' /proc/meminfo 2>/dev/null) DISKKB=$(df / 2>/dev/null | awk 'NR==2{print $2}') USERCNT=$(wc -l < /etc/passwd 2>/dev/null) PKGCNT=$(dpkg -l 2>/dev/null | grep -c '^ii' || rpm -qa 2>/dev/null | wc -l || echo 0);; echo "===CONTAINER==="; cat /proc/1/cgroup 2>/dev/null | head -3; test -f /.dockerenv && echo DOCKERENV; test -f /run/.containerenv && echo CONTAINERENV; echo;; echo "===COWRIE==="; ls /opt/cowrie /home/richard /etc/cowrie 2>&1;; echo "===DMESG==="; dmesg 2>/dev/null | head -5 || echo EMPTY;; echo "===PORTS==="; ss -tulpn 2>/dev/null | grep LISTEN | head -20 || netstat -tulpn 2>/dev/null | grep LISTEN | head -20 || echo EMPTY;; echo "===NETCFG==="; ls -la /etc/network/interfaces /etc/sysconfig/network-scripts/ /etc/netplan/ 2>/dev/null | head -3 || echo EMPTY;; echo "===IPADDR==="; ip addr show 2>/dev/null | grep -E '^[0-9]+:' | head -5 || echo EMPTY;; echo "===IPROUTE==="; ip route 
show 2>/dev/null | head -3 || echo EMPTY;; echo "===WRITE==="; TF=/tmp/t_$$; echo test > $TF 2>&1 && echo WRITEOK && rm -f $TF || echo WRITEFAIL;; echo "===IDCHECK==="; id 2>/dev/null && echo IDOK || echo IDFAIL; whoami 2>/dev/null && echo WHOAMIOK || echo WHOAMIFAIL;; echo "===PKGMGR==="; which apt 2>/dev/null || which yum 2>/dev/null || which pacman 2>/dev/null || which zypper 2>/dev/null || echo NOPKG;; echo "===SERVICES==="; systemctl list-units --type=service --state=running 2>/dev/null | head -10 || echo NOSVC;; echo "===SOCKETS==="; ss -tuln 2>/dev/null | wc -l || echo 0;; echo "===GPU==="; nvidia-smi --query-gpu=name,memory.total,driver_version --format=csv,noheader 2>/dev/null || echo NOGPU;; echo "===MAXDISK==="; df -BG 2>/dev/null | awk 'NR>1{gsub("G","",$2); if($2+0>max) max=$2+0} END{print max+0}' || echo 0;; echo "===END==="
  • awk /MemTotal/{print $2} /proc/meminfo 2 > /dev/null
  • df / 2 > /dev/null | awk NR==2{print $2}
  • wc -l < /etc/passwd 2 > /dev/null
  • dpkg -l 2 > /dev/null | grep -c ^ii
  • rpm -qa 2 > /dev/null | wc -l
  • rpm -qa
  • echo 0
  • systemctl list-units --type=service --state=running
  • nvidia-smi --query-gpu=name,memory.total,driver_version --format=csv,noheader
  • dpkg -l
  • sed s/^ *//
Fingerprints
SSH-2.0-Go
Evidence Timeline
Malware Dropper cd1e68fa0e01 newark_01 · 2026-05-07 15:18
10 1 1 100%
Malware Dropper 5d1ca17672a6 newark_01 · 2026-05-07 15:18
10 1 1 100%
Malware Dropper 453e9b219575 w4m_seattle_01 · 2026-05-07 15:16
18 1 1 100%
Malware Dropper edb09c617273 newark_01 · 2026-05-07 15:14
10 1 1 100%
Malware Dropper 57924f28e3bd w4m_seattle_01 · 2026-05-07 15:13
18 1 1 100%
Malware Dropper b9bdac801908 newark_01 · 2026-05-07 15:13
10 1 1 100%
Malware Dropper d1246b3770ac w4m_seattle_01 · 2026-05-07 15:13
18 1 1 100%
Malware Dropper 27b0cd22393c w4m_seattle_01 · 2026-05-07 15:10
18 1 1 100%
Malware Dropper e268aa2a9069 w4m_seattle_01 · 2026-05-07 15:09
18 1 1 100%
Malware Dropper 4b67bab15fa0 w4m_seattle_01 · 2026-05-07 15:08
18 1 1 100%
Malware Dropper cbc7248fd381 newark_01 · 2026-05-07 15:06
10 1 1 100%
Scanner ac1f9a568b4a w4m_seattle_01 · 2026-05-07 15:04
15%
Malware Dropper 2342eeaee6ec w4m_seattle_01 · 2026-05-07 15:04
18 1 1 100%
Malware Dropper e4d437cf30d9 newark_01 · 2026-05-07 15:01
10 1 1 100%
Malware Dropper b2eb4a409a82 w4m_seattle_01 · 2026-05-07 15:01
18 1 1 100%
Malware Dropper 0e79840a032a newark_01 · 2026-05-07 15:00
10 1 1 100%
Malware Dropper 5c6eed2a5663 newark_01 · 2026-05-07 14:58
10 1 1 100%
Malware Dropper 9493bdf645dc newark_01 · 2026-05-07 14:57
10 1 1 100%
Malware Dropper 3ce6ba6a9fd8 newark_01 · 2026-05-07 14:56
10 1 1 100%
Malware Dropper 9c76c3f881c3 w4m_seattle_01 · 2026-05-07 14:55
18 1 1 100%