Dec 23, 2024 Intelligence Card
198.54.117.242 (IP Address)
Risk Score 34 | SUSPICIOUS | RECENT PHISHING HOST
Overview
Summary
Assessment RECENT PHISHING HOST
Domain Risks: Suspicious jlnichols.com +7 domains; Unusual gassep.com +24 domains; No Suspicious Content grindhood.com +550 domains (584 domains total)
IP Location United States (Geo)
ASN AS22612
ASN Owner NAMECHEAP-NET
Latest Reference Dec 6, 2024
Reference Count 100+
Insikt Notes 2 Last Published Date: Nov 7, 2023
Included in Recorded Future Security Cloud Telemetry
Recorded Future AI Insights (Narrative View)
The IP address 198.54.117.242 has been associated with various malicious activities, including spam and phishing, as identified by
Bitdefender on July 16, 2024, and in reports to Recorded Future on October 9, 2022, and March 26, 2023. It has been linked to a domain
related to Suppobox malware (wishstock[.]net), with multiple alerts issued by organizations such as CSIRT Chile and Ukraine Cert. The
IP has also been recognized as a proxy in external sensor data analysis. Its presence has been noted in the realm of social engineering
operations and is currently trending within the services industry in Germany. Additionally, prior sightings of the IP have been reported
through various cybersecurity platforms between September 22, 2023, and early October 2022.
Generated based on 9 Risk Rules | Generated by Recorded Future AI | OpenAI GPT Model
Risk Rules
9 out of 81 Risk Rules Triggered
1 Suspicious 8 Unusual
Analyst Notes from Tamkeentech: No Analyst Notes Created
Risk Rules
Risk History (last 3 months, Sep 27, 2024 to Dec 23, 2024; risk level scale: Unusual, Suspicious, Malicious, Very Malicious): chart not reproduced
Triggered Risk Rules on Dec 23, 2024 (all 9)
Recent Phishing Host
External Sensor Data Analysis. 198.54.117.242 was identified as phishing in External Sensor data. Reported to Recorded Future on Oct 09, 2022.
1 sighting on 1 source | Oct 9, 2022, 13:38
Observed in the Wild by Recorded Future Telemetry
Recently Viewed Integrations Indicators. Observed in the wild by Recorded Future Telemetry. Trending in 1 area: Germany. Trending in 1 industry: Services.
4 sightings on 1 source | Dec 23, 2024, 12:05
Historically Referenced by Insikt Group
Insikt Group. 2 reports including GreenBravo Infrastructure Established; Parallel Social Engineering Operation Observed. Most recent link (Nov 07, 2023):
https://app.recordedfuture.com/portal/analyst-note/doc:tUAUJ5
2 sightings on 1 source | Nov 7, 2023, 03:00
Historical Spam Source
Bitdefender Feed. Bitdefender identified 198.54.117.242 as Spam on July 16, 2024
9 sightings on 1 source | Oct 3, 2023, 21:09
Historical Open Proxies
External Sensor Data Analysis. 198.54.117.242 was identified as proxy in External Sensor data. Reported to Recorded Future on Mar 26, 2023.
1 sighting on 1 source | Mar 26, 2023, 13:10
Historically Linked to Intrusion Method
CSIRT Chile | Alerts, @dubstard. 3 related intrusion methods: Suppobox, Phishing, Trojan. Most recent tweet: New suppobox Dom: wishstock[.]net IP:
198[.]54[.]117[.]242 NS: https://t.co/KS9pTI1jef https://t.co/cICQYdDbuX. Most recent link (Oct 28, 2022):
https://twitter.com/DGAFeedAlerts/statuses/1585801029056167936
4 sightings on 3 sources | Oct 28, 2022, 04:10
Historical Threat Researcher
@DGAFeedAlerts. Most recent tweet: New suppobox Dom: wishstock[.]net IP: 198[.]54[.]117[.]242 NS: https://t.co/KS9pTI1jef https://t.co/cICQYdDbuX. Most recent
link (Oct 28, 2022): https://twitter.com/DGAFeedAlerts/statuses/1585801029056167936
1 sighting on 1 source | Oct 28, 2022, 04:10
Historically Reported as a Defanged IP
Ukraine Cert, OSINT Corp, @DGAFeedAlerts. Most recent tweet: New suppobox Dom: wishstock[.]net IP: 198[.]54[.]117[.]242 NS: https://t.co/KS9pTI1jef
https://t.co/cICQYdDbuX. Most recent link (Oct 28, 2022): https://twitter.com/DGAFeedAlerts/statuses/1585801029056167936
4 sightings on 3 sources | Oct 28, 2022, 04:10
Historically Reported in Threat List
Recorded Future Analyst Community Trending Indicators, Recently Viewed Integrations Indicators. Observed between Sep 22, 2023, and Sep 22, 2023.
Previous sightings on 2 sources
Detection Activity
Detections Last 90 Days: none shown; no security tools connected via the Integration Center
Insikt Group
Insikt Group Notes related to 198.54.117.242
GreenBravo Infrastructure Established; Parallel Social Engineering Operation Observed
Executive Summary
Insikt Group has identified newly registered infrastructure highly likely associated with GreenBravo (overlaps with APT42, TA453, Charming Kitten, and Mint Sandstorm)…
Insikt Research Lead 1 year ago
Threat Actor Profile: johnsmith999
Based on information from Recorded Future’s Identity Intelligence module, Insikt Group has identified a United Kingdom (UK)-based threat actor named “johnsmith999” as
a victim of an information stealer (infostealer) infection, revealing their own past and current malicious infrastructure. johnsmith999’s credential data, as identified from
infostealer malware logs, revealed their likely involvement in the development and propagation of 2 families of infostealers: Vidar and Arkei. Additionally, we observed…
Actor Profile Flash Report 1 year ago
Insikt Group Related Entities: none available
DNS Records
Open Ports and Software
Name Port Protocol Product Version Extra info
http 80 tcp OpenResty web app server - -
ssl/http 443 tcp nginx - -
Latest Seen Certificates
Subject Seen on Port Organization Location Validity
raa.namecheap.com 443 Sectigo Limited GB Nov 11, 2024 - Nov 30, 2025
Sectigo ECC Domain Validatio… 443 The USERTRUST Network US Nov 2, 2018 - Jan 1, 2031
USERTrust ECC Certification … 443 Comodo CA Limited GB Mar 12, 2019 - Jan 1, 2029
AAA Certificate Services 443 Comodo CA Limited GB Jan 1, 2004 - Jan 1, 2029
raa.namecheap.com 443 Sectigo Limited GB Oct 31, 2023 - Nov 30, 2024
CIDR Details
247 IP addresses in CIDR 198.54.117.0/24 with risk score 1 or higher
DNS
There are a total of 584 domains available
Reverse DNS N/A
Forward DNS grindhood.com, notsomecats.com, texasplayboys.net
Technical Links (last 30 days)
Victims & Exploit Targets
Organization
Other
Actors, Tools & TTPs
MITRE ATT&CK Enterprise Identifier
T1566 (Phishing)
Indicators & Detection Rules
Domain: geologica-rando.net ● 26 | URL: http://geologica-rando.net/ ● 10