不正URLへのアクセス、不正メールの受信
-
メール受信した弊社お客様: 0社
URLアクセスした弊社お客様: 0社
-
2023/02/01
※2023/02/01 更新
マルウェアに感染させると考えられるURLを検知(2023/02/01)
■IoC(※1)　※URLは無害化表記（hxxp、[.]）で記載しています
| Type: | IOC: | Signature: |
|---|---|---|
| URL | hxxps://senseofswitzerland[.]ch/t19[.]txt | Agent Tesla |
| URL | hxxp://62[.]204[.]41[.]72/hn85jlUn/index[.]php | Amadey |
| URL | hxxp://103[.]20[.]221[.]10/fwlink hxxp://103[.]20[.]221[.]10:8080/pixel[.]gif hxxp://103[.]96[.]129[.]49/j[.]ad hxxp://104[.]208[.]73[.]11/IE9CompatViewList[.]xml hxxp://124[.]223[.]96[.]251/ca hxxp://179[.]43[.]162[.]31/push hxxp://3[.]121[.]125[.]98/__utm[.]gif hxxp://38[.]34[.]253[.]57/fwlink hxxp://43[.]139[.]159[.]179/fwlink hxxp://47[.]102[.]147[.]243:9999/pixel[.]gif hxxp://47[.]102[.]147[.]243:9999/submit[.]php hxxp://62[.]182[.]85[.]254:4443/ga[.]js hxxp://68[.]178[.]206[.]43/cm hxxp://70[.]39[.]93[.]88/ptj hxxp://91[.]240[.]118[.]209:18010/cm hxxp://ns1[.]azure-atp[.]com/match hxxps://104[.]237[.]219[.]36/Collect/survey/KOFNGUFM8L hxxps://210[.]209[.]123[.]100/www/handle/doc hxxps://47[.]243[.]185[.]202:4444/match hxxps://chidao[.]icu:8443/image/ hxxps://ciruvowuto[.]com/Collect/survey/KOFNGUFM8L hxxps://dbx[.]formsift[.]io/itstheredteam hxxps://devcloudpro[.]com/nl[.]css | Cobalt Strike |
| URL | hxxp://45[.]93[.]201[.]114/docs/ynupxDnDelE4X3wIwlgB92MU5VemJf[.]txt | CryptBot |
| URL | hxxp://94[.]250[.]255[.]214/bigload/requestserverCdn[.]php | DCRat |
| URL | hxxps://43301[.]signing[.]unitynotarypublic[.]com/subscribeEvent hxxps://73b7b[.]signing[.]unitynotarypublic[.]com/subscribeEvent hxxps://81207[.]fate[.]truelance[.]com/subscribeEvent hxxps://fd1df[.]signing[.]unitynotarypublic[.]com/subscribeEvent | FAKEUPDATES |
| URL | hxxp://103[.]232[.]54[.]88/datacloud/vbc[.]exe hxxp://103[.]232[.]54[.]88/explorer/vbc[.]exe hxxp://94[.]131[.]98[.]175/lang/engUS/setup/sof[.]exe hxxp://www[.]keprom[.]works/pzb5/ | Formbook |
| URL | hxxp://103[.]171[.]1[.]139/microsoft/csrss[.]exe hxxp://103[.]232[.]54[.]143/microsoft/[.]csrss[.]exe | LokiBot |
| URL | hxxp://115[.]54[.]104[.]96:40901/Mozi[.]m hxxp://125[.]47[.]227[.]131:44732/Mozi[.]m | Mozi |
| URL | hxxp://harddrystamp[.]com/rar/1[.]txt hxxp://harddrystamp[.]com/rar/i[.]php hxxps://antoniodelgadoarquitectos[.]com/Setup[.]rar | NetSupportManager RAT |
| URL | hxxp://upcoming100[.]com/1[.]jpg hxxp://upcoming100[.]com/2[.]jpg hxxp://upcoming100[.]com/3[.]jpg hxxp://upcoming100[.]com/4[.]jpg hxxp://upcoming100[.]com/5[.]jpg hxxp://upcoming100[.]com/6[.]jpg hxxp://upcoming100[.]com/7[.]jpg | Oski Stealer |
| URL | hxxp://americar[.]rs/email1/pony/gate[.]php | Pony |
| URL | hxxp://194[.]180[.]49[.]17/Pruwgxlsz[.]bmp | PureCrypter |
| URL | hxxp://103[.]214[.]71[.]45/87425[.]dat hxxp://91[.]235[.]234[.]97/63566[.]dat hxxp://studentservicespk[.]com/UTOU[.]php? hxxps://abmarketotomasyon[.]com/AMQU[.]php hxxps://abmarketotomasyon[.]com/AMQU[.]php? hxxps://acxtech[.]co[.]in/UT[.]php? hxxps://adventure1zone[.]com/ULU[.]php? hxxps://amartam[.]com/PI[.]php? hxxps://americaninnpeosta[.]com/MO[.]php? hxxps://beautyessentialsbyhaley[.]com/UA[.]php? hxxps://bestgraders[.]com/PSS[.]php? hxxps://bitrue[.]cc/ISUQ[.]php? hxxps://bitrue[.]cc/ISUQ[.]php?LVUTSPOA=6 hxxps://bossassistant[.]com/ESS[.]php? hxxps://bsab[.]com[.]au/SDPO[.]php? hxxps://careersreach[.]com/EST[.]php? hxxps://cdaaj[.]org[.]mx/LG[.]php? hxxps://centroclinicoendosalud[.]com/MUAU[.]php? hxxps://cinemaapk[.]info/AEM[.]php? hxxps://codezian[.]com/Nt57/300123[.]gif hxxps://comskillconnect[.]com/ON[.]php? hxxps://cyber-pulsa[.]com/EIOD[.]php? hxxps://danoi[.]co/AUN[.]php? hxxps://daymarkea[.]com/PS[.]php? hxxps://dfwmedicalclinic[.]com/LL[.]php? hxxps://dk-electrics[.]com[.]au/ULE[.]php? hxxps://dskscreen[.]com/CUA[.]php? hxxps://ear-link[.]com/EM[.]php? hxxps://earthly[.]pk/EET[.]php? hxxps://ecoterra[.]co[.]id/RNO[.]php? hxxps://edificiomestura[.]es/UIMS[.]php? hxxps://energizett[.]com/1llNOC1/300123[.]gif hxxps://expatsshipping[.]com/SEDU[.]php? hxxps://flashnewsbensedira[.]com/DLOO[.]php? hxxps://foodculturefiji[.]com/SI[.]php? hxxps://gaaws[.]go[.]tz/RMOE[.]php? hxxps://getyourfreelovebug[.]com/TI[.]php hxxps://gicegy[.]com/AATS[.]php? hxxps://goplus[.]com[.]co/SEDA[.]php hxxps://gotthelot[.]org[.]au/RTAM[.]php? hxxps://guide2green[.]com/ITFI[.]php? hxxps://hamamcpa[.]com/CLAI[.]php? hxxps://homeisland[.]com[.]ng/TNBD[.]php? hxxps://hukaam[.]store/DV[.]php? hxxps://hurtlockerrichmond[.]com[.]au/NUA[.]php? hxxps://huzerconsulting[.]com/OT[.]php? hxxps://ibird[.]jp/CRR[.]php? hxxps://ieet[.]pt/AD[.]php? hxxps://indianmores[.]com/ASIT[.]php? hxxps://inegypt[.]app/IISU[.]php? hxxps://inetaid[.]com/TLSR[.]php? hxxps://ineteck[.]com/EITN[.]php? hxxps://inopralim[.]com/SOU[.]php? hxxps://kalyannursery[.]com/SAE[.]php? hxxps://karingheartsagency[.]com/LT[.]php? hxxps://lerecom[.]com/EEDA[.]php? hxxps://livinglokal[.]com/MEU[.]php? hxxps://llc[.]edu[.]pk/UE[.]php? hxxps://locanadapharmacy[.]info/UO[.]php? hxxps://lubrisense[.]com[.]mx/NERV[.]php? hxxps://magnasonfilm[.]com/AU[.]php? hxxps://masterpiecedesigns[.]digital/IA[.]php? hxxps://media-hopper[.]com/OESR[.]php? hxxps://mgconstructioncorp[.]com/EI[.]php? hxxps://moringagaininc[.]com/PB[.]php? hxxps://mydgaccountants[.]co[.]za/LROB[.]php? hxxps://myron[.]ae/ECFF[.]php? hxxps://myvigyan[.]com/m1YPt/300123[.]gif hxxps://natacionsanfelipe[.]com/OIM[.]php? hxxps://neuropraxisrehab[.]com/SORU[.]php? hxxps://nubiotech[.]in/QM[.]php? hxxps://onlinelaudos[.]com[.]br/ITLO[.]php? hxxps://pasventures[.]in/QTEA[.]php? hxxps://prabhuecobags[.]com/XE[.]php? hxxps://primehealthnews[.]net/RI[.]php? hxxps://proresourceservice[.]com/SAU[.]php? hxxps://publicidad-practifood[.]com/ESE[.]php? hxxps://readyforfinance[.]in/MIEN[.]php? hxxps://restauranteavomaria[.]com/AUTU[.]php? hxxps://rjll[.]org[.]pk/TUEI[.]php? hxxps://sacredly[.]io/CECI[.]php? hxxps://sehamedical[.]net/QOE[.]php? hxxps://sekasao[.]go[.]th/OIL[.]php? hxxps://soundhealing[.]today/TRNC[.]php? hxxps://surticolchon[.]mx/IDI[.]php? hxxps://tesi[.]com[.]mx/ER[.]php? hxxps://tofreezeornottofreeze[.]com/DE[.]php? hxxps://toklar[.]com[.]br/PS[.]php? hxxps://trace2biometrics[.]com/AUT[.]php? hxxps://transcellonco[.]science/EE[.]php? hxxps://trendusedautoatlanta[.]com/PLT[.]php? hxxps://trustmedksa[.]com/BM[.]php? hxxps://vikdis[.]com/QTOD[.]php? hxxps://webley[.]in/SRUM[.]php? hxxps://yanezphoto[.]com/EE[.]php? hxxps://zanziflowerstours[.]com/NOIU[.]php? hxxps://zona-kaizen[.]com/SSA[.]php? hxxp://45[.]155[.]37[.]124/14449[.]dat hxxp://91[.]235[.]234[.]97/12826[.]dat | QakBot |
| URL | hxxp://85[.]208[.]136[.]4/ERE[.]exe hxxp://85[.]208[.]136[.]4/IZF[.]exe hxxp://85[.]208[.]136[.]4/KYE[.]exe | Remcos |
| URL | hxxp://194[.]180[.]49[.]147/mbak[.]exe | Snake Keylogger |
| URL | hxxp://116[.]203[.]6[.]107/14 hxxp://116[.]203[.]6[.]107/408 hxxp://116[.]203[.]6[.]107/726 hxxp://116[.]203[.]6[.]107/760 hxxp://116[.]203[.]6[.]107/869 hxxp://135[.]181[.]41[.]147/14 hxxp://135[.]181[.]41[.]147/408 hxxp://135[.]181[.]41[.]147/439 hxxp://135[.]181[.]41[.]147/498 hxxp://135[.]181[.]41[.]147/583 hxxp://135[.]181[.]41[.]147/682 hxxp://135[.]181[.]41[.]147/713 hxxp://135[.]181[.]41[.]147/872 hxxp://135[.]181[.]43[.]158/19 hxxp://135[.]181[.]43[.]158/255 hxxp://135[.]181[.]43[.]158/827 hxxp://135[.]181[.]43[.]158/831 hxxp://157[.]90[.]148[.]112/682 hxxp://157[.]90[.]148[.]112/869 hxxp://65[.]109[.]168[.]191/498 hxxp://65[.]109[.]168[.]191/713 hxxp://65[.]109[.]168[.]191/736 | Vidar |
| URL | hxxp://127[.]0[.]0[.]1:4444/Vre | Vjw0rm |







