不正URLへのアクセス、不正メールの受信
-
メール受信した
弊社お客様0社 URLアクセスした
弊社お客様2社 -
2024/02/09
※2024/02/09 更新
マルウェア感染させると考えられるURLを検知(2024/02/09)
■IoC(※1)
| Type: | IOC: | Signature: |
|---|---|---|
| URL | hxxp://hubvera[.]ac[.]ug/net[.]exe hxxp://marksidfgs[.]ug/ghjkl[.]exe hxxp://marksidfgs[.]ug/net[.]exe hxxp://lastimaners[.]ug/ghjk[.]exe hxxp://hubvera[.]ac[.]ug/asdfg[.]exe hxxp://hubvera[.]ac[.]ug/asdf[.]EXE hxxp://mistitis[.]ug/native[.]exe hxxp://partadino[.]ac[.]ug/asdfg[.]exe hxxp://partadino[.]ac[.]ug/native[.]exe hxxp://mistitis[.]ug/asdf[.]EXE hxxp://marksidfg[.]ug/ghjkl[.]exe hxxp://mistitis[.]ug/ghjkl[.]exe hxxp://partadino[.]ac[.]ug/ghjk[.]exe hxxp://marksidfg[.]ug/native[.]exe hxxp://marksidfg[.]ug/net[.]exe hxxp://safetygear[.]pk/native[.]exe hxxp://scientific[.]pk/asdfg[.]exe hxxp://safetygear[.]pk/asdf[.]EXE hxxp://scientific[.]pk/asdf[.]EXE hxxp://opsdjs[.]ug/asdfg[.]exe hxxp://opsdjs[.]ug/ghjk[.]exe hxxp://scientific[.]pk/ghjk[.]exe hxxp://safetygear[.]pk/net[.]exe hxxp://opsdjs[.]ug/ghjkl[.]exe hxxp://mail[.]check-time[.]ru/ghjkl[.]exe hxxp://mail[.]check-time[.]ru/net[.]exe hxxp://mail[.]check-time[.]ru/ghjk[.]exe hxxp://smtp[.]qwertzx[.]ru/asdfg[.]exe hxxp://mail[.]check-time[.]ru/asdfg[.]exe hxxp://smtp[.]qwertzx[.]ru/native[.]exe hxxp://smtp[.]qwertzx[.]ru/ghjk[.]exe hxxp://smtp[.]qwertzx[.]ru/asdf[.]EXE hxxp://opesjk[.]ug/net[.]exe hxxp://opesjk[.]ug/ghjk[.]exe hxxp://opesjk[.]ug/native[.]exe |
Rhadamanthys |
| URL | hxxp://193[.]233[.]132[.]167/lend/lumma123142124[.]exe hxxp://77[.]91[.]68[.]222:8000/current[.]exe hxxp://5[.]42[.]67[.]14/12re/St/LM[.]exe hxxps://chubb-institute[.]com/temp/lumma[.]exe |
Lumma Stealer |
| URL | hxxp://193[.]233[.]132[.]167/lend/for[.]exe hxxp://193[.]233[.]132[.]167/lend/Goldprime[.]exe hxxp://193[.]233[.]132[.]167/lend/rwtweewge[.]exe hxxps://github[.]com/Sobaka212/n/releases/download/rr/ce0b953269c74bc[.]exe hxxps://predict-expert[.]pro/222[.]exe |
RedLine Stealer |
| URL | hxxp://195[.]20[.]16[.]45/api/flash[.]php hxxp://195[.]20[.]16[.]45/api/firecom[.]php |
PrivateLoader |
| URL | hxxp://5[.]42[.]67[.]14/doctr8fb7z9/index[.]php hxxp://5[.]42[.]66[.]32/g8samsA2/index[.]php |
Amadey |
| URL | hxxp://aitcaid[.]com/9659650c81ce1b984c58[.]js hxxp://pluralism[.]themancav[.]com/lbK9kO6Q3vnxkIeio4aRsueQh7L82d/o+dXbsug= hxxp://mwasro[.]com/25012024[.]js hxxps://xzfh[.]our[.]openarmscv[.]org/editContent |
FAKEUPDATES |
| URL | hxxp://185[.]202[.]175[.]135/kNFmLpb31[.]bin hxxp://103[.]183[.]115[.]241/XbSEyByLtjGfXxfjB139[.]bin hxxps://sinopbisikletkiralama[.]com/admin/NoEJqNRcdmzjHSSKztxFX223[.]bin hxxps://sinopbisikletkiralama[.]com/admin/Transve[.]prx hxxps://lacompile[.]fr/wp-includes/soggeoJTPyszy79[.]bin hxxps://lacompile[.]fr/wp-includes/Obeis[.]prm hxxps://sinopbisikletkiralama[.]com/admin/photosensi[.]cur hxxps://sinopbisikletkiralama[.]com/admin/tYbxMUtvmCmBeOx180[.]bin hxxps://sinopbisikletkiralama[.]com/admin/BeeHlVaWwr67[.]bin hxxps://sinopbisikletkiralama[.]com/admin/Testat[.]snp |
CloudEyE |
| URL | hxxp://45[.]74[.]19[.]84/xampp/bkp/bkp1_vbs[.]jpg hxxp://83[.]143[.]104[.]148/blub/ballonservicefrommicrosfotisgrwoingfasterthanbeforebecauseitsverygoodupgradeandupdationfromthemicrosoft[.]doC hxxp://83[.]143[.]104[.]148/3460/loveandlover[.]vbs hxxp://107[.]175[.]202[.]154/6666/lovegreatlover[.]vbs hxxp://107[.]175[.]202[.]154/rcp/ballonservicecenterdesignedfornewupdationandupgradenewprojectforimproveentirethinsgonthepctomakeiteasyandfasterpc[.]doC hxxp://107[.]175[.]202[.]154/6666/LLCR[.]txt hxxp://83[.]143[.]104[.]148/3460/BLUB[.]txt hxxps://flq22q[.]dm[.]files[.]1drv[.]com/y4m0y_mqSTM6KZjq4YolBC1lzAvPR1kItaFxfXqPjA9abW8O_SegMiNbhtYNDjUENodE6ryb4erzLEjvE8xggNxQmRRI1GEQ4MnzlcBPQ-0F3RTQe45R5PtxIZVfQhx8L1yvDBNvfEibWKPPmfYAYqG7KJ6Cx-L8Y3Te2una73_Rf3cxansaUuz8PiQmHgUrxxzmfR1xuYNGY8hq48SHh563w/255_Nrsdkpanrok?download&psid=1 |
Remcos |
| URL | hxxp://193[.]187[.]174[.]182/f79abd6a472c7e1d/softokn3[.]dll hxxp://193[.]187[.]174[.]182/f79abd6a472c7e1d/msvcp140[.]dll hxxp://193[.]187[.]174[.]182/f79abd6a472c7e1d/sqlite3[.]dll hxxp://193[.]187[.]174[.]182/f79abd6a472c7e1d/freebl3[.]dll hxxp://193[.]187[.]174[.]182/f79abd6a472c7e1d/nss3[.]dll hxxp://193[.]187[.]174[.]182/f79abd6a472c7e1d/vcruntime140[.]dll hxxp://193[.]187[.]174[.]182/f79abd6a472c7e1d/mozglue[.]dll |
Stealc |
| URL | hxxp://172[.]245[.]214[.]91/wednewsmangero[.]vbs hxxp://172[.]245[.]214[.]91/wedfreshairgetfrommicrosfotballontechnologywithnewadvanceprocesstocompletenewthingsfrompc[.]doC hxxp://45[.]74[.]19[.]84/xampp/bkp/bkp_hta[.]jpg hxxp://172[.]245[.]214[.]91/comprobante%20de%20transferencia987586[.]hta hxxps://api[.]telegram[.]org/bot6448314066:AAGHs9VyDtDoh_LYPmdaTt3AQ5yr3qSwUkA/ |
Agent Tesla |
| URL | hxxp://553689cm[.]nyashsens[.]top/TosecurepacketgeocpuauthSqlWindowspublictemp[.]php hxxps://github[.]com/Sobaka212/n/releases/download/rr/DCRatBuild[.]exe hxxp://103761cm[.]nyashsens[.]top/EternalGameServeruniversal[.]php hxxp://185[.]16[.]39[.]248/Better/Multi2eternalRequest/6/MariadbUniversalMariadbExternal/TempDatalife/024update/Auth/DownloadsFlower5Downloads/dle/4Temporarysql/ApiCpu53/wordpressdownloads[.]php hxxp://265003cm[.]nyashtech[.]top/GameBigloadwindowscdnUploadsTemporary[.]php |
DCRat |
| URL | hxxp://172[.]245[.]135[.]142/3333/cupcakesweet[.]vbs hxxp://172[.]245[.]135[.]142/3333/b19/ballonprocessedbymicrosofttostickonnewindustrytodevelopnewproductupdateandupgradetheperformanceofpc[.]doC |
LokiBot |
| URL | hxxps://172[.]200[.]160[.]7/mod/resellers/2E4WLR6U3UV hxxp://107[.]174[.]253[.]49/api/3 hxxps://www[.]fucksec[.]buzz:8443/api/3 hxxps://88[.]214[.]25[.]254/Validate/v10[.]6/W2GE3SC8 hxxp://159[.]112[.]177[.]137/download/ hxxp://146[.]235[.]52[.]69/download/ hxxp://18[.]118[.]35[.]133/fwlink hxxps://134[.]122[.]75[.]115:444/visit[.]js |
Cobalt Strike |
| URL | hxxps://sybrstrmteknopark[.]net/OWUyYzIyNzhjMjk4/ hxxps://sybrstrmteknokalak[.]net/OWUyYzIyNzhjMjk4/ hxxps://sybrstrmtdiyari[.]com/OWUyYzIyNzhjMjk4/ hxxps://hk-49847[.]com/NzBkMWE2ZDM0MWE2/ hxxps://jolaxodanser[.]xyz/YWFiM2VkMmFmNWFh/ hxxps://jolaxodanserxyz[.]net/YWFiM2VkMmFmNWFh/ hxxps://hk-49847[.]net/NzBkMWE2ZDM0MWE2/ hxxps://hk-49847[.]info/NzBkMWE2ZDM0MWE2/ hxxps://hk-49847[.]org/NzBkMWE2ZDM0MWE2/ hxxps://hk-49847[.]xyz/NzBkMWE2ZDM0MWE2/ |
Coper |
| URL | hxxp://91[.]92[.]241[.]172/oorig/new_inte[.]exe hxxp://91[.]92[.]241[.]172/batushka/twointe hxxp://94[.]156[.]66[.]186/oorig/new_inte[.]exe hxxp://94[.]156[.]66[.]186/batushka/twointe |
GCleaner |
| URL | hxxp://54[.]88[.]122[.]159/bins/arm4 hxxp://54[.]88[.]122[.]159/skid[.]mpsl hxxp://54[.]88[.]122[.]159/bins/mpsl hxxp://54[.]88[.]122[.]159/bins/arm5 hxxp://54[.]88[.]122[.]159/skid[.]arm5 hxxp://54[.]88[.]122[.]159/bins/mips hxxp://54[.]88[.]122[.]159/bins/i586 hxxp://54[.]88[.]122[.]159/bins/sh4 hxxp://54[.]88[.]122[.]159/bins/m68k hxxp://54[.]88[.]122[.]159/skid[.]x86 hxxp://54[.]88[.]122[.]159/bins/arm6 hxxp://54[.]88[.]122[.]159/bins/x86 hxxp://54[.]88[.]122[.]159/skid[.]mips hxxp://54[.]88[.]122[.]159/skid[.]ppc hxxp://54[.]88[.]122[.]159/bins/powerpc hxxp://54[.]88[.]122[.]159/bins/spc hxxp://54[.]88[.]122[.]159/skid[.]sparc hxxp://54[.]88[.]122[.]159/bins/i686 |
Bashlite |
| URL | hxxps://77trips[.]com/H6384625474[.]zip | XWorm |
| URL | hxxps://cdn[.]discordapp[.]com/attachments/1063897668436381750/1204934196338892830/4_npp[.]8[.]6[.]portable[.]x64[.]zip?ex=65d6896b&is=65c4146b&hm=0c5477a7e2da8f772ecf6ee29 | WikiLoader |
| URL | hxxp://siteseoguide[.]com/ponyb/gate[.]php hxxp://6[.]magicalomaha[.]co/ponyd/gate[.]php hxxp://116[.]122[.]158[.]195:8080/ponyb/gate[.]php hxxp://siteseoguide[.]com:8080/ponyb/gate[.]php hxxp://uksonlinedating[.]com:8080/ponyb/gate[.]php hxxp://199[.]59[.]56[.]105:8080/ponyb/gate[.]php hxxp://br1[.]irontrial[.]com:8080/ponyd/gate[.]php hxxp://br1[.]pineapplesdonthavesleeves[.]com:8080/ponyd/gate[.]php hxxp://89[.]166[.]50[.]40:8080/ponyd/gate[.]php |
Pony |
| URL | hxxp://192[.]3[.]179[.]145/T0802F/wininit[.]exe | OriginLogger |
| URL | hxxps://mscreusois[.]fr/2d3fu/ hxxps://orangebrands[.]co[.]tz/pgdfga/ hxxps://ilovelittletree[.]com/6n7l/ hxxps://servitecaartigues[.]cl/v3rg/ hxxps://dreamkarts[.]com/pmesuv/ hxxps://eguru[.]my[.]id/f9z/ hxxps://stjosephacademy[.]co[.]in/idbl/ hxxps://buahati[.]com/aov/ hxxps://everclear[.]net[.]au/yem/ hxxps://ritafreshfood[.]com/0ufm/ hxxps://allinsectkiller[.]com/no2yly/ hxxps://meetneathalal[.]com/mrifeo/ hxxps://montefeltrodiesel[.]com[.]br/why/ hxxps://csromania[.]ro/g9y/ hxxps://sivassayacoku[.]com[.]tr/9nsmwq/ hxxps://iswimacademy[.]com/0hqwup/ hxxps://iradio[.]co[.]in/al83z/ hxxps://sihatmagazine[.]com/nw1r1/ hxxps://visualescariz[.]com/zurs/ hxxps://cigarette-electronique-luxe[.]com/dbuh/ hxxps://entrevientos[.]com[.]ar/ccq/ hxxps://ob[.]ae/oyk/ hxxps://digitizeforme[.]com/vmtl/ hxxps://shiatsutours37[.]fr/1bimmg/ hxxps://a-hayah[.]com/xqycs/ hxxps://mascabane[.]fr/84ju/ hxxps://davidgrandspa[.]com/o2qoj/ hxxps://graceandyoung[.]com/ev1fyt/ hxxps://savoiecommerces[.]fr/1m1sin/ hxxps://gloverstech[.]com/tJWz9/ |
Pikabot |
| URL | hxxp://couriercare[.]in/9/gate[.]php | Arkei Stealer |
| URL | hxxp://flex[.]sunaviat[.]com/data/pdf/june[.]exe | Socks5 Systemz |
