不正URLへのアクセス、不正メールの受信
-
メール受信した弊社お客様：0社
URLアクセスした弊社お客様：0社
2024/03/18
※2024/03/18 更新
マルウェアに感染させると考えられるURLを検知(2024/03/18)
■IoC(※1)　※URLは無害化表記（hxxp、[.]）で記載しています
| Type | IOC | Signature |
|---|---|---|
URL | hxxp://392065cm[.]n9shteam2[.]top/nyashsupport[.]php hxxps://pastebin[.]com/raw/qivZa09c hxxps://pastebin[.]com/raw/uH7fe8HK hxxp://27925375[.]whiteproducts[.]ru/L1nc0In[.]php hxxp://89[.]23[.]96[.]177/FlowerPublicpacket/db8test5/Wordpress02Flower/ProcessorLongpolllow/Defaultprotect/_Temp/bigloaddatalife7Mariadb/_vmbetterimage/DumpPipeJavascriptpython/8default/1/TrafficProvider/wp/wpApi/Vmlongpoll1/6wordpressPacket/0MultiupdateAuth/4/pipeAuthtest[.]php hxxp://89[.]23[.]97[.]121/Flowerprocessorjavascriptvideo/eternalbigload/test/4/Test/16Datalife8/HttpWpUploads/JsSqlSqlLine/UploadsCpuproton/Dbprotect/Local/Update/JsTemp/videolinepythonSql/flower/apiwordpressTest_/javascriptuniversal/ImageapiTemp[.]php |
DCRat |
URL | hxxp://107[.]174[.]228[.]79:4444/dot[.]gif hxxp://111[.]229[.]19[.]199/en_US/all[.]js hxxp://1[.]94[.]52[.]236:88/visit[.]js hxxp://service-bvvdi136-1317500845[.]gz[.]tencentapigw[.]com/pixel hxxps://xunleicloud[.]com:8443/ga[.]js hxxps://198[.]251[.]88[.]196/ga[.]js hxxps://192[.]227[.]155[.]201/dpixel hxxp://123[.]20[.]56[.]214:7777/en_US/all[.]js hxxps://120[.]222[.]152[.]234/en-us/silentauth hxxps://120[.]222[.]152[.]206/en-us/silentauth hxxps://60[.]204[.]133[.]143/j[.]ad hxxp://8[.]219[.]54[.]123/IE9CompatViewList[.]xml hxxps://156[.]251[.]162[.]29/updates[.]rss hxxps://77[.]232[.]143[.]206/j[.]ad hxxps://service-mx77zdhn-1303081427[.]sh[.]tencentapigw[.]com/jquery-3[.]3[.]1[.]min[.]js hxxps://cdn-lnk-075[.]epsonupdate[.]uk/load hxxps://apps[.]nbcnews[.]site/bm[.]css hxxp://199[.]195[.]252[.]200:4433/Content hxxps://139[.]155[.]97[.]79:46638/define/cookies/J7Y8XV07BJQ hxxp://120[.]46[.]207[.]190/push hxxps://103[.]253[.]146[.]79/jquery-3[.]3[.]1[.]min[.]js hxxps://185[.]91[.]127[.]221/en_US/all[.]js hxxp://101[.]35[.]19[.]133/visit[.]js hxxp://175[.]178[.]47[.]86:6666/g[.]pixel hxxps://43[.]153[.]222[.]28/ga[.]js hxxps://111[.]51[.]156[.]207/ga[.]js hxxps://61[.]170[.]44[.]209/en_US/all[.]js hxxps://36[.]131[.]222[.]214/dot[.]gif hxxps://59[.]80[.]47[.]124/dpixel hxxps://106[.]225[.]221[.]115/activity hxxps://119[.]167[.]249[.]113/__utm[.]gif hxxps://43[.]141[.]11[.]229/dpixel hxxps://cdn-014[.]epsonupdate[.]uk:8443/match hxxp://www[.]baidu12366[.]xyz:8080/image/ hxxps://update[.]mozilia-tm[.]org/load hxxps://z886888[.]top/ca hxxps://86[.]106[.]20[.]179/ab[.]html hxxps://onlinetraveler[.]net/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books hxxps://121[.]36[.]198[.]85/dot[.]gif hxxp://47[.]96[.]229[.]84:9999/dpixel hxxp://121[.]36[.]33[.]53/load hxxp://139[.]9[.]190[.]31:8080/ptj hxxps://121[.]40[.]119[.]94:8443/en_US/all[.]js hxxp://123[.]207[.]45[.]112/dpixel hxxps://1[.]94[.]110[.]130/en_US/all[.]js 
hxxp://service-89u0y7ij-1305550121[.]sh[.]tencentapigw[.]com/__utm[.]gif hxxp://www[.]10086cn[.]xyz:8080/jquery-3[.]3[.]1[.]min[.]js hxxps://1[.]94[.]110[.]130/ga[.]js hxxp://37[.]120[.]239[.]32/link[.]css hxxp://cdn[.]3qweraa[.]beauty:8080/jquery-3[.]3[.]1[.]min[.]js hxxps://146[.]70[.]44[.]156:8443/cm hxxp://47[.]120[.]63[.]211/activity hxxps://47[.]92[.]155[.]195:8443/activity hxxps://www[.]10086cn[.]xyz:8443/jquery-3[.]3[.]1[.]min[.]js hxxp://8[.]134[.]126[.]121:6666/load hxxp://service-d1ssjklq-1306655841[.]gz[.]tencentapigw[.]com[.]cn/api/x hxxps://124[.]222[.]147[.]8:9443/c/msdownload/update/others/2016/12/29136388_ hxxp://80[.]87[.]206[.]160:8090/cm hxxp://8[.]222[.]147[.]15/activity hxxp://8[.]222[.]147[.]15/updates[.]rss |
Cobalt Strike |
URL | hxxp://110[.]165[.]19[.]109:8090/js/45[.]64[.]rar hxxp://110[.]165[.]19[.]109:8090/js/45[.]6472[.]txt hxxp://185[.]216[.]70[.]138/download/redtail[.]sh hxxp://45[.]150[.]108[.]247/Z4LuP1s_2281488[.]exe hxxps://nacionalveiculos[.]com/Soft[.]exe hxxp://205[.]185[.]121[.]68/x86_64 hxxp://185[.]82[.]202[.]126/x86_64 | Coinminer |
URL | hxxp://51[.]222[.]186[.]95/dn12[.]zip | Grandoreiro |
URL | hxxps://sbaratao[.]com[.]br/controler/ARQUIVO[.]rar | Ousaban |
URL | hxxp://147[.]185[.]243[.]107/xampp/klr/kla/myworldialwaysurlovertohearuaremyworldbecauseitrulyloveyoualotbecause_____youaremybabyandalwaysloverhersoomuchtruly[.]doc | Remcos |
URL | hxxp://23[.]95[.]60[.]74/myconfidentisshelovedmetrulyfromtheheartforneverknowbeforehowitswillbethegreatlove____understandhowmuchwelovedhertrulyfromthehearttobegreatmeansgreat[.]doc hxxp://23[.]95[.]60[.]74/ilovemywifemorethananyoneitsnevernobodyknowbecauseiloveheralotsheismyheart____ilovemywifemorethananyonethankyousoomuch[.]doc hxxps://api[.]telegram[.]org/bot6444185583:AAGERH8MMd1waxkmHCgwy8-Tr7bkj6jpwl8/ hxxps://discord[.]com/api/webhooks/1217315513764679760/qp0dpgsN2rfNijoHbj92f7XdY-npVNaa0ZG5zrWuOAdp7LGYuJpjsU1F0vo_iasZWumw hxxps://drive[.]google[.]com/uc?export=download&id=1nJBs0n5ZHXEVBJYUte8t2Bug3-apHHr9 hxxps://vauxhall[.]top/error/prinsozx[.]scr hxxps://discord[.]com/api/webhooks/1216669121006014576/iBTDeqqrD332QaH17eCwpoxhZOjUfymFQDYfr5vYOj1f1BKo0NiAb3CqgyvLz18BR0Ra |
Agent Tesla |
URL | hxxps://bitbucket[.]org/testing-pen/test_repo/raw/ac103c974462f67d0c883aeb3848c2a9275328af/pok0o0[.]exe hxxps://bitbucket[.]org/testers12/test_repo/raw/e67f0c9700b3c8904829c0908a61b2d946d1d324/xxsw[.]exe hxxps://fajus[.]net/987123[.]exe hxxps://inventerscorp[.]org/dozk2[.]exe hxxp://unidasg[.]top/outh[.]php hxxp://193[.]233[.]132[.]167/cost/lenin[.]exe hxxp://185[.]215[.]113[.]45/cost/random[.]exe | Stealc |
URL | hxxps://noithaticon[.]vn/DRIVEapplet[.]exe | Rhadamanthys |
URL | hxxps://zamesblack[.]fun/api hxxps://medalappearancerackw[.]shop/api hxxps://modernizepledgeoi[.]shop/api hxxps://sofahuntingslidedine[.]shop/api hxxps://townsfolkhiwoeko[.]fun/api hxxps://favourlegislatureduei[.]shop/api hxxps://vatleaflettrusteeooj[.]shop/api hxxps://questbehavixoporpo[.]shop/api hxxps://mutterunlikelyoo[.]shop/api hxxps://drilmoralwandreowpops[.]shop/api hxxps://decorousnumerousieo[.]shop/api hxxps://lightsecretatylattew[.]shop/api hxxps://forknegotationaow[.]shop/api hxxps://inviteaccessiblesaltw[.]shop/api hxxps://peasanthovecapspll[.]shop/api hxxps://likelysoarastonishiow[.]shop/api hxxps://improvisersmissionjuw[.]fun/api hxxps://fikkeropendorwiw[.]pw/api hxxps://explodesaildecksatt[.]shop/api hxxps://donorwifeconfusionstronko[.]site/api hxxps://stamprollabbeymemberw[.]site/api hxxps://sermonundressolcow[.]shop/api hxxps://thinrecordsunrjisow[.]pw/api hxxps://audiencegafferokkow[.]shop/api hxxps://breakdecisiveexpandw[.]fun/api hxxps://diamondarrivallyowju[.]shop/api hxxps://regardvelvettynerverf[.]site/api hxxps://additionmarriagefoewsv[.]shop/api hxxps://auctiondecadecontaii[.]shop/api hxxps://syncarpiajanapiom[.]fun/api hxxps://modestessayevenmilwek[.]shop/api hxxps://superiorhardwaerw[.]pw/api hxxps://culturesketchfinanciall[.]shop/api hxxps://televisionstudiowmmj[.]shop/api hxxps://assumptionflattyou[.]shop/api hxxps://legatorypluralishrtw[.]shop/api hxxps://clientgirlfrienddyjw[.]shop/api hxxps://samplepoisonbarryntj[.]shop/api hxxps://theatergenerationju[.]shop/api hxxps://deadpanstupiddyjjuwk[.]shop/api |
Lumma Stealer |
URL | hxxps://valeriamygirlinstripcalloc[.]com/YWZiMzRmNzA4Nzk0/ hxxps://45[.]9[.]74[.]60/MDQ4Yzc4NTJkYTg4/ hxxps://45[.]9[.]74[.]136/MDQ4Yzc4NTJkYTg4/ hxxps://acizac12141[.]xyz/MDQ4Yzc4NTJkYTg4/ hxxps://45[.]9[.]74[.]166/MDQ4Yzc4NTJkYTg4/ hxxps://83[.]97[.]73[.]125/NzFlZWIzNmYwZDI5/ | Coper |
URL | hxxp://206[.]188[.]196[.]222/ex[.]zip | DarkGate |
URL | hxxp://g-eurasia-ru[.]com/fan/ZfUdfOc32[.]bin hxxp://83[.]137[.]157[.]60/eGqOzduGXV36[.]bin hxxp://83[.]137[.]157[.]60/IlQzHrLnWML16[.]bin hxxp://103[.]131[.]130[.]178/Betvingelser[.]exe hxxp://103[.]131[.]130[.]178/LSLRcHsksL225[.]bin hxxp://103[.]131[.]130[.]178/jLRxglBetogdlDb231[.]bin | CloudEyE |
URL | hxxp://193[.]233[.]252[.]242/hidakibest[.]arm7 hxxp://193[.]233[.]252[.]242/hidakibest[.]x86 hxxp://103[.]119[.]1[.]73/nginx[.]mips hxxp://103[.]119[.]1[.]73/nginx[.]sparc hxxp://103[.]119[.]1[.]73/nginx[.]mpsl hxxp://103[.]119[.]1[.]73/nginx[.]arm4 hxxp://103[.]119[.]1[.]73/nginx[.]arm5 hxxp://103[.]119[.]1[.]73/nginx[.]ppc hxxp://78[.]40[.]117[.]218/apache2 hxxp://141[.]98[.]7[.]233/mipsel hxxp://141[.]98[.]7[.]233/i686 hxxp://141[.]98[.]7[.]233/ppc hxxp://141[.]98[.]7[.]233/m68k hxxp://141[.]98[.]7[.]233/sh4 hxxp://103[.]119[.]1[.]73/nginx[.]arm7 hxxp://103[.]119[.]1[.]73//nginx[.]arm4 hxxp://103[.]119[.]1[.]73//nginx[.]sparc hxxp://103[.]119[.]1[.]73//nginx[.]arm7 hxxp://103[.]119[.]1[.]73//nginx[.]mips hxxp://103[.]119[.]1[.]73//nginx[.]mpsl hxxp://103[.]119[.]1[.]73//nginx[.]arm5 hxxp://103[.]119[.]1[.]73//nginx[.]ppc hxxp://103[.]119[.]1[.]73//nginx[.]x86 hxxp://78[.]40[.]117[.]218/ftp hxxp://78[.]40[.]117[.]218/bash hxxp://78[.]40[.]117[.]218/tftp hxxp://141[.]98[.]7[.]233/x86 hxxp://141[.]98[.]7[.]233/mips hxxp://176[.]123[.]1[.]226/powerpc hxxp://176[.]123[.]1[.]226/armv4l hxxp://176[.]123[.]1[.]226/armv5l hxxp://176[.]123[.]1[.]226/armv6l hxxp://217[.]18[.]63[.]132/m-6[.]8-k[.]Sakura hxxp://217[.]18[.]63[.]132/p-p[.]c-[.]Sakura hxxp://217[.]18[.]63[.]132/i-5[.]8-6[.]Sakura hxxp://217[.]18[.]63[.]132/m-p[.]s-l[.]Sakura hxxp://217[.]18[.]63[.]132/x-8[.]6-[.]Sakura hxxp://217[.]18[.]63[.]132/s-h[.]4-[.]Sakura hxxp://217[.]18[.]63[.]132/a-r[.]m-4[.]Sakura hxxp://217[.]18[.]63[.]132/a-r[.]m-5[.]Sakura hxxp://217[.]18[.]63[.]132/a-r[.]m-6[.]Sakura hxxp://217[.]18[.]63[.]132/x-3[.]2-[.]Sakura hxxp://223[.]252[.]60[.]99/assailant[.]x86 hxxp://103[.]172[.]79[.]74/condi/x86_64 hxxp://217[.]18[.]63[.]132/m-i[.]p-s[.]Sakura hxxp://217[.]18[.]63[.]132/a-r[.]m-7[.]Sakura hxxp://94[.]156[.]8[.]116/rebirth[.]x86 |
Bashlite |
URL | hxxps://sempersim[.]su/c8/fre[.]php | LokiBot |
URL | hxxp://192[.]151[.]244[.]144:4574/DB[.]exe | Quasar RAT |
URL | hxxps://tafrihafashion[.]com/boondle[.]txt hxxp://fatttjapan[.]com/xjadlcqfulrmbgzmnncyaldkmqglyjbkix[.]txt | NetSupportManager RAT |
URL | hxxps://ged[.]round[.]fishingreelinvestment[.]com/editContent hxxps://worldofmantas[.]com/cdn-vs/cache[.]php hxxps://worldofmantas[.]com/help/zewmrgqnw[.]php hxxps://huia[.]round[.]fishingreelinvestment[.]com/editContent hxxps://lkdj[.]round[.]fishingreelinvestment[.]com/editContent hxxps://jdol[.]round[.]fishingreelinvestment[.]com/editContent hxxps://qbo[.]round[.]fishingreelinvestment[.]com/editContent hxxps://pkfkd[.]round[.]fishingreelinvestment[.]com/editContent hxxps://aij[.]round[.]fishingreelinvestment[.]com/editContent hxxps://afc[.]round[.]fishingreelinvestment[.]com/editContent hxxps://efzfo[.]round[.]fishingreelinvestment[.]com/editContent | FAKEUPDATES |
URL | hxxp://45[.]154[.]98[.]24:222/Rar[.]exe hxxp://45[.]154[.]98[.]24:222/load[.]rar | AsyncRAT |
URL | hxxp://213[.]248[.]43[.]34/loader/screen/OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms hxxp://213[.]248[.]43[.]34/task/OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms | RedLine Stealer |
URL | hxxp://136[.]244[.]98[.]226/ruggy[.]exe | Parallax RAT |
URL | hxxp://91[.]92[.]254[.]93/ghfhhminfudk[.]exe | zgRAT |
URL | hxxp://topgamecheats[.]dev/asdas9asdfnew[.]exe | Venom RAT |
URL | hxxp://182[.]126[.]66[.]68:49945/Mozi[.]m | Mozi |
URL | hxxp://205[.]185[.]126[.]140/i586 hxxp://103[.]172[.]79[.]74/condi/arm hxxp://205[.]185[.]126[.]140/mips hxxp://205[.]185[.]126[.]140/arm7 hxxp://205[.]185[.]126[.]140/sh4 | MooBot |
URL | hxxp://14[.]224[.]174[.]212/Ransomware[.]WannaCry_Plus[.]zip | WannaCryptor |
URL | hxxp://75[.]119[.]134[.]80/x86_64 | XOR DDoS |