不正URLへのアクセス、不正メールの受信
-
メール受信した
弊社お客様0社 URLアクセスした
弊社お客様14社 -
2024/07/04
※2024/07/04 更新
マルウェア感染させると考えられるURLを検知(2024/07/04)
■IoC(※1)
| Type: | IOC: | Signature: |
|---|---|---|
| URL | hxxp://51[.]81[.]135[.]251//linux_mips64 hxxp://51[.]81[.]135[.]251//linux_mips hxxp://51[.]81[.]135[.]251//linux_mips64el hxxp://51[.]81[.]135[.]251//linux_arm7 hxxp://51[.]81[.]135[.]251//linux_amd64 hxxp://51[.]81[.]135[.]251//linux_arm6 hxxp://51[.]81[.]135[.]251//linux_aarch64 hxxp://51[.]81[.]135[.]251//linux_arm5 hxxp://51[.]81[.]135[.]251//linux_mipsel hxxp://51[.]81[.]135[.]251//linux_386 |
Kaiji |
| URL | hxxp://avastcsw[.]com/Avastavv[.]apk hxxps://avastga[.]com/Avastavv[.]apk hxxp://avastsf[.]com/Avastavv[.]apk |
SpyNote |
| URL | hxxp://185[.]208[.]158[.]176/OPERATIONAL_MOAT[.]exe hxxp://185[.]208[.]158[.]176/EERIE_EAVE[.]exe hxxp://185[.]208[.]158[.]176/ok[.]exe |
Sliver |
| URL | hxxp://77[.]221[.]149[.]185/clients/mig[.]exe hxxp://77[.]105[.]133[.]27/download/123p[.]exe hxxp://193[.]233[.]80[.]23/loader[.]exe |
Coinminer |
| URL | hxxps://45[.]141[.]26[.]232/Build[.]exe hxxp://45[.]141[.]26[.]232/Build[.]exe |
neshta |
| URL | hxxps://45[.]141[.]26[.]232/F[.]exe hxxp://45[.]141[.]26[.]232/F[.]exe |
XWorm |
| URL | hxxp://altaskifer[.]sbs/PWS2/fre[.]php hxxp://198[.]46[.]178[.]137/22033/igccu[.]exe hxxp://198[.]46[.]178[.]137/xampp/po/IEnetCache[.]hta hxxp://104[.]248[.]205[.]66/index[.]php/modify[.]php?edit=1 hxxp://104[.]248[.]205[.]66/index[.]php/modify[.]php |
LokiBot |
| URL | hxxp://comingoutcovenant[.]com/wp-includes/pomo/update[.]php hxxp://jswebcloud[.]net/ui_static[.]js hxxps://awod[.]fans[.]smalladventureguide[.]com/orderReview hxxps://yzvg[.]fans[.]smalladventureguide[.]com/orderReview hxxps://axfve[.]fans[.]smalladventureguide[.]com/orderReview hxxps://yiajz[.]location[.]oysterfloats[.]us/editContent hxxps://adobefallshomes[.]com/cdn-vs/original[.]js hxxps://adobefallshomes[.]com/cdn-vs/cache[.]php hxxp://adobefallshomes[.]com/cdn-vs/33per[.]php hxxp://adobefallshomes[.]com/cdn-vs/original[.]js hxxp://adobefallshomes[.]com/cdn-vs/cache[.]php |
FAKEUPDATES |
| URL | hxxp://89[.]117[.]146[.]230:1002/bin/watchdog hxxp://89[.]117[.]146[.]230:1002/x86_64 hxxp://89[.]117[.]146[.]230:1002/spc hxxp://89[.]117[.]146[.]230:1002/skra[.]sparc hxxp://89[.]117[.]146[.]230:1002/ppc hxxp://89[.]117[.]146[.]230:1002/mpsl hxxp://89[.]117[.]146[.]230:1002/mips hxxp://89[.]117[.]146[.]230:1002/arm6 hxxp://89[.]117[.]146[.]230:1002/arm5 hxxp://89[.]117[.]146[.]230:1002/arm hxxp://194[.]233[.]78[.]47/hidakibest[.]arm4 hxxp://194[.]233[.]78[.]47/hidakibest[.]arm5 hxxp://194[.]233[.]78[.]47/hidakibest[.]mips hxxp://194[.]233[.]78[.]47/hidakibest[.]mpsl hxxp://194[.]233[.]78[.]47/hidakibest[.]ppc hxxp://194[.]233[.]78[.]47/hidakibest[.]sh hxxp://194[.]233[.]78[.]47/hidakibest[.]sparc hxxp://194[.]233[.]78[.]47/hidakibest[.]x86 |
Mirai |
| URL | hxxps://udfa[.]techeva[.]co[.]in/agreement-to-terms-and-conditions-wording/ hxxps://www[.]facebook[.]ygdiw[.]com/article[.]php hxxps://www[.]fantasticomundodesunca[.]org/article[.]php hxxp://trustadvisorygroup[.]com/2022/11/26/pls-00208-identifier-is-not-a-legal-cursor-attribute hxxps://www[.]future-plast[.]com/article[.]php |
GootLoader |
| URL | hxxps://larryfrank[.]cpa/xdKCjAMEQDWiUiQMPQ170[.]bin hxxps://larryfrank[.]cpa/Negus85[.]csv hxxp://23[.]95[.]235[.]16/33011/ee/uho[.]uouo[.]uououo[.]doc hxxp://91[.]92[.]254[.]14/Users_API/syscore/file_ahstznsa[.]ob0[.]txt hxxp://23[.]95[.]235[.]16/33011/goodfollowersgreatflowers[.]gif hxxps://45[.]148[.]122[.]66/ajai/wave[.]txt hxxp://45[.]148[.]122[.]66/ajai/wave[.]txt |
Formbook |
| URL | hxxp://103[.]237[.]86[.]247/Nonpurchaser[.]psm hxxp://103[.]237[.]86[.]247/Friskpillet109[.]dwp hxxp://103[.]237[.]86[.]247/theomagy[.]psm hxxp://103[.]237[.]86[.]247/pfoGTCLnx4[.]bin hxxp://103[.]237[.]86[.]247/xcjLjSb128[.]bin hxxp://103[.]237[.]86[.]247/EkmwapeHusBKtnzhrLsgW0[.]bin hxxp://103[.]195[.]237[.]43/Magnetiseringerne[.]sea hxxp://skf-mx[.]com/place/Hhymcmfkh[.]vdf hxxp://skf-mx[.]com/epic/Mrrhepor[.]wav hxxp://skf-mx[.]com/contact/Vszzbk[.]dat hxxp://skf-mx[.]com/contact/Uvemqrtnws[.]vdf hxxp://skf-mx[.]com/contact/Jqlvvbh[.]dat hxxp://skf-mx[.]com/contact/Delcikyeh[.]dat hxxp://skf-mx[.]com/future/Kjoxk[.]wav hxxp://skf-mx[.]com/ball/Laofp[.]pdf hxxp://skf-mx[.]com/contact/Lcoawryn[.]vdf hxxp://skf-mx[.]com/future/Pnphdbzksq[.]wav hxxp://skf-mx[.]com/contact/Ykczwqohp[.]mp4 |
CloudEyE |
| URL | hxxp://sylhetvoice[.]com/tmp/1[.]exe | SmokeLoader |
| URL | hxxp://thewavesoftech[.]com/bot[.]ppc hxxp://461digital[.]com/bot[.]arm7 hxxp://wcuuxhjlak[.]com/bot[.]arm7 hxxp://thewavesoftech[.]com/bot[.]arm7 hxxp://www[.]wcuuxhjlak[.]com/bot[.]arm7 hxxp://wcuuxhjlak[.]com/bot[.]ppc hxxp://www[.]gogreenholidays[.]com/bot[.]ppc hxxp://gogreenholidays[.]com/bot[.]ppc hxxp://www[.]thewavesoftech[.]com/bot[.]arm7 hxxp://gogreenholidays[.]com/bot[.]arm7 hxxp://www[.]wcuuxhjlak[.]com/bot[.]ppc hxxp://www[.]thewavesoftech[.]com/bot[.]ppc hxxp://461digital[.]com/bot[.]ppc hxxp://www[.]461digital[.]com/bot[.]arm7 hxxp://www[.]gogreenholidays[.]com/bot[.]arm7 hxxp://www[.]461digital[.]com/bot[.]ppc hxxp://185[.]208[.]158[.]128/bot[.]arm7 hxxp://185[.]208[.]158[.]128/bot[.]ppc hxxp://www[.]attackzm[.]ru/hidakibest[.]mpsl hxxp://www[.]attackzm[.]ru/hidakibest[.]arm4 hxxp://attackzm[.]ru/hidakibest[.]arm5 hxxp://attackzm[.]ru/hidakibest[.]arm6 hxxp://www[.]attackzm[.]ru/hidakibest[.]arm5 hxxp://attackzm[.]ru/hidakibest[.]x86 hxxp://attackzm[.]ru/hidakibest[.]sparc hxxp://attackzm[.]ru/hidakibest[.]mips hxxp://www[.]attackzm[.]ru/hidakibest[.]x86 hxxp://www[.]attackzm[.]ru/hidakibest[.]sparc hxxp://attackzm[.]ru/hidakibest[.]arm4 hxxp://www[.]attackzm[.]ru/hidakibest[.]arm6 hxxp://attackzm[.]ru/hidakibest[.]ppc hxxp://www[.]attackzm[.]ru/hidakibest[.]mips hxxp://attackzm[.]ru/hidakibest[.]mpsl hxxp://www[.]attackzm[.]ru/hidakibest[.]ppc |
Bashlite |
| URL | hxxp://185[.]208[.]158[.]176/toi[.]txt | Havoc |
| URL | hxxps://worldofprocure[.]com/worldofprocure[.]rar | AsyncRAT |
| URL | hxxp://185[.]96[.]166[.]113/Project1[.]exe hxxp://45[.]148[.]122[.]66/aji/moon[.]txt hxxps://van[.]swpushroller[.]eu/aji/moon[.]txt hxxp://van[.]swpushroller[.]eu/aji/moon[.]txt hxxps://45[.]148[.]122[.]66/aji/moon[.]txt hxxp://172[.]245[.]135[.]155/T0207W/csrss[.]exe hxxp://172[.]245[.]135[.]155/xampp/eg/IEnetCache[.]hta hxxp://hop[.]fyi/uW4Kj hxxp://103[.]186[.]67[.]211/22011/erf/unn[.]unn[.]unnunn[.]doc hxxp://103[.]186[.]67[.]211/22011/createdfollowerswithflowers[.]gif hxxp://103[.]186[.]67[.]211/99011/WSR[.]txt hxxp://103[.]186[.]67[.]211/22011/SWSS[.]txt |
Remcos |
| URL | hxxp://107[.]189[.]29[.]100/wmi[.]jpg | YoungLotus |
| URL | hxxp://107[.]189[.]29[.]100/TQ[.]jpg | Ghost RAT |
| URL | hxxps://abc[.]nbch1na[.]com:2087/jquery-3[.]3[.]1[.]min[.]js hxxp://79[.]124[.]40[.]106:82/pixel[.]gif hxxp://103[.]207[.]68[.]65/j[.]ad hxxp://213[.]109[.]147[.]69/d/msdownload/update/2021/11/33002773_x86_b78cd82ceba723[.]cab hxxps://51ape[.]cc/aaaaaaaaa hxxps://wnaz[.]shop/dpixel hxxp://47[.]109[.]186[.]179/dpixel hxxp://123[.]57[.]85[.]206:50000/cm hxxp://47[.]109[.]51[.]223/IE9CompatViewList[.]xml hxxp://103[.]116[.]245[.]79:808/cm hxxp://106[.]53[.]213[.]253:8081/g[.]pixel hxxp://156[.]238[.]235[.]164:8080/push hxxp://43[.]153[.]222[.]28:433/ga[.]js hxxp://185[.]117[.]0[.]43:8887/pixel hxxp://124[.]223[.]166[.]66:8081/fwlink hxxp://1[.]92[.]89[.]193:9999/__utm[.]gif hxxps://49[.]235[.]118[.]195/dpixel hxxp://49[.]235[.]118[.]195/visit[.]js hxxp://101[.]126[.]16[.]222:3333/cx hxxps://121[.]43[.]230[.]160:8443/vendorReact[.]dc6a29[.]chunk[.]js hxxps://116[.]196[.]82[.]90/themes/index[.]php hxxp://8[.]134[.]139[.]130:9999/load hxxps://23[.]95[.]65[.]198/__utm[.]gif hxxp://101[.]35[.]42[.]157/g[.]pixel |
Cobalt Strike |
| URL | hxxp://77[.]91[.]77[.]80/chupa/leva[.]exe hxxp://162[.]55[.]130[.]242/b13597c85f807692/softokn3[.]dll hxxp://162[.]55[.]130[.]242/b13597c85f807692/nss3[.]dll hxxp://162[.]55[.]130[.]242/b13597c85f807692/freebl3[.]dll hxxp://162[.]55[.]130[.]242/b13597c85f807692/mozglue[.]dll hxxp://162[.]55[.]130[.]242/b13597c85f807692/vcruntime140[.]dll hxxp://162[.]55[.]130[.]242/b13597c85f807692/sqlite3[.]dll hxxp://162[.]55[.]130[.]242/b13597c85f807692/msvcp140[.]dll |
Stealc |
| URL | hxxp://103[.]42[.]55[.]251:9999/adrtest[.]apk | Metasploit |
| URL | hxxp://192[.]3[.]64[.]135/okeydookietrational[.]txt hxxp://198[.]46[.]178[.]144/madamwebbbbbbbas6444[.]txt hxxp://198[.]46[.]178[.]144/EvengIEcache[.]hta hxxp://192[.]3[.]64[.]135/htaxlsxfoldrs[.]txt |
Agent Tesla |
| URL | hxxp://helpcenter[.]cyou/help[.]php?8560 | NetSupportManager RAT |
| URL | hxxp://193[.]233[.]80[.]23/injector[.]exe hxxp://77[.]91[.]77[.]81/lend/newlogs[.]exe |
RedLine Stealer |
| URL | hxxp://118621cm[.]n9shteam2[.]top/protecttrackDatalifePrivateCentral[.]php hxxp://podval[.]top/LineToPythonJsLowupdateLongpollWindowsFlower[.]php |
DCRat |
| URL | hxxps://prettilikeopwp[.]shop/api hxxp://77[.]91[.]77[.]81/lend/newbuild[.]exe |
Lumma Stealer |
| URL | hxxp://185[.]172[.]128[.]116/Freshbuild[.]exe | Amadey |
| URL | hxxp://77[.]91[.]77[.]182/Bitwarden-Installer-2024[.]6[.]3[.]exe | Vidar |
| URL | hxxps://www[.]zestyahhdog[.]com/Arc12645413[.]dmg hxxp://www[.]zestyahhdog[.]com/Arc12645413[.]dmg hxxp://zestyahhdog[.]com/Arc12645413[.]dmg hxxps://zestyahhdog[.]com/Arc12645413[.]dmg hxxps://37[.]27[.]82[.]196/Arc12645413[.]dmg hxxp://37[.]27[.]82[.]196/Arc12645413[.]dmg hxxps://hd[.]hdweb2[.]pw/AGOV-Access[.]dmg hxxps://tv[.]yayins[.]com/AGOV-Access[.]dmg hxxps://www[.]agov-ch[.]net/AGOV-Access[.]dmg hxxps://tv[.]surebettr[.]com/AGOV-Access[.]dmg hxxps://www[.]agov-access[.]net/AGOV-Access[.]dmg hxxps://186[.]2[.]171[.]60/AGOV-Access[.]dmg hxxps://www[.]agov-access[.]com/AGOV-Access[.]dmg hxxps://www[.]agov-ch[.]com/AGOV-Access[.]dmg hxxps://www[.]register-agov[.]com/AGOV-Access[.]dmg hxxps://agov-access[.]com/AGOV-Access[.]dmg hxxps://agov-ch[.]net/AGOV-Access[.]dmg hxxps://agov-access[.]net/AGOV-Access[.]dmg hxxps://agov-ch[.]com/AGOV-Access[.]dmg hxxps://register-agov[.]com/AGOV-Access[.]dmg |
Poseidon Stealer |
