不正URLへのアクセス、不正メールの受信
-
メール受信した弊社お客様：0社
URLアクセスした弊社お客様：2社
-
2024/10/18
※2024/10/18 更新
マルウェア感染させると考えられるURLを検知(2024/10/18)
■IoC(※1)　※以下のURLは「hxxp」「[.]」形式で無害化（defang）して記載しています。検知ルールやブロックリストへ登録する際は元の表記に戻してください。
Type | IOC | Signature |
---|---|---|
URL | hxxp://3[.]94[.]86[.]69/files/AppReseter[.]exe hxxp://3[.]94[.]86[.]69/files/AppReseter_forOutlooker[.]exe hxxp://87[.]120[.]127[.]223/RLPR_DL[.]exe hxxp://87[.]120[.]127[.]223/panel/uploads/Afocvkc[.]dat | RedLine Stealer |
URL | hxxp://www[.]ramanujan[.]edu[.]in/downloads/svchost[.]exe hxxp://152[.]89[.]239[.]119/222[.]jpg hxxp://3[.]94[.]86[.]69/files/crmdashboard[.]exe hxxp://loopback[.]axelvasquez[.]com/Client-built[.]exe | Quasar RAT |
URL | hxxp://ser[.]nrovn[.]xyz/langla[.]exe | AsyncRAT |
URL | hxxp://212[.]64[.]10[.]223:90/ax[.]exe | Nitol |
URL | hxxp://188[.]212[.]158[.]75/5556[.]rar hxxp://nunta[.]8z[.]ro/Google%20Chrome[.]exe | NjRAT |
URL | hxxps://10086623[.]top/font/original[.]js hxxps://10086623[.]top/font/index[.]php hxxps://10086623[.]top/font/fix[.]php hxxps://tqshoes[.]shop/font/original[.]js hxxps://tqshoes[.]shop/font/index[.]php hxxps://tqshoes[.]shop/font/fix[.]php hxxps://thisispriority[.]com/ChromeUpdate_130[.]0[.]6723[.]js hxxps://chxr[.]rooms[.]fierceatfifty[.]com/orderReview | FAKEUPDATES |
URL | hxxp://192[.]153[.]57[.]57:8000/chisel[.]exe | Chisel |
URL | hxxp://91[.]225[.]219[.]174/net[.]msi | Brute Ratel C4 |
URL | hxxp://87[.]120[.]117[.]231/XnydCC10[.]bin hxxp://87[.]120[.]117[.]231/FSJlDMZHwcI175[.]bin hxxps://kambud[.]biz/LabaPzMEkhwRRrP197[.]bin hxxps://kambud[.]biz/TrKbMEENHWGFu198[.]bin hxxp://107[.]175[.]113[.]209/xampp/ws/ecforyoutomakemegood[.]hta hxxp://103[.]72[.]57[.]120/diddyishere/YyHolEVWoHsYmSFIbeB57[.]bin hxxp://103[.]72[.]57[.]120/TGIF/Jodozocw[.]dat hxxp://103[.]72[.]57[.]120/TGIF/Jhkqva[.]wav hxxps://invictaindia[.]com/sty1/Kajanlggenes[.]u32 hxxp://invictaindia[.]com/sty1/Kajanlggenes[.]u32 hxxp://72[.]11[.]142[.]133/ZlZtGuzfYZYiGTfAyRYdGi172[.]bin hxxp://185[.]29[.]11[.]116/vSPnyPVuaNFV253[.]bin hxxp://204[.]10[.]160[.]169/lRQTrcQpiAVNHHUQ130[.]bin hxxp://204[.]10[.]160[.]169/GNxpwIba234[.]bin hxxp://185[.]29[.]11[.]116/rCuCtO209[.]bin hxxp://185[.]29[.]11[.]116/uQpBZEE29[.]bin hxxp://101[.]99[.]94[.]195/XkUeFchig33[.]bin hxxp://101[.]99[.]94[.]195/mZlaoZbpEVWPJcG210[.]bin hxxp://whimar[.]com/wp-admin/maint/Verificerbarheden[.]mso hxxp://whimar[.]com/wp-admin/maint/XjoPqhzc228[.]bin hxxps://whimar[.]com/wp-admin/maint/XjoPqhzc228[.]bin hxxps://whimar[.]com/wp-admin/maint/Verificerbarheden[.]mso | CloudEyE |
URL | hxxp://147[.]45[.]41[.]134/b65e93b2e3fe9102/freebl3[.]dll hxxp://147[.]45[.]41[.]134/b65e93b2e3fe9102/softokn3[.]dll hxxp://147[.]45[.]41[.]134/b65e93b2e3fe9102/vcruntime140[.]dll hxxp://147[.]45[.]41[.]134/b65e93b2e3fe9102/sqlite3[.]dll hxxp://147[.]45[.]41[.]134/b65e93b2e3fe9102/nss3[.]dll hxxp://147[.]45[.]41[.]134/b65e93b2e3fe9102/mozglue[.]dll hxxp://147[.]45[.]41[.]134/5e0fc67937c1156b/sqlite3[.]dll hxxp://147[.]45[.]41[.]134/b65e93b2e3fe9102/msvcp140[.]dll hxxp://91[.]211[.]248[.]209/e8cb7c74cdbebdf9[.]php | Stealc |
URL | hxxp://87[.]120[.]125[.]34/psdrive1[.]txt hxxp://87[.]120[.]125[.]34/smbs[.]txt hxxp://87[.]120[.]125[.]34/test[.]exe hxxp://87[.]120[.]125[.]34/lsa1[.]txt hxxp://87[.]120[.]125[.]34/range[.]txt hxxp://87[.]120[.]125[.]34/1[.]txt hxxp://87[.]120[.]125[.]34/dpapi1[.]txt hxxp://87[.]120[.]125[.]34/lsassy1[.]txt | RansomHub |
URL | hxxp://45[.]230[.]66[.]19:11751/Mozi[.]m | Mozi |
URL | hxxp://liverds[.]at/tmp/index[.]php hxxp://livbev[.]online/tmp/index[.]php hxxp://volisc[.]biz/tmp/index[.]php hxxp://tnc-corp[.]ru/tmp/index[.]php | SmokeLoader |
URL | hxxp://104[.]168[.]7[.]23/888/ec/niceworkfornicepeopleswhoknowmewell[.]hta hxxp://104[.]168[.]7[.]23/777/cee/seethebstthingstogetwithentirethingstobegret[.]hta hxxp://172[.]245[.]123[.]88/550/ea/icreatedbeatufiuldayswithniceworkingskillhere[.]hta hxxp://172[.]245[.]123[.]88/550/WERRFG[.]txt hxxp://172[.]245[.]123[.]88/550/seethebestpciturewithentireworldwiththisnew[.]tIF | Formbook |
URL | hxxp://87[.]120[.]84[.]38/txt/RKbqmU7pcsLQXbJ[.]exe hxxp://87[.]120[.]84[.]38/txt/EGwnUqNrVeLFNPw[.]exe hxxp://87[.]120[.]84[.]38/txt/dtgLBRsUB45qnMm[.]exe | MASS Logger |
URL | hxxp://img[.]bilibili[.]buzz:2096/jquery-3[.]3[.]1[.]min[.]js | Cobalt Strike |
URL | hxxps://api[.]telegram[.]org/bot7662274889:AAGmLpUAq41adIZH12LVtlSBknhfnx9iQ2g/sendMessage?chat_id=2052461776 hxxp://172[.]245[.]123[.]25/302/taskhostws[.]exe hxxp://172[.]245[.]123[.]25/xampp/une/wethinkaboutthegreatsolutionforgreat[.]hta | Snake Keylogger |
URL | hxxp://101[.]99[.]94[.]195/Flyselskabets[.]smi hxxp://101[.]99[.]94[.]195/fyhgEIZEzqeinLclHj169[.]bin hxxp://invictaindia[.]com/sty/iTSqHIazA174[.]bin hxxps://invictaindia[.]com/sty/iTSqHIazA174[.]bin | Agent Tesla |
URL | hxxp://te1[.]tunnelin[.]com:59518/Vre | Vjw0rm |
URL | hxxp://91[.]103[.]140[.]200:9078/3936a074a2f65761a5eb8/6fmfpmi7[.]fwf4p | Rhadamanthys |
URL | hxxps://adisback[.]com/NTFkNjVmNTMyODdh/ hxxps://usomusikiyorumlaan[.]com/NTFkNjVmNTMyODdh/ hxxps://cocacolaiciyorumm[.]com/NTFkNjVmNTMyODdh/ hxxps://hastagapkamdanuzakdur[.]com/NTFkNjVmNTMyODdh/ hxxps://apkmiacmayinlen[.]com/NTFkNjVmNTMyODdh/ hxxps://apkmikimseellemesinn2[.]com/NTFkNjVmNTMyODdh/ hxxps://colaicmutluol34[.]com/NTFkNjVmNTMyODdh/ | Coper |
URL | hxxp://107[.]175[.]229[.]138/550/nc/nicetokissthebestthingsiwantotgetmebackwith[.]hta | Remcos |
URL | hxxp://94[.]159[.]113[.]48/server[.]php hxxp://apitestlabs[.]com:8888/15287772319514[.]dll hxxp://endpointexperiment[.]com:8888/225761669829717[.]dll hxxp://apitestlabs[.]com:8888/225761669829717[.]dll hxxp://endpointexperiment[.]com:8888/15287772319514[.]dll hxxp://apitestlabs[.]com:8888/113681416431447[.]dll hxxp://endpointexperiment[.]com:8888/113681416431447[.]dll hxxp://dailywebstats[.]com:8888/225761669829717[.]dll hxxp://cloudslimit[.]com:8888/15287772319514[.]dll hxxp://cloudslimit[.]com:8888/113681416431447[.]dll hxxp://cloudslimit[.]com:8888/225761669829717[.]dll hxxp://dailywebstats[.]com:8888/15287772319514[.]dll hxxp://dailywebstats[.]com:8888/113681416431447[.]dll hxxp://94[.]159[.]113[.]48:8888/113681416431447[.]dll hxxp://94[.]159[.]113[.]48:8888/225761669829717[.]dll hxxp://94[.]159[.]113[.]48:8888/15287772319514[.]dll | StrelaStealer |
URL | hxxp://87[.]120[.]112[.]102/roze[.]x86 hxxp://205[.]185[.]122[.]67/m68k hxxp://205[.]185[.]122[.]67/mipsel hxxp://87[.]120[.]112[.]102/roze[.]i586 hxxp://87[.]120[.]112[.]102/roze[.]sh4 hxxp://87[.]120[.]112[.]102/roze[.]m68k hxxp://87[.]120[.]112[.]102/roze[.]armv4 hxxp://87[.]120[.]112[.]102/roze[.]mips hxxp://87[.]120[.]112[.]102/roze[.]armv6 hxxp://87[.]120[.]112[.]102/roze[.]i686 hxxp://87[.]120[.]112[.]102/roze[.]mipsel hxxp://205[.]185[.]122[.]67/mips hxxp://205[.]185[.]122[.]67/arm61 hxxp://205[.]185[.]122[.]67/dss hxxp://205[.]185[.]122[.]67/586 hxxp://205[.]185[.]122[.]67/i686 hxxp://205[.]185[.]122[.]67/ppc hxxp://87[.]120[.]112[.]102/roze[.]ppc hxxp://87[.]120[.]112[.]102/roze[.]armv5 hxxp://205[.]185[.]122[.]67/sh4 hxxp://185[.]121[.]233[.]82/tt/armv4l hxxp://185[.]121[.]233[.]82/tt/powerpc hxxp://185[.]121[.]233[.]82/tt/armv6l hxxp://205[.]185[.]122[.]67/x86 hxxp://87[.]120[.]112[.]102/roze[.]sparc hxxp://205[.]185[.]122[.]67/co hxxp://31[.]172[.]80[.]237/qkdjdjj22[.]i586 hxxp://31[.]172[.]80[.]237/qkdjdjj22[.]mips hxxp://31[.]172[.]80[.]237/qkdjdjj22[.]arm7 hxxp://31[.]172[.]80[.]237/qkdjdjj22[.]sh4 hxxp://31[.]172[.]80[.]237/qkdjdjj22[.]x32 hxxp://31[.]172[.]80[.]237/qkdjdjj22[.]ppc | Bashlite |
URL | hxxp://185[.]215[.]113[.]66/tdrp[.]exe | Phorpiex |
URL | hxxp://bradescu[.]com/chrome-upgrade[.]zip hxxp://bradescu[.]com/ChromeUpgrade[.]ps1 hxxp://k2ygoods[.]top/m2[.]dat hxxp://k2ygoods[.]top/power2[.]txt hxxp://k2ygoods[.]top/download2[.]txt | Coinminer |
URL | hxxp://protonbusinessvpn[.]world/ProtonVPN[.]exe hxxp://merlion[.]top/PythongameTrafficDatalifepublic[.]php | DCRat |
URL | hxxp://169[.]1[.]16[.]29/swift-nobypass[.]exe hxxp://169[.]1[.]16[.]29/swift-bypass-breakpoints[.]exe hxxp://8[.]138[.]96[.]41:10050/demon[.]x64[.]bin hxxp://nurekleindesign[.]com/toronto[.]bin hxxp://169[.]1[.]16[.]29/Swift-Sleep-bypass[.]exe hxxp://169[.]1[.]16[.]29/Swift-sleep10-jitter-50-amsiPatch-Breakpoints[.]dll hxxp://169[.]1[.]16[.]29/demon[.]x64[.]exe hxxp://169[.]1[.]16[.]29/demon[.]x641[.]exe hxxp://169[.]1[.]16[.]29/Swift-service-encrypted-obuscated[.]exe | Havoc |
URL | hxxp://176[.]111[.]174[.]140/api/bot64[.]bin hxxp://176[.]111[.]174[.]140/ywx[.]exe hxxp://176[.]111[.]174[.]140/s[.]exe hxxp://176[.]111[.]174[.]140/t9bdjZsL2/index[.]php | Amadey |
URL | hxxp://47[.]236[.]122[.]191/Geek[.]exe | Meterpreter |
URL | hxxp://readytostartsomething[.]com/o/8[.]png hxxp://readytostartsomething[.]com/o/3[.]png hxxp://readytostartsomething[.]com/o/5[.]png hxxp://readytostartsomething[.]com/o/6[.]png hxxp://readytostartsomething[.]com/o/7[.]png hxxp://readytostartsomething[.]com/o/9[.]png hxxp://readytostartsomething[.]com/o/10[.]png hxxp://readytostartsomething[.]com/o/11[.]png hxxp://readytostartsomething[.]com/o/12[.]png hxxp://readytostartsomething[.]com/o/4[.]png hxxp://readytostartsomething[.]com/o/1[.]png hxxp://readytostartsomething[.]com/o/2[.]png hxxp://readytostartsomething[.]com/o/o[.]png | NetSupportManager RAT |
URL | hxxp://lum-fun[.]fun/login hxxps://lum-fun[.]fun/login hxxp://lummc2[.]fun/login hxxps://lummc2[.]fun/login | Lumma Stealer |
URL | hxxp://169[.]1[.]16[.]29/Swift-Stage1-Obfuscated[.]exe | Sliver |