不正URLへのアクセス、不正メールの受信
-
メールを受信した弊社お客様：0社
URLにアクセスした弊社お客様：2社
-
2025/04/16
※2025/04/16 更新
マルウェアに感染させると考えられるURLを検知(2025/04/16)
■IoC(※1)
Type: | IOC: | Signature: |
---|---|---|
URL | hxxps://u1[.]unbentoverwrite[.]shop/brxa57v0zv[.]aac hxxps://check[.]pilod[.]icu/gkcxv[.]google hxxps://u1[.]unbentoverwrite[.]shop/s2kfktsk7l[.]aac hxxps://u1[.]unbentoverwrite[.]shop/1oeb45d5nl[.]aac hxxps://u1[.]unbentoverwrite[.]shop/1xi3ir650y[.]aac hxxps://check[.]tumyr[.]icu/gkcxv[.]google hxxps://u1[.]unbentoverwrite[.]shop/w5rv9mu2tz[.]aac hxxps://u1[.]unbentoverwrite[.]shop/kxo0qc9ran[.]aac hxxps://check[.]sinyx[.]icu/gkcxv[.]google hxxps://u1[.]unbentoverwrite[.]shop/uj8q1g00j8[.]aac hxxps://u1[.]unbentoverwrite[.]shop/6aig8y9zel[.]aac hxxps://u1[.]curtainfrown[.]shop/zjjbmjxhow[.]aac hxxps://u1[.]bufferfacelift[.]shop/y42j8sod67[.]aac hxxps://check[.]zezar[.]icu/gkcxv[.]google hxxps://u1[.]bufferfacelift[.]shop/qepp7itswo[.]aac hxxps://u1[.]bufferfacelift[.]shop/dd8fdfcsdk[.]aac hxxps://check[.]babuc[.]icu/gkcxv[.]google hxxps://u1[.]bufferfacelift[.]shop/2fmbejdmp1[.]aac hxxps://u1[.]bufferfacelift[.]shop/ztodrpj8pa[.]aac hxxps://u1[.]bufferfacelift[.]shop/lswsvz7xfe[.]aac hxxps://u1[.]bufferfacelift[.]shop/itsd9sm6cp[.]aac hxxps://u1[.]bufferfacelift[.]shop/a5dlckltem[.]aac hxxps://check[.]lukus[.]icu/gkcxv[.]google hxxps://u1[.]bufferfacelift[.]shop/2b18xb95w1[.]aac hxxps://check[.]vegyt[.]icu/gkcxv[.]google hxxps://u1[.]bufferfacelift[.]shop/z596r0eju4[.]aac hxxps://u1[.]bufferfacelift[.]shop/8ae8blkvjb[.]aac hxxps://u1[.]bufferfacelift[.]shop/iawbt6riyo[.]aac hxxps://u1[.]bufferfacelift[.]shop/o73zsxy37i[.]aac hxxps://check[.]nejyd[.]icu/gkcxv[.]google hxxps://u1[.]bufferfacelift[.]shop/gk7f5w7xm4[.]aac hxxps://u1[.]bufferfacelift[.]shop/69z526trc5[.]aac | ClearFake |
URL | hxxp://45[.]207[.]215[.]32:8000/mimikatz[.]exe | MimiKatz |
URL | hxxps://humisnee[.]com/sb[.]php hxxps://humisnee[.]com/sbmstart[.]php hxxps://fotamene[.]com/app/app[.]exe | Glupteba |
URL | hxxp://192[.]3[.]26[.]143/460/csrss[.]exe | MASS Logger |
URL | hxxp://192[.]3[.]26[.]143/440/hkcmd[.]exe hxxps://doc-sharepoint[.]nbcoiling[.]com/index[.]php/s/iRa8xZKGecLG8mZ/download/output[.]dat | DBatLoader |
URL | hxxp://192[.]3[.]26[.]143/470/csrss[.]exe hxxps://greenfarmsel[.]ro/Snuffers[.]hhk hxxps://enriquehurtadomuebles[.]com[.]bo/dist/done1[.]ps1 | Formbook |
URL | hxxps://gillilandlandscape[.]com/winston[.]zip hxxps://glona[.]net/wezp/fweb[.]zip hxxps://tribunrtp[.]com/bytest/bytest[.]zip | NetSupportManager RAT |
URL | hxxp://www[.]dvir[.]de/wp-content/themes/Dummy/assets/js/main[.]min[.]js?ver=1[.]0 hxxps://analytiwave[.]com/api/getUrl hxxps://security[.]flargyard[.]com/D5a1B2f6A8c7E9d3F0b4C2f1E7A6 hxxps://security[.]flargyard[.]com/wordpress?domain=d3d3LmR2aXIuZGU%3D hxxps://security[.]flargyard[.]com/B6c4D1a9F8g3H7e5N6b5A9dE4f?wsid=www[.]dvir[.]de&domain=d3d3LmR2aXIuZGU= hxxps://goclouder[.]com/0a1F2b3C4d5E6f7A8b9C0d1E2f3A4b5/?wsid=www[.]dvir[.]de&domain=d3d3LmR2aXIuZGU= hxxps://westrosei[.]live/agoz hxxps://b[.]surfaceconsoling[.]makeup/d6d0c07fe5ee8c61f23e1cf95c5035fc hxxp://185[.]39[.]17[.]162/files/fate/random[.]exe hxxps://1zestmodp[.]top/zeda hxxps://ochangeaie[.]top/geps hxxps://r1qesccapewz[.]run/ANSbwqy hxxps://fsighbtseeing[.]shop/ASJnzh hxxps://1travewlio[.]shop/ZNxbHi hxxp://185[.]39[.]17[.]162/luma/random[.]exe hxxps://tclarmodq[.]top/qoxo hxxps://proenhann[.]digital/thnb | Lumma Stealer |
URL | hxxps://www[.]khavar[.]com/GHDsdCBN124[.]bin hxxp://192[.]210[.]150[.]28/3/001[.]exe hxxps://vidrioyaluminio[.]mx/Tibia[.]pfm hxxps://www[.]klapalevanda[.]com/rf/HzywB210[.]bin hxxps://www[.]klapalevanda[.]com/rf/Mandsmod[.]afm hxxps://sf4l[.]shop/DBlOpFGV/KOoycrfPXijeK140[.]bin | CloudEyE |
URL | hxxp://107[.]150[.]0[.]103/sh | Coinminer |
URL | hxxp://kbcximoaqhffxnm[.]top/1[.]php?s=527 | MintsLoader |
URL | hxxps://uochut[.]shop/help/loop[.]js hxxps://uochut[.]shop/help/index[.]php hxxps://uochut[.]shop/help/ops[.]php hxxps://xnhe[.]accounting[.]bridgemastersllc[.]com/gotoCheckout hxxps://shared[.]roofnrack[.]com/profileLayout | FAKEUPDATES |
URL | hxxps://amssh[.]co/spotify hxxps://amssh[.]co/windows hxxps://ins[.]sg/office hxxps://getli[.]cc/capcut | powershell_web_backdoor |
URL | hxxps://www[.]klapalevanda[.]com/sd/cdbMMDaCnqc244[.]bin hxxps://www[.]klapalevanda[.]com/sd/Perosomus[.]pfb hxxp://176[.]65[.]134[.]79/hosting/maCRO[.]ps1 hxxp://176[.]65[.]134[.]79/hosting/bag[.]ps1 hxxp://176[.]65[.]134[.]79/hosting/devil[.]ps1 | Agent Tesla |
URL | hxxps://files[.]goldenharvetsltd[.]com/fkAfbSi[.]txt hxxps://bitbucket[.]org/fsdfsdfs/fsdfdsfsdfsdf/downloads/test2[.]jpg | Snake Keylogger |
URL | hxxps://mrtqw[.]shop/fwgwng[.]bat hxxps://ballotlinllc[.]top/Ratslrs141[.]smi hxxps://downloadthecorrectversion[.]space/vickk/r[.]txt | Remcos |
URL | hxxp://172[.]245[.]208[.]13/wex/ggh[.]js | WSHRAT |
URL | hxxps://redbluezone[.]com/diagnostics[.]php | Satacom |
URL | hxxp://www[.]ik-wolrdwide[.]com/Downloads/Presentation hxxp://webdisk[.]shrdihan[.]com/Downloads/Presentation hxxp://www[.]dgmori[.]com/Downloads/Presentation hxxp://cpanel[.]accessdnsl[.]com/Downloads/Presentation hxxp://webmail[.]accessdnsl[.]com/Downloads/Presentation hxxp://cpcalendars[.]shrdihan[.]com/Downloads/Presentation hxxp://webmail[.]nvdcsadmin[.]org/Downloads/Presentation hxxp://mail[.]ik-wolrdwide[.]com/Downloads/Presentation hxxp://mail[.]viewsharedonlinefiles[.]com/Downloads/Presentation hxxp://cpcontacts[.]edocusign[.]ru/Downloads/Presentation hxxp://www[.]shrdihan[.]com/Downloads/Presentation hxxp://www[.]solardetech[.]info/Downloads/Presentation hxxp://webdisk[.]sinoceancn[.]com/Downloads/Presentation hxxp://djv[.]gdocudrive[.]com/Downloads/Presentation hxxp://1yqv[.]projectzdocu[.]co/Downloads/Presentation hxxp://www[.]emriateslogistics[.]com/Downloads/Presentation hxxp://www[.]edocusign[.]ru/Downloads/Presentation hxxp://mail[.]ketnplc[.]com/Downloads/Presentation hxxp://cpcontacts[.]enfamxb[.]com/Downloads/Presentation hxxp://mail[.]greenmountain-no[.]com/Downloads/Presentation hxxp://www[.]file42shp[.]com/Downloads/Presentation hxxp://cpcalendars[.]taelimsystem[.]vip/Downloads/Presentation hxxp://cpcontacts[.]qualityglobal[.]wiki/Downloads/Presentation hxxp://mail[.]oplus-ae[.]com/Downloads/Presentation hxxp://webmail[.]singlelights[.]com/Downloads/Presentation | Emmenhtal |
URL | hxxp://webdisk[.]sinoceancn[.]com/Downloads/Cbqjobosim-Signed[.]exe hxxp://1yqv[.]projectzdocu[.]co/Downloads/Cbqjobosim-Signed[.]exe hxxp://mail[.]ik-wolrdwide[.]com/Downloads/Cbqjobosim-Signed[.]exe hxxp://www[.]ik-wolrdwide[.]com/Downloads/Cbqjobosim-Signed[.]exe hxxp://djv[.]gdocudrive[.]com/Downloads/Cbqjobosim-Signed[.]exe hxxp://www[.]dgmori[.]com/Downloads/Cbqjobosim-Signed[.]exe hxxp://mail[.]viewsharedonlinefiles[.]com/Downloads/Cbqjobosim-Signed[.]exe hxxp://www[.]shrdihan[.]com/Downloads/Cbqjobosim-Signed[.]exe hxxp://cpcontacts[.]edocusign[.]ru/Downloads/Cbqjobosim-Signed[.]exe hxxp://cpanel[.]accessdnsl[.]com/Downloads/Cbqjobosim-Signed[.]exe hxxp://webmail[.]nvdcsadmin[.]org/Downloads/Cbqjobosim-Signed[.]exe hxxp://webdisk[.]shrdihan[.]com/Downloads/Cbqjobosim-Signed[.]exe hxxp://webmail[.]accessdnsl[.]com/Downloads/Cbqjobosim-Signed[.]exe hxxp://cpcalendars[.]shrdihan[.]com/Downloads/Cbqjobosim-Signed[.]exe hxxp://www[.]solardetech[.]info/Downloads/Cbqjobosim-Signed[.]exe hxxp://cpcontacts[.]enfamxb[.]com/Downloads/Cbqjobosim-Signed[.]exe hxxp://mail[.]greenmountain-no[.]com/Downloads/Cbqjobosim-Signed[.]exe hxxp://www[.]edocusign[.]ru/Downloads/Cbqjobosim-Signed[.]exe hxxp://www[.]file42shp[.]com/Downloads/Cbqjobosim-Signed[.]exe hxxp://cpcalendars[.]taelimsystem[.]vip/Downloads/Cbqjobosim-Signed[.]exe hxxp://mail[.]oplus-ae[.]com/Downloads/Cbqjobosim-Signed[.]exe hxxp://www[.]emriateslogistics[.]com/Downloads/Cbqjobosim-Signed[.]exe hxxp://cpcontacts[.]qualityglobal[.]wiki/Downloads/Cbqjobosim-Signed[.]exe hxxp://mail[.]ketnplc[.]com/Downloads/Cbqjobosim-Signed[.]exe hxxp://webmail[.]singlelights[.]com/Downloads/Cbqjobosim-Signed[.]exe | Ghost RAT |