不正URLへのアクセス、不正メールの受信
-
メール受信した 弊社お客様0社
URLアクセスした 弊社お客様11社
-
2023/10/20
※2023/10/20 更新
マルウェアに感染させると考えられるURLを検知(2023/10/20)
■IoC(※1)
※表中のURLは誤アクセス防止のため無害化（defang）表記です。「hxxp」「hxxps」は「http」「https」に、「[.]」は「.」に戻してからログ検索やブロックリスト登録に利用してください。
※api[.]telegram[.]org のような正規サービス上のURLや、wp-content 配下のパスを持つURL（正規サイトが改ざんされて利用されていると思われるもの）が含まれます。ドメイン単位でブロックすると正規利用に影響し得るため、URL（パス）単位でのブロック、またはプロキシログ等での完全一致による調査を推奨します。
Type: | IOC: | Signature: |
---|---|---|
URL | hxxps://sebvasring[.]hair/vvip12/web[.]txt hxxps://sebvasring[.]hair/vvip12/log[.]php hxxps://sebvasring[.]hair/vvip12/phone[.]txt hxxps://sebvasring[.]hair/vvip12 hxxps://cyerosishere[.]site/api/-1001228456341 hxxps://cyerosishere[.]site/config/-1001958964908 hxxps://cyerosishere[.]site/api/-1001958964908 hxxps://serveroneil[.]lol/arsLan hxxps://serveroneil[.]lol/arsLan/log[.]php hxxps://serveroneil[.]lol/arsLan/phone[.]txt hxxps://serveroneil[.]lol/vvip12/web[.]txt hxxps://serveroneil[.]lol/vvip12 hxxps://serveroneil[.]lol/vvip12/log[.]php hxxps://serveroneil[.]lol/vvip12/phone[.]txt hxxps://auto-service[.]store/[.]S hxxps://auto-service[.]store/[.]S/ hxxps://auto-service[.]store/[.]S/Bot/ hxxps://auto-service[.]store/[.]S/Bot/Panels hxxps://auto-service[.]store/[.]S/Bot/Panels/DarkDemon hxxps://auto-service[.]store/[.]S/Bot/Panels/DarkDemon/panel[.]php hxxps://auto-service[.]store/[.]S/Bot/Panels/DarkDemon/panel[.]php?link=true | IRATA |
URL | hxxp://china[.]dhabigroup[.]top/_errorpages/plugmanzx[.]exe hxxp://185[.]254[.]37[.]80/sevenththththththth[.]vbs hxxp://94[.]156[.]253[.]236/westartagain[.]vbs hxxp://185[.]254[.]37[.]80/HTMLcache8[.]dOC hxxp://185[.]254[.]37[.]80/gfhdsggssdgfsFile[.]vbs hxxp://fresh1[.]ironoreprod[.]top/_errorpages/plugmanzx[.]exe hxxps://api[.]telegram[.]org/bot1841252439:AAFeBNk12wAgfxXFXtqpw50JT4iCgTc-FsM/sendDocument hxxp://94[.]156[.]253[.]236/lllllillilililiil[.]vbs hxxp://94[.]156[.]253[.]236/HTMLincache[.]doc | Agent Tesla |
URL | hxxps://solutionsinengineering[.]com/Source[.]hta hxxps://solutionsinengineering[.]com/HAND[.]exe hxxps://solutionsinengineering[.]com/XBL[.]exe hxxps://solutionsinengineering[.]com/Data[.]hta hxxps://arm-cc[.]com/docs[.]txt | AsyncRAT |
URL | hxxp://mail[.]treeoflifeadventures[.]com/wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/sukonted2[.]1[.]exe hxxp://mail[.]treeoflifeadventures[.]com/wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/macringa2[.]1[.]exe | Formbook |
URL | hxxp://ebalkayiu[.]fun/api hxxp://boldaus[.]fun/api hxxp://tfestv[.]fun/api | Lumma Stealer |
URL | hxxp://kevinrobinson[.]top/e9c345fc99a4e67e[.]php | Stealc |
URL | hxxp://185[.]254[.]37[.]229/rebirth[.]mips hxxp://185[.]254[.]37[.]229/rebirth[.]x86 hxxp://185[.]254[.]37[.]229/rebirth[.]arm5 hxxp://185[.]254[.]37[.]229/rebirth[.]arm6 hxxp://185[.]254[.]37[.]229/rebirth[.]ppc hxxp://185[.]254[.]37[.]229/rebirth[.]sh4 hxxp://185[.]254[.]37[.]229/rebirth[.]arm7 hxxp://185[.]254[.]37[.]229/rebirth[.]mpsl hxxp://185[.]254[.]37[.]229/rebirth[.]spc hxxp://185[.]254[.]37[.]229/rebirth[.]arm4t hxxp://185[.]254[.]37[.]229/rebirth[.]arm4 hxxp://185[.]254[.]37[.]229/rebirth[.]i686 hxxp://185[.]254[.]37[.]229/rebirth[.]m68 | Bashlite |
URL | hxxp://ify[.]ironoreprod[.]top/_errorpages/ify/five/fre[.]php hxxp://uche[.]blueyonderllc[.]top/_errorpages/uche/five/fre[.]php | LokiBot |
URL | hxxps://119[.]3[.]93[.]61:2443/Complete/echannel/W72NUBH3N hxxp://1[.]13[.]158[.]52:8099/cm hxxp://124[.]70[.]179[.]54:8888/cx hxxp://119[.]29[.]145[.]4:8888/en_US/all[.]js hxxp://121[.]40[.]66[.]171:85/fwlink hxxps://47[.]100[.]180[.]123:3004/wp08/wp-includes/dtcla[.]php hxxp://47[.]100[.]180[.]123:3003/wp08/wp-includes/dtcla[.]php hxxp://124[.]221[.]156[.]245/dot[.]gif hxxp://8[.]134[.]71[.]235/dot[.]gif hxxps://47[.]115[.]218[.]187:7373/IE9CompatViewList[.]xml hxxp://92[.]63[.]196[.]45:81/cm hxxp://8[.]134[.]109[.]120:2323/IE9CompatViewList[.]xml hxxps://115[.]159[.]115[.]41/pixel[.]gif hxxps://113[.]207[.]105[.]147/match hxxps://185[.]174[.]136[.]202:1433/jquery-3[.]3[.]1[.]min[.]js hxxps://82[.]157[.]30[.]43/ptj hxxps://101[.]43[.]108[.]117/fwlink hxxp://119[.]29[.]145[.]4:8080/pixel hxxps://165[.]227[.]141[.]64:4433/activity hxxp://165[.]227[.]141[.]64/push hxxp://124[.]71[.]212[.]123:9999/visit[.]js hxxp://47[.]120[.]9[.]35/ga[.]js hxxps://121[.]40[.]66[.]171/ptj hxxp://123[.]207[.]5[.]159:89/ga[.]js hxxps://111[.]231[.]22[.]61/en_US/all[.]js hxxp://mociyijame[.]us:8080/boxes hxxp://113[.]207[.]105[.]147:8080/load hxxps://a[.]dbapps[.]top:8443/jquery-3[.]3[.]1[.]min[.]js hxxps://85[.]175[.]101[.]203/dpixel hxxp://78[.]85[.]17[.]88/IE9CompatViewList[.]xml hxxp://121[.]40[.]66[.]171:85/cm hxxp://123[.]56[.]82[.]231/wp06/wp-includes/po[.]php hxxp://123[.]207[.]213[.]191/pixel[.]gif hxxp://165[.]227[.]141[.]64/IE9CompatViewList[.]xml hxxps://121[.]40[.]66[.]171/fwlink hxxp://124[.]223[.]91[.]53:443/en_US/all[.]js hxxp://8[.]219[.]207[.]66:6666/async/ddljson hxxp://139[.]224[.]188[.]139/visit[.]js hxxps://anservusa[.]com/mobile-ipad-home hxxp://wordst7512[.]net:8080/promote/v10[.]26/GMLZ7S5R7Z3 hxxps://111[.]230[.]198[.]118/api/v3/GetServerInfo[.]aspx hxxp://appsoftwareupdate[.]com:8080/Admin/images/EFDXAVXRRW | Cobalt Strike |
URL | hxxp://dbxo[.]shop/DBL341/index[.]php | Azorult |
URL | hxxp://zoptex375[.]xyz/777/mtxwrwa[.]exe | Phobos |
URL | hxxp://172[.]245[.]244[.]118:7070/Vre | Vjw0rm |
URL | hxxps://02w65ijjohr1frm[.]com/vvmd54/ hxxps://02w65ijjohr1frm[.]com/ZgbN19Mx hxxps://02w65ijjohr1frm[.]com/lander/chrome_1695206714/_index[.]php hxxps://xro[.]result[.]garrettcountygranfondo[.]org/editContent hxxps://pagz[.]result[.]garrettcountygranfondo[.]org/editContent hxxp://217[.]196[.]96[.]217/xmrig[.]exe hxxp://178[.]236[.]246[.]213/engine[.]exe hxxp://217[.]196[.]96[.]217/WinRing0x64[.]sys hxxp://217[.]196[.]96[.]217/WatchDog[.]exe hxxp://178[.]236[.]246[.]213/enginum[.]bat hxxps://lollyjayconcepts[.]com/wp-content/plugins/chromium/ChromiumEngine[.]zip | FAKEUPDATES |
URL | hxxp://165[.]227[.]154[.]84:7480/woo hxxp://165[.]227[.]154[.]84:7480/yes[.]exe hxxp://165[.]227[.]154[.]84:7480/ldr[.]sh | XMRig |
URL | hxxp://23[.]88[.]37[.]159/c1t/Outsu hxxp://88[.]99[.]82[.]67/uctf/volip hxxp://128[.]140[.]120[.]227/8qe/Autol hxxps://swasthbachpan[.]com/ime/ hxxps://mediaroutes[.]com/ius/ hxxps://scientificatiles[.]com/uq/ hxxps://mspconstructions[.]com/oitf/ hxxps://bhatetravels[.]com/oi/ hxxps://pollodacsa[.]com/itt/ hxxps://massagespasaigon[.]com/iqi/ hxxps://learnxeducation[.]com/aur/ hxxps://healthpot[.]co/ll/ hxxps://rtm-sa[.]co/mad/ hxxps://khaithaclothien[.]edu[.]vn/qas/ hxxps://leaderfortrans[.]com/cc/ hxxps://promenade[.]com[.]my/iit/ hxxps://econintech[.]org/udli/ hxxps://jometr[.]com/is/ hxxps://cuc[.]edu[.]eg/un/ hxxps://americansweepstakes[.]net/ue/ hxxps://sevastuglobal[.]com/pis/ hxxps://gxisautoindia[.]com/mr/ hxxps://cohenlegalteam[.]com/ucsi/ hxxps://ispamazozo[.]com/tio/ hxxps://eliteeducationalinstitute[.]org/dso/ hxxps://stellenboschdstvinstallation[.]com/eaae/ hxxps://aiqonsb[.]com/rbio/ hxxps://pteacademic79plus[.]com/dobb/ hxxps://egyfarm[.]com/lo/ hxxps://homedecortag[.]com/rmer/ hxxps://advat[.]com[.]ng/esa/ hxxps://footballeague[.]co[.]uk/ia/ hxxps://bubbles[.]com[.]br/ut/ hxxps://grossiste[.]tn/tae/ hxxps://nueffectsolutions[.]com/reef/ hxxps://vihaninternational[.]com/tu/ hxxps://smartpencentral[.]ca/un/ hxxps://naturaltaste-eg[.]com/uim/ hxxps://palmareal[.]com[.]mx/uatu/ hxxps://diamondclub-jewelry[.]com/mf/ hxxps://eniacit[.]com/lua/ hxxps://j108srijan[.]com/utta/ hxxps://reviewofbooks[.]in/en/ hxxps://hrsphr[.]com/esi/ hxxps://haventowel[.]com/vo/ hxxps://foladmarkazi[.]com/nha/ hxxps://minidoctor[.]org/ee/ hxxps://etanb[.]com/eo/ hxxps://sealsandsealings[.]com/omua/ hxxps://tipsonbd[.]com/ree/ hxxps://totaltaxi[.]org[.]br/lu/ hxxps://pharmajobs[.]co[.]ke/us/ hxxps://subdomain[.]btn[.]com[.]pk/tht/ hxxps://kitesimmigration[.]com/uqa/ hxxps://lapigua[.]mx/dloo/ hxxps://dastkarfoundation[.]com/tcu/ hxxps://paulstephen[.]org/tqe/ hxxps://beaconsfieldmortgages[.]ca/uqnt/ hxxps://e-theral[.]com/uea/ hxxps://auseal[.]com[.]au/vle/ hxxps://pusattryout[.]com/tnae/ hxxps://icbi[.]co[.]in/opec/ hxxps://grupvcwindows[.]com/nsd/ hxxps://asianet-tours[.]com/oi/ hxxps://smarttravelsolutions[.]in/psa/ hxxps://holyangelskhandala[.]com/an/ hxxps://ashishinfracon[.]com/dim/ hxxps://360clients[.]in/dtl/ hxxps://shardaengineering[.]in/do/ hxxps://bookmytravelz[.]com/tl/ hxxps://tramaartetextil[.]com[.]mx/issu/ hxxps://stratagem[.]co[.]nz/ilil/ hxxps://smisconsulting[.]com/sui/ hxxps://odreports[.]com/di/ hxxps://gba-angola[.]com/iosu/ hxxps://5bchem[.]ae/tuat/ hxxps://accountsmall[.]in/eeom/ hxxps://elenaprem[.]com/ud/ hxxps://perfectspaceinteriors[.]com/lui/ hxxps://romalimited[.]co[.]ke/od/ hxxps://boula[.]pe/ero/ hxxps://saluteindia[.]in/rosl/ hxxps://gunjancabindia[.]com/iseo/ hxxps://blackjackcables[.]in/iv/ hxxps://travelinghouse[.]pk/orid/ hxxps://mamabakery[.]ca/at/ hxxps://fmclog[.]co[.]uk/mvp/ hxxps://petinstruct[.]com/redl/ hxxps://classicgamer[.]com[.]mx/met/ hxxps://chennaimetco[.]co[.]in/utee/ hxxps://istaffrecruits[.]com/ie/ hxxps://giwayshans[.]lk/dmga/ hxxps://adfilms[.]lk/mr/ hxxps://paul-kenny[.]com/tov/ hxxps://fivenca[.]com/uid/ hxxps://grupocisbra[.]com[.]br/nssu/ hxxps://you2mentor[.]com/iaru/ hxxps://akestech[.]com/eimd/ hxxps://alldayallinone[.]com/mtqr/ hxxps://ahagroup[.]in/oa/ hxxps://usmanahmad[.]com/ap/ hxxps://lackeys[.]in/tuo/ hxxps://hypotheques514[.]ca/ee/ hxxps://smartsofalondon[.]uk/siit/ hxxps://alasrindustries[.]com/et/ hxxps://isquaretechnologies[.]com/te/ hxxps://superdreadi[.]com/ua/ hxxps://megapower-mea[.]com/mdoi/ hxxps://stjohnacroc[.]org/sa/ hxxps://3plecom[.]com/diex/ hxxps://deaventura4vientos[.]com/eev/ hxxps://accesorioswc[.]com/udm/ hxxps://newshutlive[.]in/ldgf/ hxxps://fattafat[.]com[.]pk/efn/ hxxps://essayspanel[.]org/tuet/ hxxps://thatnextstepafrica[.]org/ems/ hxxps://vi-05[.]com/aut/ hxxps://navarro[.]am/ni/ hxxps://rejareja[.]store/co/ hxxps://editmontage[.]com/ntu/ hxxps://rabyte[.]com[.]ng/enb/ hxxps://hightronix[.]net/sust/ hxxps://evoobio[.]it/ooe/ hxxps://voodeparapenteemnatal[.]store/tsar/ hxxps://techwave[.]pk/ri/ hxxps://premierfl[.]mx/ia/ hxxps://myfootball247[.]com/tuup/ hxxps://gonow[.]cl/ud/ hxxps://decorhire-johannesburg[.]com/melu/ hxxps://thehealthquest[.]co[.]in/nu/ hxxps://entertainmentstation[.]biz/qso/ hxxps://uaesportscarrental[.]com/eai/ hxxps://3dprintingkenya[.]com/pei/ hxxps://bigbenintegraciones[.]com/sun/ hxxps://rubiomoveis[.]com[.]br/ape/ hxxps://techavela[.]com/qusi/ hxxps://satsacademy[.]in/rops/ hxxps://coupleofmisfits[.]com/xpsi/ hxxps://bakertilly[.]co[.]bw/iuce/ hxxps://haris[.]in/dsr/ hxxps://mortgage-tech[.]ca/qu/ hxxps://arccus[.]in/coo/ hxxps://sunlightprimary[.]com/lr/ hxxps://clientscape[.]co[.]in/atn/ hxxps://mcenter[.]info/hn/ hxxps://neonrundubai[.]com/uo/ hxxps://phn[.]com[.]ng/on/ hxxps://zpguru[.]in/sue/ hxxps://thebeerdc[.]com/tmu/ hxxps://saintmarymissiontrustwahegaon[.]com/gian/ hxxps://derryhealthwellness[.]com/eubt/ hxxps://iatte[.]org/cet/ hxxps://dramitmaheshwari[.]com/tuim/ | IcedID |
URL | hxxp://193[.]42[.]33[.]7/newumma[.]exe | Glupteba |