不正URLへのアクセス、不正メールの受信
-
メール受信した
弊社お客様0社 URLアクセスした
弊社お客様1社 -
2023/10/30
※2023/10/30 更新
マルウェアに感染させると考えられるURLを検知(2023/10/30)
■IoC(※1)
Type: | IOC: | Signature: |
---|---|---|
URL | hxxp://185[.]254[.]37[.]174/xlammexpoittt[.]vbs hxxp://185[.]254[.]37[.]174/HTMLXLAMieBrowser[.]dOC hxxp://192[.]3[.]64[.]154/9080/GSW[.]txt hxxps://api[.]telegram[.]org/bot6610764322:AAF5bGm2U5ozUDOcoNEjsvK_0eX8f49Puzo/ hxxp://172[.]245[.]208[.]6/2201/audiodgse[.]exe hxxp://141[.]98[.]6[.]91/38/html/HTMLDesginBrowserInternet[.]dOC hxxp://141[.]98[.]6[.]91/38/HTMLDesginbrowser[.]vbs hxxp://141[.]98[.]6[.]91/39/KLV[.]txt hxxp://141[.]98[.]6[.]91/39/www/HTMLIEbrowserHistoryClean[.]doc hxxp://141[.]98[.]6[.]91/39/HTMLIEbrowserHistory[.]vbs hxxp://141[.]98[.]6[.]91/htms/HTMLIEBrowserChatHistory[.]dOC hxxp://193[.]42[.]33[.]51/Yqmx[.]vbs hxxp://103[.]183[.]114[.]5/5010/HCR[.]txt hxxp://103[.]183[.]114[.]5/5010/HTMLIEBrowserHistory[.]vbs hxxp://103[.]183[.]114[.]5/5010/whc/HTMLIEBrowserHistorycleaner[.]dOC hxxp://185[.]254[.]37[.]174/mohammeddroidupdatedfilebase64[.]txt hxxp://141[.]98[.]6[.]91/38/HDV[.]txt hxxps://api[.]telegram[.]org/bot6521350036:AAF8zqjGXosIepevfWbMGHPi1J4X2bCZ94g/ hxxps://api[.]telegram[.]org/bot6950818166:AAGEBpo3MFF3lkfI4C4iazv-HBoQWXpFREE/ hxxps://api[.]telegram[.]org/bot6274305207:AAH5YPuidA8Ry1ixmINxRICUhFKpXUvENJg/ hxxp://141[.]98[.]10[.]13/2300/autolog[.]exe hxxp://193[.]42[.]33[.]51/ngfor[.]vbs hxxp://193[.]42[.]33[.]51/qasx[.]js hxxp://94[.]156[.]253[.]236/cincocicnnc[.]vbs hxxps://api[.]telegram[.]org/bot5870878058:AAEtYpDY1LBnBQGwZvkWktoa3wzKq0kSk78/ |
Agent Tesla |
URL | hxxps://novostiua[.]media/bin/ror[.]exe hxxps://novostiua[.]media/ror[.]exe | RedLine Stealer |
URL | hxxps://moodelstore[.]tel/group/five/fre[.]php hxxp://moodelstore[.]tel/group/five/fre[.]php hxxp://79[.]110[.]62[.]42/mes/fre[.]php | LokiBot |
URL | hxxp://89[.]208[.]104[.]64/cleanupdate[.]exe hxxp://185[.]196[.]8[.]176/7jshasdS/Plugins/cred64[.]dll hxxp://185[.]196[.]8[.]176/7jshasdS/Plugins/clip64[.]dll | Amadey |
URL | hxxp://mail[.]treeoflifeadventures[.]com/wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/marikolock2[.]1[.]exe hxxp://ked-ind[.]com/bPZGcTDMucL59[.]bin | Formbook |
URL | hxxp://91[.]103[.]253[.]170/0700a36cc9bf8101/nss3[.]dll hxxp://91[.]103[.]253[.]170/0700a36cc9bf8101/vcruntime140[.]dll hxxp://91[.]103[.]253[.]170/0700a36cc9bf8101/softokn3[.]dll hxxp://91[.]103[.]253[.]170/0700a36cc9bf8101/sqlite3[.]dll hxxp://91[.]103[.]253[.]170/0700a36cc9bf8101/msvcp140[.]dll hxxp://91[.]103[.]253[.]170/0700a36cc9bf8101/mozglue[.]dll hxxp://91[.]103[.]253[.]170/0700a36cc9bf8101/freebl3[.]dll hxxp://albertwashington[.]icu/timeSync[.]exe hxxp://bidbur[.]com/b5c586aec2e1004c[.]php | Stealc |
URL | hxxp://124[.]221[.]206[.]123:8099/ptj hxxp://124[.]70[.]62[.]48:9999/fwlink hxxp://165[.]227[.]141[.]64/activity hxxp://117[.]50[.]187[.]39:4431/activity hxxp://101[.]42[.]22[.]120:8000/g[.]pixel hxxp://92[.]63[.]196[.]45:82/__utm[.]gif hxxps://219[.]151[.]137[.]59/en-us/silentauth hxxp://31[.]44[.]184[.]73/cx hxxp://114[.]116[.]49[.]242/ptj hxxps://47[.]108[.]145[.]29/search/ hxxp://121[.]196[.]202[.]174/recite/v9[.]52/6FCQ3UVD9 hxxp://113[.]250[.]188[.]15:8454/en_US/all[.]js hxxps://175[.]24[.]176[.]154/api/js hxxp://179[.]60[.]150[.]57/preload hxxp://122[.]51[.]116[.]186/activity hxxp://85[.]209[.]11[.]162/match hxxp://45[.]136[.]14[.]103/functionalStatus hxxp://121[.]40[.]66[.]171:85/activity hxxp://45[.]136[.]14[.]51/cm hxxp://165[.]227[.]141[.]64/pixel[.]gif hxxp://8[.]134[.]71[.]235/ca hxxp://101[.]43[.]170[.]225:7777/dot[.]gif hxxp://31[.]44[.]184[.]73/updates[.]rss hxxp://43[.]132[.]152[.]51:3389/jquery-3[.]3[.]1[.]min[.]js hxxp://175[.]24[.]176[.]154/api/settings hxxp://39[.]108[.]189[.]188:1111/j[.]ad hxxps://175[.]24[.]176[.]154:8443/api/settings hxxp://103[.]61[.]0[.]241:8080/en_US/all[.]js hxxp://47[.]242[.]51[.]201/activity hxxp://103[.]234[.]72[.]74/dot[.]gif hxxp://103[.]61[.]0[.]241/load hxxp://89[.]23[.]103[.]35/cx hxxp://124[.]70[.]45[.]102:8090/j[.]ad hxxp://185[.]225[.]74[.]128:8080/compare/v1[.]44/VXK7P0GBE8 hxxp://20[.]51[.]226[.]216/_/scs/mail-static/_/js/ hxxp://85[.]175[.]101[.]203/activity hxxp://121[.]40[.]66[.]171:85/push hxxps://165[.]22[.]234[.]230/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books hxxps://121[.]40[.]66[.]171/__utm[.]gif hxxps://47[.]115[.]215[.]203/activity hxxp://119[.]96[.]176[.]28:8888/push hxxp://92[.]63[.]196[.]46:8092/pixel[.]gif hxxp://8[.]130[.]128[.]97:8081/pixel hxxp://8[.]140[.]122[.]248:8088/IE9CompatViewList[.]xml hxxp://114[.]132[.]197[.]186:8099/j[.]ad hxxp://101[.]34[.]83[.]16:30002/match hxxp://156[.]225[.]2[.]119/cm hxxp://165[.]227[.]141[.]64/ca 
hxxp://123[.]60[.]151[.]249:6666/fwlink hxxp://147[.]78[.]47[.]231:7777/load hxxp://150[.]158[.]50[.]177:7779/visit[.]js hxxp://47[.]100[.]190[.]135:6789/cx hxxp://188[.]121[.]110[.]191/__utm[.]gif hxxp://47[.]108[.]183[.]77:7333/push hxxps://104[.]243[.]47[.]82/activity hxxps://54[.]201[.]226[.]116/fwlink hxxp://120[.]46[.]63[.]196:443/1nJt |
Cobalt Strike |
URL | hxxps://safe[.]fogreir[.]fun/hamid/ hxxps://safe[.]fogreir[.]fun/hamid/web[.]txt hxxps://safe[.]fogreir[.]fun/hamid/log[.]php hxxps://ap[.]ronappig[.]xyz/kihan/web[.]txt hxxps://ap[.]ronappig[.]xyz/kihan hxxps://ap[.]ronappig[.]xyz/kihan/log[.]php hxxps://ap[.]ronappig[.]xyz/kihan/phone[.]txt hxxps://hfastt[.]com/Master/wa/ hxxps://hfastt[.]com/Master/wa/id[.]txt hxxps://hfastt[.]com/Master/wa/sms[.]php?result=ok&action=upload&androidid= hxxps://hfastt[.]com/Master/wa/requests[.]php hxxps://hfastt[.]com/Master/wa/contact[.]php?result=ok&action=upload&androidid= hxxps://ap[.]ronappig[.]xyz/Sezar/log[.]php hxxps://ap[.]ronappig[.]xyz/Sezar/web[.]txt hxxps://ap[.]ronappig[.]xyz/Sezar/phone[.]txt hxxps://ap[.]ronappig[.]xyz/Sezar hxxps://mekerishere[.]site/config/-1001830809790 hxxps://mekerishere[.]site/api/-1001830809790 hxxps://stableconn[.]online/end/strawberry[.]php hxxps://stableconn[.]online/end/info[.]php hxxps://stableconn[.]online/end/ hxxps://xdpanel[.]cloud/tools/end[.]json hxxps://hfastt[.]com/drugrim/wa/id[.]txt hxxps://hfastt[.]com/drugrim/wa/sms[.]php? hxxps://hfastt[.]com/drugrim/wa/sms[.]php hxxps://hfastt[.]com/drugrim/wa/requests[.]php hxxps://rahaishere[.]site/api/-1001921881932 hxxps://rahaishere[.]site/config/-1001921881932 hxxps://apuyhh[.]xyz/sxo/log[.]php hxxps://apuyhh[.]xyz/sxo/web[.]txt hxxps://ehduhehudhedhu[.]site/[.]S hxxps://ehduhehudhedhu[.]site/[.]S/Bot/ hxxps://ehduhehudhedhu[.]site/[.]S/Bot/Panels hxxps://ehduhehudhedhu[.]site/[.]S/Bot/Panels/DarkDemon hxxps://ehduhehudhedhu[.]site/[.]S/Bot/Panels/DarkDemon/panel[.]php? 
hxxps://ehduhehudhedhu[.]site/[.]S/Bot/Panels/DarkDemon/panel[.]php hxxps://ehduhehudhedhu[.]site/[.]S/Bot/Panels/DarkDemon/panel[.]php?link=true hxxps://hfastt[.]com/King2/ hxxps://hfastt[.]com/King2/wa/ hxxps://hfastt[.]com/King2/wa/contact[.]php hxxps://hfastt[.]com/King2/wa/requests[.]php hxxps://hfastt[.]com/King2/wa/id[.]txt hxxps://hfastt[.]com/King2/wa/sms[.]php hxxps://mrcomishere[.]site/config/-1001848854474 hxxps://mrcomishere[.]site/api/-1001848854474 |
IRATA |
URL | hxxp://onlyblack[.]fun/api hxxp://momalua[.]fun/api hxxp://kusmanin[.]fun/api hxxp://mouseoiet[.]fun/api hxxp://boddyshow[.]fun/api hxxp://elizgerls[.]pw/api hxxp://alosevera[.]fun/api hxxp://jomanboy[.]fun/api | Lumma Stealer |
URL | hxxp://355212cm[.]nyashnyash[.]top/nyashsupport[.]php | DCRat |
URL | hxxps://ulpyx[.]result[.]garrettcountygranfondo[.]org/editContent hxxps://nked[.]result[.]garrettcountygranfondo[.]org/editContent | FAKEUPDATES |
URL | hxxp://193[.]42[.]33[.]51/dyke[.]vbs hxxp://185[.]254[.]37[.]174/snkVbsFile[.]vbs | zgRAT |
URL | hxxp://84[.]54[.]50[.]57/0xc2s[.]arm7 hxxp://62[.]192[.]173[.]7/86 | Bashlite |
URL | hxxp://171[.]22[.]28[.]221/files/123[.]exe | Glupteba |
URL | hxxp://gudanidevelopment[.]ge/IogvoayYhe139[.]bin hxxp://89[.]105[.]219[.]43/ndsNw141[.]bin hxxp://89[.]105[.]219[.]43/OAJaJhWYO65[.]bin | CloudEyE |
URL | hxxp://193[.]42[.]32[.]118/api/firegate[.]php | PrivateLoader |
URL | hxxp://23[.]88[.]45[.]254/upload[.]zip hxxp://5[.]75[.]188[.]83:3306/upload[.]zip | Vidar |