不正URLへのアクセス、不正メールの受信
-
メールを受信した弊社お客様：0社
URLにアクセスした弊社お客様：2社
-
2024/01/15
※2024/01/15 更新
マルウェアに感染させると考えられるURLを検知(2024/01/15)
■IoC(※1)
Type: | IOC: | Signature: |
---|---|---|
URL | hxxp://62[.]109[.]28[.]71/Process4local/javascriptExternalTrack/GeoPipe4/provider/Mariadb2Downloads/7public7private/temp/Universaltemporary/0Api6/Update_/5/4Processor/3Testgeo/traffic/providerImagepipeto_apiprivate[.]php hxxp://95[.]163[.]228[.]74/ExternalLineToMultiasyncwp[.]php hxxp://45[.]87[.]246[.]118/ProviderimageRequestWindowswpprivate[.]php hxxp://898082lm[.]nyashmyash[.]top/linerequestPacketlowGeoProcessorlongpolldbdlePrivate[.]php hxxp://147[.]45[.]196[.]103/ImageupdateprotectasyncTrafficdatalifecentral[.]php hxxp://89[.]23[.]115[.]8/7LinuxLinux/Basedle/geoJavascript7/8ProcessSql/LineimageVideouniversal/testdump/cdn0/To1eternal/3UploadsAsync/LocalBigloadLinux/PhpbaseProcess/ProcessPython/5/processExternalGenerator/_eternalProvider/Authlongpoll/vmlinepipeSecurecpuprotectwindows[.]php hxxp://837565cm[.]nyashtech[.]top/LineCpubigloadMultiDbLinuxAsyncUniversaldatalifedownloads[.]php hxxp://188[.]120[.]226[.]211/PrivateTrack/6VoiddbPrivate/877image/polllinuxWp[.]php hxxp://82[.]97[.]243[.]114/dumpEternal/videoSecureProcessProcessorWindowsasyncDlelocal[.]php | DCRat |
URL | hxxp://94[.]103[.]124[.]162/snype[.]arm4 hxxp://94[.]103[.]124[.]162/snype[.]ppc hxxp://94[.]103[.]124[.]162/snype[.]x86 hxxp://94[.]103[.]124[.]162/snype[.]arm6 hxxp://94[.]103[.]124[.]162/snype[.]arm5 hxxp://94[.]103[.]124[.]162/snype[.]mips hxxp://94[.]103[.]124[.]162/snype[.]mpsl hxxp://94[.]103[.]124[.]162/snype[.]sparc hxxp://89[.]190[.]156[.]211/arm7 hxxp://45[.]157[.]11[.]10/lol[.]arm7 hxxp://94[.]103[.]124[.]162/WeHackFbi[.]i586 hxxp://94[.]103[.]124[.]162/WeHackFbi[.]mpsel hxxp://94[.]103[.]124[.]162/WeHackFbi[.]Armv61 hxxp://94[.]103[.]124[.]162/WeHackFbi[.]armv4l hxxp://94[.]103[.]124[.]162/WeHackFbi[.]armv6l hxxp://94[.]103[.]124[.]162/WeHackFbi[.]i686 hxxp://94[.]103[.]124[.]162/WeHackFbi[.]mips hxxp://94[.]103[.]124[.]162/WeHackFbi[.]armv5l hxxp://94[.]103[.]124[.]162/WeHackFbi[.]sh4 | Bashlite |
URL | hxxps://varik[.]gr/one[.]exe hxxps://raymisluxtravel[.]gr/twoo[.]exe | NjRAT |
URL | hxxps://learndash[.]825testsites[.]com/b/abc[.]exe | LockBit |
URL | hxxp://ji[.]alie3ksgbb[.]com/ef/rty31[.]exe hxxp://ji[.]alie3ksgdd[.]com/ef/rty45[.]exe hxxp://ji[.]alie3ksgdd[.]com/ef/rty47[.]exe | Fabookie |
URL | hxxp://107[.]175[.]113[.]207/277/HSC[.]txt hxxps://api[.]telegram[.]org/bot6584345543:AAE8FmBkikiPXAV7DG0amRkE6HkrwudzXtc/ hxxp://107[.]175[.]113[.]207/277/BrowserUpdate[.]vbs hxxp://45[.]62[.]170[.]92/exploittttt[.]exe hxxp://45[.]62[.]170[.]92/microsoftdesignednewtechnologyforupdateentireofficeversionstokeepavoidbugsonthepcforsecure[.]Doc hxxp://zsin2[.]ebnsina[.]top/_errorpages/plugmanzx[.]exe hxxps://prime[.]topendpower[.]top/_errorpages/plugmanzx[.]exe hxxp://prime[.]topendpower[.]top/_errorpages/plugmanzx[.]exe hxxps://api[.]telegram[.]org/bot6868219551:AAErVq7MNJwva0m0_CLs0oSDQRugvTicj50/ hxxps://api[.]telegram[.]org/bot6671257273:AAFoEbzHE1dx4YkJDAmvJpQ-9M4Ez0ipv1I/ hxxps://zsin2[.]ebnsina[.]top/_errorpages/plugmanzx[.]exe hxxp://107[.]175[.]113[.]207/7800/LCC[.]txt hxxp://107[.]175[.]113[.]207/lcc/browserupdationrecentlydonebymicrosfottheyacceptedallupdationisgoodandworkingfine[.]Doc hxxp://107[.]175[.]113[.]207/7800/browserUpdate[.]vbs hxxps://api[.]telegram[.]org/bot6862942065:AAEadam86Y0ZyoV6fVsjs0iihqvhzl8ryHQ/ hxxps://api[.]telegram[.]org/bot6708836842:AAEOj4CFUrj7jFG71fhzDaJLgRXgsIceQ5A/ hxxps://api[.]telegram[.]org/bot5677573243:AAFBbq7Lxrb6ay_HsQHghriOyOpLqZx6WrU/ | Agent Tesla |
URL | hxxps://ecoproducts[.]com[.]my/system/library/teamviewer[.]exe hxxps://analysisswellenterw[.]fun/api hxxps://fashionlazynavyresewg[.]site/api | Lumma Stealer |
URL | hxxp://209[.]146[.]124[.]195:8080/ptj hxxps://66[.]119[.]15[.]241/activity hxxps://www[.]xss[.]mba:10328/ca hxxp://124[.]71[.]222[.]33:8088/activity hxxp://66[.]119[.]15[.]241/en_US/all[.]js hxxp://49[.]65[.]96[.]139:8087/en_US/all[.]js hxxp://39[.]104[.]20[.]145/cx hxxps://39[.]98[.]157[.]4:8089/visit[.]js hxxps://209[.]146[.]124[.]195/fwlink hxxp://47[.]90[.]247[.]182/match hxxp://163[.]5[.]169[.]2/s/ref=nb_sb_noss_1/637-08770317-9137754/field-keywords=woman hxxps://182[.]23[.]67[.]109/ca hxxps://wcs[.]microsoftwindows[.]cloud/dot[.]gif hxxps://182[.]23[.]67[.]109/dot[.]gif hxxp://47[.]252[.]17[.]61:8080/w4hJ hxxp://146[.]190[.]120[.]217:8001/kW3h hxxp://54[.]186[.]231[.]5:8000/h5Oq hxxps://192[.]3[.]80[.]202/cx hxxp://1[.]94[.]97[.]134:85/J6yd hxxp://1[.]94[.]97[.]137:8000/cobalt_strike_4[.]7_www[.]ddosi[.]org/cobaltstrike[.]jar hxxp://1[.]94[.]97[.]137:8000/cobalt_strike_4[.]7_www[.]ddosi[.]org/cobaltstrike-client[.]jar hxxps://167[.]99[.]75[.]81/updates[.]rss hxxp://8[.]218[.]123[.]22:7654/updates[.]rss hxxp://ns1[.]cbhhb[.]com[.]cn:7654/cx hxxp://ns1[.]cbhhb[.]com[.]cn:7654/updates[.]rss hxxp://101[.]34[.]28[.]19/image/ hxxp://8[.]218[.]123[.]22:7654/cx hxxps://106[.]54[.]209[.]36/ga[.]js hxxps://43[.]153[.]222[.]28/push hxxp://139[.]9[.]196[.]215/cx hxxps://139[.]9[.]196[.]215/push hxxp://154[.]197[.]99[.]65/en_US/all[.]js hxxp://101[.]43[.]30[.]194:3389/updates[.]rss hxxp://120[.]24[.]179[.]84/en_US/all[.]js hxxp://1[.]14[.]92[.]24:10001/updates[.]rss hxxp://47[.]108[.]175[.]149:7777/en_US/all[.]js hxxp://154[.]204[.]60[.]179:83/j[.]ad hxxp://47[.]236[.]244[.]14:60001/pixel[.]gif hxxp://8[.]136[.]241[.]0/ga[.]js hxxp://39[.]106[.]74[.]90/pixel hxxp://39[.]106[.]74[.]90/visit[.]js hxxps://101[.]201[.]46[.]105:888/wp-admin | Cobalt Strike |
URL | hxxp://link[.]blueyonderllc[.]top/_errorpages/linczx[.]exe | Nanocore RAT |
URL | hxxp://172[.]245[.]208[.]28/exl/entiersystemneedsuchagoodupdationforsecuretheofficefilesformthepeopleswhocatchsystem[.]doc hxxp://172[.]245[.]208[.]28/250/conhost[.]exe hxxps://infinitymetalcoating[.]com/wp-includes/securityhealths[.]exe | Formbook |
URL | hxxp://91[.]92[.]255[.]187/red[.]exe hxxp://91[.]92[.]255[.]187/venom[.]exe | Venom RAT |
URL | hxxp://185[.]172[.]128[.]19/newrock2[.]exe | Glupteba |
URL | hxxp://91[.]92[.]251[.]205/autorun[.]exe hxxp://213[.]248[.]43[.]48/task/OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms hxxp://213[.]248[.]43[.]48/loader/screen/OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms hxxp://213[.]248[.]43[.]127/loader/screen/OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms hxxp://213[.]248[.]43[.]127/task/OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms | RedLine Stealer |
URL | hxxps://api[.]telegram[.]org/bot6923682581:AAFwzssZK9YLzEpsTQfaL55LeBIoZ33b630/sendMessage?chat_id=6499200163 hxxps://api[.]telegram[.]org/bot6385771902:AAFzEpqHXketXwfW52woBHFnqZy6kfI91A0/sendMessage?chat_id=6517488336 hxxp://85[.]239[.]241[.]136/Lera[.]exe hxxp://85[.]239[.]241[.]136/a[.]vbs | AsyncRAT |
URL | hxxp://77[.]91[.]124[.]172:3350/rise[.]exe | RisePro |
URL | hxxp://109[.]107[.]181[.]33/de4846fc29f26952[.]php hxxps://erp[.]wesmarines[.]com/getme[.]txt hxxp://109[.]107[.]181[.]33/742d3278227bff91/msvcp140[.]dll hxxp://109[.]107[.]181[.]33/742d3278227bff91/vcruntime140[.]dll hxxp://109[.]107[.]181[.]33/742d3278227bff91/freebl3[.]dll hxxp://109[.]107[.]181[.]33/742d3278227bff91/nss3[.]dll hxxp://109[.]107[.]181[.]33/742d3278227bff91/mozglue[.]dll hxxp://109[.]107[.]181[.]33/742d3278227bff91/softokn3[.]dll hxxp://109[.]107[.]181[.]33/742d3278227bff91/sqlite3[.]dll hxxp://5[.]42[.]64[.]35/InstallSetup4[.]exe hxxp://5[.]42[.]64[.]35/InstallSetup1[.]exe hxxp://5[.]42[.]64[.]35/InstallSetup2[.]exe hxxp://5[.]42[.]64[.]35/InstallSetup7[.]exe hxxp://5[.]42[.]64[.]35/InstallSetup10[.]exe hxxp://5[.]42[.]64[.]35/InstallSetup6[.]exe hxxp://5[.]42[.]64[.]35/InstallSetup5[.]exe hxxp://5[.]42[.]64[.]35/InstallSetup8[.]exe hxxp://5[.]42[.]66[.]0/288cccc47bbc1871b439df19ff4df68f076[.]exe | Stealc |
URL | hxxp://fishery[.]co[.]in/virgin/leo/gate[.]php | Pony |
URL | hxxps://places[.]creeksidehuntingpreserve[.]com/editContent hxxps://lazittarl[.]com/cache/ewmrgqnaww[.]php hxxps://lazittarl[.]com/cdn-vs/cache[.]php hxxps://sgvw[.]places[.]creeksidehuntingpreserve[.]com/editContent hxxps://fatgq[.]places[.]creeksidehuntingpreserve[.]com/editContent hxxps://webcachedata[.]com/app[.]min[.]js hxxps://vby[.]places[.]creeksidehuntingpreserve[.]com/editContent hxxps://futu[.]places[.]creeksidehuntingpreserve[.]com/editContent hxxps://hflll[.]places[.]creeksidehuntingpreserve[.]com/editContent hxxps://ibaft[.]places[.]creeksidehuntingpreserve[.]com/editContent hxxps://xwhb[.]places[.]creeksidehuntingpreserve[.]com/editContent | FAKEUPDATES |
URL | hxxp://47[.]252[.]17[.]61:8080/GMOy hxxp://146[.]190[.]120[.]217:8001/bU9l hxxp://54[.]186[.]231[.]5:8000/iRm4 hxxp://5[.]148[.]32[.]222:6789/she[.]exe hxxp://121[.]37[.]198[.]25:8287/sc/winserver[.]exe | Metasploit |
URL | hxxp://blbl1[.]shop/BL341/index[.]php | Azorult |
URL | hxxp://185[.]172[.]128[.]32/cp[.]exe hxxp://varik[.]gr/one[.]exe hxxp://147[.]45[.]196[.]103/skinswapper[.]exe | zgRAT |
URL | hxxp://121[.]37[.]198[.]25:8287/tools/mimikatz2[.]2[.]exe hxxp://121[.]37[.]198[.]25:8287/tools/mimikatz[.]exe hxxp://121[.]37[.]198[.]25:8287/mimi/mimikatz[.]js hxxp://121[.]37[.]198[.]25:8287/mimi/mimikatz-vmp[.]exe hxxp://5[.]148[.]32[.]222:6789/shell[.]dll hxxp://121[.]37[.]198[.]25:8287/mimi/Invoke-Mimidogz[.]ps1 | MimiKatz |
URL | hxxp://www[.]mountveederwines[.]com/a1/bin_encrypted_C58FF9F[.]bin | CloudEyE |
URL | hxxp://185[.]172[.]128[.]19/costa[.]exe hxxp://91[.]92[.]241[.]168/download[.]php?pub=twointe hxxp://91[.]92[.]241[.]168/oorig/new_inte[.]exe | GCleaner |
URL | hxxp://45[.]200[.]51[.]142/mm[.]txt | Ghost RAT |
URL | hxxps://rwcmm[.]com/i/edalat_irani[.]apk | IRATA |
URL | hxxp://185[.]172[.]128[.]63/v8sjh3hs8/index[.]php | Amadey |
URL | hxxp://176[.]113[.]115[.]84:8080/4[.]php/987123[.]exe | Tofsee |
URL | hxxp://91[.]92[.]244[.]44/apatesrd[.]exe | MASS Logger |
URL | hxxps://31[.]41[.]244[.]41/YTI2NzRkODRkZmM5/ hxxps://cinconistanplaskamisto[.]net/YTI2NzRkODRkZmM5/ hxxps://cinconistanplaskamist1[.]com/YTI2NzRkODRkZmM5/ hxxps://cinconistanplaskamist2[.]xyz/YTI2NzRkODRkZmM5/ hxxps://cinconistanplaskamist3[.]net/YTI2NzRkODRkZmM5/ hxxps://cinconistanplaskamist4[.]com/YTI2NzRkODRkZmM5/ hxxps://cinconistanplaskamist5[.]xyz/YTI2NzRkODRkZmM5/ hxxps://4ht227ce29z6[.]xyz/MTU2OWE0NzJjNGY5/ hxxps://r85d4kbe5729[.]vip/MTU2OWE0NzJjNGY5/ hxxps://6kd020yb568x[.]top/MTU2OWE0NzJjNGY5/ hxxps://99ol9f44xvgo[.]cn/MTU2OWE0NzJjNGY5/ | Coper |