外部公開用_ウイルス付メール(ばらまきメール)まとめ / Summary of virus-laden (mass-mailed) e-mails, for external release
Column legend (the spreadsheet's two header rows, translated; each record below is one spreadsheet row laid out as labelled fields):
  Date
  Subject
  Sender address
  In-mail link or attachment (suspicious link URL in the mail body, or an attachment)
  Files downloaded from the in-mail link, or attached to the mail:
    File name
    VirusTotal result & Hybrid-Analysis result
    Hash (MD5)
    Hash (SHA-256)
  Malware download URL (※ the destination contacted to download the malware after the attached/downloaded file is run)
  Malware download IP address
  Malware:
    Hash (SHA-256)
    VirusTotal result & Hybrid-Analysis result
  Remarks / reference information
Row 3
Date: 2019/04/18
Subject:
  Fw:
  Fax
  Jin'in sakugen
Sender address: (blank)
In-mail link or attachment: Attachment
File names:
  document.zip / document.js
  newdoocument.doc.zip / newdoocument.doc.js
  doc.doc.zip / doc.doc.js
VirusTotal / Hybrid-Analysis results (attachments):
  https://www.virustotal.com/#/file/21a11540298e4213077395cc5c8c4c52f52daea34760e088da8ef3fe0349341c/detection
  https://www.virustotal.com/#/file/c5b6298fe7b111ff8da613091289b550a5773048491dfb914410b7e800767b8a/detection
  https://www.virustotal.com/#/file/eb252e984ea45f9143d1c2b74fc5c503b5e29f8c13687a34927901788ccd7e24/detection
  https://www.hybrid-analysis.com/sample/eb252e984ea45f9143d1c2b74fc5c503b5e29f8c13687a34927901788ccd7e24?environmentId=100
  https://www.hybrid-analysis.com/sample/21a11540298e4213077395cc5c8c4c52f52daea34760e088da8ef3fe0349341c/5cb7d7e20288389b40780b3a
MD5:
  f722903db64e18425d8b7798e9691307
  4b7e316815b22642ba212ba9dd5bb810
  4514e41f436c1f2ed68202eaea2a7c74
SHA-256:
  21a11540298e4213077395cc5c8c4c52f52daea34760e088da8ef3fe0349341c
  c5b6298fe7b111ff8da613091289b550a5773048491dfb914410b7e800767b8a
  eb252e984ea45f9143d1c2b74fc5c503b5e29f8c13687a34927901788ccd7e24
Malware download URL: hxxp://news-medias[.]ru/report.exe
Malware download IP: Multiple
Malware SHA-256: 2a453d8932de56f19f64053c55d441046df197dadad6b328875c85adbaf42fcc
VirusTotal / Hybrid-Analysis results (malware):
  https://www.virustotal.com/#/file/2a453d8932de56f19f64053c55d441046df197dadad6b328875c85adbaf42fcc/detection
  https://www.hybrid-analysis.com/sample/2a453d8932de56f19f64053c55d441046df197dadad6b328875c85adbaf42fcc?environmentId=100
Remarks / references:
  https://www.cc.uec.ac.jp/blogs/news/2019/04/20190418malwaremail.html
  ▼Reference tweets
  https://twitter.com/bomccss/status/1118703609066078208
  https://twitter.com/abel1ma/status/1118704539199102979
Row 4
Date: 2019/04/17
Subject:
  4月分 (April portion)
  発注のお願い (Purchase order request)
  請求書送付 (Invoice sent)
  ・ご契約金計算書 (Contract fee statement)
  【添付書類】 ([Attached documents])
  【返信回答分】: ([Reply portion]:)
  FW: 【4月17日付】 (FW: [Dated April 17])
  FW: 【重要】 (FW: [Important])
  Fw: 納品書の修正の件 (Fw: Regarding correction of the delivery note)
  RE: お見積りの件 (RE: Regarding the quotation)
  備品発注依頼書の送付 (Sending the equipment order request form)
  注依頼書の送付 (Sending the order request form; truncated as observed)
Sender address: Unknown
In-mail link or attachment: Attachment
File names:
  (※)株式会社(※).xls (株式会社: "Co., Ltd.")
  新規 ドキュメントMicrosoft Excel(※).xls (新規 ドキュメント: "New document")
  (※)(*).xls
  (※): arbitrary digit string
  (*): arbitrary letters
VirusTotal / Hybrid-Analysis results (attachments):
  https://www.virustotal.com/#/file/d903c93164561ee4135920fba5d81f8b43d4586bfeef120aea8d87e6bcb17906/detection
  https://www.hybrid-analysis.com/sample/d903c93164561ee4135920fba5d81f8b43d4586bfeef120aea8d87e6bcb17906?environmentId=100
  https://www.virustotal.com/#/file/17c7c60f81e7fec52fde305710670af7e7712834da3343e83ca45d82c8f63c78/detection
  https://www.virustotal.com/#/file/e12690fcab618fdec5f0337b8d1cf5cc9e72516ab1fa134ea7bf4b46f3a9c43c/detection
  https://www.hybrid-analysis.com/sample/e12690fcab618fdec5f0337b8d1cf5cc9e72516ab1fa134ea7bf4b46f3a9c43c?environmentId=120
MD5:
  63b5238b6889b5e665588dc4a8be43a6
  fe01f55a59470fe9b56e6441eaaba2a2
  05a1f73307956f4c50e11938e4ebe58d
SHA-256:
  d903c93164561ee4135920fba5d81f8b43d4586bfeef120aea8d87e6bcb17906
  17c7c60f81e7fec52fde305710670af7e7712834da3343e83ca45d82c8f63c78
  e12690fcab618fdec5f0337b8d1cf5cc9e72516ab1fa134ea7bf4b46f3a9c43c
Malware download URL:
  ■bebloh
  pidobrake[.]com
  ▼Steganography download destinations
  hxxps://i.imgur[.]com/Vyjnb0D.png
  hxxps://images2.imgbox[.]com/35/1c/s6iNsHg3_o.png
  hxxp:///ipunedtos[.]com/uploads/copies.rar
Malware download IP: 5.188.231[.]189
Malware SHA-256: 08c73257797658dc869ff08f7287d415637fd8da13ba992b09f15faf904cc49a
VirusTotal / Hybrid-Analysis results (malware):
  https://www.virustotal.com/#/file/08c73257797658dc869ff08f7287d415637fd8da13ba992b09f15faf904cc49a/detection
Remarks / references:
  https://www.cc.uec.ac.jp/blogs/news/2019/04/201904171650malwaremail.html
  https://www.jc3.or.jp/topics/v_log/201904.html#d20190417c
  https://www.jc3.or.jp/topics/v_log/201904.html#d20190417b
  https://www.jc3.or.jp/topics/v_log/201904.html#d20190418a
  https://www.jc3.or.jp/topics/v_log/201904.html#d20190418b
  ▼Reference tweets
  https://twitter.com/abel1ma/status/1118410956109836288
  https://twitter.com/58_158_177_102/status/1118416496886071297
  https://twitter.com/bomccss/status/1118417703125938176
  https://twitter.com/SugitaMuchi/status/1118427820160454656
  ▼Sandbox runs
  https://app.any.run/tasks/3344bc60-be30-47ed-80db-8b0a656b0135
  https://app.any.run/tasks/2888f349-e52a-4982-8b75-ae1a1e913fe1
  ▼Steganography images
  https://urlscan.io/result/f78b9e47-4b1f-48d9-9680-61dd2a9efd3b/
  https://urlscan.io/result/deb9bc5e-fb4f-4972-bcb1-fdabe5aa7bc7
Row 5
Date: 2019/04/17
Subject:
  Fw:
  Fw: staff reduction
Sender address: Unknown
In-mail link or attachment: Attachment
File names:
  document.zip / document.js
  newdoocument.doc.zip / newdoocument.doc.js
  doc.doc.zip / doc.doc.js
VirusTotal / Hybrid-Analysis results (attachments):
  https://www.virustotal.com/#/file/dc751dfa7a9e79b054edacbaaeddd7b925a17bae2f46078ae647dd70eefd693b/detection
  https://www.virustotal.com/#/file/473c5c266e29c45fb602abc3170b2f7a7ad8f4ab37c5aad689156c09f6546643/detection
  https://www.hybrid-analysis.com/sample/473c5c266e29c45fb602abc3170b2f7a7ad8f4ab37c5aad689156c09f6546643?environmentId=100
MD5:
  777a51ad40994b2776b0a97848158ed2
  ded511e29369f7acb6eda285b028aca9
SHA-256:
  dc751dfa7a9e79b054edacbaaeddd7b925a17bae2f46078ae647dd70eefd693b
  473c5c266e29c45fb602abc3170b2f7a7ad8f4ab37c5aad689156c09f6546643
Malware download URL: hxxp://guebipk-mvd[.]ru/readx.exe
Malware download IP: Multiple
Malware SHA-256: 55488ce01710e4cd927b52f4a91c82dc6eba2325da70cb745599bbc864adae30
VirusTotal / Hybrid-Analysis results (malware):
  https://www.virustotal.com/#/file/55488ce01710e4cd927b52f4a91c82dc6eba2325da70cb745599bbc864adae30/detection
Remarks / references:
  ▼Reference tweets
  https://twitter.com/bomccss/status/1118312447050313728
  https://twitter.com/abel1ma/status/1118328986331779072
  ▼Sandbox runs
  https://app.any.run/tasks/23029dac-c9fa-42ee-9ee3-f0661276d506
  https://app.any.run/tasks/0facf15f-0f12-4d93-866a-21a2caed97c2
Row 6
Date: 2019/04/16
Subject:
  からの延滞請求書 (Overdue invoice from)
  サービス請求書 (Service invoice)
  期限切れ請求書 (Expired invoice)
  請求書ステータスの更新 (Invoice status update)
  請求書 (Invoice)
  請求書の請求 (Invoice request)
Sender address: Unknown
In-mail link or attachment: Attachment
File names:
  (※)_(※).doc
  (※): arbitrary digit string
VirusTotal / Hybrid-Analysis results (attachments):
  https://www.virustotal.com/#/file/94c595759b6415cf2b425f32194236b8d02e5d1f4a2399870b63f016480df6e7/detection
  https://www.virustotal.com/#/file/61c966fe80e7c16131ffb8c9fc58abad0e89705d575ec1016c4db578c3434a05/detection
  https://www.virustotal.com/#/file/57e601ceb23ca1be8b2a1dd44fb719c6a43885e3035c14265b8770dc009820db/detection
  https://www.virustotal.com/#/file/10103295f238be0472b32937b389e4bfdfb8e4b86359d1723672d58b8248de12/detection
  https://www.hybrid-analysis.com/sample/57e601ceb23ca1be8b2a1dd44fb719c6a43885e3035c14265b8770dc009820db?environmentId=100
  https://www.hybrid-analysis.com/sample/94c595759b6415cf2b425f32194236b8d02e5d1f4a2399870b63f016480df6e7?environmentId=100
MD5:
  f1ca1c12be7c2c2a7b1f5eb58be9bfae
  a41d35e0bee7e403e803363c40cc69cc
  d325943e4276fdcb75e378a81aba53e7
  61466c73ec19fa8a684936603f06b75e
SHA-256:
  94c595759b6415cf2b425f32194236b8d02e5d1f4a2399870b63f016480df6e7
  61c966fe80e7c16131ffb8c9fc58abad0e89705d575ec1016c4db578c3434a05
  57e601ceb23ca1be8b2a1dd44fb719c6a43885e3035c14265b8770dc009820db
  10103295f238be0472b32937b389e4bfdfb8e4b86359d1723672d58b8248de12
Malware download URL:
  benitezcatering[.]com/wp-includes/oOOiL5/
  dingesgang[.]com/wp-admin/rdZ/
  easyneti[.]com/wp-content/4zI/
  www.myhair4her[.]com/g9twdbi/AxU/
  www.oscarolivas[.]com/wp-includes/w47
Malware download IP: Multiple
Malware SHA-256: ddc1b2c1d484e30556ca560114a123d1e550f7a6e035cbcec5c8a06fcae65935
VirusTotal / Hybrid-Analysis results (malware):
  https://www.virustotal.com/#/file/ddc1b2c1d484e30556ca560114a123d1e550f7a6e035cbcec5c8a06fcae65935/detection
Remarks / references:
  ▼Reference tweets
  https://twitter.com/58_158_177_102/status/1118065938899668992
Row 7
Date: 2019/04/16
Subject: Fw:
Sender address: Unknown
In-mail link or attachment: Attachment
File names:
  document.zip / document.js
  newdoocument.doc.zip / newdoocument.doc.js
  doc.doc.zip / doc.doc.js
VirusTotal / Hybrid-Analysis results (attachments):
  https://www.virustotal.com/#/file/da955c3aa8d7c4173f3a4b41260c132ebd50ecd24c40f340f0ad0a8e0d9bde3b/detection
  https://www.virustotal.com/#/file/473c5c266e29c45fb602abc3170b2f7a7ad8f4ab37c5aad689156c09f6546643/detection
  https://www.hybrid-analysis.com/sample/473c5c266e29c45fb602abc3170b2f7a7ad8f4ab37c5aad689156c09f6546643/5cb53e8d038838ff0240c289
MD5:
  6d24d402bbe4ccff38ef4ea86955c605
  ded511e29369f7acb6eda285b028aca9
SHA-256:
  da955c3aa8d7c4173f3a4b41260c132ebd50ecd24c40f340f0ad0a8e0d9bde3b
  473c5c266e29c45fb602abc3170b2f7a7ad8f4ab37c5aad689156c09f6546643
Malware download URL:
  11totalzaelooop11[.]club/jd/t32.bin
  hxxp://guebipk-mvd[.]ru/readx.exe
Malware download IP: Multiple
Malware SHA-256:
  79906eb8822c57340c9dd53059352a24c327b5bea44019623f2847d26abe4d5a
  cab3cc3cef5ab8dd40dfb83d25422bcbf9e3a7d424b0824ed6c756aebeaaf787
VirusTotal / Hybrid-Analysis results (malware):
  https://www.virustotal.com/#/file/79906eb8822c57340c9dd53059352a24c327b5bea44019623f2847d26abe4d5a/detection
  https://www.hybrid-analysis.com/sample/79906eb8822c57340c9dd53059352a24c327b5bea44019623f2847d26abe4d5a?environmentId=100
  https://www.virustotal.com/#/file/cab3cc3cef5ab8dd40dfb83d25422bcbf9e3a7d424b0824ed6c756aebeaaf787/detection
Remarks / references:
  ▼Reference tweets
  https://twitter.com/abel1ma/status/1117961836375056384
  ▼Sandbox runs
  https://app.any.run/tasks/f3bd5599-3699-4459-85d6-1e49784586a5
  https://app.any.run/tasks/f4e43255-81ea-4eb9-9d53-25d44625f62b
  https://app.any.run/tasks/0543c458-936c-4777-a09c-620edcd34dfa
Row 8
Date: 2019/04/15
Subject:
  読んでください (Please read)
  特別請求書 (Special invoice)
  確認して承認してください。 (Please check and approve.)
  [英字氏名]請求書を添付してください ([Romanized name] Please attach the invoice)
  請求書 (Invoice)
  の請求書 ('s invoice)
  請求書の請求 (Invoice request)
  注意事項:請求書 (Notice: invoice)
Sender address: Unknown
In-mail link or attachment: Attachment
File names:
  (※)_(※).doc
  (※): arbitrary digit string
VirusTotal / Hybrid-Analysis results (attachments):
  https://www.virustotal.com/#/file/80a836c861b6a5d045d85aa9d3091035691b769ebdcd3b4de781f47c257049e7/detection
  https://www.hybrid-analysis.com/sample/80a836c861b6a5d045d85aa9d3091035691b769ebdcd3b4de781f47c257049e7?environmentId=100
  https://www.virustotal.com/#/file/b9efa337bb020490860db5da805c1070416c28c3471cfc15cf10dad6e374baac/detection
  https://www.hybrid-analysis.com/sample/b9efa337bb020490860db5da805c1070416c28c3471cfc15cf10dad6e374baac?environmentId=100
  https://www.virustotal.com/#/file/697892e7d72df8da7fe245e5a82fb5cc53f5a34deba8b4f794eafb62cdcdc4b4/detection
  https://www.hybrid-analysis.com/sample/697892e7d72df8da7fe245e5a82fb5cc53f5a34deba8b4f794eafb62cdcdc4b4?environmentId=100
  https://www.virustotal.com/#/file/5a91b573157525fd97eb1adde4653a28f91c3b97fa28b30a3ddf45945c536b89/detection
  https://www.hybrid-analysis.com/sample/5a91b573157525fd97eb1adde4653a28f91c3b97fa28b30a3ddf45945c536b89?environmentId=100
MD5:
  929116540242d88367af42f66e1a0336
  27605401f9d2948e6a86c98457485dd7
  6F96482F2D2A78B02686EFBCFAE8138B
  3AD0040B48E62E9CA22D52A68DE0966E
SHA-256:
  80a836c861b6a5d045d85aa9d3091035691b769ebdcd3b4de781f47c257049e7
  b9efa337bb020490860db5da805c1070416c28c3471cfc15cf10dad6e374baac
  697892e7d72df8da7fe245e5a82fb5cc53f5a34deba8b4f794eafb62cdcdc4b4
  5a91b573157525fd97eb1adde4653a28f91c3b97fa28b30a3ddf45945c536b89
Malware download URL:
  garammatka[.]com/cgi-bin/o569U/
  hadrianjonathan[.]com/floorplans/vOec/
  gamvrellis[.]com/MEDIA/heuMx/
  warwickvalleyliving[.]com/images/wmGN/
  rinconadarolandovera[.]com/calendar/5n5WY/
  ▼Destinations (C2)
  hxxp://88.215.2[.]29/
  hxxp://187.137.162[.]145:443/
  hxxp://65.49.60[.]163:443/
  hxxp://45.33.35[.]103:8080
Malware download IP: Multiple
Malware SHA-256: 9df200e21db8e6641818a865a3e492387e64d7b5050ae8710d5ab7ef7a897a91
VirusTotal / Hybrid-Analysis results (malware):
  https://www.virustotal.com/#/file/9df200e21db8e6641818a865a3e492387e64d7b5050ae8710d5ab7ef7a897a91/detection
Remarks / references:
  ▼Reference tweets
  https://twitter.com/58_158_177_102/status/1117697267194929154
  https://twitter.com/bomccss/status/1117699624691650565
  https://twitter.com/papa_anniekey/status/1117701864915517440
  ▼Sandbox runs
  https://app.any.run/tasks/620abd44-7403-4c1c-880c-d811b133ce41
  https://app.any.run/tasks/432bf798-b795-4f14-bb3e-a268f8798481
  https://app.any.run/tasks/bd97488f-b5a7-494d-853d-5af1ac5ad84b
  https://app.any.run/tasks/eeaa4085-89cd-4de7-a5b5-e5673cd0a55d
Row 9
Date: 2019/04/15
Subject:
  Fw:
  Fw:HR
  Fw:list of employees to reduce
Sender address: Unknown
In-mail link or attachment: Attachment
File names:
  document.zip / document.js
  newdoocument.doc.zip / newdoocument.doc.js
  doc.doc.zip / doc.doc.js
VirusTotal / Hybrid-Analysis results (attachments):
  https://www.virustotal.com/#/file/ae2502987bcd9ef5fd0a69c74eb229f10fa75f0c5ef9667b5086022c3dd8b0e4/detection
  https://www.virustotal.com/#/file/a903d07d638956c281699f6b461de14dc97198d8bfd25356eaaafb0eae663115/detection
  https://www.hybrid-analysis.com/sample/a8618b73af6706331e6e47d655bee5b0d08f3349ed7df70714c66296d000c1fc?environmentId=100
MD5:
  26060657c003eaee143e69ee5c32380c
  e29423faabc8cbe81c2485d4df3b8c91
  bb1f6ba7497c8b8ebf96780e89589d52
SHA-256:
  ae2502987bcd9ef5fd0a69c74eb229f10fa75f0c5ef9667b5086022c3dd8b0e4
  a903d07d638956c281699f6b461de14dc97198d8bfd25356eaaafb0eae663115
  a8618b73af6706331e6e47d655bee5b0d08f3349ed7df70714c66296d000c1fc
Malware download URL: hxxp://instant-payments[.]ru/read.exe
Malware download IP: Multiple
Malware SHA-256: f5a5e7d86c3131b3f0a479fa55f35f8fa7c0ea7615b244752f96071156982071
VirusTotal / Hybrid-Analysis results (malware):
  https://www.virustotal.com/#/file/f5a5e7d86c3131b3f0a479fa55f35f8fa7c0ea7615b244752f96071156982071/detection
  https://www.hybrid-analysis.com/sample/f5a5e7d86c3131b3f0a479fa55f35f8fa7c0ea7615b244752f96071156982071?environmentId=100
Remarks / references:
  https://bankingmalware.hatenablog.com/entry/2019/04/15/165434
  ▼Reference tweets
  https://twitter.com/catnap707/status/1117631073574199298
  https://twitter.com/abel1ma/status/1117631481419948033
  https://twitter.com/58_158_177_102/status/1117632083688443904
  https://twitter.com/bomccss/status/1117632578368884738
  https://twitter.com/tmmalanalyst/status/1117637873165987842
  ▼Sandbox runs
  https://app.any.run/tasks/195bee6a-f6b0-4edf-a3f4-41ec7040747b
  https://app.any.run/tasks/b254c863-1acd-41ac-bb40-65c8ed860ad6
Row 10
Date: 2019/04/12
Subject:
  請求書を添付してください (Please attach the invoice)
  あなたの請求書 (Your invoice)
  サービス請求書 (Service invoice)
  支払明細通知書 (Payment statement notice)
  支払請求書 (Payment invoice)
  未請求書 (Unbilled invoice)
  毎月の請求書 (Monthly invoice)
  注意事項:請求書 (Notice: invoice)
  読んでください (Please read)
  特別請求書 (Special invoice)
  期限切れ請求書 (Expired invoice)
  表示用の[英字氏名]アカウントの請求書 (Invoice for the [romanized name] display account)
  請求書[英字氏名] (Invoice [romanized name])
  請求書の請求 (Invoice request)
Sender address: Unknown
In-mail link or attachment: Attachment
File names:
  (※)_(※).doc
  (※).doc
  (※)_2019_04_12.doc
  (※): arbitrary digit string
VirusTotal / Hybrid-Analysis results (attachments):
  https://www.virustotal.com/#/file/af77939a3206c6beeb32606423daeb8236413630ddd3846ac300d741d8809108/detection
  https://www.hybrid-analysis.com/sample/af77939a3206c6beeb32606423daeb8236413630ddd3846ac300d741d8809108?environmentId=100
  https://www.virustotal.com/#/file/636c93930f056e403a2bdb2298f18c0b14542c0224fd0ba6ba3056d1367f9c75/detection
  https://www.hybrid-analysis.com/sample/636c93930f056e403a2bdb2298f18c0b14542c0224fd0ba6ba3056d1367f9c75?environmentId=100
  https://www.virustotal.com/#/file/9bb3d3a40c0a57ee9a52bab10b2ec0efbf7d665238c421a68c266d356b81a671/detection
  https://www.hybrid-analysis.com/sample/9bb3d3a40c0a57ee9a52bab10b2ec0efbf7d665238c421a68c266d356b81a671?environmentId=100
  https://www.virustotal.com/#/file/1eb3cc2781765f1c81bdef0390ba79fc2066fd1bd8ff5571baa64f4b0ca3441f/detection
  https://www.hybrid-analysis.com/sample/1eb3cc2781765f1c81bdef0390ba79fc2066fd1bd8ff5571baa64f4b0ca3441f?environmentId=100
  https://www.virustotal.com/#/file/112278e446cc3c7f538089cae3eaf962b06218cae4bcd8fb9a0b493bc380507f/detection
  https://www.virustotal.com/#/file/ef6ada5793d43fde8fe35d2228e7e4efaeec972120592708d53b7b4e040798cc/detection
  https://www.hybrid-analysis.com/sample/ef6ada5793d43fde8fe35d2228e7e4efaeec972120592708d53b7b4e040798cc?environmentId=100
  https://www.virustotal.com/#/file/3044f43b040d476ac859f7f55a35f0e2332c86b60ae6703054b811e28ac61ed6/detection
  https://www.hybrid-analysis.com/sample/3044f43b040d476ac859f7f55a35f0e2332c86b60ae6703054b811e28ac61ed6?environmentId=100
MD5:
  48e6b0c0b0707045ff76094c64908532
  6df1cef0a3ceeefe0045d48a1145a940
  c8905bee9bf8c51132989d7ab0e2d445
  ccd80c342a5ad41a1481cdfa79797075
  b0b28e995ed8153abcd8bda599349623
  049d89c4d62e5352a27f0682e6fa9cb3
  60edd2ae9195b36042f4d156735ed161
SHA-256:
  af77939a3206c6beeb32606423daeb8236413630ddd3846ac300d741d8809108
  636c93930f056e403a2bdb2298f18c0b14542c0224fd0ba6ba3056d1367f9c75
  9bb3d3a40c0a57ee9a52bab10b2ec0efbf7d665238c421a68c266d356b81a671
  1eb3cc2781765f1c81bdef0390ba79fc2066fd1bd8ff5571baa64f4b0ca3441f
  112278e446cc3c7f538089cae3eaf962b06218cae4bcd8fb9a0b493bc380507f
  ef6ada5793d43fde8fe35d2228e7e4efaeec972120592708d53b7b4e040798cc
  3044f43b040d476ac859f7f55a35f0e2332c86b60ae6703054b811e28ac61ed6
Malware download URL:
  fumicolcali[.]com/wblev-6pox5-vpckk/4ih2
  aussiescanners[.]com/forum/1IXQRH/
  aussiescanners[.]com/cgi-sys/suspendedpage.cgi
  aussiescanners[.]com/26192RX/qW/
  aupa[.]xyz/hJPug-2q3uyQ3NsqIgkO_tdeRPHsz-fF/dwvK/
  aupa[.]xyz/forum/1IXQRH/
  azedizayn[.]com/26192RX/qW/
  sundarbonit[.]com/cgi-bin/mlEH/
  187.188.166[.]192/results/scripts/ringin/
Malware download IP:
  31.172.86[.]183:8080
  216.98.148[.]157:8080
  187.188.166[.]192
Malware SHA-256: 25eb451e5c0208a7086ac6e89c0d22ac1d622d93cea5e1a37881f0eda2ced49e
VirusTotal / Hybrid-Analysis results (malware):
  https://www.virustotal.com/#/file/25eb451e5c0208a7086ac6e89c0d22ac1d622d93cea5e1a37881f0eda2ced49e/details
Remarks / references:
  https://bomccss.hatenablog.jp/entry/2019/04/13/033005
  https://bankingmalware.hatenablog.com/entry/2019/04/12/193744
  https://bankingmalware.hatenablog.com/entry/2019/04/14/222814
  ▼Reference tweets
  https://twitter.com/bomccss/status/1116592009265815553
  https://twitter.com/58_158_177_102/status/1116608642621403136
  https://twitter.com/gorimpthon/status/1116594132854566912
  ▼Sandbox runs
  https://app.any.run/tasks/f06af0db-2dab-4b60-8b2b-5306f2f0608c
  https://app.any.run/tasks/5ca756d6-c7fa-4c4c-956b-5ef02fbd4ed2
  https://app.any.run/tasks/e7702c62-99c3-4510-ba23-1f686276c7ba
  https://app.any.run/tasks/4e5bf1bf-060e-43f1-b02c-c365784cfb3d
  https://app.any.run/tasks/67d29087-f5d3-4f00-96ee-69e7aca2d832
Row 11
Date: 2019/04/10
Subject:
  4月分請求データ送付の件 (Regarding sending the April billing data)
  6月度発注書送付 (Sending the June purchase order)
  ご請求書を添付致しておりますので (The invoice is attached, so)
  メールに添付された請求書デー (Invoice data attached to the mail; truncated as observed)
  添付ファイルをご確認下さい。 (Please check the attached file.)
Sender address: Unknown
In-mail link or attachment: Attachment
File names:
  「原本」・_(※).xls (「原本」: "original")
  (※).「原本」・_(※).xls
  (※): arbitrary digit string
VirusTotal / Hybrid-Analysis results (attachments):
  https://www.virustotal.com/#/file/9dc6974b2e288fbeff404c6883cd1cf9ab4418b9f2bf43887f0ca5915d791a3d/detection
  https://www.hybrid-analysis.com/sample/9dc6974b2e288fbeff404c6883cd1cf9ab4418b9f2bf43887f0ca5915d791a3d?environmentId=100
  https://www.virustotal.com/#/file/9de470efde8b4bea45fd849e80118fc3f68d1754910066442d7ffc0ad64e7e68/details
  https://www.hybrid-analysis.com/sample/9de470efde8b4bea45fd849e80118fc3f68d1754910066442d7ffc0ad64e7e68?environmentId=100
MD5:
  123ef5bc8d73a0e5747b4bb60c31d266
  53824eb704a161a9e6bc437db64fd9d8
SHA-256:
  9dc6974b2e288fbeff404c6883cd1cf9ab4418b9f2bf43887f0ca5915d791a3d
  9de470efde8b4bea45fd849e80118fc3f68d1754910066442d7ffc0ad64e7e68
Malware download URL:
  ▼C2 destinations
  ■bebloh
  omnifoxt[.]com
  ▼Steganography download destinations
  hxxps://i.imgur[.]com/fC5Pcd2.png
  hxxps://images2.imgbox[.]com/b0/81/gHAGqQjt_o.png
Malware download IP: 5.188.60[.]87
Malware SHA-256: 6a1d7d3ca8db53318373705a988967d3a46bd2656aab4a0e035374a38525594a
VirusTotal / Hybrid-Analysis results (malware):
  https://www.virustotal.com/#/file/6a1d7d3ca8db53318373705a988967d3a46bd2656aab4a0e035374a38525594a/detection
Remarks / references:
  https://www.jc3.or.jp/topics/v_log/201904.html#d20190410
  https://www.cc.uec.ac.jp/blogs/news/2019/04/201904101630malwaremail.html
  https://bomccss.hatenablog.jp/entry/2019/04/11/053014
  https://bankingmalware.hatenablog.com/entry/2019/04/11/185324
  ▼Reference tweets
  https://twitter.com/bomccss/status/1115886857475305474
  https://twitter.com/abel1ma/status/1115889832704790529
  https://twitter.com/58_158_177_102/status/1115890075236229120
  https://twitter.com/harugasumi/status/1115898810834857984
  https://twitter.com/SugitaMuchi/status/1115903308139565056
  ▼Steganography images
  https://urlscan.io/result/276c6eb7-712b-462e-be71-93822984efdc
  https://urlscan.io/result/0e4dbe0f-2c09-43b8-84ef-f5707b4292ca
  ▼Sandbox runs
  https://app.any.run/tasks/1f694df8-8770-465f-b736-4f94941a82d5
  https://app.any.run/tasks/8c357b53-5a70-4c7b-870a-d954f7fe05b1
Row 12
Date: 2019/04/03
Subject:
  4月1日ご契約の件・初期費用のご請求書のご送付 (Regarding the April 1 contract / sending the invoice for the initial fee)
  RE: 【メール確認済】1/1 (RE: [Mail confirmed] 1/1)
  Re: 【再送】し依頼 (Re: [Resend] request; as observed)
  【ご提出】 ([Submission])
  【連絡】2019.4.1 ([Notice] 2019.4.1)
  受注連絡 (Order received notice)
Sender address: Unknown
In-mail link or attachment: Attachment
File names:
  文書名 -scan-(※).xls (文書名: "document name")
  (※): arbitrary digit string
VirusTotal / Hybrid-Analysis results (attachments):
  https://www.virustotal.com/#/file/a5294a62b4cd9eae6d53816f8335d4e4aa9e48e3947621383658ca595bea4da6/detection
  https://www.hybrid-analysis.com/sample/a5294a62b4cd9eae6d53816f8335d4e4aa9e48e3947621383658ca595bea4da6?environmentId=100
MD5: 4e7768c1f32cf5da49f21bd81c2939f2
SHA-256: a5294a62b4cd9eae6d53816f8335d4e4aa9e48e3947621383658ca595bea4da6
Malware download URL:
  ▼C2 destinations
  ■bebloh
  hxxps://gerdosan[.]com
  ■ursnif
  hxxps://sumeriun[.]com
  ▼Destinations
  ・stage1
  hxxps://gerdosan[.]com/uploads/changed.pdf
  ・stage2
  hxxps://images2.imgbox[.]com/c3/57/soU1A2HV_o.png
  hxxps://i.imgur.com/CPHK1L5[.]png
Malware download IP: 5.8.88[.]205
Malware SHA-256:
  b4711b3330d0c54ed70ad1987d029e39e189f1fc4b95ae3843a6750b8a939cc8
  7200d267e37d25bf3badb0c9b81e3054505b318a6e89bc228a701341d42ee7b0
VirusTotal / Hybrid-Analysis results (malware):
  https://www.virustotal.com/#/file/b4711b3330d0c54ed70ad1987d029e39e189f1fc4b95ae3843a6750b8a939cc8/detection
  https://www.virustotal.com/#/file/7200d267e37d25bf3badb0c9b81e3054505b318a6e89bc228a701341d42ee7b0/detection
Remarks / references:
  https://www.jc3.or.jp/topics/v_log/201904.html#d20190403b
  https://bomccss.hatenablog.jp/entry/2019/04/04/035229
  https://bankingmalware.hatenablog.com/entry/2019/04/09/180239
  ▼Sandbox runs
  https://app.any.run/tasks/b7b5f8b5-082d-48fa-8360-4b3763eb689a
  ▼Reference tweets
  https://twitter.com/bomccss/status/1113307083015720960
  https://twitter.com/abel1ma/status/1113307623623786496
  ▼Images from the destinations
  https://urlscan.io/result/3026d66d-c3d3-4e0d-8cbc-9bfe5cef69ce
  https://urlscan.io/result/623b9741-36b5-4eae-b1be-7832b604cd01
Row 13
Date: 2019/03/27
Subject:
  ▼Subject group ①
  3月→ (March →)
  3月の請求書を添付するので (Attaching the March invoice, so)
  【ご請求書】【ライフラインのご連絡先】 ([Invoice] [Utility contact details])
  こちらの入金期日は3月15日の午後12時までと (The payment deadline is 12:00 p.m. on March 15; truncated as observed)
  請求書を添付いたします (Invoice attached)
  郵送願います (Please send by post)
  Faxください (Please fax)
  ▼Subject group ②
  写真送付の件 (Regarding sending the photos)
  写真添付 (Photo attached)
Sender address: Unknown
In-mail link or attachment: Attachment
File names:
  ▼Attachment names for subject group ①
  201903.①._送付__(※).xls (送付: "sent")
  20190327(※) (※).xls
  ▼Attachment names for subject group ②
  2019年3月27日(※).xls (2019年3月27日: "March 27, 2019")
  (※)(*).xls
  (※): arbitrary digit string
  (*): arbitrary letters
VirusTotal / Hybrid-Analysis results (attachments):
  https://www.virustotal.com/#/file/07395f413e04245a8f6cab5fa888c0f08878f07bac6ccc479aa89469bb443bd4/detection
  https://www.hybrid-analysis.com/sample/07395f413e04245a8f6cab5fa888c0f08878f07bac6ccc479aa89469bb443bd4?environmentId=120
  https://www.virustotal.com/#/file/bdc6b56c659fefc41779bcd42064bc7ceae67a495407e786451747dea1539cc0/detection
  https://www.hybrid-analysis.com/sample/bdc6b56c659fefc41779bcd42064bc7ceae67a495407e786451747dea1539cc0?environmentId=100
  https://www.virustotal.com/#/file/48bb5bc1399e43b0c07527a69935f6b2254686dbcfa544af4019e2ac1592baff/detection
  https://www.hybrid-analysis.com/sample/48bb5bc1399e43b0c07527a69935f6b2254686dbcfa544af4019e2ac1592baff?environmentId=100
  https://www.virustotal.com/#/file/e2b647dc004532a5eaa72f29407fb06e4d3457596730814402602806fc8ab506/detection
  https://www.hybrid-analysis.com/sample/e2b647dc004532a5eaa72f29407fb06e4d3457596730814402602806fc8ab506?environmentId=100
MD5:
  a47ca80dc480a9992e9a912e21668f72
  1018500796dbc3dfac323f2510e598e7
  faa225de2a679e0a28f2e5d384b1962c
  4024b2481f4c6e80ed90de731ccf99ab
SHA-256:
  07395f413e04245a8f6cab5fa888c0f08878f07bac6ccc479aa89469bb443bd4
  bdc6b56c659fefc41779bcd42064bc7ceae67a495407e786451747dea1539cc0
  48bb5bc1399e43b0c07527a69935f6b2254686dbcfa544af4019e2ac1592baff
  e2b647dc004532a5eaa72f29407fb06e4d3457596730814402602806fc8ab506
Malware download URL:
  onbraker[.]com
  podertan[.]com
Malware download IP:
  47.74.250[.]194
  5.188.60[.]40
Malware SHA-256: a6fbfd13624dc34ff0dc1204d6eb7e9e1c12cbc2f3be37ca8dcb896ea7d9cef9
VirusTotal / Hybrid-Analysis results (malware):
  https://www.virustotal.com/#/file/a6fbfd13624dc34ff0dc1204d6eb7e9e1c12cbc2f3be37ca8dcb896ea7d9cef9/detection
Remarks / references:
  https://www.cc.uec.ac.jp/blogs/news/2019/03/20190327malwaremail.html
  https://www.jc3.or.jp/topics/v_log/201903.html#d20190328a
  https://www.jc3.or.jp/topics/v_log/201903.html#d20190328b
  https://bomccss.hatenablog.jp/entry/2019/03/28/032619
  ▼Sandbox runs
  https://app.any.run/tasks/6d5713b9-5cf9-4515-b4be-f2cb5d2970b8
  ▼Reference tweets
  https://twitter.com/58_158_177_102/status/1110814560246587392
  https://twitter.com/bomccss/status/1110823222591651841
  https://twitter.com/abel1ma/status/1110830156770234369
  https://twitter.com/harugasumi/status/1110835830732382208
  https://twitter.com/SugitaMuchi/status/1110855600894672897
  https://twitter.com/T2CERT/status/1111056321468497920
Row 14
Date: 2019/03/06
Subject:
  2019ご請求の件 (Regarding the 2019 invoice)
  【仮版下送付】 ([Provisional proof sent])
  【電話未確認】 ([Not confirmed by phone])
  FW: 【再送】2019/2 (FW: [Resend] 2019/2)
  Re: 2019ご請求の件 (Re: Regarding the 2019 invoice)
  (※)指定請求書 ((※) Designated invoice)
  (※)注文書、請書及び請求書のご送付 ((※) Sending the purchase order, acceptance and invoice)
  (※): one of {Re: ,Fwd: , ,Fw: ,RE: , -}
Sender address: Unknown
In-mail link or attachment: Attachment
File names:
  (※)_資料_(※).xls (資料: "materials")
  (※)_(※)_3.2019_3.xls
  2019.(※)-(※).xls
  (※): arbitrary digit string
VirusTotal / Hybrid-Analysis results (attachments):
  https://www.virustotal.com/#/file/75a46329eed0e0a2948f4c5e35a3fda1e0f3a23d059ba019de33c654ff0e84fa/detection
  https://www.hybrid-analysis.com/sample/75a46329eed0e0a2948f4c5e35a3fda1e0f3a23d059ba019de33c654ff0e84fa?environmentId=100
  https://www.virustotal.com/#/file/23e85ee19a2f46f4f462e72995b6a91616ea2f315908c1566c36cd0afc3aa200/detection
  https://www.hybrid-analysis.com/sample/23e85ee19a2f46f4f462e72995b6a91616ea2f315908c1566c36cd0afc3aa200?environmentId=100
  https://www.virustotal.com/#/file/242e2204916bed88b609de716c73bbae757efb29dae863e66c5692682d47adc2/detection
  https://www.virustotal.com/#/file/66242a82beff9eedc3d61d04e8dc90369660f4d541269f40fdd1dd336f3ebd35/detection
MD5:
  c909568a2dce7a3214a6f2e131a74f9c
  0ff3ba2b54f5cae7507b9a34a427d982
  7e4d79738ac8797eda7f723aedaea336
  485088239e67f783764bc23ede6188c1
SHA-256:
  75a46329eed0e0a2948f4c5e35a3fda1e0f3a23d059ba019de33c654ff0e84fa
  23e85ee19a2f46f4f462e72995b6a91616ea2f315908c1566c36cd0afc3aa200
  242e2204916bed88b609de716c73bbae757efb29dae863e66c5692682d47adc2
  66242a82beff9eedc3d61d04e8dc90369660f4d541269f40fdd1dd336f3ebd35
Malware download URL:
  ▼C2 destinations
  baderson[.]com
  mopscat[.]com
  ▼Steganography download destinations
  ・stage1
  hxxps://mger[.]co/img/bycYJ.png
  hxxp://images2.imagebam[.]com/34/7d/0b/39d26e1152285004.png
  hxxps://images2.imgbox[.]com/aa/36/95SxVQiA_o.png
  ・stage2
  hxxps://i.postimg[.]cc/kn50Ph3h/6A.png
  hxxps://i.imgur[.]com/wRli0qz.png
  ・stage3
  hxxps://images2.imgbox[.]com/25/39/dMnX3Y3Q_o.png
  hxxps://i.imgur[.]com/vwN9O7y.png
Malware download IP: Many
Malware SHA-256: 6badf0748ca6cbd4a1f1175dbb8a6dbbee1656c7086378418e1397bce025aa60
VirusTotal / Hybrid-Analysis results (malware):
  https://www.virustotal.com/#/file/6badf0748ca6cbd4a1f1175dbb8a6dbbee1656c7086378418e1397bce025aa60/detection
  https://www.hybrid-analysis.com/sample/6badf0748ca6cbd4a1f1175dbb8a6dbbee1656c7086378418e1397bce025aa60/5c7f92ec038838cb661f7314
Remarks / references:
  https://www.jc3.or.jp/topics/v_log/201903.html#d20190306c
  https://www.jc3.or.jp/topics/v_log/201903.html#d20190306b
  https://www.cc.uec.ac.jp/blogs/news/2019/03/20190306malwaremail.html
  https://bomccss.hatenablog.jp/entry/2019/03/07/030925
  ▼Sandbox runs
  https://app.any.run/tasks/2aa82cd3-7c60-4ada-b999-3b3504cab7e0
  https://app.any.run/tasks/a2a7d5b1-c3e1-427d-89ba-881eabc85c83
  ▼Steganography images
  ・stage1
  https://urlscan.io/result/cbb38f0d-db71-4180-a91a-014e54b7713e
  https://urlscan.io/result/6784ad45-c551-4928-b226-88485bb6a5c9
  https://urlscan.io/result/9bec94c9-b5f0-4888-8a44-e4612e06535d
  ・stage2
  https://urlscan.io/result/2a47932c-8f8e-4c14-bde3-876c97b8fc68
  https://urlscan.io/result/28fe65e9-d806-488d-9f2f-3783ad7d423f
  ・stage3
  https://urlscan.io/result/9536d6bb-f554-44d2-b2d8-fc8b07410269
  https://urlscan.io/result/423767a8-67ad-4353-ba1b-a1608012b409
  ▼Reference tweets
  https://twitter.com/58_158_177_102/status/1103203021758984194
  https://twitter.com/abel1ma/status/1103197738710138882
  https://twitter.com/bomccss/status/1103207249135075328
  https://twitter.com/SugitaMuchi/status/1103225255575773185
  https://twitter.com/catnap707/status/1103440462260559872
  https://twitter.com/nao_sec/status/1103261384140177413
Row 15
Date: 2019/02/28
Subject:
  指定請求書 (Designated invoice)
  Fw:指定請求書
  Fwd:指定請求書
  RE:指定請求書
  Re:指定請求書
  -指定請求書
  注文書、請書及び請求書のご送付 (Sending the purchase order, acceptance and invoice)
  Fw:注文書、請書及び請求書のご送付
  Fwd:注文書、請書及び請求書のご送付
  RE:注文書、請書及び請求書のご送付
  ※ The subjects also appear with Re:, -, Fw: or Fwd prefixed
Sender address: Unknown
In-mail link or attachment: Attachment
File names:
  (※)_(※)_(2019.2).xls
  (※): arbitrary digit string
VirusTotal / Hybrid-Analysis results (attachments):
  https://www.virustotal.com/#/file/21cc174826ce5e69aa60445f547b94bb0b544c5d66a01063e37abbfdc91a715f/detection
MD5: 6a9eda3eb0bfc222ab46725829faaec7
SHA-256: 21cc174826ce5e69aa60445f547b94bb0b544c5d66a01063e37abbfdc91a715f
Malware download URL: hxxps://benistora[.]com/uploads/audio.7z
Malware download IP: 5.188.60[.]66
Malware SHA-256:
  A97787778AD5F369BEAFD12275B93F3919FAF4BDBD2CF7FC16D002D9AEE43E1D
  0a374444049303e5d693bf3de4ec3735de2ab5aa6654229aaa2c95c4257a9508
VirusTotal / Hybrid-Analysis results (malware):
  https://www.virustotal.com/#/file/a97787778ad5f369beafd12275b93f3919faf4bdbd2cf7fc16d002d9aee43e1d/detection
  https://www.virustotal.com/#/file/0a374444049303e5d693bf3de4ec3735de2ab5aa6654229aaa2c95c4257a9508/detection
Remarks / references:
  https://www.jc3.or.jp/topics/v_log/201902.html#d20190228
  https://www.cc.uec.ac.jp/blogs/news/2019/02/20190228malwaremail.html
  https://bomccss.hatenablog.jp/entry/2019/03/01/043247
  ▼Sandbox runs
  https://app.any.run/tasks/1ed3b74d-6c89-45f0-a64b-a13331845dac
  ▼Reference tweets
  https://twitter.com/58_158_177_102/status/1101027107222650880
  https://twitter.com/bomccss/status/1101029411229392897
Row 16
Date: 2019/02/26
Subject:
  ▼Subject group ① (14 variants)
  工程表 (Schedule)
  2/1 【追加】 (2/1 [Addition])
  クレームです。 (This is a complaint.)
  確認事項とお願い (Items to confirm and a request)
  2月入金の残り (Remaining February payment)
  RE: 【依頼】 (RE: [Request])
  【お願い】 ([Request])
  添付用納品書 (Delivery note for attachment)
  RE: 【発注分】 (RE: [Order portion])
  2/26 フォロー申請 (2/26 Follow-up application)
  Re: 再送 (Re: Resend)
  御見積書 (Quotation)
  2/26送り状 (2/26 Waybill)
  送り状番号ご{nnnn} (Waybill number {nnnn})
  ※ nnnn is a four-digit number
  ▼Subject group ② (2 variants)
  (※)指定請求書 ((※) Designated invoice)
  (※)注文書、請書及び請求書のご送付 ((※) Sending the purchase order, acceptance and invoice)
  (※): one of {Re: ,Fwd: , ,Fw: ,RE: , -}
Sender address: Unknown
In-mail link or attachment: Attachment
File names:
  ▼Attachment names for subject group ①
  ***_(※)_2019_2_3.xls
  ▼Attachment names for subject group ②
  [2019.2.26]_(※)_(※).xls
  (※): arbitrary digit string
  ***: arbitrary alphanumeric string
VirusTotal / Hybrid-Analysis results (attachments):
  https://www.virustotal.com/#/file/2143421df567dc0d4c3c364cfc6be9cad3e529c29dd8e57b17d608bcd5246a4d/detection
  https://www.hybrid-analysis.com/sample/2143421df567dc0d4c3c364cfc6be9cad3e529c29dd8e57b17d608bcd5246a4d/5c74ebdf038838bc34a50f33
  https://www.virustotal.com/#/file/71e059ceecb85b737531bd1981f77c95fa10a70cd17ff916d4736ead2eeb94f0/detection
MD5:
  e4261e92a0271d94f3f935b5e14f89c4
  5f3c5a1f95d27a4a75d67bb733d26909
SHA-256:
  2143421df567dc0d4c3c364cfc6be9cad3e529c29dd8e57b17d608bcd5246a4d
  71e059ceecb85b737531bd1981f77c95fa10a70cd17ff916d4736ead2eeb94f0
Malware download URL:
  hxxps://ipinfo.io/country
  → presumably to check whether the victim environment is in Japan
  ▼C2 destinations
  olkerona[.]com
  mopscat[.]com
  ▼Steganography download destinations
  ・stage1
  hxxps://i.imgur[.]com/96vV0YR.png
  hxxp://oi65.tinypic[.]com/2z8thcz.jpg
  ・stage2
  hxxps://i.postimg[.]cc/bv5dMcK6/J2.png
  hxxps://images2.imgbox[.]com/ff/22/6NkpoT2I_o.png
Malware download IP: Many
Malware SHA-256: ebb3fca571b3611cf9232a9a0210f27ae53ca222a15897282e2c5b5c9b3c9970
VirusTotal / Hybrid-Analysis results (malware):
  https://www.virustotal.com/#/file/ebb3fca571b3611cf9232a9a0210f27ae53ca222a15897282e2c5b5c9b3c9970/detection
  https://www.hybrid-analysis.com/sample/ebb3fca571b3611cf9232a9a0210f27ae53ca222a15897282e2c5b5c9b3c9970?environmentId=100
Remarks / references:
  https://www.jc3.or.jp/topics/v_log/201902.html#d20190226c
  https://www.jc3.or.jp/topics/v_log/201902.html#d20190226b
  https://www.cc.uec.ac.jp/blogs/news/2019/02/20190226malwaremail.html
  https://app.any.run/tasks/5031e30c-dcd4-46d9-bc07-07f9454b9426
  https://www.joesandbox.com/analysis/112961/0/html#vba-code
  https://bomccss.hatenablog.jp/entry/2019/02/27/043123
  ▼Steganography images
  stage1
  https://urlscan.io/result/945574ec-9e70-4f1a-9d00-68ac8eaf6e9f
  https://urlscan.io/result/1cf48675-4459-408e-a212-0547169249b7
  stage2
  https://urlscan.io/result/9c808601-b28d-4ecf-be58-cb21a84b61d2
  https://urlscan.io/result/67907b99-a5f6-49c7-9ae2-2a90874cfdcd
  ▼Reference tweets
  https://twitter.com/58_158_177_102/status/1100300013458997248
  https://twitter.com/bomccss/status/1100300406041698304
  https://twitter.com/itc_uec/status/1100320876438999041
  https://twitter.com/nao_sec/status/1100314158698917888
  https://twitter.com/catnap707/status/1100335933033861120
Row 17
Date:
  2019/02/25
  2019/02/26
  2019/02/27
Subject:
  Satoshi Tsumabuki!
  Takeru Sato!
  Haruma Miura!
  Miki Imai!
  Emi Hinouchi!
  Jin Akanishi!
  Takeshi Kitano!
  ※ (name of a Japanese celebrity)!
  ※ 140 subject variants
Sender address: Unknown
In-mail link or attachment: Attachment
File names:
  PIC(※)-jpg.ZIP
  PIC(※)-jpg.js
  (※): arbitrary digit string
VirusTotal / Hybrid-Analysis results (attachments):
  https://www.virustotal.com/#/file/ace25dd23f7279d9d85104105299ee521e4b47a90bd02b03d87d1e8b243cf89e/detection
  https://www.hybrid-analysis.com/sample/281abb96271ec6deb985352bb61d4e892dd0226330146fe200570f283ab19788?environmentId=120
MD5: b52f53f6f9e1566b0032cda886c0bdd2
SHA-256:
  ace25dd23f7279d9d85104105299ee521e4b47a90bd02b03d87d1e8b243cf89e
  6d430589f311abf2cb1c2a7a38e82f002ae16df03672bca9b7a3598e58db3464
Malware download URL:
  hxxp://92.63.197[.]153/test.exe
  ▼Placed on 28 February
  hxxp://92.63.197.153/2[.]exe
Malware download IP: 92.63.197[.]153
Malware SHA-256:
  eda25a1bf559550dfd0b36c8e22f43e910486199149258ff34a0ebbd7bf56b17
  b8327b87c89f3a42d0f36b2a12a7957868efaca25af5b5f8af85b387c425787d
  243e3a984dd9734172d317c949479a75d3e962fb608cd44adaddd2ad59c6a311
  28c2e4b1b800f869e7264553cc2e3e5666f88dc23e32a196e6a2e81096303b0c
  ▼Placed on 28 February
  2[.]exe
  c225e260cda5f832cca97b6592c923cb65444213986fdac34451b1953c8bb872
VirusTotal / Hybrid-Analysis results (malware):
  https://www.virustotal.com/#/file/eda25a1bf559550dfd0b36c8e22f43e910486199149258ff34a0ebbd7bf56b17/detection
  https://www.hybrid-analysis.com/sample/eda25a1bf559550dfd0b36c8e22f43e910486199149258ff34a0ebbd7bf56b17?environmentId=100
  https://www.virustotal.com/#/file/b8327b87c89f3a42d0f36b2a12a7957868efaca25af5b5f8af85b387c425787d/detection
  https://www.virustotal.com/#/file/28c2e4b1b800f869e7264553cc2e3e5666f88dc23e32a196e6a2e81096303b0c/detection
  https://www.virustotal.com/#/file/243e3a984dd9734172d317c949479a75d3e962fb608cd44adaddd2ad59c6a311/detection
  ▼Placed on 28 February
  2[.]exe
  https://www.virustotal.com/#/file/c225e260cda5f832cca97b6592c923cb65444213986fdac34451b1953c8bb872/detection
Remarks / references:
  ※ Now set up to infect with the GandCrab v5.2 ransomware
  https://www.joesandbox.com/analysis/112473/0/html
  https://app.any.run/tasks/caa2ad26-1a6a-4ff4-8d64-e2cfc8ffd6c5
  https://app.any.run/tasks/d49ed4bf-2a87-4a33-9bcb-db757ff543a0
  https://app.any.run/tasks/92bfde8d-f182-4375-80f7-2f9477a2c11a
  https://bomccss.hatenablog.jp/entry/2019/02/27/042405
  ▼Reference tweets
  https://twitter.com/nao_sec/status/1099834030277636096
  https://twitter.com/PINKSAWTOOTH/status/1099903037944938498
  https://twitter.com/bomccss/status/1099841150582546432
  https://twitter.com/abel1ma/status/1099841823353200640
  https://twitter.com/catnap707/status/1099856403164889090
  https://twitter.com/harugasumi/status/1099917637117591552
18
2019/02/20Fw: Re:
添付ファイル
このメールにはファイルを1件、添付しています
添付がコストです
【追加②】
回答:
不明添付20190220(※)_(※)_書類.XLS
(※)-(※)-20190220送付.xls
Book(※).xls
(※)任意の数字列
https://www.virustotal.com/#/file/f143b542976786ffc045f3d8647bea4d0e480998d9a9f64452c5c839a0050a00/detection
https://www.hybrid-analysis.com/sample/f143b542976786ffc045f3d8647bea4d0e480998d9a9f64452c5c839a0050a00?environmentId=100
https://www.virustotal.com/#/file/12bb1efaf22b0ebe0e9a203d6486f52c67c27fd151bb6cc92edc778b362e50d1/details
https://www.hybrid-analysis.com/sample/12bb1efaf22b0ebe0e9a203d6486f52c67c27fd151bb6cc92edc778b362e50d1?environmentId=100
https://www.virustotal.com/#/file/7af5179363279d2907ebb4f08424985acb3fe7e52cc78291848dd0597f4aff65/detection
https://www.hybrid-analysis.com/sample/7af5179363279d2907ebb4f08424985acb3fe7e52cc78291848dd0597f4aff65?environmentId=100
hxxps://gamidron[.]com/StreamGame.rar
hxxp://conesdarz[.]com/uploads/amadeus.zip
hxxp://vedrunaccff[.]org/img/sm/Save.rar
hxxps://papirson[.]com
Many
4dc9adb9e4928db316f26238459d473d76a9914312eb2faff635da786015bc37
https://www.virustotal.com/#/file/4dc9adb9e4928db316f26238459d473d76a9914312eb2faff635da786015bc37/detection
https://www.hybrid-analysis.com/sample/4dc9adb9e4928db316f26238459d473d76a9914312eb2faff635da786015bc37?environmentId=100
https://www.jc3.or.jp/topics/v_log/201902.html#d20190220
https://www.cc.uec.ac.jp/blogs/news/2019/02/20190220malwaremail.html
https://bomccss.hatenablog.jp/entry/2019/02/27/040618

https://www.joesandbox.com/analysis/84379
https://app.any.run/tasks/e7d00595-f3de-4548-ad6c-b90e741cce87

※ The macro checks whether it is running in a Japanese-language environment

▼ Reference tweets
https://twitter.com/catnap707/status/1098144767831990272
https://twitter.com/catnap707/status/1098146491586105344
https://twitter.com/bomccss/status/1098147141342511105
https://twitter.com/bomccss/status/1098153086533554176
https://twitter.com/nao_sec/status/1098200474627371008
19
2019/02/20
紙看板送付の件
Sender: unknown / Attachment:
(※)_(※)_20190219.XLS
(※)_(※)_20190219.doc
(※) arbitrary digit string
https://www.virustotal.com/#/file/6a7eb9a166510e72912e6b90a80f77b914a76aa9e2507d0e5472bcba036fc368/detection
https://www.hybrid-analysis.com/sample/6a7eb9a166510e72912e6b90a80f77b914a76aa9e2507d0e5472bcba036fc368?environmentId=100
https://www.virustotal.com/#/file/cdcf99a113bb8c8a911c6dc95bb478bae22776d28eb9fda3ed30ca547a8c5920/detection
https://www.hybrid-analysis.com/sample/cdcf99a113bb8c8a911c6dc95bb478bae22776d28eb9fda3ed30ca547a8c5920?environmentId=100
https://www.virustotal.com/#/file/f54cbb5ec9b44f825ece3c7e14f3591062228078346580bcea39fd5a04bcc40a/detection
https://www.hybrid-analysis.com/sample/f54cbb5ec9b44f825ece3c7e14f3591062228078346580bcea39fd5a04bcc40a?environmentId=100
hxxp://213.183.63[.]242/control
hxxp://195.123.209[.]169/control
213.183.63[.]242
195.123.209[.]169
84259a3c6fd62a61f010f972db97eee69a724020af39d53c9ed1e9ecefc4b6b6
6926aca37c180f7a0fd1c829ccb472ec2bad494f28b0c58d20e51b8c6630e2eb
https://www.virustotal.com/#/file/84259a3c6fd62a61f010f972db97eee69a724020af39d53c9ed1e9ecefc4b6b6/detection
https://www.hybrid-analysis.com/sample/84259a3c6fd62a61f010f972db97eee69a724020af39d53c9ed1e9ecefc4b6b6?environmentId=100
https://www.virustotal.com/#/file/6926aca37c180f7a0fd1c829ccb472ec2bad494f28b0c58d20e51b8c6630e2eb/detection
https://www.hybrid-analysis.com/sample/6926aca37c180f7a0fd1c829ccb472ec2bad494f28b0c58d20e51b8c6630e2eb/5c6cae257ca3e113f36a92a6
https://bomccss.hatenablog.jp/entry/2019/02/27/035938

※ Bulk-mailing campaign that infects the victim with the RAT "FlawedAmmyy"

https://app.any.run/tasks/5ceab4a0-5621-4232-814a-af3a15558ba1
https://app.any.run/tasks/3088f233-146f-4ff1-b2cc-2df846d6bdf5
https://app.any.run/tasks/4b12aa2d-ff90-4ef1-aa78-58f73d79704e

▼ Reference tweets
https://twitter.com/58_158_177_102/status/1098021344954920960
https://twitter.com/bomccss/status/1098026847399424005
https://twitter.com/James_inthe_box/status/1098027007772749824
https://twitter.com/James_inthe_box/status/1098034657998692352
20
2019/02/18
20190218
2/18送り状No.
修正版
出荷明細添付
紙看板送付の件
券類発注書
(修正依頼)
2月分
発注分 追加
Sender: unknown / Attachment:
(※)_2019年2月18.xls
(※)_(※)_20190218.XLS
(※) arbitrary digit string
https://www.virustotal.com/#/file/75a46329eed0e0a2948f4c5e35a3fda1e0f3a23d059ba019de33c654ff0e84fa/detection
https://www.hybrid-analysis.com/sample/75a46329eed0e0a2948f4c5e35a3fda1e0f3a23d059ba019de33c654ff0e84fa?environmentId=100
https://www.virustotal.com/#/file/6602f118eea649f863e5662671686a3ae5e1067e1c1bcbed829d7ba8ab3390f6/detection
c909568a2dce7a3214a6f2e131a74f9c
a9dca658ba431a4123be8aa3f13284bc
75a46329eed0e0a2948f4c5e35a3fda1e0f3a23d059ba019de33c654ff0e84fa
6602f118eea649f863e5662671686a3ae5e1067e1c1bcbed829d7ba8ab3390f6
▼ C2 destinations
panisdar[.]com
papirson[.]com


▼ Steganography image hosts (contacted for the image payloads)
・stage 1
hxxp://imagehosting[.]biz/images/2019/02/14/in1.png
hxxp://images2.imagebam[.]com/f1/b1/50/dd7e561126561184.png
hxxps://mger[.]co/img/w84vm.png
hxxps://images2.imgbox[.]com/34/60/1Zc8BevK_o.png

・stage 2
hxxp://oi68.tinypic[.]com/2saxhrc.jpg
hxxps://thumbsnap[.]com/i/aqiAmg1b.png?0214
hxxps://i.postimg[.]cc/0jFwGVb3/l1.png
Many
▼bebloh
d58b12393ade4f51e6917af9dcd1a032e17adf5933fc886be314ef094717ce02
▼ursnif
c797fa74ffc33103b9b5db3d5010d7926231afc49beb5d1e61f8a29723a7d142
https://www.virustotal.com/#/file/d58b12393ade4f51e6917af9dcd1a032e17adf5933fc886be314ef094717ce02/detection
https://www.hybrid-analysis.com/sample/d58b12393ade4f51e6917af9dcd1a032e17adf5933fc886be314ef094717ce02?environmentId=100
https://www.virustotal.com/#/file/c797fa74ffc33103b9b5db3d5010d7926231afc49beb5d1e61f8a29723a7d142/detection
https://www.hybrid-analysis.com/sample/c797fa74ffc33103b9b5db3d5010d7926231afc49beb5d1e61f8a29723a7d142?environmentId=100
https://www.jc3.or.jp/topics/v_log/201902.html#d20190218b
https://www.jc3.or.jp/topics/v_log/201902.html#d20190219
https://www.cc.uec.ac.jp/blogs/news/2019/02/20190218malwaremail.html


▼ Steganography images
stage1
https://urlscan.io/result/d13a477a-f629-4fe1-b3e0-61b255c61cfc/
https://urlscan.io/result/bffa0748-39ce-47dd-9542-9b6f0d0cbe60
https://urlscan.io/result/a5fa3c70-9edf-4811-ac01-d2e9132c1032
https://urlscan.io/result/c4950f58-e28d-4b5e-bd97-8f7197ddc341

stage2
https://urlscan.io/result/9741c9b2-10b7-49d7-8975-dc958a2703ef
https://urlscan.io/result/44d88fbb-74c5-4c98-a920-86d4cb74aaed
https://urlscan.io/result/91fc8153-67c2-49ae-bc9b-13b803084707


▼ Reference tweets
https://twitter.com/bomccss/status/1097424433143111682
https://twitter.com/58_158_177_102/status/1097427635959824384
https://twitter.com/nao_sec/status/1097464661094522883

https://bomccss.hatenablog.jp/entry/2019/02/19/041553
21
2019/02/14
[recipient company name, recipient name]様 Bill from [sender company/branch name, surname, section chief]殿
Sender: unknown / Attachment:
▼ File names (partial list)
eINVOICE_02142019(※).doc
eform_02_14_19(※).doc
eFILE_02142019(※).doc
eInvoice_02_14_(※).doc
eInvoice_02142019(※).doc
eFile_02_14_19(※).doc
eINVOICE_20190214(※).doc
(※) arbitrary digit string
https://www.virustotal.com/#/file/e6b79db99b399198a61b836acb552f49c58e491bebda5dc7125d2a3f8b798f1f/detection
https://www.virustotal.com/#/file/646a4bfb639145a8babab15ee88b8ff1744e68dbbc59f9085d4e2321171873de/detection
https://www.hybrid-analysis.com/sample/646a4bfb639145a8babab15ee88b8ff1744e68dbbc59f9085d4e2321171873de/5c64c69c7ca3e115683c8dc6
e1606adcd91f2aec847f92544baf796d
5f70799017049196c8cd2b759b1f7f70
e6b79db99b399198a61b836acb552f49c58e491bebda5dc7125d2a3f8b798f1f
646a4bfb639145a8babab15ee88b8ff1744e68dbbc59f9085d4e2321171873de
hxxp://gardenstrutturelegno[.]com/pafgY1kbyB
hxxp://mhoment[.]com/LM20Ymp
hxxp://extrashades[.]com/CfK0g0aQ4r
hxxp://gandharaminerals[.]com/4J2ko2vsYO
hxxp://baovevietnamtoancau[.]com/wp-admin/includes/uZ8bAUa52
Many
682b02b1f671242aef2744368015828cb0347f153c142e15da57ae01e3b4594a
61650df93fbe5a6b74b7abdf31fc96e3b7b30cdb70fccadf157af308233999ed
https://www.virustotal.com/#/file/682b02b1f671242aef2744368015828cb0347f153c142e15da57ae01e3b4594a/detection
https://www.virustotal.com/#/file/61650df93fbe5a6b74b7abdf31fc96e3b7b30cdb70fccadf157af308233999ed/detection
※ Bulk-mailing campaign that infects the victim with Emotet (the distribution appears to be limited in scope)
https://app.any.run/tasks/cb88a0b0-fd60-4ee8-8015-e5d37321f016
https://pastebin.com/PCNs3acd

▼ Reference tweets
https://twitter.com/58_158_177_102/status/1095912805574705152
https://twitter.com/papa_anniekey/status/1095920620469022721
22
2019/02/11
営業
Re:
2月度 請求書 
御見積書
請求書送付
営業
Fwd: Re:
Sender: unknown / Attachment:
2019200(※).XLS
(※) arbitrary digit string
https://www.virustotal.com/#/file/964e9563a9cdcc8f99eb483f435fce2cfb97ac50cbd964cf6bc4ab93d42836fc/detection
https://www.hybrid-analysis.com/sample/964e9563a9cdcc8f99eb483f435fce2cfb97ac50cbd964cf6bc4ab93d42836fc?environmentId=100
f5b63206a07c8dd9b24c931ea5124212
964e9563a9cdcc8f99eb483f435fce2cfb97ac50cbd964cf6bc4ab93d42836fc
▼ Bebloh (download host)
mimertonus[.]com

▼ Ursnif (download host)
opratony[.]com
takerdown[.]com

▼ Steganography image hosts
・stage 1
hxxps://images2.imgbox[.]com/4e/0f/W29InkAb_o.png
hxxps://i.imgur[.]com/55yIfKO.png

・stage 2
hxxps://images2.imgbox[.]com/b7/eb/6birmlgd_o.png
hxxps://i.imgur[.]com/oHDtTtY.png

・stage 3
hxxp://5.188.231[.]206/uploads/orbit.mp4
▼ Bebloh (download IP)
5.188.231[.]206

▼ Ursnif (download IP)
5.8.88[.]125
▼bebloh
f16d99ed7cb068d119c1c7cf2bf3219f4bfdf3d1ea84f444fbf54d1e231661fb
https://www.virustotal.com/#/file/f16d99ed7cb068d119c1c7cf2bf3219f4bfdf3d1ea84f444fbf54d1e231661fb/detection
https://www.hybrid-analysis.com/sample/f16d99ed7cb068d119c1c7cf2bf3219f4bfdf3d1ea84f444fbf54d1e231661fb?environmentId=100
https://www.jc3.or.jp/topics/v_log/201902.html#d20190212

▼ Steganography images
・stage 1
https://urlscan.io/result/e872d5ad-ba60-47d4-889e-b8a896e52afd
https://urlscan.io/result/4f0e6e13-e27b-41ff-a19a-1dd057d00029
・stage 2
https://urlscan.io/result/c32db31b-b38e-46e8-95c4-6f1686787fa8
https://urlscan.io/result/91289ae7-9e2c-4126-af96-fa8951ae77b6

▼ Reference tweets
https://twitter.com/harugasumi/status/1094928164776624129
https://twitter.com/SugitaMuchi/status/1094943906427355136
https://twitter.com/nao_sec/status/1094953523219812354
https://twitter.com/AES256bit/status/1094984951273934848
https://twitter.com/bomccss/status/1094992378451046407
23
2019/01/29, 2019/01/31, 2019/02/01
:)
:-)
:*
:-*
;)
;-)
:D
;D
Aya Ueto ;)
Ayumi Hamasaki ;)
Erika Sawajiri ;)
Erika Toda ;)
Hikaru Utada ;)
Kyary Pamyu Pamyu ;)
Kyoko Fukada ;)
Maki Horikita ;)
Misia ;)
Namie Amuro ;)
Nozomi Sasaki ;)
Sheena Ringo ;)
Yui Aragaki ;)
Yuriko Yoshitaka ;)
Do you like it?
Do you like my photo?
I love you!
Just for you
Keep it private!
Love
My photo
My photo for you
Our photo
Photo of us
Seen this photo?
Take a look please
You are my love
Your opinion needed
Sender: unknown / Attachment:
PIC(※)2019-jpg.ZIP
PIC(※)2019-jpg.js
(※) arbitrary digit string
https://www.virustotal.com/#/file/14d46aa43b911d005c8a905c1522630705d3da8bcf31b499cf289f765aa26c8d/detection
https://www.hybrid-analysis.com/sample/9f076f33fa18ea7d27f0363652913ec84e2608a80a6af0842f67255409f4ae84?environmentId=100
4e078a8c2199250a98c8d81c185e8e0a
14d46aa43b911d005c8a905c1522630705d3da8bcf31b499cf289f765aa26c8d
▼ Status code: 200
hxxp://92.63.197[.]153/krabler[.]exe
hxxp://92.63.197[.]153/m/1[.]exe

▼ Status code: 404
hxxp://92.63.197[.]153/m/2[.]exe
hxxp://92.63.197[.]153/m/3[.]exe
hxxp://92.63.197[.]153/m/4[.]exe
hxxp://92.63.197[.]153/m/5[.]exe
92.63.197[.]153
▼krabler.exe
743ff0555abe373292ad934ca945ecd46c9ae51071ecf161398c6403050221cd

▼1.exe
67054a687c4536a0f2a67c8a811923fb6dec67380876d6e8024b1c2dd640af0c
▼krabler.exe
https://www.virustotal.com/#/file/743ff0555abe373292ad934ca945ecd46c9ae51071ecf161398c6403050221cd/detection

▼1.exe
https://www.virustotal.com/#/file/67054a687c4536a0f2a67c8a811923fb6dec67380876d6e8024b1c2dd640af0c/detection
※ Set up to infect the victim with the GandCrab v5.1 ransomware

https://app.any.run/tasks/2aa27516-67f5-4198-880f-6460cb2be4e3
https://app.any.run/tasks/a9276d4f-0417-44c0-8a20-805a9ebea950

▼ Reference tweets
https://twitter.com/abel1ma/status/1090041465575632896
24
2019/01/28
:)
:*
:-)
:-*
:D
;)
;*
;-)
;D
Aya Ueto ;)
Ayumi Hamasaki ;)
Erika Sawajiri ;)
Erika Toda ;)
Hikaru Utada ;)
Kyary Pamyu Pamyu ;)
Kyoko Fukada ;)
Maki Horikita ;)
Misia ;)
Namie Amuro ;)
Nozomi Sasaki ;)
Sheena Ringo ;)
Yui Aragaki ;)
Yuriko Yoshitaka ;)
Sender: unknown / Attachment:
PIC(※)2019-jpg.ZIP
PIC(※)2019-jpg.js
(※) arbitrary digit string
https://www.virustotal.com/#/file/c347268dc766613ac50c191098ea4a3c8779524f809c6253c77a94556922a6e7/detection
https://www.virustotal.com/#/file/1d279dcce0be6f05181902a59ede5af299d763cbb20d366cdbaaded918ae5cb1/detection
https://www.hybrid-analysis.com/sample/1d279dcce0be6f05181902a59ede5af299d763cbb20d366cdbaaded918ae5cb1?environmentId=100
58f77ea1df6f2a45ff63c26b44fada84
d8e86ebf16014abd8bc39a87c80d7ae4
c347268dc766613ac50c191098ea4a3c8779524f809c6253c77a94556922a6e7
1d279dcce0be6f05181902a59ede5af299d763cbb20d366cdbaaded918ae5cb1
▼ Status code: 200
hxxp://92.63.197[.]153/blowjob[.]exe
hxxp://92.63.197[.]153/krabler[.]exe
hxxp://92.63.197[.]153/m/1[.]exe

▼ Status code: 404
hxxp://92.63.197[.]153/m/2[.]exe
hxxp://92.63.197[.]153/m/3[.]exe
hxxp://92.63.197[.]153/m/4[.]exe
hxxp://92.63.197[.]153/m/5[.]exe
92.63.197[.]153
▼krabler.exe or blowjob.exe
743ff0555abe373292ad934ca945ecd46c9ae51071ecf161398c6403050221cd

▼1.exe
67054a687c4536a0f2a67c8a811923fb6dec67380876d6e8024b1c2dd640af0c
▼krabler.exe or blowjob.exe
https://www.virustotal.com/#/file/743ff0555abe373292ad934ca945ecd46c9ae51071ecf161398c6403050221cd/detection

▼1.exe
https://www.virustotal.com/#/file/67054a687c4536a0f2a67c8a811923fb6dec67380876d6e8024b1c2dd640af0c/detection
※ Set up to infect the victim with the GandCrab v5.1 ransomware

https://app.any.run/tasks/5d1d3f37-4341-40ef-b039-f1b6aa155cfe
https://app.any.run/tasks/d017550a-9212-422a-bcfe-2860fa470f62

▼ Reference tweets
https://twitter.com/harugasumi/status/1089793484632911872
https://twitter.com/58_158_177_102/status/1089804375147466753
https://twitter.com/abel1ma/status/1089809468005777408
25
2019/01/27
2019/01/28
:-*
:*
;*
;)
:)
:-)
;-)
:D
;D
Sender: unknown / Attachment:
PIC(※)2019-jpg.ZIP
PIC(※)2019-jpg.js
(※) arbitrary digit string
https://www.virustotal.com/#/file/9f7bf148b50068d4ff6b92a99c843faa9716909c1d36a7cd537c30e82b115e96/detection
https://www.virustotal.com/#/file/4cebbe7197d8846ede810af1cc2fb4d705be2e1a5cd9f5a761900994043d2394/detection
https://www.virustotal.com/#/file/58477292be73eb6b785b24f80ad4c5f9d183f55db0cbd5b34c38b53480e2b627/detection
https://www.hybrid-analysis.com/sample/810fb8ef49fb30fb38db39d81a0ee7ca1620ee3980ae7b7bb1673654731391ca?environmentId=100
https://www.virustotal.com/#/file/bdd0825fd6d04778ec393895d0feea426ccfa5f96ad2a0fbf1025d178911eac5/detection
https://www.virustotal.com/#/file/621a79f25c3a5be64511b97c9a84fb10cfaa6d20a5eb9eddb1e8b76f2a9aec7d/detection
https://www.hybrid-analysis.com/sample/24a686e6bda50706d7e010c8ecd4a5af006bc2b8a74095ccd0ca3925dd879b1b?environmentId=100
https://www.virustotal.com/#/file/c85f7db7fc2249be0e6e7fa4da0eca1269363a35d20fdc40f55ef06c74ac0e1b/detection
▼ Status code: 200
hxxp://92.63.197[.]153/blowjob[.]exe
hxxp://92.63.197[.]153/m/1[.]exe

▼ Status code: 404
hxxp://92.63.197[.]153/m/2[.]exe
hxxp://92.63.197[.]153/m/3[.]exe
hxxp://92.63.197[.]153/m/4[.]exe
hxxp://92.63.197[.]153/m/5[.]exe
92.63.197[.]153
▼blowjob[.]exe

711a691cb3dbc151c34dfb05c72670ce724f97aeb28375777430cc16e784b72a

dffc26736e57470e4c56e4adf3f0425080c43a136d0dd72c22075fde3efd2239

▼1.exe

3ea16fdf81960c5bd56902d4ea7dd448fd07d6a6a56dd8ad8a234bad6209439c

be0c8cdc1937d05242c672e3e61097dd1b48466839ac0a64e883d159a8df7343

▼2.exe
9e3dad9d075c73dc68d76bdfee5a2400bb8da07094c1059544b434177a8789f0

▼blowjob[.]exe

https://www.virustotal.com/#/file/711a691cb3dbc151c34dfb05c72670ce724f97aeb28375777430cc16e784b72a/detection
https://www.hybrid-analysis.com/sample/711a691cb3dbc151c34dfb05c72670ce724f97aeb28375777430cc16e784b72a?environmentId=100

https://www.virustotal.com/#/file/dffc26736e57470e4c56e4adf3f0425080c43a136d0dd72c22075fde3efd2239/detection


▼1.exe

https://www.virustotal.com/#/file/3ea16fdf81960c5bd56902d4ea7dd448fd07d6a6a56dd8ad8a234bad6209439c/detection
https://www.hybrid-analysis.com/sample/3ea16fdf81960c5bd56902d4ea7dd448fd07d6a6a56dd8ad8a234bad6209439c?environmentId=100

https://www.virustotal.com/#/file/be0c8cdc1937d05242c672e3e61097dd1b48466839ac0a64e883d159a8df7343/detection


▼2.exe
https://www.virustotal.com/#/url/33fa462592b309ad2a084dcf7697d8734dce3c70e8be078a8b1c5bf2496a5a22/detection
https://www.virustotal.com/#/file/9e3dad9d075c73dc68d76bdfee5a2400bb8da07094c1059544b434177a8789f0/detection
※ Set up to infect the victim with the GandCrab v5.1 ransomware

https://app.any.run/tasks/e81176d8-88fa-44f4-b13e-9eb32b765e0c
https://app.any.run/tasks/fd860015-0b03-44fb-8610-f327773af6dd
https://app.any.run/tasks/4a2eb51f-8489-4200-a727-d7f16eeeefc9
https://app.any.run/tasks/d1a4563a-697b-4f51-9af2-b3429893a96e

▼ Reference tweets
https://twitter.com/abel1ma/status/1089498324586000389
https://twitter.com/harugasumi/status/1089502626721349633
https://twitter.com/nao_sec/status/1089509737115217921
https://twitter.com/abel1ma/status/1089651175681445888
https://twitter.com/harugasumi/status/1089735448811851776
26
2019/01/24
依頼
FW:
2日受注数
出資金請求書(2019年1月24日)
RE: 20190124 FW:
2019注文
添付資料
Sender: unknown / Attachment:
20190124 D O C(※).XLS
(※) arbitrary digit string
https://www.virustotal.com/#/file/ed6701b3be01b5529db4e8196fa6351aa859655ee4c01ea8f67cc8d781424811/detection
https://www.hybrid-analysis.com/sample/ed6701b3be01b5529db4e8196fa6351aa859655ee4c01ea8f67cc8d781424811?environmentId=100
d71eaf0ad33a749b8fe3fb8dff56a474
ed6701b3be01b5529db4e8196fa6351aa859655ee4c01ea8f67cc8d781424811
i.imgur[.]com
ropitana[.]com

▼ Steganography image hosts
hxxps://i.imgur.com/ar2vFoS.png
hxxps://images2.imgbox.com/f1/52/9dGwQ4Mn_o.png
hxxps://i.postimg.cc/wgRWyQPd/MAIN2.png?dl=1
hxxps://image.frl/i/4sc06pucz57ewtzd.png
hxxps://i.imgur.com/9Tf1m5c.png
hxxps://images2.imgbox.com/2e/65/qGCb0Rja_o.png
hxxps://i.postimg.cc/dwc1cP5D/doctor.png
Many
▼ Bebloh details
e57e81cf3859d6bd6b08c10a8a1492d3ccd758e4b8a0ca69e6f51d95f717d490
▼ Bebloh details
https://www.virustotal.com/#/file/e57e81cf3859d6bd6b08c10a8a1492d3ccd758e4b8a0ca69e6f51d95f717d490/detection
https://www.hybrid-analysis.com/sample/e57e81cf3859d6bd6b08c10a8a1492d3ccd758e4b8a0ca69e6f51d95f717d490?environmentId=100
https://www.jc3.or.jp/topics/v_log/201901.html#d20190124b

▼ Steganography image hosts as seen on http://URLscan.io
https://urlscan.io/result/a5183159-a324-4746-ab19-c55ef9183b5a
https://urlscan.io/result/77abb29a-f952-438c-a9f1-b501e7c4035d
https://urlscan.io/result/3d367491-55b9-4dc0-b252-3584abfd57a8
https://urlscan.io/result/b99aae8c-3a9a-47fa-9774-3a24e9771d27
https://urlscan.io/result/c96fc219-9849-4437-a988-96654d5e4950
https://urlscan.io/result/fb8a868d-0e11-4d79-b6f8-877140889f4a
https://urlscan.io/result/9ebe116c-de21-4dc2-9ea9-f72acee4a169
※ The suspicious attachment in this case, "20190124 D O C(※).XLS ((※) arbitrary digit string)", appears to contain code that checks whether it is running in a Japanese-language environment:
⇒ If digitt = 81 Then VisualSheet1 Else Application.Quit

▼ Reference tweets
https://twitter.com/nao_sec/status/1088406707863052298
https://twitter.com/bomccss/status/1088480913896292352
https://twitter.com/harugasumi/status/1088559195723489281
27
2019/01/17
8-)
8)
:-D
:D
:-)
;-)
:)
;)
:*
Sender: unknown / Attachment:
Love_You_(※)-2019-txt.zip
Love_You_(※)-2019-txt.js
(※) arbitrary digit string
https://www.hybrid-analysis.com/sample/f5729d5b524472f2417d720e1781f705caf93458faf8d23d0ec9d35047ce3088?environmentId=100
https://www.hybrid-analysis.com/sample/21c3d4edd18719ef01eed7065e8f4b202e388a7a85a03e2ba97c9146ee5db2fc?environmentId=100
https://www.virustotal.com/#/file/8783b952147fef067e346decc7c5c62f40c44572a33cbec1f390c1e6d4430669/detection
https://www.virustotal.com/#/file/236e901054e36dc47841a79dc9ad2437c54f542ead911a7a7282a833092064c8/detection
5A59E6714F9D775B7DCDCFB9E7A3092C
E99B5D48331B835FA68E0B07B1DEBBDA
D1EED39BF2353CE3365B9166BB861151
f5729d5b524472f2417d720e1781f705caf93458faf8d23d0ec9d35047ce3088
0b056a05bdfa6c62c5ddb73eb0af29ecf74fd2b3e2e8a41b13ee84f21102060a
8783b952147fef067e346decc7c5c62f40c44572a33cbec1f390c1e6d4430669
236e901054e36dc47841a79dc9ad2437c54f542ead911a7a7282a833092064c8
▼ Status code: 200
hxxp://92.63.197[.]153/mcdonalds[.]exe
hxxp://92.63.197[.]153/s/1[.]exe

▼ Status code: 404
hxxp://92.63.197[.]153/s/2[.]exe
hxxp://92.63.197[.]153/s/3[.]exe
hxxp://92.63.197[.]153/s/4[.]exe
hxxp://92.63.197[.]153/s/5[.]exe
92.63.197[.]153
▼mcdonalds[.]exe
5df55a2d3f688735e0d530a7639dadac3817d4b3f2972276fb3b046d381a9121

▼1.exe
39514226b71aebbe775aa14627c716973282cba201532df3f820a209d87f6df9

▼2.exe
b507c6a07942e83dfec2bd3c272481128d5f5facb4d8eddeaa23f35b3ecc3c16
▼mcdonalds[.]exe
https://www.virustotal.com/#/file/5df55a2d3f688735e0d530a7639dadac3817d4b3f2972276fb3b046d381a9121/detection
https://www.hybrid-analysis.com/sample/5df55a2d3f688735e0d530a7639dadac3817d4b3f2972276fb3b046d381a9121?environmentId=100

▼1.exe
https://www.virustotal.com/#/file/39514226b71aebbe775aa14627c716973282cba201532df3f820a209d87f6df9/detection

▼2.exe
https://www.virustotal.com/#/file/b507c6a07942e83dfec2bd3c272481128d5f5facb4d8eddeaa23f35b3ecc3c16/detection
※ Set up to infect the victim with the GandCrab v5.1 ransomware

https://app.any.run/tasks/1d01c6ef-a17f-49ce-8401-3fff614d82cd
https://app.any.run/tasks/4eaadfa4-5081-4f4d-bbb2-5cdbaa657ab3
https://app.any.run/tasks/251e70c6-d973-47a4-8f37-eb7853fcf7c8
28
2019/01/13
8-)
:-D
:D
:-)
;-)
:)
;)
:*
Always thinking about you
Felt in love with you!
I love you
Just for you!
My letter just for you
Please read and reply
This is my love letter to you
Wrote my thoughts down about you
Wrote the fantasy about us down
Wrote this letter for you
You are my love!
Sender: unknown / Attachment:
Love_You_(※)-2019-txt.zip
Love_You_(※)-2019-txt.js
(※) arbitrary digit string
https://www.virustotal.com/#/file/6fed2f4abda948a7dc6d74628e80d76d82a7930b0b1f2e64e40e91a3c3662512/detection
https://www.virustotal.com/#/file/cfee2ec27f0344f709f20fa97e47501744c3567329e6b3fd3f2ed8cf12eae977/detection
https://www.hybrid-analysis.com/sample/cfee2ec27f0344f709f20fa97e47501744c3567329e6b3fd3f2ed8cf12eae977?environmentId=100
https://www.virustotal.com/#/file/889ab15765126594f3c3e6fddb0f3a3df78bc57fc0a475b11f7fb96539274735/detection
https://www.hybrid-analysis.com/sample/3846f9d0de41be599b63169bdddb53b3e7c61357317d1ca56ba1561b5d2feaf1?environmentId=100
hxxp://slpsrgpsrhojifdij[.]ru/krablin[.]exe
hxxp://92.63.197[.]60/m/sexy[.]exe
hxxp://92.63.197[.]48/3[.]exe
92.63.197[.]48
185.46.212[.]88
92.63.197[.]60
4c0103c745fa6e173821035c304863d751bea9c073d19070d9ebf8685da95040
▼krablin[.]exe
https://www.virustotal.com/#/file/4c0103c745fa6e173821035c304863d751bea9c073d19070d9ebf8685da95040/detection
https://www.hybrid-analysis.com/sample/4c0103c745fa6e173821035c304863d751bea9c073d19070d9ebf8685da95040

▼3.exe
https://www.virustotal.com/#/file/09c0cf2355dc74e8f864f8186554fc227acf03c9f7f686acf5bfcfba3241bb34/detection
https://www.hybrid-analysis.com/sample/09c0cf2355dc74e8f864f8186554fc227acf03c9f7f686acf5bfcfba3241bb34/5c3af1b07ca3e16f8e6a90a1
※ Starting with this round, "8-)" has been added to the subject lines
※ Samples whose payload download source differs from earlier rounds are being distributed (sexy.exe)
29
2019/01/11
:*
:)
:-)
:D
:-D
;)
;-)
Always thinking about you
Felt in love with you!
I love you
Just for you!
My letter just for you
My love letter for you
Please read and reply
This is my love letter to you
Wrote my thoughts down about you
Wrote the fantasy about us down
Wrote this letter for you
You are my love!
My
Always
You
Sender: unknown / Attachment:
Love_You_(※)-2019-txt.zip
Love_You_(※)-2019-txt.js
(※) arbitrary digit string

https://www.virustotal.com/#/file/6e42ad9c545974ca943db43b964f4f0d8a36a028994dfa606118e2f14fc63532/detection
https://www.virustotal.com/#/file/35dd169c8b7cc40f2afa23dc8b408b5881a854adfb65e8ac64ff6e6da63f9655/detection
https://www.hybrid-analysis.com/sample/6f09742d4ba9e18e579653dcbf7c1f47c4da0f1957c98f69ff5ac6683ff2287c?environmentId=100
hxxp://slpsrgpsrhojifdij[.]ru/krablin[.]exe
hxxp://slpsrgpsrhojifdij[.]ru/1[.]exe
hxxp://slpsrgpsrhojifdij[.]ru/2[.]exe
hxxp://92.63.197[.]48/m/1[.]exe
92.63.197[.]48
5e901677dad76c0dc21da659115b4d08e1e27c279c1cd038518ae1518646c306
https://www.virustotal.com/#/file/5e901677dad76c0dc21da659115b4d08e1e27c279c1cd038518ae1518646c306/detection
※ Ultimately infects the victim with the GandCrab v5.0.4 ransomware
https://app.any.run/tasks/ec833126-294c-41d4-9410-b247fd18749c
30
2019/01/08
:)
:D
;)
Always thinking about you
Felt in love with you!
I love you
Just for you!
My letter just for you
My love letter for you
Please read and reply
This is my love letter to you
Wrote my thoughts down about you
Wrote the fantasy about us down
Wrote this letter for you
You are my love!
Sender: unknown / Attachment:
Love_You_(※)-2019-txt.zip
Love_You_(※)-2019-txt.js
(※) arbitrary digit string
https://www.virustotal.com/#/file/d5e12ffd641f98a54b893a44ce4c9ba38ad94dd91064a2529e1a9e54961098cd/detection
https://www.hybrid-analysis.com/sample/d5e12ffd641f98a54b893a44ce4c9ba38ad94dd91064a2529e1a9e54961098cd?environmentId=100
https://www.virustotal.com/#/file/25cef750de1e5df1eed63f7fdee03f32e845c57fcaa12e7a2fba69888600816a/detection
https://www.hybrid-analysis.com/sample/25cef750de1e5df1eed63f7fdee03f32e845c57fcaa12e7a2fba69888600816a?environmentId=100
https://www.virustotal.com/#/file/07c8f8562a93e3c08f2e4100d67c6cd5
https://www.virustotal.com/#/file/112fd658ef94dbc4322bd523b2d2e9b9
https://www.virustotal.com/#/file/17ea3d2978d6a8565471a9a7ef9e73af
https://www.virustotal.com/#/file/1d13d5181faf5d4b13dccd05cc9ebed3
https://www.virustotal.com/#/file/1e72a71a9afce9ba5c5ece90266074dc
https://www.virustotal.com/#/file/5df4a8c9b9ea51246acfe26463ca6a54
https://www.virustotal.com/#/file/6695f7d846f3bd6abc645b3d7d6596f1
https://www.virustotal.com/#/file/8ad0576f4c6c190f395dd2f5a148bdba
https://www.virustotal.com/#/file/b189d127cb65cb98a49e7e6902f2e5dd
https://www.virustotal.com/#/file/b28d8fff7aead6206309637a2b8885ec
https://www.virustotal.com/#/file/b8dc65f9dcdd0a2cae211833e8abd936
https://www.virustotal.com/#/file/d12899d75170de35eb8e404d7e5df539
https://www.virustotal.com/#/file/d729fa8ce988b93b472023fd820957d1
https://www.virustotal.com/#/file/e12819d422c8a526e7ec1d92862f7bfa
https://www.virustotal.com/#/file/ed386cf9db6cab26e190c32675264cf5
hxxp://slpsrgpsrhojifdij[.]ru/krablin[.]exe
92.63.197[.]48
4c0103c745fa6e173821035c304863d751bea9c073d19070d9ebf8685da95040
https://www.virustotal.com/#/file/4c0103c745fa6e173821035c304863d751bea9c073d19070d9ebf8685da95040/detection
https://www.hybrid-analysis.com/sample/4c0103c745fa6e173821035c304863d751bea9c073d19070d9ebf8685da95040
※ Ultimately infects the victim with the GandCrab v5.0.4 ransomware and a coin miner
https://app.any.run/tasks/d695dd79-e1ca-479d-9063-05972351c017
https://isc.sans.edu/diary/24512
31
2019/01/01
~2019/01/06
;-)
:D)
:-)
;)
:D
:)
Sender: unknown / Attachment:
IMG(※)_2018-JPG.zip
(※) arbitrary digit string
https://www.virustotal.com/#/file/29e7715ee8eb83a5eeed362b738f6f7d3a1a5d4d212bd51364a5b4afabeda38a/detection
https://www.virustotal.com/#/file/c42022126b3ec7a61b05985c7d4d9ccc909db0b088f03eeaee2e2980a113227f/detection
https://www.hybrid-analysis.com/sample/0754dfeba09ef3e30d46d85d83559b14fbd4b8e4b019a9f1f62ca129cde53864?environmentId=100
https://www.virustotal.com/#/file/98ff8d2ffd792a2d07eeed9c99397bea8022c3037f37a984a746d7a2d20e40c8/detection
https://www.hybrid-analysis.com/sample/bae8ba38e521cc1d4177b0583a470fa3dd338e069f0f826d97e7a38228cd7ee8?environmentId=100
https://www.virustotal.com/#/file/6364b033c9f8349ffbbdf81c8cb0d126443701744d2dbdbeca5458cb1b016863/detection
https://www.hybrid-analysis.com/sample/9ce508d17d14ab74fbaaea28ae980519e760346fc117bc9effd4066b806802f1?environmentId=100

https://www.hybrid-analysis.com/sample/03ff2e69bb279a9380edd42822788dba2b509c8430e5ed6c004d8c20db775d0e/5c2f448f7ca3e1405a372bb8
https://www.hybrid-analysis.com/sample/0ce33a32a2fea5d785829e5b64719b0b9777ed6de8dbca0ceefb9872be4857e0/5c2e47d07ca3e17e6071829c
https://www.hybrid-analysis.com/sample/34d88669b80cf0f93c615a781dc683682f96cfcd8eced70aee2d74389f0dc69e/5c2e548e7ca3e11fc14b07c3
https://www.hybrid-analysis.com/sample/54cf852550a3478ab0e8930308d9826cbda496c1785ef1de4cb0e8ef482d152c/5c2e49b47ca3e17f966dabd1
https://www.hybrid-analysis.com/sample/5c021031b93d0acde48a275836fc156d3285082bfa0cdd16bd20f5a19a1a20b9/5c2e41867ca3e16b203a933a
https://www.hybrid-analysis.com/sample/6c4312a2a8aba8dd4499fc39ca6fe1c099af421bb642a4872a0f226626cb6c42/5c2e3f3a7ca3e167fb2c0e45
https://www.hybrid-analysis.com/sample/8a68e5359170058ccf332e902e266423599900be8c51a0c73223451185167d91/5c2e44717ca3e1716e2f79cb
https://www.hybrid-analysis.com/sample/9ce508d17d14ab74fbaaea28ae980519e760346fc117bc9effd4066b806802f1/5c2dfdfb7ca3e12fe800962d
https://www.hybrid-analysis.com/sample/fe693a9241ef95fddbf982cf5ef664a2f6d9fe4449adfe32471998eb8d7d7c2f
※ Multiple other files exist
533f093eb27fdff3564b438cdc774b7a
7897bcbb554fdab2aeb67905252a9427
ab8a7ac224f209fa8e66cd5a41ac74ac
78b431391218541847f3a5fa2e397b60
※ Multiple other files exist
29e7715ee8eb83a5eeed362b738f6f7d3a1a5d4d212bd51364a5b4afabeda38a
c42022126b3ec7a61b05985c7d4d9ccc909db0b088f03eeaee2e2980a113227f
98ff8d2ffd792a2d07eeed9c99397bea8022c3037f37a984a746d7a2d20e40c8
6364b033c9f8349ffbbdf81c8cb0d126443701744d2dbdbeca5458cb1b016863
※ Multiple other files exist
hxxp://92.63.197[.]48/m/tm.exe
hxxp://92.63.197[.]48/m/mb.exe

hxxp://92.63.197[.]48/m/1.exe
⇒ GandCrab v5.0.4 ransomware

※ Only confirmed items are listed
92.63.197[.]48
※ Only confirmed items are listed
92edf8438fb1a64caaeed3f29e34974fa8855c92bca8f6d56316b5b722a8ec67
5154a51f2940554b9e3b3031193b50003fd7ef9ad050cefb553463e6cdaa6560
da61b72084316419626f6e181fba17688828206ac9e2028f30589e4724f15f89
c3dd0fa37af321000cef9b6654bbd766834540d3e0835e6fbd7e82e8e299f17b
https://www.virustotal.com/#/file/92edf8438fb1a64caaeed3f29e34974fa8855c92bca8f6d56316b5b722a8ec67/detection
https://www.hybrid-analysis.com/sample/92edf8438fb1a64caaeed3f29e34974fa8855c92bca8f6d56316b5b722a8ec67/5c2c76de7ca3e129da23e4b7
https://www.virustotal.com/#/file/5154a51f2940554b9e3b3031193b50003fd7ef9ad050cefb553463e6cdaa6560/detection
https://www.hybrid-analysis.com/sample/5154a51f2940554b9e3b3031193b50003fd7ef9ad050cefb553463e6cdaa6560?environmentId=100
https://www.virustotal.com/#/file/da61b72084316419626f6e181fba17688828206ac9e2028f30589e4724f15f89/detection
https://www.hybrid-analysis.com/sample/da61b72084316419626f6e181fba17688828206ac9e2028f30589e4724f15f89/5c2c77767ca3e127e3501d6d
https://www.virustotal.com/#/file/c3dd0fa37af321000cef9b6654bbd766834540d3e0835e6fbd7e82e8e299f17b/detection
https://www.hybrid-analysis.com/sample/c3dd0fa37af321000cef9b6654bbd766834540d3e0835e6fbd7e82e8e299f17b/5c30ac387ca3e156e42cf0c3
※ Appears to have been distributed from 2019-01-01 to 2019-01-06
※ The mail body consists only of ":)"
※ The chain ultimately infects the host with GandCrab v5.0.4 ransomware
⇒ As of 2019/01/04 there is no tool that decrypts GandCrab v5.0.4
⇒ A decryption tool for GandCrab ransomware (up to v5.0.2) can be downloaded here:
 https://www.nomoreransom.org/ja/decryption-tools.html#GandCrabV1V4andV5versions
32
2018/12/28
Re: ヴィスト修正
unknown
attachment
原価請求書です(※).doc
(※) arbitrary digit string
https://www.virustotal.com/#/file/eebf28c47b1fda3f32cf8e28490d5b36ddbb01aeaa5ee119b8a6105d3079e061/detection
https://www.hybrid-analysis.com/sample/eebf28c47b1fda3f32cf8e28490d5b36ddbb01aeaa5ee119b8a6105d3079e061/5c245be97ca3e159891610a4
e3289ae9fd9b922b8381b704fa22c81a
eebf28c47b1fda3f32cf8e28490d5b36ddbb01aeaa5ee119b8a6105d3079e061
hxxp://free.diegoalex[.]com/3289fkjsdfyu3[.]bin
195.123.245[.]201
7accbf97c78c6f30df6031db55eba05fa746cc0941c960822b08a370b3bb878c
https://www.virustotal.com/#/file/7accbf97c78c6f30df6031db55eba05fa746cc0941c960822b08a370b3bb878c/detection
https://www.hybrid-analysis.com/sample/7accbf97c78c6f30df6031db55eba05fa746cc0941c960822b08a370b3bb878c?environmentId=100
https://www.jc3.or.jp/topics/v_log/201812.html#d20181228
※ Possibly a continuation of the December 27 campaign
33
2018/12/27
Re: ヴィスト修正
unknown
attachment
原価請求書です(※).doc
(※) arbitrary digit string
https://www.virustotal.com/#/file/12d82b089c31f4cc506552d870ac15cc478c28afe61373b9b467718acce33b00/detection
https://www.hybrid-analysis.com/sample/3a2e9a8399595c2e821725e2eb0a95d6ea8ccf4863f49f72b8ecbdc12c4119a9/5c2457197ca3e14db01814b5
https://www.virustotal.com/#/file/3a2e9a8399595c2e821725e2eb0a95d6ea8ccf4863f49f72b8ecbdc12c4119a9/detection
https://www.hybrid-analysis.com/sample/12d82b089c31f4cc506552d870ac15cc478c28afe61373b9b467718acce33b00?environmentId=100
d9c3cfbd0fff8a2da127fe563a1ffd54
79840741ab330a8f83383d1ce7b3aea8
12d82b089c31f4cc506552d870ac15cc478c28afe61373b9b467718acce33b00
3a2e9a8399595c2e821725e2eb0a95d6ea8ccf4863f49f72b8ecbdc12c4119a9
hxxp://free.diegoalex[.]com/3289fkjsdfyu3[.]bin
195.123.245[.]201
7accbf97c78c6f30df6031db55eba05fa746cc0941c960822b08a370b3bb878c
https://www.virustotal.com/#/file/7accbf97c78c6f30df6031db55eba05fa746cc0941c960822b08a370b3bb878c/detection
https://www.hybrid-analysis.com/sample/7accbf97c78c6f30df6031db55eba05fa746cc0941c960822b08a370b3bb878c?environmentId=100
https://www.jc3.or.jp/topics/v_log/201812.html#d20181227
https://www.cc.uec.ac.jp/blogs/news/2018/12/20181227maiwaremail.html
34
2018/12/25
12月、原価請求書です。
unknown
attachment
原価請求書です(※).docx
(※) arbitrary digit string
https://www.virustotal.com/#/file/3c472af694729da1ecc95cf99158c50ffcf02a2e6948538c326ec8883ddb8c7b/detection
https://www.hybrid-analysis.com/sample/3c472af694729da1ecc95cf99158c50ffcf02a2e6948538c326ec8883ddb8c7b?environmentId=100
https://www.virustotal.com/#/file/0d94117b669e9c102ecf754173c3fbf6ce19445d17eacf2882b323fb465b67be/detection
https://www.virustotal.com/#/file/75ecc5845bec21b1fdf98680de180e0fc227d312f58c02dec7cc52c8ceaab1d7/detection
4c33fdea71051db14e690efe94756b8c
67915b4ba1d2a9aaf0528bdbc1b8229a
b644da18d0858198af8669a5feb876a6
3c472af694729da1ecc95cf99158c50ffcf02a2e6948538c326ec8883ddb8c7b
0d94117b669e9c102ecf754173c3fbf6ce19445d17eacf2882b323fb465b67be
75ecc5845bec21b1fdf98680de180e0fc227d312f58c02dec7cc52c8ceaab1d7
hxxp://emotion.bethlapierre[.]com/8923rfj.bin
31.170.107[.]162
0c3b5c7e013e67444f0aebb031eed7a2c4c9a06b8a2dd9401b9ec1be1a107afb
https://www.virustotal.com/#/file/0c3b5c7e013e67444f0aebb031eed7a2c4c9a06b8a2dd9401b9ec1be1a107afb/detection
https://www.hybrid-analysis.com/sample/0c3b5c7e013e67444f0aebb031eed7a2c4c9a06b8a2dd9401b9ec1be1a107afb?environmentId=100
https://www.cc.uec.ac.jp/blogs/news/2018/12/20181225maiwaremail.html
https://www.jc3.or.jp/topics/virusmail.html
35
2018/12/24
8月、原価請求書です。
unknown (all remaining columns)
https://www.jc3.or.jp/topics/virusmail.html

※ Distribution does not appear to have been widespread?
36
2018/12/22
Re: ヴィスト修正
unknown (all remaining columns)
https://www.jc3.or.jp/topics/virusmail.html

※ Distribution does not appear to have been widespread?
※ The body is very likely the same as the one distributed on 2017-09-13
==================
Judging from the body text of this suspicious mail with the subject 『Re: ヴィスト修正』,
it appears to be a reuse of the mail distributed under the same subject on 2017-09-13.
Sharing the information on the suspicious files that were attached at that time.
https://www.virustotal.com/#/file/40c8f6c67427e86b5f1e93923bb6f0ea3fe4a378c4a6be4287fc09bf536c5e97/detection
https://www.virustotal.com/#/file/e5c821755bcd4a038ee1af940b2b32adf6d2629c60a39487c1ca8f468f5f64a4/detection
https://www.virustotal.com/#/file/1ec564a978932a6cfefaa22e021e4c1a3af8909251edda2498e1b3f400defcb2/detection
37
2018/12/18
[※]注文書の件
[※]申請書類の提出
[※]立替金報告書の件です。
[※]納品書フォーマットの送付
[※]請求データ送付します

※: one of the following symbols is inserted
「*」「-」「_」「|」「~」
unknown
attachment
D O C [※].XLS
※: arbitrary digit string
https://www.virustotal.com/#/file/fa5eb74adc22749ffd113ceaa71d23a693af55e605bea1354dc7d352303e9bff/detection
https://www.hybrid-analysis.com/sample/fa5eb74adc22749ffd113ceaa71d23a693af55e605bea1354dc7d352303e9bff?environmentId=100
2c2545df2bbcd506bd09641ec97ca5ae
fa5eb74adc22749ffd113ceaa71d23a693af55e605bea1354dc7d352303e9bff
images2.imgbox[.]com/4a/4f/BlSALZQZ_o.png
multiple
1c0d4d80c2fe6013da2e4dd036ef5048db439155a19144aa88426d3528dbd53f
https://www.virustotal.com/#/file/1c0d4d80c2fe6013da2e4dd036ef5048db439155a19144aa88426d3528dbd53f/detection
https://www.jc3.or.jp/topics/virusmail.html
https://www.cc.uec.ac.jp/blogs/news/2018/12/20181219.html
38
2018/12/13
【楽天市場】注文内容ご確認(自動配信メール)
rakuten_order[@]applesupport.cncntrte[.]com
hxxp://eu.kiraneproject[.]com/
Associated IP is the following address
195.123.233[.]150
注文内容ご確認.zip
注文内容ご確認.lnk
https://www.virustotal.com/#/file/11acce4e568000b18e4957e4ef956d681839d8fd4da22346b7effc9161fb7bb0/detection
https://www.hybrid-analysis.com/sample/11acce4e568000b18e4957e4ef956d681839d8fd4da22346b7effc9161fb7bb0
https://www.hybrid-analysis.com/sample/7e7bee88bdd25ab9cc402e8a14ee08615618c55c977993646c89ffd95bc90815?environmentId=100
https://www.virustotal.com/#/file/7e7bee88bdd25ab9cc402e8a14ee08615618c55c977993646c89ffd95bc90815/detection
36806ed6ba0ef9261570476abea09b2b
0d43e1fd27f79e4eae009eb812bade65
11acce4e568000b18e4957e4ef956d681839d8fd4da22346b7effc9161fb7bb0
7e7bee88bdd25ab9cc402e8a14ee08615618c55c977993646c89ffd95bc90815
hxxp://ktr.kiraneproject[.]com/pohaq/info[.]ps1
hxxp://ktr.kiraneproject[.]com/pohaq/fit[.]txt
195.123.233[.]150
0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85
https://www.virustotal.com/#/file/0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85/detection
https://www.hybrid-analysis.com/sample/0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85?environmentId=100
https://www.jc3.or.jp/topics/virusmail.html
39
2018/12/11
【楽天市場】注文内容ご確認(自動配信メール)
楽天市場 <rakuten_order@applesupport.shadidphotography.com>
hxxp://rth.cncntrte[.]com/
Associated IP is the following address
195.123.217[.]77
注文内容ご確認.zip
注文内容ご確認.PDF.js
注文内容ご確認.js
https://www.virustotal.com/#/file/97e56c8eb502e7a8198421d2f5ff77fa44434c85df8fcdb6659a02932d19a661/detection
https://www.hybrid-analysis.com/sample/e047fdc27c7468d6cecfcf5c758586ca855e4dd5cdae8a8688665f6aeb129c13?environmentId=100
https://www.virustotal.com/#/file/a606892ad38faa5c4f3810dd52a5282a873cbe8a0993a8530e28ea1065b1a584/detection
https://www.hybrid-analysis.com/sample/a606892ad38faa5c4f3810dd52a5282a873cbe8a0993a8530e28ea1065b1a584?environmentId=100
https://www.virustotal.com/#/file/e828d07247267fca9d80000fa29cba7d7d7d29e0aaad1cb9c70455825de2ad7c/detection
https://www.hybrid-analysis.com/sample/e828d07247267fca9d80000fa29cba7d7d7d29e0aaad1cb9c70455825de2ad7c/5c0f67ff7ca3e105b55dd93d
34b06c408e46130bcde6c127ce361248
b58f6711d24b44cd7b00ee40f27330b1
9f111daecf1cb90c369b14bb4ddddad3
97e56c8eb502e7a8198421d2f5ff77fa44434c85df8fcdb6659a02932d19a661
a606892ad38faa5c4f3810dd52a5282a873cbe8a0993a8530e28ea1065b1a584
e828d07247267fca9d80000fa29cba7d7d7d29e0aaad1cb9c70455825de2ad7c
hxxp://fgyt.shadidphotography.com/789234[.]bin
hxxp://re.ghostzero[.]la/
hxxp://yu.sxkoparty[.]com/
hxxp://nnmj.joshshadid[.]com/
195.123.217[.]77
4ddd8aef0e491daf102190488ab8004afc297169bb69fd40cbaa46b25f8390a6
https://www.virustotal.com/#/file/4ddd8aef0e491daf102190488ab8004afc297169bb69fd40cbaa46b25f8390a6/detection
https://www.cc.uec.ac.jp/blogs/news/2018/12/20181211rakutenmalware.html
https://www.jc3.or.jp/topics/virusmail.html
https://twitter.com/tmmalanalyst/status/1072442761029267456
https://bomccss.hatenablog.jp/entry/2018/12/14/134301
40
2018/12/05
【NTT-X Store】商品発送のお知らせ
unknown (all remaining columns)
https://www.jc3.or.jp/topics/virusmail.html

※ Distribution does not appear to have been widespread?
41
2018/12/04
【楽天市場】注文内容ご確認(自動配信メール)
unknown (all remaining columns)
https://www.jc3.or.jp/topics/virusmail.html

※ Distribution does not appear to have been widespread?
42
2018/11/29
Your invoice from [company name and person name]
unknown
attachment
Untitled-(※).doc
※: arbitrary digit string
https://www.virustotal.com/#/file/dd850a2d509783d8550103d4ab78474d137fc6b64849f8c5f00638cb4dda1886/detection
https://www.hybrid-analysis.com/sample/dd850a2d509783d8550103d4ab78474d137fc6b64849f8c5f00638cb4dda1886?environmentId=100
https://www.virustotal.com/#/file/31cbdc7401361fbaf59d08b79d2081527147f61d2b951de1a9477648e5b218a8/detection
https://www.hybrid-analysis.com/sample/31cbdc7401361fbaf59d08b79d2081527147f61d2b951de1a9477648e5b218a8?environmentId=100
6eca8cd7dfaa8633f527bf714e64e431
d7cadb15f640c32df58881fb09a758f9
dd850a2d509783d8550103d4ab78474d137fc6b64849f8c5f00638cb4dda1886
31cbdc7401361fbaf59d08b79d2081527147f61d2b951de1a9477648e5b218a8
levifca[.]com/y0tYhnWQ
mfpvision[.]com/yAkPNiSmm6
haganelectronics.rubickdesigns[.]com/C96xSAAy2q
catairdrones[.]com/sMQ0n8nNun
radio312[.]com/mp0NHN4cHX
50.74.56[.]147:8080
81.18.134[.]18:8080
181.193.115[.]50
209.182.216[.]177:443
181.60.228[.]203:8080
190.191.88[.]126
186.20.225[.]65:8080
07089c9689dba0e609e8cb56a80975465220b49377608e902415832a09fd8184
68d27ee84a09414459cbd880214ddcfdf5a48f36ebe8d6b79389ac9a56a6836b
https://www.virustotal.com/#/file/07089c9689dba0e609e8cb56a80975465220b49377608e902415832a09fd8184/detection
https://www.hybrid-analysis.com/sample/07089c9689dba0e609e8cb56a80975465220b49377608e902415832a09fd8184?environmentId=100
https://www.virustotal.com/#/file/68d27ee84a09414459cbd880214ddcfdf5a48f36ebe8d6b79389ac9a56a6836b/detection
https://www.hybrid-analysis.com/sample/68d27ee84a09414459cbd880214ddcfdf5a48f36ebe8d6b79389ac9a56a6836b?environmentId=100
https://twitter.com/58_158_177_102/status/1067969430326374400
43
2018/11/27
unknown (※ distributed as replies to genuinely exchanged email threads)
unknown
attachment
ATT(※).doc
※: arbitrary digit string
https://www.virustotal.com/#/file/d0d6557a1068b7519c1a7ce837b3e050114d7b6ae81214b205640bfd6252b3f8/detection
https://www.hybrid-analysis.com/sample/d0d6557a1068b7519c1a7ce837b3e050114d7b6ae81214b205640bfd6252b3f8/5bfc97f47ca3e10c6a182d53
https://www.virustotal.com/#/file/25b375699ab3c9af2732c8382837226e93b94b08b2a15bd28fd7c31c3294273c/detection
https://www.hybrid-analysis.com/sample/25b375699ab3c9af2732c8382837226e93b94b08b2a15bd28fd7c31c3294273c?environmentId=100
3bf814e9b77b52aebd3dd0de758f4800
1f93e9663b1d2aaa20f95d2352a18946
d0d6557a1068b7519c1a7ce837b3e050114d7b6ae81214b205640bfd6252b3f8
25b375699ab3c9af2732c8382837226e93b94b08b2a15bd28fd7c31c3294273c
hxxp[:]//oxaggebrer[.]com/QIC/tewokl.php?l=vunx1.spr

"=vunx1" through "=vunx9" also observed
95.181.198[.]207
241c6152e9fa5d47158f4c4fb365de0acb521a49e562073595675a31db86491e
https://www.virustotal.com/#/file/241c6152e9fa5d47158f4c4fb365de0acb521a49e562073595675a31db86491e/detection
https://www.hybrid-analysis.com/sample/241c6152e9fa5d47158f4c4fb365de0acb521a49e562073595675a31db86491e?environmentId=100
https://twitter.com/NTTSec_JP/status/1067222660403195905
44
2018/11/16
【NTT-X Store】商品発送のお知らせ
unknown (all remaining columns)
https://www.jc3.or.jp/topics/virusmail.html

※ Distribution does not appear to have been widespread?
45
2018/11/15
【NTT-X Store】商品発送のお知らせ
unknown (all remaining columns)
https://www.jc3.or.jp/topics/virusmail.html

※ Distribution does not appear to have been widespread?
※ First reappearance of this subject since 2017-10-06
⇒https://www.jc3.or.jp/topics/v_log/201710.html#d20171006a
46
2018/11/15
【楽天市場】注文内容ご確認(自動配信メール)
unknown (all remaining columns)
https://www.jc3.or.jp/topics/virusmail.html

※ Distribution does not appear to have been widespread?
47
2018/11/14/発注-181112
支払依頼書
【連絡 ※請求書】
unknown
attachment
(※)DOC20181114(※).doc
※: arbitrary digit string
https://www.virustotal.com/#/file/8ed61abc371da7cf5ed2d8b9b7fdf20b8ca1b924c19fc9e8d50ca1feaccb6ae9/detection
https://www.hybrid-analysis.com/sample/8ed61abc371da7cf5ed2d8b9b7fdf20b8ca1b924c19fc9e8d50ca1feaccb6ae9?environmentId=100
bdd9fe7dae3fc4b751f17f13ec9d41b7
8ed61abc371da7cf5ed2d8b9b7fdf20b8ca1b924c19fc9e8d50ca1feaccb6ae9
hxxp://niokrat.com/clifind[.]log

C2:hxxps://abedirer[.]com / 149.129.243[.]34
many
fb4077e5ef55027b2972e94fe54eca985dfb933702f09a640a799f31b2181834
https://www.virustotal.com/#/file/fb4077e5ef55027b2972e94fe54eca985dfb933702f09a640a799f31b2181834/detection
https://www.hybrid-analysis.com/sample/fb4077e5ef55027b2972e94fe54eca985dfb933702f09a640a799f31b2181834?environmentId=120
https://www.jc3.or.jp/topics/virusmail.html
https://bomccss.hatenablog.jp/entry/2018/11/20/204650
48
2018/11/10
【楽天市場】注文内容ご確認(自動配信メール)
unknown (all remaining columns)
https://www.jc3.or.jp/topics/virusmail.html

※ Distribution does not appear to have been widespread?
https://twitter.com/catnap707/status/1062112039064166400
※ First reappearance of this subject since 2018-07-05
49
2018/11/06
注文書の件
申請書類の提出
立替金報告書の件です。
納品書フォーマットの送付
請求データ送付します
unknown
attachment
Doc06112018(digits).xls
※: arbitrary digit string
https://www.virustotal.com/#/file/4095b31681f998c808b2e7338fa8adec82c9f5049df457c9f0c0fc562e2a48ab/detection
https://www.hybrid-analysis.com/sample/4095b31681f998c808b2e7338fa8adec82c9f5049df457c9f0c0fc562e2a48ab?environmentId=100
eadd4d15f9e23d579232aff07f9e988a
4095b31681f998c808b2e7338fa8adec82c9f5049df457c9f0c0fc562e2a48ab
hxxps://images2.imgbox[.]com/90/f1/gat2MVsK_o.png

▼bebloh
hxxp://olideron[.]com/connmouse
C2: hxxps://pogertan.com ( 216.58.199[.]228 )


▼ursnif
hxxp://iglesiamistral[.]org/audio/ceeb/educat[.]exe
( 217.160.0[.]251 )
C2: hxxps://niperola[.]com ( 5.8.88[.]247 )
208.99.84[.]104
188.237.190[.]24
▼Bebloh
75ca5c2caf5216140f8e3e34160bdc64ce59d75fce1feeaa809ec18f01427783

▼Ursnif
dba40065b6efc6ae10e26ba608817ff04bdbc976e07016d78d0b4a63492e3ae4
https://www.virustotal.com/#/file/75ca5c2caf5216140f8e3e34160bdc64ce59d75fce1feeaa809ec18f01427783/detection
https://www.virustotal.com/#/file/dba40065b6efc6ae10e26ba608817ff04bdbc976e07016d78d0b4a63492e3ae4/detection
https://www.jc3.or.jp/topics/virusmail.html
https://bomccss.hatenablog.jp/entry/2018/11/12/201654
50
2018/11/06
10月5日日付の管理費請求書
10月課金請求リスト
10月請求書 郵送のご連絡
11月請求書連絡
【再送】30年10月分請求書
〜請求書11月1日〜
ご請求書
別注お支払いの件
請求書
unknown
attachment
20181106(digits).xls
※: arbitrary digit string
https://www.virustotal.com/#/file/81e10dc5acf7b150591d147c1101fed72d90648f1ec40a20798836d07258b804/detection
https://www.hybrid-analysis.com/sample/81e10dc5acf7b150591d147c1101fed72d90648f1ec40a20798836d07258b804/5be14bf67ca3e1677d6f4560
0edba7614266430b14768292a3c9ce02
81e10dc5acf7b150591d147c1101fed72d90648f1ec40a20798836d07258b804
hxxps://images2.imgbox[.]com/90/f1/gat2MVsK_o.png

▼bebloh
hxxp://olideron[.]com/connmouse
C2: hxxps://pogertan.com ( 216.58.199[.]228 )


▼ursnif
hxxp://iglesiamistral[.]org/audio/ceeb/educat[.]exe
( 217.160.0[.]251 )
C2: hxxps://niperola[.]com ( 5.8.88[.]247 )
208.99.84[.]104
188.237.190[.]24
▼Bebloh
75ca5c2caf5216140f8e3e34160bdc64ce59d75fce1feeaa809ec18f01427783

▼Ursnif
dba40065b6efc6ae10e26ba608817ff04bdbc976e07016d78d0b4a63492e3ae4
https://www.virustotal.com/#/file/75ca5c2caf5216140f8e3e34160bdc64ce59d75fce1feeaa809ec18f01427783/detection
https://www.virustotal.com/#/file/dba40065b6efc6ae10e26ba608817ff04bdbc976e07016d78d0b4a63492e3ae4/detection
https://www.jc3.or.jp/topics/virusmail.html
https://bomccss.hatenablog.jp/entry/2018/11/12/201654
51
2018/11/01
【請求書、見積書送付】30/10-11
請求書送信のご連絡
RE: 10月分WO
10月請求書の件
再)ご請求書~
預かり金依頼書の送付(追い金)
2018年10月度 御請求書
unknown
attachment

-(※).xls
※: arbitrary digit string

https://www.virustotal.com/#/file/bfe8ab19b3e3273999f7045651e745fad67690e314a5ae32a5f245c4576bc668/detection
https://www.hybrid-analysis.com/sample/bfe8ab19b3e3273999f7045651e745fad67690e314a5ae32a5f245c4576bc668?environmentId=120
e7fb10b7ba0d4f761ad323b88ed69689
1d15107e7ff9867bf904a2a4dc7d9f39
c5e3ea84d2367239a3edff9074158e7af13b95edbc87d576c8d97e2536f3ba3a
bfe8ab19b3e3273999f7045651e745fad67690e314a5ae32a5f245c4576bc668
images2.imgbox[.]com
martenod[.]com/ufolder

▼C2
hxxps://makarcheck[.]com
IP: 47.254.153[.]36
many
4c603d763a2b79e36492413ff788e1dd795bc09c67b2f4eccad5f339ebe44e89
https://www.virustotal.com/#/file/4c603d763a2b79e36492413ff788e1dd795bc09c67b2f4eccad5f339ebe44e89/detection
https://www.jc3.or.jp/topics/virusmail.html
https://bomccss.hatenablog.jp/entry/2018/11/08/173353
52
2018/11/01
立替金報告書の件です。
申請書類の提出
注文書の件
請求データ送付します
納品書フォーマットの送付
unknown
attachment
(※)DOC20181101(※).xls
※: arbitrary digit string
https://www.virustotal.com/#/file/c5e3ea84d2367239a3edff9074158e7af13b95edbc87d576c8d97e2536f3ba3a/detection
https://www.hybrid-analysis.com/sample/c5e3ea84d2367239a3edff9074158e7af13b95edbc87d576c8d97e2536f3ba3a?environmentId=100

e7fb10b7ba0d4f761ad323b88ed69689

c5e3ea84d2367239a3edff9074158e7af13b95edbc87d576c8d97e2536f3ba3a
images2.imgbox[.]com
martenod[.]com/ufolder

▼C2
hxxps://makarcheck[.]com
IP: 47.254.153[.]36
many
4c603d763a2b79e36492413ff788e1dd795bc09c67b2f4eccad5f339ebe44e89
https://www.virustotal.com/#/file/4c603d763a2b79e36492413ff788e1dd795bc09c67b2f4eccad5f339ebe44e89/detection
https://www.jc3.or.jp/topics/virusmail.html
https://bomccss.hatenablog.jp/entry/2018/11/08/173353
53
2018/10/30
10月請求書の件
2018年10月度 御請求書
RE: 10月分WO
【請求書、見積書送付】30/10-11
再)ご請求書〜
請求書送信のご連絡
預かり金依頼書の送付(追い金)
unknown
attachment
(※)請求書(2018年10月).xls
※: arbitrary digit string

20181030(※).xls
※: arbitrary digit string
https://www.virustotal.com/#/file/cac15934c258df2a1cc9c5359004f655e40a51cee6a255892e7884b0210425e3/detection
https://www.hybrid-analysis.com/sample/cac15934c258df2a1cc9c5359004f655e40a51cee6a255892e7884b0210425e3?environmentId=120
https://www.virustotal.com/#/file/f39618fbdbb3788fa9444c84522a069b867e3237567ddd722f5e9a42838a4371/detection
https://www.hybrid-analysis.com/sample/f39618fbdbb3788fa9444c84522a069b867e3237567ddd722f5e9a42838a4371?environmentId=100
https://www.virustotal.com/#/file/8da48928f824f5f4da56c1bee55d1b8a42ee416bd3b1527bf88f2ea440c9285f/detection
https://www.hybrid-analysis.com/sample/8da48928f824f5f4da56c1bee55d1b8a42ee416bd3b1527bf88f2ea440c9285f?environmentId=100
dc8245e63d07da4c459aeb2c003f827e
e5c72950358cb38b8a36223ee60b4635
819b894e1021764ba0a627342db77f71
cac15934c258df2a1cc9c5359004f655e40a51cee6a255892e7884b0210425e3
f39618fbdbb3788fa9444c84522a069b867e3237567ddd722f5e9a42838a4371
8da48928f824f5f4da56c1bee55d1b8a42ee416bd3b1527bf88f2ea440c9285f
hxxp://image.ibb.co/jrDJv0/hp[.]png
many
5741f50148717676588f5e6ae0df16b9323f2e266272f3aa420a266da50fffca
https://www.virustotal.com/#/file/5741f50148717676588f5e6ae0df16b9323f2e266272f3aa420a266da50fffca/detection
No external communication occurred
https://www.jc3.or.jp/topics/virusmail.html
https://bomccss.hatenablog.jp/entry/2018/11/08/015117
54
2018/10/24
注文書の件
申請書類の提出
立替金報告書の件です。
納品書フォーマットの送付
請求データ送付します
unknown
attachment
DOC2410201810(※).xls
※: arbitrary digit string
https://www.virustotal.com/#/file/54303e5aa05db2becbef0978baa60775858899b17a5d372365ba3c5b1220fd2e/detection
https://www.hybrid-analysis.com/sample/54303e5aa05db2becbef0978baa60775858899b17a5d372365ba3c5b1220fd2e/5bd010b07ca3e1378f5527f3
445d3d5073e9939ad037556e24e05b37
54303e5aa05db2becbef0978baa60775858899b17a5d372365ba3c5b1220fd2e
hxxps://images2.imgbox[.]com/ca/88/A2ZSlW6S_o[.]png

hxxp://pigertime.com/mksetting
208.99.84.102
62.141.244.144
73da11127aa1da5538d153ba7f063c74fb90af46da581f098f179e1bb8371904
https://www.virustotal.com/#/url/7149701fd4a4f2fc5f207d9b00c4df394ffc37d05516b4b7c11dbc4dd25fed1c/detection
https://www.jc3.or.jp/topics/virusmail.html
https://bomccss.hatenablog.jp/entry/2018/10/26/194719
55
2018/08/08
ご請求額の通知
インボイス
プロジェクト
写真
支払い
文書
請求・支払データ
資料
unknown
attachment
(※).32.zip
※: arbitrary digit string

.iqy
https://www.virustotal.com/#/file/ed40b6d8bb352b9e645dcaf40094b3712ef5a5e4ae5505c6c576565d18e86209/detection
https://www.virustotal.com/#/file/b52bf37f47e7991f26b3ecc679d9fc78037f950cbd63ac220ab06b5d5cf5dcfd/detection
feaab576309656fcaff1324b91d17ec9
c8100292be8e5dd627fd731f0c086a6e
ed40b6d8bb352b9e645dcaf40094b3712ef5a5e4ae5505c6c576565d18e86209
b52bf37f47e7991f26b3ecc679d9fc78037f950cbd63ac220ab06b5d5cf5dcfd
jiglid[.]com/exel

jiglid[.]com/version
↓ 
jiglid[.]com/JP

Bebloh

Ursnif
many
70f3bda067b9c3519c909da0b0fda85fcd45f84093f416520972d5b1387c5894

8e7e90ca9812222ed762e6f6db677361aa0db526eca54b2a09fb1cfa41eed63f

▼Bebloh
0323da8293f583e42fd14ad7e997bb3ecc0a508fef9d486314f4d1a1d5c65f58

▼Ursnif
87f0e03c2bb71d7fd620f5693700fca08eefe8f42803051a9d1c4f90e0c5fd57

https://www.virustotal.com/#/file/0323da8293f583e42fd14ad7e997bb3ecc0a508fef9d486314f4d1a1d5c65f58/detection
https://www.virustotal.com/#/file/87f0e03c2bb71d7fd620f5693700fca08eefe8f42803051a9d1c4f90e0c5fd57/detection
https://www.hybrid-analysis.com/sample/87f0e03c2bb71d7fd620f5693700fca08eefe8f42803051a9d1c4f90e0c5fd57?environmentId=100
https://www.jc3.or.jp/topics/virusmail.html
https://bomccss.hatenablog.jp/entry/2018/08/10/033607
https://blog.trendmicro.com/trendlabs-security-intelligence/iqy-and-powershell-abused-by-spam-campaign-to-infect-users-in-japan-with-bebloh-and-ursnif/?utm_campaign=shareaholic&utm_medium=twitter&utm_source=socialnetwork
56
2018/08/07
インボイス Re: 進捗
unknown
attachment
2018.08.07.xls
https://www.virustotal.com/#/file/ae2a04b491f6f19d737b2693b26f7a5d54c724b66d48620577dfbc21f38690b8/detection
https://www.hybrid-analysis.com/sample/ae2a04b491f6f19d737b2693b26f7a5d54c724b66d48620577dfbc21f38690b8?environmentId=100
e2707980305d7518ab41171c96d8ca48
ae2a04b491f6f19d737b2693b26f7a5d54c724b66d48620577dfbc21f38690b8
hxxp://jiglid[.]com/out
many
821953a1d3e2b44cf2c79a6513c3f85e9603f5ab4f2d448a4d87136850643f26
https://www.virustotal.com/#/file/821953a1d3e2b44cf2c79a6513c3f85e9603f5ab4f2d448a4d87136850643f26/detection
https://www.jc3.or.jp/topics/virusmail.html
https://bomccss.hatenablog.jp/entry/2018/08/10/024215
57
2018/08/07
注文書[※]
※: arbitrary digit string
unknown
attachment
注文書_office.xls
https://www.virustotal.com/#/file/324c2f02ac07b1610413d4f14a3f72b91bc322c1497ed01c15a5793192c1acd5/detection
https://www.hybrid-analysis.com/sample/324c2f02ac07b1610413d4f14a3f72b91bc322c1497ed01c15a5793192c1acd5/5b694f307ca3e15c803bc169
58e702dd7c39ec64468f244d96e0ac43
324c2f02ac07b1610413d4f14a3f72b91bc322c1497ed01c15a5793192c1acd5
hxxp://jiglid[.]com/out
hxxp://jiglid[.]com/1.tmp
many
821953a1d3e2b44cf2c79a6513c3f85e9603f5ab4f2d448a4d87136850643f26
https://www.virustotal.com/#/file/821953a1d3e2b44cf2c79a6513c3f85e9603f5ab4f2d448a4d87136850643f26/detection
https://twitter.com/bomccss/status/1026741233173983232
https://www.jc3.or.jp/topics/virusmail.html
https://bomccss.hatenablog.jp/entry/2018/08/10/024215
58
2018/08/07
<要返信:FAX>営業○・出荷×
unknown
attachment
FAX[出荷].xls
https://www.hybrid-analysis.com/sample/d48a46e4a294755055ea59256450463b644236b32f62ecbb103b8f0337c4247c?environmentId=100
https://www.virustotal.com/#/file/8957623c094f3ccdec8102f37d72d39279ecaa6a00f61cfe0c16d34105401e21/detection
https://www.hybrid-analysis.com/sample/8957623c094f3ccdec8102f37d72d39279ecaa6a00f61cfe0c16d34105401e21?environmentId=100
d90ff73d19b98b51c60ec9ab61170676
d48a46e4a294755055ea59256450463b644236b32f62ecbb103b8f0337c4247c
8957623c094f3ccdec8102f37d72d39279ecaa6a00f61cfe0c16d34105401e21
hxxp://jiglid[.]com/out
hxxp://jiglid[.]com/1.tmp
many
821953a1d3e2b44cf2c79a6513c3f85e9603f5ab4f2d448a4d87136850643f26
https://www.virustotal.com/#/file/821953a1d3e2b44cf2c79a6513c3f85e9603f5ab4f2d448a4d87136850643f26/detection
https://twitter.com/bomccss/status/1026741233173983232
https://www.jc3.or.jp/topics/virusmail.html
https://bomccss.hatenablog.jp/entry/2018/08/10/024215
59
2018/08/06
お世話になります
ご確認ください
写真添付
写真送付の件
unknown
attachment
(※).00000.iqy
8月・000000.iqy
※: user name
https://www.virustotal.com/#/file/e9202586bd09cf9457025de2db62622b8d231de0f1ecc5d64ee71909c4c9c3a2/detection
ef9ea3ab606adf5bbeffc75b0dccdae2
e9202586bd09cf9457025de2db62622b8d231de0f1ecc5d64ee71909c4c9c3a2
hxxp://jiglid[.]com/sc4

hxxp://jiglid[.]com/sc4-2.dat

hxxp://jiglid[.]com/ms.xlsx

Bebloh

Ursnif
92.48.206[.]71
fe89c50f242f54c09a4a8de3f3c3fd813e6dc41af59cf21ab669b05efedfd0c8

c5d706f09a79bde59257fab77c5406fba89d10efdb9e4941a8b3c1677da1c878

▼Bebloh
5533187aeae5b20d0628496f2ee671704bc806b16f4ce8b92468e9db3343957b

▼Ursnif
9e6535f7cda29e64af7711347271776cbe1242f33c745c61b5320c84eda5bc7e
https://www.virustotal.com/#/file/c5d706f09a79bde59257fab77c5406fba89d10efdb9e4941a8b3c1677da1c878/detection
https://www.virustotal.com/#/file/fe89c50f242f54c09a4a8de3f3c3fd813e6dc41af59cf21ab669b05efedfd0c8/detection
https://www.virustotal.com/#/file/9e6535f7cda29e64af7711347271776cbe1242f33c745c61b5320c84eda5bc7e/detection
https://www.hybrid-analysis.com/sample/9e6535f7cda29e64af7711347271776cbe1242f33c745c61b5320c84eda5bc7e?environmentId=100
https://www.virustotal.com/#/file/5533187aeae5b20d0628496f2ee671704bc806b16f4ce8b92468e9db3343957b/detection
https://www.hybrid-analysis.com/sample/5533187aeae5b20d0628496f2ee671704bc806b16f4ce8b92468e9db3343957b?environmentId=100
https://twitter.com/MalwareInfo_JP/status/1026378994780794882
https://www.jc3.or.jp/topics/virusmail.html
https://bomccss.hatenablog.jp/entry/2018/08/10/013314
https://blog.trendmicro.com/trendlabs-security-intelligence/iqy-and-powershell-abused-by-spam-campaign-to-infect-users-in-japan-with-bebloh-and-ursnif/?utm_campaign=shareaholic&utm_medium=twitter&utm_source=socialnetwork
60
2018/07/25
【重要】定期的なID・パスワード変更のお願い/コンピュータウイルスにご注意を
楽天カード株式会社 <rakuten_card_information@freetoper.accountant>
nl.w2tbr[.]net/
All associated IPs resolve to the following address
195.123.216[.]241
もっと詳しくの情報はこちら.pdf.js
https://www.virustotal.com/#/file/b546fc2dbd804948bbece5a28508026eacf0ff971854d0c2c2fd279fb315e2f7/detection
https://www.hybrid-analysis.com/sample/b546fc2dbd804948bbece5a28508026eacf0ff971854d0c2c2fd279fb315e2f7
163cfaeeb5fb5e460b318a7e82bc306c
b546fc2dbd804948bbece5a28508026eacf0ff971854d0c2c2fd279fb315e2f7
hxxp://bn.arranliddel[.]com/0[.]bin
195.123.216[.]241
eaafc6a6ee5500c128475c60358ec7fabbff7a69b05b35a79707be728f60c2cc
https://www.virustotal.com/#/file/eaafc6a6ee5500c128475c60358ec7fabbff7a69b05b35a79707be728f60c2cc/detection
https://www.hybrid-analysis.com/sample/eaafc6a6ee5500c128475c60358ec7fabbff7a69b05b35a79707be728f60c2cc?environmentId=100
https://www.jc3.or.jp/topics/virusmail.html
https://www.cc.uec.ac.jp/blogs/news/2018/07/20180725.html
https://bomccss.hatenablog.jp/entry/2018/07/27/123238
61
2018/07/18
取引情報が更新されました
【発注書受信】
備品発注依頼書の送付
依頼書を
送付しますので
発注依頼書
㈱ 発注書
unknown
attachment
Attach_201807※.zip
※: arbitrary digit string
https://www.virustotal.com/#/file/732d23d9d9b53881ab9e183aec0ce5e28b47fe9f85868187796f45724967f419/detection

▼1-----.jpeg_.vbs
https://www.virustotal.com/#/file/8431aa9312b1ac95a16fa3f14dba262db84c8817765516ca569ff06d6d898d5b/detection
0bd2f91827e3f9e79f2867745d44bdc5
35560ede7b61d89a23f4c1498e2cf8ff
732d23d9d9b53881ab9e183aec0ce5e28b47fe9f85868187796f45724967f419
8431aa9312b1ac95a16fa3f14dba262db84c8817765516ca569ff06d6d898d5b
hxxp://ravigel[.]com/os10.dat
hxxp://ravigel[.]com/cert01.txt
47.74.189[.]69
https://www.jc3.or.jp/topics/virusmail.html
62
2018/07/18
18/07 製造依頼
unknown
attachment
2018追加製造.xls
https://www.virustotal.com/#/file/a67f1f172d846bb7b2e82d2d9d423d0fe12292f2eb4c04e5341acffaa74c800c/detection
https://www.hybrid-analysis.com/sample/a67f1f172d846bb7b2e82d2d9d423d0fe12292f2eb4c04e5341acffaa74c800c/5b4f040f7ca3e1353275a823
https://www.virustotal.com/#/file/e334f91c535aaf02404d898952cd93300daa9c6527790f6b0289885d09de4af3/detection
https://www.hybrid-analysis.com/sample/e334f91c535aaf02404d898952cd93300daa9c6527790f6b0289885d09de4af3?environmentId=100
147590aa93ff42e4bda03d4745d165b9
4508cdd4ea3a98303d5b3fcbccd310ed
a67f1f172d846bb7b2e82d2d9d423d0fe12292f2eb4c04e5341acffaa74c800c
e334f91c535aaf02404d898952cd93300daa9c6527790f6b0289885d09de4af3
hxxp://ravigel[.]com/tvs1.dat
47.74.189[.]69
eaaed139138504fcac268c50a1bdc9d6b0f2715c794d68c47172fdac3bb7fdc2
https://www.virustotal.com/#/file/eaaed139138504fcac268c50a1bdc9d6b0f2715c794d68c47172fdac3bb7fdc2/detection
https://www.hybrid-analysis.com/sample/eaaed139138504fcac268c50a1bdc9d6b0f2715c794d68c47172fdac3bb7fdc2/5b4dcd4c7ca3e165f009a2f4
https://bomccss.hatenablog.jp/entry/2018/07/19/024815
https://www.jc3.or.jp/topics/virusmail.html
63
2018/07/18
のご注文ありがとうございます
ダイレクトメール発注
unknown
attachment
2018_※_注文.zip
※: arbitrary digit string
https://www.virustotal.com/#/file/f4ccdf38e3d8a735854f22719a67ddda8b3c39daf908d969d5dbb47ab7f58cd5/details

▼18.07.2018_00003994-33.vbs
https://www.virustotal.com/#/file/add4b9ee57870da12862a3110600f08522169b0c5b9ffd4e3b496a1ce148688a/detection
https://www.hybrid-analysis.com/sample/add4b9ee57870da12862a3110600f08522169b0c5b9ffd4e3b496a1ce148688a?environmentId=100
▼18.07.2018_00003994.PDF
https://www.virustotal.com/#/file/c7c2ab915b0ea3e081d19cecaf7bf6bfeed408c1aa7b3a4eb9d6e4e9cffa0647/detection
https://www.hybrid-analysis.com/sample/c7c2ab915b0ea3e081d19cecaf7bf6bfeed408c1aa7b3a4eb9d6e4e9cffa0647?environmentId=100
427dac26d5478b29b110a167cde02a92
20c9a52088bc5063eb0f40cae6643c47
486679a37d967ba06e04f5b05431cb83
f4ccdf38e3d8a735854f22719a67ddda8b3c39daf908d969d5dbb47ab7f58cd5
add4b9ee57870da12862a3110600f08522169b0c5b9ffd4e3b496a1ce148688a
c7c2ab915b0ea3e081d19cecaf7bf6bfeed408c1aa7b3a4eb9d6e4e9cffa0647
hxxp://ravigel[.]com/1cr.dat
47.74.189[.]69
unknown
unknown
https://www.jc3.or.jp/topics/virusmail.html
64
2018/07/18
7月
Fw: 資料
ご確認ください
上記書類を送付します。
表題の資料を送付いたします。
再送
申込書類の送付
資料添付します。
unknown
attachment
※_書類.zip
※: arbitrary digit string
https://www.virustotal.com/#/file/2c8ae3926d7e360db377af091df803c18219921b5dd99a92da90a7bf8b61f8d2/detection

▼20180718_2.vbs
https://www.virustotal.com/#/file/a270898758261e81d998bc42d0c87873f8a5d75cc1dae026edb30ecb0573f079/detection
https://www.hybrid-analysis.com/sample/a270898758261e81d998bc42d0c87873f8a5d75cc1dae026edb30ecb0573f079?environmentId=100
▼scan00007.pdf.bin
https://www.virustotal.com/#/file/2b1aeb03f76153befdc5b4929e0ae77e07d71ee8d5b7bda6c64d891b900dcf03/detection
https://www.hybrid-analysis.com/sample/2b1aeb03f76153befdc5b4929e0ae77e07d71ee8d5b7bda6c64d891b900dcf03?environmentId=100
0efcefb682d1bb39a8145692074e25a2
2c8ae3926d7e360db377af091df803c18219921b5dd99a92da90a7bf8b61f8d2
hxxp://ravigel[.]com/1cr.dat
47.74.189[.]69
06e233ee5db6bfdcf04b746436b84276c191f8fcb334c4550d5a67aacae94732
https://www.virustotal.com/#/file/06e233ee5db6bfdcf04b746436b84276c191f8fcb334c4550d5a67aacae94732/detection
https://www.jc3.or.jp/topics/virusmail.html
https://bomccss.hatenablog.jp/entry/2018/07/19/024221
65
2018/07/18
カード利用のお知らせ
楽天カード株式会社 <info@mail.rakuten-card.co.jp>
pl.declarationvideo[.]com
All associated IPs resolve to the following address
185.14.31[.]229
もっと詳しくの情報はこちら.pdf.js
https://www.virustotal.com/#/file/5b1664343ce74627b328e328011b572402325e8f40e06ea7f3e0fa313d75fbe0/detection
https://www.hybrid-analysis.com/sample/5b1664343ce74627b328e328011b572402325e8f40e06ea7f3e0fa313d75fbe0/5b4ed7247ca3e1774520bb05
fe50622e8d2ceaaef50bc998ed143be5
5b1664343ce74627b328e328011b572402325e8f40e06ea7f3e0fa313d75fbe0
hxxp://cr.allweis[.]com/0.bin
185.14.31[.]229
19364a84a5749747772af4239b5661d192ea11342e479ccd5e7086081e458745
https://www.hybrid-analysis.com/sample/19364a84a5749747772af4239b5661d192ea11342e479ccd5e7086081e458745/5b4ed8657ca3e17d395cc73d
https://www.cc.uec.ac.jp/blogs/news/2018/07/20180705rakutencardmalware.html
https://bomccss.hatenablog.jp/entry/2018/07/19/023410
66
2018/07/17
7月
Fw: 資料
ご確認ください
上記書類を送付します。
表題の資料を送付いたします。
再送
申込書類の送付
資料添付します。
unknown
attachment
※_書類.zip
※: arbitrary digit string
https://www.virustotal.com/#/file/f2bcc8995a036e778a0c196513ac8aba0c00c97ed2f57446a5d86465c4226083/detection
https://www.hybrid-analysis.com/sample/f2bcc8995a036e778a0c196513ac8aba0c00c97ed2f57446a5d86465c4226083?environmentId=100
2f0e8d04619d3b2f20bc12a1ed7553ad
f2bcc8995a036e778a0c196513ac8aba0c00c97ed2f57446a5d86465c4226083
hxxp://ravigel[.]com/less[.]dat
hxxp://ravigel[.]com/fdds[.]bin
47.74.189[.]69
06e233ee5db6bfdcf04b746436b84276c191f8fcb334c4550d5a67aacae94732
https://www.virustotal.com/#/file/06e233ee5db6bfdcf04b746436b84276c191f8fcb334c4550d5a67aacae94732/detection
https://www.jc3.or.jp/topics/virusmail.html
67
2018/07/10
書類について
写真
写真送ります。
現場写真
見積書再送付致します
【至急】対応お願い致します
【その2】
unknown
attachment
IMG_(※).zip
※: arbitrary user name
https://www.virustotal.com/#/file/4165270459a38ca8da6ab6ff7c7b1ecf29c13f6b602788738b8da2f0119ae56d/detection
https://www.hybrid-analysis.com/sample/4165270459a38ca8da6ab6ff7c7b1ecf29c13f6b602788738b8da2f0119ae56d/5b446aec7ca3e131097bdf29
28c15d36e724b7c375fb52b10fd689424165270459a38ca8da6ab6ff7c7b1ecf29c13f6b602788738b8da2f0119ae56dhxxp://giarie[.]com/sc2.dat
hxxp://giarie[.]com/no.bin
92.53.66[.]24481d016e80fddb754b20702be0218c8351cb040e0d3a108a1d972a68c86de4ce9
cb173cf63219e4697e8a72929692d3cf629d9d15a9702724f7ffa8f19d03c31e
https://www.virustotal.com/#/file/81d016e80fddb754b20702be0218c8351cb040e0d3a108a1d972a68c86de4ce9/detection
https://www.hybrid-analysis.com/sample/81d016e80fddb754b20702be0218c8351cb040e0d3a108a1d972a68c86de4ce9?environmentId=100
https://www.virustotal.com/#/file/cb173cf63219e4697e8a72929692d3cf629d9d15a9702724f7ffa8f19d03c31e/detection
https://bomccss.hatenablog.jp/entry/2018/07/10/211643
https://www.jc3.or.jp/topics/virusmail.html
Row 68
Date: 2018/07/05
Subject: 【楽天市場】注文内容ご確認(自動配信メール) (【Rakuten Ichiba】Order confirmation (automated mail))
Sender: 楽天市場 (Rakuten Ichiba) <order@rakuten.co.jp>
In-mail link: many hosts, e.g. fj.therealityofyourgreatness[.]com; all resolve to 195.123.238[.]14
Downloaded file: もっと詳しくの情報はこちら.pdf.js ("More details here.pdf.js")
VirusTotal / Hybrid-Analysis (downloaded file):
  https://www.virustotal.com/#/file/48e97bd1819ba5562b297532608b6b3ae5bff2b2d7d3ec47a0221f3f5c55f58b/details
  https://www.hybrid-analysis.com/sample/48e97bd1819ba5562b297532608b6b3ae5bff2b2d7d3ec47a0221f3f5c55f58b?environmentId=100
MD5: 872d618e313a5470d1da327d187f7da0
SHA-256: 48e97bd1819ba5562b297532608b6b3ae5bff2b2d7d3ec47a0221f3f5c55f58b
Malware download URL: hxxp://gq.takeitalyhome[.]com/032901[.]bin
Malware download IP: 195.123.238[.]14
Payload SHA-256: a93182cdcde8030cac64378da0406c7f628486ec1cf41b6e49cf5a551c0ab837
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/a93182cdcde8030cac64378da0406c7f628486ec1cf41b6e49cf5a551c0ab837/detection
  https://www.hybrid-analysis.com/sample/a93182cdcde8030cac64378da0406c7f628486ec1cf41b6e49cf5a551c0ab837?environmentId=100
References:
  https://www.jc3.or.jp/topics/virusmail.html
  https://www.cc.uec.ac.jp/blogs/news/2018/07/20180705rakutenmalware.html
  https://www.inoreader.com/article/3a9c6e7e5a43266d-2018075
Row 69
Date: 2018/07/04
Subjects:
  【楽天カード】カードご請求金額のご案内 (【Rakuten Card】Notice of your card billing amount)
  【速報版】カード利用のお知らせ(本人ご利用分) (【Flash report】Notice of card use (cardholder's own transactions))
Sender: 楽天カード株式会社 (Rakuten Card Co., Ltd.) <info@mail.rakuten-card.co.jp>
In-mail link: many hosts, e.g. vi.dustyesky[.]com; all resolve to 195.123.238[.]14
Downloaded file: もっと詳しくの情報はこちら.PDF.js ("More details here.PDF.js")
VirusTotal / Hybrid-Analysis (downloaded file):
  https://www.virustotal.com/#/file/c94a4bc939685c10181aa25d548bd4aa93866d9ea6640ca6aa8b8f812bd1d62b/details
  https://www.hybrid-analysis.com/sample/c94a4bc939685c10181aa25d548bd4aa93866d9ea6640ca6aa8b8f812bd1d62b?environmentId=100
MD5: ee558a26912166ad277eb50c1b7e4910
SHA-256: c94a4bc939685c10181aa25d548bd4aa93866d9ea6640ca6aa8b8f812bd1d62b
Malware download URL: hxxp://gq.takeitalyhome[.]com/032901[.]bin
Malware download IP: 195.123.238[.]14
Payload SHA-256: a93182cdcde8030cac64378da0406c7f628486ec1cf41b6e49cf5a551c0ab837
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/a93182cdcde8030cac64378da0406c7f628486ec1cf41b6e49cf5a551c0ab837/detection
  https://www.hybrid-analysis.com/sample/a93182cdcde8030cac64378da0406c7f628486ec1cf41b6e49cf5a551c0ab837?environmentId=100
References:
  https://www.cc.uec.ac.jp/blogs/news/2018/07/20180704.html
  https://www.jc3.or.jp/topics/virusmail.html
  https://www.inoreader.com/article/3a9c6e7e5a37a360-20180704
Row 70
Date: 2018/07/03
Subjects:
  写真送付の件 (About the photos being sent)
  写真添付 (Photo attached)
Sender: unknown
Attachment: 2018.(※).写真.xls (※ = arbitrary user name; 写真 = "photo")
VirusTotal / Hybrid-Analysis (attachment):
  https://www.virustotal.com/#/file/213cadcebaef97e5ef8d96d14f4d6a96bfc59f1273e100c7e86907cff81154c8/detection
  https://www.hybrid-analysis.com/sample/213cadcebaef97e5ef8d96d14f4d6a96bfc59f1273e100c7e86907cff81154c8?environmentId=100
MD5: d0d62175f698bbc7e8e6a52b83c6132c
SHA-256: 213cadcebaef97e5ef8d96d14f4d6a96bfc59f1273e100c7e86907cff81154c8
Malware download URL: hxxp://cebtedota[.]com/03062018
Malware download IPs:
  95.179.138[.]241
  161.117.9[.]13
  46.21.248[.]199
Payload SHA-256: 2a3d33977c61cb3a40bcee22e804e602651a09911398a56765220e27aacdbc78
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/2a3d33977c61cb3a40bcee22e804e602651a09911398a56765220e27aacdbc78/detection
  https://www.hybrid-analysis.com/search?query=2a3d33977c61cb3a40bcee22e804e602651a09911398a56765220e27aacdbc78
References:
  https://www.jc3.or.jp/topics/virusmail.html
  https://bomccss.hatenablog.jp/entry/2018/07/27/095523
Row 71
Date: 2018/07/03
Subject: イメージ送付 (Sending image)
Sender: unknown
Attachment: IMG_※-※-A4.xls (※ = arbitrary digit string)
VirusTotal / Hybrid-Analysis (attachment):
  https://www.virustotal.com/#/file/a2da8194ed5f8e0a2786a597b63b59231f506e91c77599d7cbc0d10d89d9db07/detection
  https://www.hybrid-analysis.com/sample/a2da8194ed5f8e0a2786a597b63b59231f506e91c77599d7cbc0d10d89d9db07/5b3b1c627ca3e14c580a5735
MD5: 5ca205a335f71c0341a033f9be9aa1b1
SHA-256: a2da8194ed5f8e0a2786a597b63b59231f506e91c77599d7cbc0d10d89d9db07
Malware download URL: hxxp://cebtedota[.]com/03062018
Malware download IPs:
  95.179.138[.]241
  161.117.9[.]13
  46.21.248[.]199
Payload SHA-256: 2a3d33977c61cb3a40bcee22e804e602651a09911398a56765220e27aacdbc78
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/2a3d33977c61cb3a40bcee22e804e602651a09911398a56765220e27aacdbc78/detection
  https://www.hybrid-analysis.com/search?query=2a3d33977c61cb3a40bcee22e804e602651a09911398a56765220e27aacdbc78
References:
  https://www.jc3.or.jp/topics/virusmail.html
  https://twitter.com/bomccss/status/1014050975152128000
Row 72
Date: 2018/07/02
Subjects:
  7月度発注書送付 (Sending the July purchase order)
  注文書をお送りいたします (Sending the order form)
  invoice/証明書 (invoice/certificate)
Sender: unknown
Attachment: 注文書_(※).xls (※ = arbitrary digit string; 注文書 = "order form")
VirusTotal / Hybrid-Analysis (attachment):
  https://www.virustotal.com/#/file/2459267409143a7723b6e0fea34ef8f4b4bc510ee37e48f422f3324d696aca18/detection
  https://www.hybrid-analysis.com/sample/2459267409143a7723b6e0fea34ef8f4b4bc510ee37e48f422f3324d696aca18/5b3969f57ca3e17ab96aedc4
MD5: ba363a2829817240b59ef316c72a00b1
SHA-256: 2459267409143a7723b6e0fea34ef8f4b4bc510ee37e48f422f3324d696aca18
Malware download URL: hxxp://cebtedota[.]com/csshead
Malware download IP: 46.21.248[.]199
Payload SHA-256: 7c13b9ab1ce7fdeeb8fbb235ed593e4affdedf317a6b7eac06ca3a64ab62daba
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/7c13b9ab1ce7fdeeb8fbb235ed593e4affdedf317a6b7eac06ca3a64ab62daba/detection
  https://www.hybrid-analysis.com/sample/7c13b9ab1ce7fdeeb8fbb235ed593e4affdedf317a6b7eac06ca3a64ab62daba/5b3954bc7ca3e1309c1bf888
References:
  https://www.jc3.or.jp/topics/virusmail.html
  https://bomccss.hatenablog.jp/entry/2018/07/27/094912
Row 73
Date: 2018/06/29
Subject: 【速報版】カード利用のお知らせ(本人ご利用分) (【Flash report】Notice of card use (cardholder's own transactions))
Sender: 楽天カード株式会社 (Rakuten Card Co., Ltd.) <info@mail.rakuten-card.co.jp>
In-mail link: many hosts, e.g. np.mylittlecleaver[.]com; all resolve to 45.125.65[.]69
Downloaded file: 楽天銀行の重要な情報.pdf.js ("Important information from Rakuten Bank.pdf.js")
VirusTotal / Hybrid-Analysis (downloaded file):
  https://www.virustotal.com/#/file/d02c2f068b1e34a99fa31a66dd490c8025de1378470632af9c23853e66beb99f/detection
  https://www.hybrid-analysis.com/sample/d02c2f068b1e34a99fa31a66dd490c8025de1378470632af9c23853e66beb99f?environmentId=100
MD5: d84076dcbff29804ddda7b1805b85184
SHA-256: d02c2f068b1e34a99fa31a66dd490c8025de1378470632af9c23853e66beb99f
Malware download URL: hxxps://fj.gueyprotein[.]com/200.bin
Malware download IP: 45.125.65[.]69
Payload SHA-256: 8ad7ac0ffd6f3daeaefcda542a0cea93bf30f2855135965324b151a2c1a794ed
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/8ad7ac0ffd6f3daeaefcda542a0cea93bf30f2855135965324b151a2c1a794ed/detection
  https://www.hybrid-analysis.com/sample/8ad7ac0ffd6f3daeaefcda542a0cea93bf30f2855135965324b151a2c1a794ed/5b35dc3b7ca3e1709d6fe03b
References:
  https://www.cc.uec.ac.jp/blogs/news/2018/06/20180629.html
  https://www.jc3.or.jp/topics/virusmail.html
  https://bomccss.hatenablog.jp/entry/2018/07/27/094430
Row 74
Date: 2018/06/28
Subjects:
  写真 (Photos)
  写真送付の件 (About the photos being sent)
  写真添付 (Photo attached)
  スナップ写真 (Snapshots)
  添付写真あり (Photos attached)
  写真送ります。(Sending photos.)
Sender: unknown
Attachments (※ = arbitrary digit string; 写真 = "photo"):
  (※)_写真①.xls
  (※)_(※)_写真①.xls
  _(※)_写真①.xls
  (※).xls
  (※)_写真.zip
VirusTotal / Hybrid-Analysis (attachments):
  https://www.virustotal.com/#/file/c152aa123ce01f9a01d21cd8074242c950d5c248c7a33b03c8557cf2246555a6/detection
  https://www.hybrid-analysis.com/sample/c152aa123ce01f9a01d21cd8074242c950d5c248c7a33b03c8557cf2246555a6?environmentId=100
  https://www.hybrid-analysis.com/sample/333ce82ca7591c39a27be2ec07ea3e213e7876ee968d7d736733566883a160bc?environmentId=120
  https://www.hybrid-analysis.com/sample/9413e035932981e809435205528fae36cbbfed87b5defc1731817aa0530e2247?environmentId=120
  https://www.hybrid-analysis.com/sample/d013920c700e10b5bb87272d508a70a83fb3cabad005c6bce5e6ecbb3511cdef?environmentId=120
  https://www.virustotal.com/#/file/c52d97af8390d6c1699928372aaa77862bffbcdad9ea6260b109801ba06f376f/details
  https://www.virustotal.com/#/file/00142dc3bb270d637e3d9c0316ef72bfc068c633833a773f1288a46aab0e8845/detection
MD5:
  79adb26e77f97fb033433a265b5c842b
  f5139cdecc953a48dfe8a56b1d5274c1
  2d9e42a61ed84ac5621dead7798042f3
  7761daa3c88c20248de86727290dc7d6
  4b3a7c7cf853208bfb24fa810c1d2563
SHA-256:
  c152aa123ce01f9a01d21cd8074242c950d5c248c7a33b03c8557cf2246555a6
  333ce82ca7591c39a27be2ec07ea3e213e7876ee968d7d736733566883a160bc
  9413e035932981e809435205528fae36cbbfed87b5defc1731817aa0530e2247
  d013920c700e10b5bb87272d508a70a83fb3cabad005c6bce5e6ecbb3511cdef
  c52d97af8390d6c1699928372aaa77862bffbcdad9ea6260b109801ba06f376f
  00142dc3bb270d637e3d9c0316ef72bfc068c633833a773f1288a46aab0e8845
Malware download URL: hxxp://monde[.]at/realst
Malware download IPs:
  47.74.148[.]105
  47.74.145[.]66
Payload SHA-256: 8df2efce13a873cfde5a424b0d1c9bdc21056840644d8ee53fb843bfc6a9995e
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/8df2efce13a873cfde5a424b0d1c9bdc21056840644d8ee53fb843bfc6a9995e/detection
  https://www.hybrid-analysis.com/sample/8df2efce13a873cfde5a424b0d1c9bdc21056840644d8ee53fb843bfc6a9995e?environmentId=100
References:
  https://www.jc3.or.jp/topics/virusmail.html
  https://bomccss.hatenablog.jp/entry/2018/07/27/093836
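Two conventions in the attachment column are worth turning into rules. First, the sheet writes attachment names as templates in which ※ or (※) stands for the part the sender varies per message, with a note saying whether it is a digit string or a user name; second, the lures that are actually scripts carry a document extension in front of the real one (.pdf.js, .PDF.js, .DOC.js), and one row uses two document extensions (.pdf.xls). The example below is added here and is not the sheet's own code; it compiles a handful of the templates from the rows above into anchored regular expressions and flags double-extension names, the two checks a mail gateway would apply to an attachment name. Which wildcard each template gets follows the sheet's note for that row; the test file names at the bottom are constructed.

```python
import re
from typing import Optional

# Templates copied from the attachment column of the rows above. ※ or (※) is
# the part the sender varies; the sheet says per row whether it is a digit
# string ("任意の数字列") or a user name ("任意のユーザー名").
DIGITS = r"\d+"
ANY = r"[^\\/]+?"
TEMPLATES = {
    "※_書類.zip": DIGITS,
    "IMG_(※).zip": ANY,
    "2018.(※).写真.xls": ANY,
    "IMG_※-※-A4.xls": DIGITS,
    "注文書_(※).xls": DIGITS,
    "(※)_写真①.xls": DIGITS,
    "(※)_写真.zip": DIGITS,
}

# Final extensions that execute on double-click, and document extensions the
# lures place in front of them (".pdf.js", ".DOC.js") or in front of another
# document extension (".pdf.xls"). The sets are assumptions for this example.
SCRIPT_EXT = {"js", "jse", "vbs", "vbe", "wsf", "hta", "exe", "scr"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}


def template_to_regex(template: str, wildcard: str = ANY) -> "re.Pattern[str]":
    """Compile a sheet template into an anchored regex; literal text is escaped."""
    parts = re.split(r"(\(※\)|※)", template)
    body = "".join(wildcard if p in ("※", "(※)") else re.escape(p) for p in parts if p)
    return re.compile(rf"^{body}$")


COMPILED = [(t, template_to_regex(t, w)) for t, w in TEMPLATES.items()]


def matching_template(filename: str) -> Optional[str]:
    """Return the sheet template an attachment name instantiates, if any."""
    for template, rx in COMPILED:
        if rx.match(filename):
            return template
    return None


def double_extension(filename: str) -> Optional[str]:
    """Return the 'pdf.js'-style suffix pair when the name is a double-extension lure."""
    parts = filename.lower().split(".")
    if len(parts) < 3:
        return None
    penult, last = parts[-2], parts[-1]
    if last in SCRIPT_EXT and penult in DOC_EXT:
        return f"{penult}.{last}"
    if last in DOC_EXT and penult in DOC_EXT and penult != last:
        return f"{penult}.{last}"
    return None


def assess(filename: str) -> dict:
    """Combine both checks the way a gateway rule would, returning the evidence."""
    hit = matching_template(filename)
    dbl = double_extension(filename)
    return {"name": filename, "template": hit, "double_extension": dbl,
            "suspicious": hit is not None or dbl is not None}


if __name__ == "__main__":
    # Constructed test names: instantiated templates plus the lure names from the sheet.
    for name in ["IMG_0012-3344-A4.xls", "IMG_taro.zip", "20180628_写真.zip",
                 "もっと詳しくの情報はこちら.pdf.js", "料金明細をチェック.DOC.js",
                 "運輸注文書.pdf.xls", "2018.123.写真.xls", "report.xls"]:
        print(assess(name))
```

The template match is exact apart from the wildcard, so a name such as 2018.123.写真.xls is caught by its template while an ordinary report.xls is not; the double-extension check is what catches the .pdf.js lures whose literal names change from campaign to campaign.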
Row 75
Date: 2018/06/26
Subject: 【楽天カード】カードご請求金額のご案内 (【Rakuten Card】Notice of your card billing amount)
Sender: 楽天カード株式会社 (Rakuten Card Co., Ltd.) <info@mail.rakuten-card.co.jp>
In-mail link: many hosts, e.g. gy.nuecesbend[.]com; all resolve to 198.98.48[.]158
Downloaded file: もっと詳しくの情報はこちら.pdf.js ("More details here.pdf.js")
VirusTotal / Hybrid-Analysis (downloaded file):
  https://www.virustotal.com/#/file/3f057cd1cc91d243859526d4bf78270ed89ec54655e56d8d65bd4030db00a6b1/detection
  https://www.hybrid-analysis.com/sample/3f057cd1cc91d243859526d4bf78270ed89ec54655e56d8d65bd4030db00a6b1?environmentId=100
MD5: 6776bf65314dbc70fb65bd1be70f8008
SHA-256: 3f057cd1cc91d243859526d4bf78270ed89ec54655e56d8d65bd4030db00a6b1
Malware download URL: hxxps://gy.nuecesbend[.]com/0.bin
Malware download IP: 198.98.48[.]158
Payload SHA-256: 41f89827217f8749bbd170fdebe998922f40ccf43225baef9395db8a70d056c4
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/41f89827217f8749bbd170fdebe998922f40ccf43225baef9395db8a70d056c4/detection
  https://www.hybrid-analysis.com/search?query=41f89827217f8749bbd170fdebe998922f40ccf43225baef9395db8a70d056c4
References:
  https://www.cc.uec.ac.jp/blogs/news/2018/06/20180626.html
  https://bomccss.hatenablog.jp/entry/2018/07/27/093422
Row 76
Date: 2018/06/26
Subjects:
  注文書の送付(2018.06.26) (Sending the order form (2018.06.26))
  注文書よろしくお願いします。(Please see the order form.)
Sender: unknown
Attachment: (※).注文書(2018.06.26).xls (※ = arbitrary digit string; 注文書 = "order form")
VirusTotal / Hybrid-Analysis (attachment):
  https://www.virustotal.com/#/file/12259d8b5c59d3268a2a105832bdf2e573c29ce7f089296113a99ef02cf66962/detection
  https://www.hybrid-analysis.com/sample/12259d8b5c59d3268a2a105832bdf2e573c29ce7f089296113a99ef02cf66962?environmentId=100
  https://www.hybrid-analysis.com/sample/61a35081cf789d8fb750b7312a54d4b9137ee498b572be951b3d1a80d46cf3a3?environmentId=100
MD5: 999c161893640a5f4175aa2fa06f2683
SHA-256: 12259d8b5c59d3268a2a105832bdf2e573c29ce7f089296113a99ef02cf66962
Malware download URL: hxxp://gobertonis[.]com/note
Malware download IP: 47.74.148[.]105
Payload SHA-256: 2cb254b33a9af6a024fcfa1da7365ee12c08f814163bece0d322895ecba7ba02
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/2cb254b33a9af6a024fcfa1da7365ee12c08f814163bece0d322895ecba7ba02/detection
  https://www.hybrid-analysis.com/sample/2cb254b33a9af6a024fcfa1da7365ee12c08f814163bece0d322895ecba7ba02?environmentId=100
References:
  https://www.jc3.or.jp/topics/virusmail.html
  https://bomccss.hatenablog.jp/entry/2018/07/27/092101
Row 77
Date: 2018/06/25
Subject: 【振込み確認書】18.06.14 (【Transfer confirmation】18.06.14)
Sender: unknown
Attachment: [DIGIT[1]}_【振込み確認書】18.06.14.xls (placeholder as recorded in the sheet)
VirusTotal / Hybrid-Analysis (attachment):
  https://www.virustotal.com/#/file/a67ec026bfab756d4a8ae7eb6441c37db2075f5ccba4fbc54020e8551a28f8fb/details
  https://www.hybrid-analysis.com/sample/a67ec026bfab756d4a8ae7eb6441c37db2075f5ccba4fbc54020e8551a28f8fb?environmentId=100
MD5: 54e012c297dd96ce698b7059f145520c
SHA-256: a67ec026bfab756d4a8ae7eb6441c37db2075f5ccba4fbc54020e8551a28f8fb
Malware download URL: hxxp://gobertonis[.]com/photo
Malware download IP: 47.74.148[.]105
Payload SHA-256: b2b1370ede349d538770309749f7197cdf0983b90bfb1aaf5e9483bfda7c5361
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/b2b1370ede349d538770309749f7197cdf0983b90bfb1aaf5e9483bfda7c5361/detection
  https://www.hybrid-analysis.com/sample/b2b1370ede349d538770309749f7197cdf0983b90bfb1aaf5e9483bfda7c5361?environmentId=100
References:
  https://www.jc3.or.jp/topics/virusmail.html
Row 78
Date: 2018/06/25
Subjects:
  メールに添付された請求書デー (Invoice data attached to the mail; subject cut short in the sheet)
  2018.6月分請求データ送付の件 (About sending the June 2018 billing data)
  6月度発注書送付 (Sending the June purchase order)
  ご請求書を添付致しておりますので (The invoice is attached, so)
  添付ファイルをご確認下さい。(Please check the attached file.)
Sender: unknown
Attachment: (※)_6月.xls (※ = arbitrary digit string; 6月 = "June")
VirusTotal / Hybrid-Analysis (attachment):
  https://www.virustotal.com/#/file/78857f96c2216323344b2790391fe3207b137bcfe75ac795242cd515bddc13c8/detection
  https://www.hybrid-analysis.com/search?query=78857f96c2216323344b2790391fe3207b137bcfe75ac795242cd515bddc13c8
MD5: 3bf6402f2bbf5c838913e80bb6dda532
SHA-256: 78857f96c2216323344b2790391fe3207b137bcfe75ac795242cd515bddc13c8
Malware download URL: hxxp://gobertonis[.]com/photo
Malware download IP: 47.74.148[.]105
Payload SHA-256: b2b1370ede349d538770309749f7197cdf0983b90bfb1aaf5e9483bfda7c5361
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/b2b1370ede349d538770309749f7197cdf0983b90bfb1aaf5e9483bfda7c5361/detection
  https://www.hybrid-analysis.com/sample/b2b1370ede349d538770309749f7197cdf0983b90bfb1aaf5e9483bfda7c5361?environmentId=100
References:
  https://www.jc3.or.jp/topics/virusmail.html
  https://bomccss.hatenablog.jp/entry/2018/06/26/004218
Row 79
Date: 2018/06/14
Subject: 【振込み確認書】18.06.14 (【Transfer confirmation】18.06.14)
Sender: unknown
Attachment: 【振込み確認書】18.06.14.xls
VirusTotal / Hybrid-Analysis (attachment):
  https://www.virustotal.com/#/file/b3612640b7f18c1fe0eb9f64ab82e27064aa4bdc76c629710c5cf8369fc75e06/detection
  https://www.hybrid-analysis.com/sample/b3612640b7f18c1fe0eb9f64ab82e27064aa4bdc76c629710c5cf8369fc75e06?environmentId=100
MD5: 90aa0a85bc208286d3df4232bb7d784c
SHA-256: b3612640b7f18c1fe0eb9f64ab82e27064aa4bdc76c629710c5cf8369fc75e06
Malware download URL: hxxp://zeraum[.]com/mailout
Malware download IP: 78.155.199[.]97
Payload SHA-256: 60bd3a3642cbd5025e150f48688f11702a92d9c16ff254c4d0e8f57fc4621cc7
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/60bd3a3642cbd5025e150f48688f11702a92d9c16ff254c4d0e8f57fc4621cc7/detection
  https://www.hybrid-analysis.com/sample/60bd3a3642cbd5025e150f48688f11702a92d9c16ff254c4d0e8f57fc4621cc7?environmentId=100
References:
  https://www.jc3.or.jp/topics/virusmail.html
  https://bomccss.hatenablog.jp/entry/2018/06/26/003812
Row 80
Date: 2018/06/14
Subjects ((※) = one of "Re: ", "Re: Re: ", nothing, "Fwd: ", "Fwd: Re:", "."):
  (※)6月請求データ (June billing data)
  (※)6月度発注書送付 (Sending the June purchase order)
  (※)2018.6月分請求データ送付の件 (About sending the June 2018 billing data)
Sender: unknown
Attachment: (※).請求・支払データ.xls (※ = arbitrary digit string; 請求・支払データ = "billing/payment data")
VirusTotal / Hybrid-Analysis (attachments):
  https://www.virustotal.com/#/file/6aa670bd806c6c690e900931da4f3ff78efc967a058a939fc75bb866ccfc21a9/detection
  https://www.hybrid-analysis.com/sample/6aa670bd806c6c690e900931da4f3ff78efc967a058a939fc75bb866ccfc21a9?environmentId=100
  https://www.virustotal.com/#/file/4a98b8cccf0d772df81587ed3076b094cad9a7b6d8c956b0019b56311b22574b/detection
MD5:
  acac6fa70567bcce801f07769b8da017
  d03266913e72922117dbfef63b0b0292
SHA-256:
  6aa670bd806c6c690e900931da4f3ff78efc967a058a939fc75bb866ccfc21a9
  4a98b8cccf0d772df81587ed3076b094cad9a7b6d8c956b0019b56311b22574b
Malware download URL: hxxp://zeraum[.]com/mailout
Malware download IP: 78.155.199[.]97
Payload SHA-256: 60bd3a3642cbd5025e150f48688f11702a92d9c16ff254c4d0e8f57fc4621cc7
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/60bd3a3642cbd5025e150f48688f11702a92d9c16ff254c4d0e8f57fc4621cc7/detection
  https://www.hybrid-analysis.com/sample/60bd3a3642cbd5025e150f48688f11702a92d9c16ff254c4d0e8f57fc4621cc7?environmentId=100
References:
  https://www.jc3.or.jp/topics/virusmail.html
  https://bomccss.hatenablog.jp/entry/2018/06/26/004107
Row 81
Date: 2018/06/13
Subject: 注文書の件 (About the order form)
Sender: unknown
Attachment: 運輸注文書.pdf.xls ("Transport order form.pdf.xls")
VirusTotal / Hybrid-Analysis (attachment):
  https://www.virustotal.com/#/file/fbff0085c5754dbd39eab17c6133ac85773e1b12cb64db646cc0475f4737fa4c/detection
  https://www.hybrid-analysis.com/sample/fbff0085c5754dbd39eab17c6133ac85773e1b12cb64db646cc0475f4737fa4c?environmentId=100
MD5: 950c5f9cf4d0ebe0de24e9d0437228c4
SHA-256: fbff0085c5754dbd39eab17c6133ac85773e1b12cb64db646cc0475f4737fa4c
Malware download URL: hxxp://zeraum[.]com/footerlogo1.gif
Malware download IPs:
  78.155.199[.]97
  47.74.254[.]100
Payload SHA-256: 9ac61841c5a9716c04d632f9d107a17e94af751573a50b9d2c1d5ce26e32b477
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/9ac61841c5a9716c04d632f9d107a17e94af751573a50b9d2c1d5ce26e32b477/detection
  https://www.hybrid-analysis.com/sample/9ac61841c5a9716c04d632f9d107a17e94af751573a50b9d2c1d5ce26e32b477?environmentId=100
References:
  https://www.jc3.or.jp/topics/virusmail.html
  https://bomccss.hatenablog.jp/entry/2018/06/26/003201
Row 82
Date: 2018/06/13
Subjects:
  Fwd: 6月分請求書リスト (Fwd: June invoice list)
  請求書を送ります (Sending the invoice)
Sender: unknown
Attachment: 経理部.(請求書).xls ("Accounting department.(invoice).xls")
VirusTotal / Hybrid-Analysis (attachment):
  https://www.virustotal.com/#/file/412a40cf59759b0188d97649a6baca63d4de4bdfa45a7b5a568d14f8589ef78e/detection
MD5: 6e4c3d92ca0ecc4005da8444b3e65836
SHA-256: 412a40cf59759b0188d97649a6baca63d4de4bdfa45a7b5a568d14f8589ef78e
Malware download URL: hxxp://zeraum[.]com/footerlogo.gif
Malware download IPs:
  78.155.199[.]97
  47.74.254[.]100
Payload SHA-256: 69e3f671104eee450032d603b4afdf6e0eed82354a909d3b755a0813b5faba05
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/69e3f671104eee450032d603b4afdf6e0eed82354a909d3b755a0813b5faba05/detection
  https://www.hybrid-analysis.com/sample/69e3f671104eee450032d603b4afdf6e0eed82354a909d3b755a0813b5faba05?environmentId=100
References:
  https://www.jc3.or.jp/topics/virusmail.html
  https://bomccss.hatenablog.jp/entry/2018/06/26/002513
Row 83
Date: 2018/06/12
Subject: カード利用のお知らせ (Notice of card use)
In-mail link: many hosts, e.g. ua.elpanal.com[.]uy; all resolve to 198.98.48[.]158
Downloaded file: 楽天銀行の重要な情報.pdf.js ("Important information from Rakuten Bank.pdf.js")
VirusTotal / Hybrid-Analysis (downloaded file):
  https://www.virustotal.com/#/file/3cd5240e10e1e8a7d5ff5a74fcbdcd41945df1387346426826cd519cd23d729d/detection
  https://www.hybrid-analysis.com/sample/3cd5240e10e1e8a7d5ff5a74fcbdcd41945df1387346426826cd519cd23d729d?environmentId=100
MD5: e5519f909df33137fb958bdfdcbc9b6d
SHA-256: 3cd5240e10e1e8a7d5ff5a74fcbdcd41945df1387346426826cd519cd23d729d
Malware download URL: hxxps://mm.unitedmfg[.]com/0.bin
Malware download IP: 198.98.48[.]158
Payload SHA-256: 9d55e7d8c83c70ea8c1e7ae17ef56380422dd73ecca008e3c65db0b5cf4e2d1f
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/9d55e7d8c83c70ea8c1e7ae17ef56380422dd73ecca008e3c65db0b5cf4e2d1f/detection
  https://www.hybrid-analysis.com/sample/9d55e7d8c83c70ea8c1e7ae17ef56380422dd73ecca008e3c65db0b5cf4e2d1f?environmentId=100
References:
  https://www.jc3.or.jp/topics/virusmail.html
  https://bomccss.hatenablog.jp/entry/2018/06/26/001645
Row 84
Date: 2018/06/12
Subject: 写真送付の件 (About the photos being sent)
Sender: unknown
Attachment: 2018.(※)_写真.xls (※ = arbitrary digit string; 写真 = "photo")
VirusTotal / Hybrid-Analysis (attachment):
  https://www.virustotal.com/#/file/447ea601b16f16b185b37c49b039cb20a430bff0479da07ed0501bef34ab5e02/detection
  https://www.hybrid-analysis.com/sample/447ea601b16f16b185b37c49b039cb20a430bff0479da07ed0501bef34ab5e02?environmentId=100
MD5: 8d5cef9163be574dc53a58c358794289
SHA-256: 447ea601b16f16b185b37c49b039cb20a430bff0479da07ed0501bef34ab5e02
Malware download URL: hxxp://zeraum[.]com/headtop
Malware download IP: 47.74.254[.]100
Payload SHA-256: 7921a6035cc8a0981a5dee737dd3d29b150ddd48407717d3fca4b6376f2b0e70
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/7921a6035cc8a0981a5dee737dd3d29b150ddd48407717d3fca4b6376f2b0e70/detection
  https://www.hybrid-analysis.com/sample/68cb615583672b5336e2b1082d7473c8e46154d4ea2d37a139617d2a427e5103?environmentId=110
References:
  https://www.jc3.or.jp/topics/virusmail.html
  https://bomccss.hatenablog.jp/entry/2018/06/26/000955
Row 85
Date: 2018/06/12
Subject: 写真送付 (Sending photos)
Sender: unknown
Attachment: 2018.(※)_写真.xls (※ = arbitrary digit string; 写真 = "photo")
VirusTotal / Hybrid-Analysis (attachment):
  https://www.virustotal.com/#/file/447ea601b16f16b185b37c49b039cb20a430bff0479da07ed0501bef34ab5e02/detection
  https://www.hybrid-analysis.com/sample/447ea601b16f16b185b37c49b039cb20a430bff0479da07ed0501bef34ab5e02?environmentId=100
MD5: 8d5cef9163be574dc53a58c358794289
SHA-256: 447ea601b16f16b185b37c49b039cb20a430bff0479da07ed0501bef34ab5e02
Malware download URL: hxxp://zeraum[.]com/headtop
Malware download IP: 47.74.254[.]100
Payload SHA-256: 7921a6035cc8a0981a5dee737dd3d29b150ddd48407717d3fca4b6376f2b0e70
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/7921a6035cc8a0981a5dee737dd3d29b150ddd48407717d3fca4b6376f2b0e70/detection
  https://www.hybrid-analysis.com/sample/68cb615583672b5336e2b1082d7473c8e46154d4ea2d37a139617d2a427e5103?environmentId=110
  https://www.virustotal.com/#/file/ee1bdeb92113ddde9dda41284509bfe8e86747bed45bdda9c29578b747c93eb5/detection
References:
  https://www.jc3.or.jp/topics/virusmail.html
  https://bomccss.hatenablog.jp/entry/2018/06/26/000955
Row 86
Date: 2018/06/12
Subject: 【楽天市場】注文内容ご確認(自動配信メール) (【Rakuten Ichiba】Order confirmation (automated mail))
Sender: 楽天市場 (Rakuten Ichiba) <order@rakuten.co.jp>
In-mail link: many hosts, e.g. ua.elpanal.com[.]uy; all resolve to 198.98.48[.]158
Downloaded file: 楽天銀行の重要な情報.pdf.js ("Important information from Rakuten Bank.pdf.js")
VirusTotal / Hybrid-Analysis (downloaded file):
  https://www.virustotal.com/#/file/3cd5240e10e1e8a7d5ff5a74fcbdcd41945df1387346426826cd519cd23d729d/detection
  https://www.hybrid-analysis.com/sample/3cd5240e10e1e8a7d5ff5a74fcbdcd41945df1387346426826cd519cd23d729d?environmentId=100
MD5: e5519f909df33137fb958bdfdcbc9b6d
SHA-256: 3cd5240e10e1e8a7d5ff5a74fcbdcd41945df1387346426826cd519cd23d729d
Malware download URL: hxxps://mm.unitedmfg[.]com/0.bin
Malware download IP: 198.98.48[.]158
Payload SHA-256: 9d55e7d8c83c70ea8c1e7ae17ef56380422dd73ecca008e3c65db0b5cf4e2d1f
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/9d55e7d8c83c70ea8c1e7ae17ef56380422dd73ecca008e3c65db0b5cf4e2d1f/detection
  https://www.hybrid-analysis.com/sample/9d55e7d8c83c70ea8c1e7ae17ef56380422dd73ecca008e3c65db0b5cf4e2d1f?environmentId=100
References:
  https://www.jc3.or.jp/topics/virusmail.html
  https://bomccss.hatenablog.jp/entry/2018/06/26/000018
Row 87
Date: 2018/06/07
Subject: 【速報版】カード利用のお知らせ(本人ご利用分) (【Flash report】Notice of card use (cardholder's own transactions))
Sender: 楽天カード株式会社 (Rakuten Card Co., Ltd.) <info@mail.rakuten-card.co.jp>
In-mail link: many hosts, e.g. ni.taxplana[.]com; all resolve to 185.236.202[.]149
Downloaded file: 楽天銀行の重要な情報.pdf.js ("Important information from Rakuten Bank.pdf.js")
VirusTotal / Hybrid-Analysis (downloaded file):
  https://www.virustotal.com/#/file/0f58f2393144d9663f1da3656e9133ce81d5283ab7c065ac9cdaade6282a3ead/detection
  https://www.hybrid-analysis.com/sample/0f58f2393144d9663f1da3656e9133ce81d5283ab7c065ac9cdaade6282a3ead?environmentId=100
MD5: d7e30293bf5f134b27e89cdd294aa7a0
SHA-256: 0f58f2393144d9663f1da3656e9133ce81d5283ab7c065ac9cdaade6282a3ead
Malware download URL: hxxps://hu.obci[.]info/010.bin
Malware download IP: 185.236.202[.]148
Payload SHA-256: 9f7b02032349637f0d8c962dab2f08f0e3269c295ac0de385c60274e89390d4b
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/9f7b02032349637f0d8c962dab2f08f0e3269c295ac0de385c60274e89390d4b/detection
  https://www.hybrid-analysis.com/sample/9f7b02032349637f0d8c962dab2f08f0e3269c295ac0de385c60274e89390d4b?environmentId=120
References:
  https://www.cc.uec.ac.jp/blogs/news/2018/06/20180607.html
  https://bomccss.hatenablog.jp/entry/2018/06/25/235419
Row 88
Date: 2018/06/07
Subject: 写真送付の件 (About the photos being sent)
Sender: unknown
Attachment: (※)_写真.xls (※ = arbitrary digit string; 写真 = "photo")
VirusTotal / Hybrid-Analysis (attachment):
  https://www.virustotal.com/#/file/b068e4398772a725fafc3914ba1af6aa78e82b15f3c14f6564b260926ce91a65/detection
  https://www.hybrid-analysis.com/sample/b068e4398772a725fafc3914ba1af6aa78e82b15f3c14f6564b260926ce91a65/5b18db9a7ca3e17f555ac806
MD5: e149e935c0de1545006f4dbeee883a2e
SHA-256: b068e4398772a725fafc3914ba1af6aa78e82b15f3c14f6564b260926ce91a65
Malware download URL: hxxp://tonetdog[.]com/ecotime
Malware download IP: 95.213.237[.]119
Payload SHA-256: 78f71d3d53ec707725135f6d895260143bd3553a13c936ed9e0fec1d13f98cd5
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/78f71d3d53ec707725135f6d895260143bd3553a13c936ed9e0fec1d13f98cd5/detection
  https://www.hybrid-analysis.com/sample/78f71d3d53ec707725135f6d895260143bd3553a13c936ed9e0fec1d13f98cd5?environmentId=100
References:
  https://www.jc3.or.jp/topics/virusmail.html
  https://bomccss.hatenablog.jp/entry/2018/06/25/235159
Row 89
Date: 2018/06/07
Subject: 【楽天市場】注文内容ご確認(自動配信メール) (【Rakuten Ichiba】Order confirmation (automated mail))
Sender: 楽天市場 (Rakuten Ichiba) <order@rakuten.co.jp>
In-mail link: many hosts, e.g. io.ragnv[.]com; all resolve to 185.236.202[.]149
Downloaded file: 楽天銀行の重要な情報.pdf.js ("Important information from Rakuten Bank.pdf.js")
VirusTotal / Hybrid-Analysis (downloaded file):
  https://www.virustotal.com/#/file/0f58f2393144d9663f1da3656e9133ce81d5283ab7c065ac9cdaade6282a3ead/detection
  https://www.hybrid-analysis.com/sample/0f58f2393144d9663f1da3656e9133ce81d5283ab7c065ac9cdaade6282a3ead?environmentId=100
MD5: d7e30293bf5f134b27e89cdd294aa7a0
SHA-256: 0f58f2393144d9663f1da3656e9133ce81d5283ab7c065ac9cdaade6282a3ead
Malware download URL: hxxps://hu.obci[.]info/010.bin
Malware download IP: 185.236.202[.]148
Payload SHA-256: 9f7b02032349637f0d8c962dab2f08f0e3269c295ac0de385c60274e89390d4b
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/9f7b02032349637f0d8c962dab2f08f0e3269c295ac0de385c60274e89390d4b/detection
  https://www.hybrid-analysis.com/sample/9f7b02032349637f0d8c962dab2f08f0e3269c295ac0de385c60274e89390d4b?environmentId=120
References:
  https://www.cc.uec.ac.jp/blogs/news/2018/06/20180607rakutenmalware.html
  https://www.jc3.or.jp/topics/virusmail.html
  https://bomccss.hatenablog.jp/entry/2018/06/25/234814
Row 90
Date: 2018/06/06
Subject: 【速報版】カード利用のお知らせ(本人ご利用分) (【Flash report】Notice of card use (cardholder's own transactions))
Sender: 楽天カード株式会社 (Rakuten Card Co., Ltd.) <info@mail.rakuten-card.co.jp>
In-mail link: many hosts; all resolve to 185.236.202[.]149 or 185.236.202[.]148
Downloaded file: 楽天銀行の重要な情報.pdf.js ("Important information from Rakuten Bank.pdf.js")
VirusTotal / Hybrid-Analysis (downloaded file):
  https://www.virustotal.com/#/file/fce247db612e14783f56d6a7d38d29bc2fface7033d977ce7245331c3bc31735/detection
  https://www.hybrid-analysis.com/sample/fce247db612e14783f56d6a7d38d29bc2fface7033d977ce7245331c3bc31735?environmentId=100
MD5: 15f7f4c3c8060e5a2e26dd256e260ce9
SHA-256: fce247db612e14783f56d6a7d38d29bc2fface7033d977ce7245331c3bc31735
Malware download URL: hxxp://bn.wonderingwriter[.]com/020.bin
Malware download IP: 185.236.202[.]149
Payload SHA-256: 601db298c5766c63831148ba376d219702694b51124e1247f8ec69ab8b9118cd
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/601db298c5766c63831148ba376d219702694b51124e1247f8ec69ab8b9118cd/detection
  https://www.hybrid-analysis.com/sample/601db298c5766c63831148ba376d219702694b51124e1247f8ec69ab8b9118cd?environmentId=100
References:
  https://www.cc.uec.ac.jp/blogs/news/2018/06/20180606malwarerakutencard.html
  https://bomccss.hatenablog.jp/entry/2018/06/18/231801
Row 91
Date: 2018/06/06
Subject: 【楽天市場】注文内容ご確認(自動配信メール) (【Rakuten Ichiba】Order confirmation (automated mail))
Sender: 楽天市場 (Rakuten Ichiba) <order@rakuten.co.jp>
In-mail link: many hosts; all resolve to 185.236.202[.]149 or 185.236.202[.]148
Downloaded file: 楽天銀行の重要な情報.pdf.js ("Important information from Rakuten Bank.pdf.js")
VirusTotal / Hybrid-Analysis (downloaded file):
  https://www.virustotal.com/#/file/fce247db612e14783f56d6a7d38d29bc2fface7033d977ce7245331c3bc31735/detection
  https://www.hybrid-analysis.com/sample/fce247db612e14783f56d6a7d38d29bc2fface7033d977ce7245331c3bc31735?environmentId=100
MD5: 15f7f4c3c8060e5a2e26dd256e260ce9
SHA-256: fce247db612e14783f56d6a7d38d29bc2fface7033d977ce7245331c3bc31735
Malware download URL: hxxp://bn.wonderingwriter[.]com/020.bin
Malware download IP: 185.236.202[.]149
Payload SHA-256: 601db298c5766c63831148ba376d219702694b51124e1247f8ec69ab8b9118cd
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/601db298c5766c63831148ba376d219702694b51124e1247f8ec69ab8b9118cd/detection
  https://www.hybrid-analysis.com/sample/601db298c5766c63831148ba376d219702694b51124e1247f8ec69ab8b9118cd?environmentId=100
References:
  https://www.jc3.or.jp/topics/virusmail.html
  https://bomccss.hatenablog.jp/entry/2018/06/18/231046
Row 92
Date: 2018/06/06
Subject: 【楽天市場】注文内容ご確認(自動配信メール) (【Rakuten Ichiba】Order confirmation (automated mail))
Sender: 楽天市場 (Rakuten Ichiba) <order@rakuten.co.jp>
In-mail link: many hosts; all resolve to 185.236.202[.]149 or 185.236.202[.]148
Downloaded file: 料金明細をチェック.DOC.js ("Check the fee statement.DOC.js")
VirusTotal / Hybrid-Analysis (downloaded file):
  https://www.virustotal.com/#/file/ac7d0efeb3d688a3ebb939fe0604b094c7c4011dd65dd0040b496f9a03ee9c12/detection
  https://www.hybrid-analysis.com/sample/ac7d0efeb3d688a3ebb939fe0604b094c7c4011dd65dd0040b496f9a03ee9c12?environmentId=100
MD5: b5c9b1e0a080605f13c52a25405a3054
SHA-256: ac7d0efeb3d688a3ebb939fe0604b094c7c4011dd65dd0040b496f9a03ee9c12
Malware download URL: hxxp://de.adventuresinprogress[.]com/mass20.bin
Malware download IP: 31.148.220[.]43
Payload SHA-256: 22ea24e569c5cf1e3d70cf9c9d57b258a4cc1f1d6960f9825643df516804adbb
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/22ea24e569c5cf1e3d70cf9c9d57b258a4cc1f1d6960f9825643df516804adbb/detection
  https://www.hybrid-analysis.com/sample/22ea24e569c5cf1e3d70cf9c9d57b258a4cc1f1d6960f9825643df516804adbb?environmentId=100
References:
  https://www.jc3.or.jp/topics/virusmail.html
Row 93
Date: 2018/06/05
Subjects ((※) = one of "Re: ", "Re: Re: ", nothing, "Fwd: ", "Fwd: Re:", "."):
  6月請求データ.xls (June billing data.xls)
  (※)6月分請求データ送付の件 (About sending the June billing data)
  (※)2018.5月分請求データ送付の件.6月請求データ.xls (About sending the May 2018 billing data.June billing data.xls)
Sender: unknown
Attachment: (※)-6月請求データ.xls (※ = arbitrary digit string; 6月請求データ = "June billing data")
VirusTotal / Hybrid-Analysis (attachment):
  https://www.virustotal.com/#/file/638a0bdd8e0f9df15e1bbe6e500ab0e25025eb4342749d64eae054976bfa9113/detection
  https://www.hybrid-analysis.com/sample/638a0bdd8e0f9df15e1bbe6e500ab0e25025eb4342749d64eae054976bfa9113?environmentId=100
MD5: 8bdd9bd74f637642a6e15620787edbaf
SHA-256: 638a0bdd8e0f9df15e1bbe6e500ab0e25025eb4342749d64eae054976bfa9113
Malware download URL: hxxp://tonetdog[.]com/updedge
Malware download IPs:
  95.213.237[.]119
  47.91.56[.]122
Payload SHA-256: 445157da34a5130d4ff834ba123730461c2d034c7cdd8e0275438fa21afbfcec
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/445157da34a5130d4ff834ba123730461c2d034c7cdd8e0275438fa21afbfcec/detection
  https://www.hybrid-analysis.com/sample/445157da34a5130d4ff834ba123730461c2d034c7cdd8e0275438fa21afbfcec?environmentId=100
References:
  https://www.jc3.or.jp/topics/virusmail.html
  https://bomccss.hatenablog.jp/entry/2018/06/10/171441
Row 94
Date: 2018/06/05
Subject: のご注文について (About your order; subject recorded in the sheet from the particle onward)
Sender: unknown
Attachment: 000000.(※).00.xls (※ = user name)
VirusTotal / Hybrid-Analysis (attachment):
  https://www.virustotal.com/#/file/fa98832efd63fe8021c421b3ed47f818bb2db21b526928cb97489be79cd98514/detection
  https://www.hybrid-analysis.com/sample/fa98832efd63fe8021c421b3ed47f818bb2db21b526928cb97489be79cd98514?environmentId=100
MD5: b986f76f2f1b9121f71c7ef3476a2c9e
SHA-256: fa98832efd63fe8021c421b3ed47f818bb2db21b526928cb97489be79cd98514
Malware download URL: hxxp://tonetdog[.]com/updedge
Malware download IPs:
  95.213.237[.]119
  47.91.56[.]122
Payload SHA-256: 445157da34a5130d4ff834ba123730461c2d034c7cdd8e0275438fa21afbfcec
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/445157da34a5130d4ff834ba123730461c2d034c7cdd8e0275438fa21afbfcec/detection
  https://www.hybrid-analysis.com/sample/445157da34a5130d4ff834ba123730461c2d034c7cdd8e0275438fa21afbfcec?environmentId=100
References:
  https://www.jc3.or.jp/topics/virusmail.html
  https://twitter.com/bomccss/status/1004018264391876608
  https://twitter.com/bomccss/status/1004018006396002306
  https://bomccss.hatenablog.jp/entry/2018/06/10/163544
Row 95
Date: 2018/06/05
Subjects (all variants of "About sending the May 2018 billing data"):
  Re: 2018.5月分請求データ送付の件
  Re: Re: 2018.5月分請求データ送付の件
  Fwd: 2018.5月分請求データ送付の件
  Fwd: Re:2018.5月分請求データ送付の件
  .2018.5月分請求データ送付の件
  2018.5月分請求データ送付の件
Sender: unknown
Attachment: (※)-6月請求データ.xls (※ = arbitrary digit string; 6月請求データ = "June billing data")
VirusTotal / Hybrid-Analysis (attachment):
  https://www.virustotal.com/#/file/638a0bdd8e0f9df15e1bbe6e500ab0e25025eb4342749d64eae054976bfa9113/detection
  https://www.hybrid-analysis.com/sample/638a0bdd8e0f9df15e1bbe6e500ab0e25025eb4342749d64eae054976bfa9113?environmentId=100
MD5: 8bdd9bd74f637642a6e15620787edbaf
SHA-256: 638a0bdd8e0f9df15e1bbe6e500ab0e25025eb4342749d64eae054976bfa9113
Malware download URL: hxxp://tonetdog[.]com/updedge
Malware download IPs:
  95.213.237[.]119
  47.91.56[.]122
Payload SHA-256: 445157da34a5130d4ff834ba123730461c2d034c7cdd8e0275438fa21afbfcec
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/445157da34a5130d4ff834ba123730461c2d034c7cdd8e0275438fa21afbfcec/detection
  https://www.hybrid-analysis.com/sample/445157da34a5130d4ff834ba123730461c2d034c7cdd8e0275438fa21afbfcec?environmentId=100
References:
  https://www.jc3.or.jp/topics/virusmail.html
  https://bomccss.hatenablog.jp/entry/2018/06/10/161451
Row 96
Date: 2018/06/05
Subjects:
  RE: 請求書XLSについて (RE: About the invoice XLS)
  請書及び請求書のご送付 (Sending the acceptance letter and invoice)
Sender: unknown
Attachment: (※)_サービス㈱様(請求書).xls (※ = arbitrary digit string; "(※)_Service Co. (invoice).xls")
VirusTotal / Hybrid-Analysis (attachments; more than one downloader sample was observed):
  https://www.virustotal.com/#/file/df8f2415c56fea68db900f4fc1673a6fc83a245e919c611fe1076a4c5ca3a402/detection
  https://www.hybrid-analysis.com/sample/df8f2415c56fea68db900f4fc1673a6fc83a245e919c611fe1076a4c5ca3a402?environmentId=100
  https://www.virustotal.com/#/file/a6203a6b3163b65c726df6f62cf47ce00a376ba6e3336b25eb120f7dd046bc32/detection
MD5:
  5033076e9e605280eb8b0d5e481a2642
  b959de9464c7f7518ad9bbea1f748706
SHA-256:
  df8f2415c56fea68db900f4fc1673a6fc83a245e919c611fe1076a4c5ca3a402
  a6203a6b3163b65c726df6f62cf47ce00a376ba6e3336b25eb120f7dd046bc32
Malware download URL: hxxp://tonetdog[.]com/updedge
Malware download IPs:
  95.213.237[.]119
  47.91.56[.]122
Payload SHA-256: 445157da34a5130d4ff834ba123730461c2d034c7cdd8e0275438fa21afbfcec
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/445157da34a5130d4ff834ba123730461c2d034c7cdd8e0275438fa21afbfcec/detection
  https://www.hybrid-analysis.com/sample/445157da34a5130d4ff834ba123730461c2d034c7cdd8e0275438fa21afbfcec?environmentId=100
References:
  https://www.jc3.or.jp/topics/virusmail.html
  https://twitter.com/bomccss/status/1003907270369923072
  https://bomccss.hatenablog.jp/entry/2018/06/10/161451
Row 97
Date: 2018/05/31
Subjects (all variants of "About sending the May 2018 billing data"):
  Re: 2018.5月分請求データ送付の件
  Re: Re: 2018.5月分請求データ送付の件
  Fwd: 2018.5月分請求データ送付の件
  Fwd: Re:2018.5月分請求データ送付の件
  .2018.5月分請求データ送付の件
  2018.5月分請求データ送付の件
Sender: unknown
Attachment: (※)_※.201805請求データ.xls (※ = arbitrary digit string; 201805請求データ = "201805 billing data")
VirusTotal / Hybrid-Analysis (attachment):
  https://www.virustotal.com/#/file/58413c10a54a4b9b3c897b4d250492ebeade0a528ab9ecdf8f6de6c79bb14822/detection
  https://www.hybrid-analysis.com/sample/58413c10a54a4b9b3c897b4d250492ebeade0a528ab9ecdf8f6de6c79bb14822/5b0f944e7ca3e1603358afe8
MD5: 1250050b339916c895f6f747011a6a8e
SHA-256: 58413c10a54a4b9b3c897b4d250492ebeade0a528ab9ecdf8f6de6c79bb14822
Malware download URL: hxxp://monerotan[.]com/ieprotocol
Malware download IPs:
  47.91.46[.]144
  95.213.236[.]72
  47.91.44[.]13
  47.74.220[.]254
Payload SHA-256: 05e3d73346c3ee810089fedbe2dd3ff3ed4d5c518942f39ef308ef98a6c6f693
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/05e3d73346c3ee810089fedbe2dd3ff3ed4d5c518942f39ef308ef98a6c6f693/detection
  https://www.hybrid-analysis.com/sample/05e3d73346c3ee810089fedbe2dd3ff3ed4d5c518942f39ef308ef98a6c6f693?environmentId=100
References:
  https://www.jc3.or.jp/topics/virusmail.html
  https://goo.gl/hFhjfm
  https://twitter.com/bomccss/status/1002137648562032640
Row 98
Date: 2018/05/30
Subject: 【速報版】カード利用のお知らせ(本人ご利用分) (【Flash report】Notice of card use (cardholder's own transactions))
Sender: 楽天カード株式会社 (Rakuten Card Co., Ltd.) <info@mail.rakuten-card.co.jp>
In-mail link: gq.loriannaharrison[.]net and many other hosts; all resolve to 137.74.249[.]110
Downloaded file: もっと詳しくの情報はこちら.PDF.js ("More details here.PDF.js")
VirusTotal / Hybrid-Analysis (downloaded file):
  https://www.virustotal.com/#/file/5be32a4da0b9b483dd2d6c241bb7923a704438dac6c767dcf22c74f9aa448cd7/detection
  https://www.hybrid-analysis.com/sample/5be32a4da0b9b483dd2d6c241bb7923a704438dac6c767dcf22c74f9aa448cd7/5b0e3a4b9ac508f90ba0a95f
MD5: 6b51df9190abc7ee93a21a6a555dbab3
SHA-256: 5be32a4da0b9b483dd2d6c241bb7923a704438dac6c767dcf22c74f9aa448cd7
Malware download URL: hxxp://pf.mrprana[.]com/101010.bin
Malware download IP: 137.74.249[.]110
Payload SHA-256: f17f4bffce4586b54cee1b9354f417b5413ed619dc1534431277477adc048d4a
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/f17f4bffce4586b54cee1b9354f417b5413ed619dc1534431277477adc048d4a/detection
  https://www.hybrid-analysis.com/sample/f17f4bffce4586b54cee1b9354f417b5413ed619dc1534431277477adc048d4a?environmentId=100
References:
  https://www.cc.uec.ac.jp/blogs/news/2018/05/20180530malwarerakutencard.html
Row 99
Date: 2018/05/30
Subjects (all variants of "About sending the May 2018 billing data"):
  Re: 2018.5月分請求データ送付の件
  Re: Re: 2018.5月分請求データ送付の件
  Fwd: 2018.5月分請求データ送付の件
  Fwd: Re:2018.5月分請求データ送付の件
  .2018.5月分請求データ送付の件
  2018.5月分請求データ送付の件
Sender: unknown
Attachment: ※.[※].201805請求データ.xls (※ = arbitrary digit string; 201805請求データ = "201805 billing data")
VirusTotal / Hybrid-Analysis (attachment):
  https://www.virustotal.com/#/file/c95c3388d9a36bb1c9362195b321ed4e0728eb69424422187e976597b33425b5/detection
MD5: 7aad8d5fec32db1105ca077b438231c9
SHA-256: c95c3388d9a36bb1c9362195b321ed4e0728eb69424422187e976597b33425b5
Malware download URL: hxxp://monerotan[.]com/itunesync
Malware download IP: 47.74.220[.]254
Payload SHA-256: unknown
VirusTotal / Hybrid-Analysis (payload): unknown
References:
  https://www.jc3.or.jp/topics/virusmail.html
Row 100
Date: 2018/05/30
Subject: Airdrop申請内容をご確認ください (Please confirm your Airdrop application details)
Sender: unknown
In-mail link: cx.theblueprintsound[.]com and many other hosts; all resolve to 137.74.249[.]110
Downloaded file: もっと詳しくの情報はこちら.PDF.js ("More details here.PDF.js")
VirusTotal / Hybrid-Analysis (downloaded file):
  https://www.virustotal.com/#/file/5be32a4da0b9b483dd2d6c241bb7923a704438dac6c767dcf22c74f9aa448cd7/detection
  https://www.hybrid-analysis.com/sample/5be32a4da0b9b483dd2d6c241bb7923a704438dac6c767dcf22c74f9aa448cd7/5b0e3a4b9ac508f90ba0a95f
MD5: 6b51df9190abc7ee93a21a6a555dbab3
SHA-256: 5be32a4da0b9b483dd2d6c241bb7923a704438dac6c767dcf22c74f9aa448cd7
Malware download URL: hxxp://pf.mrprana[.]com/101010.bin
Malware download IP: 137.74.249[.]110
Payload SHA-256: f17f4bffce4586b54cee1b9354f417b5413ed619dc1534431277477adc048d4a
VirusTotal / Hybrid-Analysis (payload):
  https://www.virustotal.com/#/file/f17f4bffce4586b54cee1b9354f417b5413ed619dc1534431277477adc048d4a/detection
  https://www.hybrid-analysis.com/sample/f17f4bffce4586b54cee1b9354f417b5413ed619dc1534431277477adc048d4a?environmentId=100
References:
  https://www.jc3.or.jp/topics/virusmail.html
  https://www.cc.uec.ac.jp/blogs/news/2018/05/20180530noahcoin.html