James_inthe_box

December Malspam Campaigns

Jan 2nd, 2020
Date,Details,Email Payload Type,Users Targeted
12/2/2019,"""RE: DM119110143""; rtf -> agenttesla and formbook",Attachment,11
12/2/2019,All subjects contain DocuSign; link -> hancitor -> pony -> evilpony,Link,498
12/6/2019,"""BECC LTD RFQ 110419""; xlsx -> hawkeye",Attachment,2
12/6/2019,"""INQUIRY - TM/TC/ 2020-0059 / 2020-0098""; doc -> hawkeye",Attachment,2
12/9/2019,All subjects contain DocuSign; link -> hancitor -> pony -> evilpony,Link,881
12/9/2019,"All subjects contain ""Request to revise""; zip -> rtf -> avemaria",Attachment,3
12/9/2019,"""REMINDER: DHL Pending Notification/DHL_AWB_0011179303/AD""; img -> nanocore",Attachment,2
12/10/2019,"""Re: SOA- NET30""; img -> agenttesla",Attachment,83
12/10/2019,All subjects contain UPS; link -> hancitor -> pony -> evilpony -> ursnif -> cobaltstrike,Link,292
12/10/2019,All subjects contain 10.12.2019- or 11.12.2019-; link -> dridex,Link,26
12/12/2019,All subjects contain Apple; link -> hancitor -> pony -> evilpony -> ursnif -> cobaltstrike,Link,541
12/12/2019,"""REQUEST FOR QUOTATION NEEDED URGENTLY""; xlsx -> lokibot",Attachment,2
12/12/2019,"""PURCHASE ORDER FOR TOMORROW""; zip -> agenttesla",Attachment,2
12/15/2019,"""RE:PI( Invoice)""; xlsx -> lokibot",Attachment,2
12/15/2019,"All subjects contain ""Rent""; doc -> ostop -> trickbot continued to 12/17",Attachment,51
12/16/2019,"All attachments named ""invoice<digits>.doc""; doc -> predator ",Attachment,2
12/16/2019,"""RFQ- APPROVED PURCHASE ORDER POIM1911011""; docx -> doc -> formbook",Attachment,2
12/17/2019,"Various subjects, .top .online .site .xyz .club senders, app.php; link -> doc -> dridex continued to 12/19",Link,40
12/17/2019,"""Remittance Advice_44121719""; img -> link -> remcos rat",Attachment,3
12/17/2019,"""Signed Sales Contract 05 cont S18WP""; docx -> doc -> formbook",Attachment,2
12/17/2019,"""Re: TT copy""; doc -> lokibot continued to 12/19",Attachment,4
12/17/2019,"""Shipping Document""; img -> formbook",Attachment,3
12/17/2019,"""T/T $33,015.00""; rar -> formbook",Attachment,3
12/17/2019,"""Proforma Invoice""; rar -> agenttesla",Attachment,4
12/18/2019,All subjects contain Docusign; link -> hancitor -> pony -> evilpony -> cobaltstrike,Link,145
12/19/2019,All subjects contain Docusign; link -> hancitor -> pony -> evilpony -> ursnif -> cobaltstrike,Link,154
12/19/2019,"""Transaction Receipt #0087""; img -> nanocore",Attachment,3
12/19/2019,"All attachments named ""parking17<digits>.doc""; doc -> predator ",Attachment,14
12/20/2019,All subjects contain ticket pkg_ attachments; doc -> predator,Attachment,4
12/20/2019,"""Overdue Invoice""; img -> asyncrat",Attachment,4
12/20/2019,"""Your flight ticket has been confirmed!""; iso -> agenttesla continued to 12/23",Attachment,5
12/20/2019,"""Your AWB Shipment has Arrived""; img -> remcos",Attachment,2
12/21/2019,"""po""; ace -> agenttesla",Attachment,2
12/21/2019,"""Payment Advice Ref: 4567TR: TT757""; iso -> agenttesla http",Attachment,4
12/23/2019,"All subjects contain ""fax""; doc -> trickbot",Attachment,23
12/24/2019,"All subjects contain ""holiday bonus""; link -> trickbot loader -> trickbot",Attachment,32
12/24/2020,"""payment confirmation""; img -> nanocore",Attachment,4
12/26/2020,"""Transaction Receipt""; img -> nanocore",Attachment,10
12/26/2020,"""Complaint on <user last name> at <company name>""; link -> trickbot",Link,12
12/25/2020,"""Re: <company name> corporate present""; link -> trickbot",Link,12

c2's

agenttesla/hawkeye exfil emails