James_inthe_box

Nov Campaigns, c2s, email exfils

Dec 6th, 2019
Date,Details,Email Payload Type,Users Targeted
11/4/2018,"""MAERSK LINE BILL OF LANDING DOCUMENT/INVOICE|RE:Confirm Account details""; img -> agenttesla continued to 11/6",Attachment,167
11/4/2019,"""PRICE FORECAST INQUIRY""; gz -> netwire continued to 11/5",Attachment,21
11/4/2019,"""APPROVED PURCHASE ORDER PO05-9189 & PO06-9190 FOB JEBEL ALI""; rar -> formbook",Attachment,2
11/4/2019,"""Payment slip attached""; iso -> agenttesla",Attachment,3
11/5/2019,All subjects contain DocuSign; link -> hancitor -> pony -> evilpony,Link,"2,377"
11/5/2019,"""RE:Confirm Account details""; img -> agenttesla continued to 11/7",Attachment,460
11/5/2019,"All subjects contain ""DHL Documents; BL/CI;""; xls -> dridex",Attachment,47
11/6/2019,"""RFQ#BQ-SRN-B19-GZU-815 Supplies""; iso -> agenttesla http",Attachment,3
11/6/2019,All subjects contain Harvest; docm -> icedid -> trickbot,Attachment,26
11/6/2019,"""Your package has been delivered""; zip -> vbs -> dridex",Attachment,23
11/7/2019,"All subjects contain ""has invited you to Resume.doc""; doc -> get2",Attachment,529
11/7/2019,"""FedEx Notification""; img -> agenttesla",Attachment,169
11/8/2019,"All subjects contain ""Re: annual bonus form for""; link -> trickbot",Link,2
11/8/2019,"All subjects contain ""contract.docx""; docx -> get2",Link,126
11/11/2019,"All subjects contain ""Microsoft OneDrive N""; zip -> dridex continued to 11/12",Attachment,125
11/11/2019,"""Your package has been delivered""; zip -> vbs -> dridex",Attachment,2
11/11/2019,"""INVOICE COPY // 000060364|subjects contain payment|invoice|DHL""; xls -> dridex d35259088.xls",Attachment,21
11/11/2019,"""ASTIR SA -FINAL ORDER""; rar iso -> hawkeye keylogger",Attachment,2
11/12/2019,"""Shipment Document BL,INV and packing list""; ace -> agenttesla",Attachment,2
11/12/2019,"""Final Order""; iso rar -> hawkeye keylogger",Attachment,2
11/12/2019,"""RE: FACTURA DE FLETE DHL""; rar zip -> lokibot",Attachment,2
11/12/2019,"""Purchase Order 12/11/2019""; zip -> agenttesla",Attachment,5
11/13/2019,Various hijacked subjects; zip -> ursnif Heritage_Partners_Group.zip,Attachment,3
11/13/2019,"""Re: NEW ORDER-P.O. 8576353""; img -> agenttesla",Attachment,24
11/13/2019,"""New Order""; rar -> link -> agenttesla",Attachment,16
11/13/2019,"""New Order # DLU1910-951-DW, 3X HSRO-4040-FF - FCA / SO 138696553""; zip -> lnk -> agenttesla",Attachment,40
11/13/2019,"""Your package has been delivered""; zip -> vbs -> dridex",Attachment,5
11/14/2019,"""Urgent Quotation - #026548""; 7z -> agenttesla",Attachment,6
11/14/2019,"""Re: Purchase Order No. ( PO-191115-02837)""; rar -> agenttesla",Attachment,2
11/14/2019,"""?? RFQ CEPH CRM:041510000249 / F34269 J1704K-03136""; rar -> agenttesla continued to 11/15",Attachment,12
11/15/2019,"""HR has invited you to dismissal order.xlsx""; link -> xls -> get2 -> sdbot",Link,35
11/16/2019,"""DHL Express Shipment Confirmation [AWB-6966188176]""; ace -> lokibot",Attachment,2
11/16/2019,"""Quotation from WAYMAH LIMITED - Waterproofing Roof""; rtf -> agenttesla",Attachment,3
11/16/2019,All attachments are iqy; buran ransomware,Attachment,13
11/17/2019,"""**TOP URGENT** SOA""; rar -> agenttesla continued to 11/18",Attachment,2
11/18/2019,"""SAMPLE""; img -> agenttesla",Attachment,8
11/18/2019,Various subjects; one letter <digits>_.zip -> vbs -> dridex,Attachment,17
11/18/2019,Various subjects; fax_id<digits>.doc attachment -> predatorthethief,Attachment,3
11/18/2019,"""V235 ASD Statement""; rtf -> netwire",Attachment,2
11/18/2019,"""RFQ Work Order# W45394 Quote# I33613 Ref# 2019-SA-RO-013 2019-09-27 9-42-00 AM""; rar -> agenttesla continued to 11/19",Attachment,17
11/19/2019,Various subjects; <digits>_customer_inv_<digits>.xls|invoice_form|invoice_letter -> dridex continued to 11/20,Attachment,132
11/19/2019,All subjects contain DocuSign; link -> hancitor -> pony -> evilpony -> ursnif -> cobaltstrike,Link,50
11/19/2019,"""RFQ: Sheet & Specification""; iso -> agenttesla",Attachment,2
11/19/2019,"""FIND THE ATTACHED""; link -> formbook",Link,15
11/20/2019,"Most subjects contain ""RE: Payout""; link -> trickbot",Link,11
11/20/2019,"All subjects contain ""Microsoft OneDrive N""; zip -> dridex continued to 11/12",Attachment,3
11/20/2019,All subjects contain DocuSign; link -> hancitor -> pony -> evilpony -> ursnif,Link,12
11/20/2019,"Various subjects; xlsx -> lokibot",Attachment,9
11/20/2019,"""HSBC SWIFT Advice Against Order# Ref:[CD0061282] // Customer Ref //:[A0028218]""; ace -> formbook",Attachment,3
11/21/2019,"""Fw: Re: Re: Request for quotation (Very Urgent)""; zip -> broken :(",Attachment,30
11/21/2019,"""New Order 2020""; xlsx -> agenttesla",Attachment,5
11/21/2019,"All subjects contain ""Annual Bonus|Invoice status""; link -> trickbot",Link,19
11/21/2019,"""Purchase Sample""; img ->",Attachment,2
11/22/2019,"""Re: Kindly Review Payment!""; doc -> netwire",Attachment,2
11/22/2019,"""Fwd: Statement for ""; link -> trickbot",Link,12
11/23/2019,"""Re: Urgent Booking Confirmation!""; doc -> netwire",Attachment,3
11/24/2019,"""Re: Request for the current statement""; rar -> ",Attachment,8
11/25/2019,"All subjects contain ""bonus report|RE: <username> statement""; link -> trickbot",Link,23
11/25/2019,"""Case Number: BODO-119748116845""; exe -> formbook",Attachment,4
11/25/2019,"""Your Customer Sent You Files via WeTransfer""; link -> ",Link,4
11/26/2019,"Various subjects attachment name ""copy-Inv. Doc|invoice_swift_date ""; xls -> dridex",Attachment,113
11/26/2019,"""You have received a new fax, document <digits>""; doc -> trickbot",Attachment,2
11/26/2019,"""Request For Quotation and drawings""; doc -> raccoon stealer",Attachment,4
11/26/2019,"""RE: [order confirmation]: PO NOVEMBER 2019""; doc -> agenttesla",Attachment,2
11/26/2019,"All subjects contain ""Microsoft OneDrive N""; zip -> dridex",Attachment,4
11/26/2019,"Various subjects containing ""fax"" efax_ attachments; doc -> trickbot",Attachment,4
11/26/2019,All subjects contain DocuSign; link -> hancitor -> pony -> evilpony -> ursnif -> cobaltstrike,Link,388
11/27/2019,"""Shipment Document BL,INV and packing list""; ace -> formbook",Attachment,5
11/27/2019,All subjects contain DocuSign; link -> hancitor -> pony -> evilpony -> ursnif,Link,300

nov1/agenttesla/,us2.smtp.mailhostbox.com
nov1/agenttesla/2/,smtp.lbhrne.com
nov1/hawkeye/,mail.privateemail.com
nov4/agenttesla/,mail.arkazo.com
nov4/agenttesla/2/,mailhostbox.com
nov4/agenttesla/3/,smtp.sitechukandlreland.com
nov4/agenttesla/4/,us2.smtp.mailhostbox.com
nov4/agenttesla/5/,us2.smtp.mailhostbox.com
nov4/agenttesla/6/,us2.smtp.mailhostbox.com
nov4/formbook/,www.wellmadecostumes.com
nov4/formbook/another/,http://www.emmajcoombe.com/h320/
nov4/hawkeye/,mail.privateemail.com
nov4/nanocore/,79.134.225.76
nov4/nanocore/another/,79.134.225.76
nov4/nanocore/yetanother/,79.134.225.76
nov4/netwire/,noapology.climatechangeawareness.uk
nov5/agenttesla-blackrat/,mail.kingstoncomplex.com
nov5/agenttesla/,mail.jayakartasoundexpert.com
nov5/avemaria/,favour.ddnsgeek.com
nov5/dridex/,https://masteronare.com/function.php?3b3988df-c05b-4fca-93cc-8f82af0e3d2b
nov6/agenttesla/,us2.smtp.mailhostbox.com
nov6/agenttesla/2/,https://webtoall.in/men/inc/c7afb5603b20fe.php
nov6/agenttesla/3/,us2.smtp.mailhostbox.com
nov6/agenttesla/4/,mail.belfama.com
nov6/formbook/,www.ido-expo.com
nov6/orion/,smtp.btconrnect.com
nov11/agenttesla/,mail.jayakartasoundexpert.com
nov11/agenttesla/2/,mail.vermak.com.tr
nov11/dridex/,https://maxinato.com/email.php
nov11/hawkeye/,mail.ancopottary.com
nov11/hawkeye/3/,smtp.arabsecurify.net
nov11/hawkeye/another/,smtp.arabsecurify.net
nov11/nanocore/,79.134.225.104
nov11/netwire/,noapology.duckdns.org
nov12/agenttesla/,secure.emailsrvr.com
nov12/agenttesla/2/,us2.smtp.mailhostbox.com
nov12/agenttesla/3/,smtp.yandex.com
nov12/agenttesla/4/,smtp.ionos.com
nov12/agenttesla/5/,smtp.pbrend.com
nov12/agenttesla/6/,vermak.com.tr
nov12/agenttesla/7/,us2.smtp.mailhostbox.com
nov12/formbook/,www.xosuno.com/h342/
nov12/hawkeye/,mail.ancopottary.com
nov12/lokibot/,37.120.146.13/68259/roks/fre.php
nov13/agenttesla/,smtp.hostinger.com
nov13/agenttesla/2/,mail.jayakartasoundexpert.com
nov13/agenttesla/3/,smtp.pbrend.com
nov13/agenttesla/6/,smtp.hotelmadridtorrevieja.com
nov13/agenttesla/7/,smtp.hotelmadridtorrevieja.com
nov13/agenttesla/8/,smtp.rishichemlcals.com
nov13/agenttesla/9/,smtp.hostinger.com
nov13/dridex/,https://45.137.151.151/
nov13/icedid/,http://aginia.net/data3.php?7D8AAD5B7419DE99
nov13/netwire/,noapology.duckdns.org
nov14/agenttesla/,mail.ushaprime.com
nov14/agenttesla/2/,us2.smtp.mailhostbox.com
nov14/agenttesla/3/,smtp.pbrend.com
nov14/agenttesla/4/,us2.smtp.mailhostbox.com
nov14/agenttesla/5/,smtp.yandex.com
nov14/agenttesla/6/,smtp.pbrend.com
nov14/dridex/,https://45.137.151.151/
nov14/hawkeye/,mail.ancopottary.com
nov14/pony/,http://yehovahbuilders.com/MySQL/panelnew/gate.php
nov14/remcos/2/,top.multigamingjo.waw.pl
nov15/agenttesla/,smtp.zoho.com
nov15/agenttesla/another/,premium78.web-hosting.com
nov15/nanocore/,chimurenga.duckdns.org
nov16/agenttesla/,mail.ushaprime.com
nov16/lokibot/,http://dadatiles.com.au/pounds/fre.php
nov16/lokibot/another/,http://37.187.207.221/web-content/css/Panel/five/fre.php
nov17/agenttelsa/,us2.smtp.mailhostbox.com
nov18/agenttesla/,showpromotionsonline.com
nov18/hawkeye/,mail.privateemail.com
nov18/lokibot/,http://pms-center.com/mb/Panel/fre.php
nov18/nanocore/,46.183.222.66
nov18/nanocore/another/,khurramchalingang.ddns.net
nov18/netwire/,almeenamarine.ddns.net
nov18/trickbot/,188.165.62.17
nov19/agenttesla/2/,us2.smtp.mailhostbox.com
nov19/agenttesla/3/,smtp.hotelmadridtorrevieja.com
nov19/agenttesla/4/,smtp.juili-tw.com
nov19/formbook/,www.nwsouthroad.com/cix/
nov19/hawkeye/,mail.omanipackaging.com
nov19/lokibot/,http://awba-groups.com/Broken/fre.php
nov19/ta505/,https://microsoft-store-en.com/490183
nov20/agenttesla/,mail.shreejitransport.com
nov20/agenttesla/2/,smtp.ionos.com
nov20/agenttesla/3/,smtp.juili-tw.com
nov20/agenttesla/4/,mail.tawakalimpex.com
nov20/agenttesla/5/,us2.smtp.mailhostbox.com
nov20/formbook/,http://www.domferz.com/h342/
nov20/formbook/another/,www.thankslotto.com
nov20/formbook/yetanother/,http://www.domferz.com/h342/
nov20/lokibot/,http://indextechno.com/cyber/tech/coded/fre.php
nov20/lokibot/2/,http://kitchenraja.in/jay/Panel/five/fre.php
nov20/nanocore/,79.134.225.104
nov20/njrat-agenttesla/,103.139.45.248
nov20/trickbot/,117.255.221.135
nov21/agenttesla/,us2.smtp.mailhostbox.com
nov21/agenttesla/2/,smtp.juili-tw.com
nov21/agenttesla/3/,showpromotionsonline.com
nov21/agenttesla/4/,mail.koohejisafety.com
nov21/lokibot/,http://indextechno.com/cyber/tech/coded/fre.php
nov21/lokibot/another/,http://awba-groups.com/Broken/fre.php
nov21/remcos/,reverse.spamassasins.icu
nov21/trickbot/,https://195.123.220.193/run6/
nov22/agenttesla/,smtp.tetenel.com
nov22/agenttesla/2/,smtp.hotelmadridtorrevieja.com
nov22/amadey/,http://217.8.117.46/5vFgnRd4hdDbgS3H/index.php
nov22/hawkeye/,mail.lnventcast.in
nov22/netwire/,185.165.153.221
nov23/netwire/,superserver100.hopto.org
nov24/agenttesla/,smtp.highestgame.us
nov24/lokibot/,http://villa-samnang.com/wpadmin/sever/wpincludes/files/fre.php
nov24/phoenix/,mail.foodreview.world
nov25/agenttelsa/,mail.hervitama.co.id
nov25/agenttelsa/2/,server252.web-hosting.com
nov25/agenttelsa/3/,smtp.universelcanning.com
nov25/agenttelsa/4/,mail.arkazo.com
nov25/agenttelsa/5/,smtp.tkbill.biz
nov25/formbook/,www.italianato.com
nov25/hawkeye/,mail.privateemail.com
nov25/nanocore/,91.193.75.181
nov25/trickbot/,https://181.112.157.42:449/run8
nov26/agenttesla/,smtp.cnlembor.com
nov26/azorult/,https://algo.empirehempmarket.com/index.php
nov26/dridex/,124.156.35.183
nov26/formbook/,http://www.wasserschaden-hero.com/ut/
nov26/hawkeye/,mail.privateemail.com
nov26/hawkeye/2/,mail.privateemail.com
nov26/hawkeye/3/,mail.privateemail.com
nov26/raccoon/,http://34.76.145.229/gate/log.php
nov26/trickbot/,108.170.52.149
nov27/formbook/,www.jscheide.com/s0s/

RCPT TO:<bijo@lbhrne.com>
RCPT TO:<chinaloggers@juili-tw.com>
RCPT TO:<eliteexports@yandex.com>
RCPT TO:<erik.smeyers@grraco.com>
RCPT TO:<gm-fc@omanipackaging.com>
RCPT TO:<img@kingstoncomplex.com>
RCPT TO:<info@highestgame.us>
RCPT TO:<info@hotelmadridtorrevieja.com>
RCPT TO:<info@rishichemlcals.com>
RCPT TO:<info@showpromotionsonline.com>
RCPT TO:<info@tawakalimpex.com>
RCPT TO:<loggers@sitechukandlreland.com>
RCPT TO:<mpotyrala@pbrend.com>
RCPT TO:<nicholas@btconrnect.com>
RCPT TO:<payurprice@arabsecurify.net>
RCPT TO:<purchase@ushaprime.com>
RCPT TO:<sales@cnlembor.com>
RCPT TO:<star-money@tetenel.com>
RCPT TO:<thb@tbh-tw.com>
RCPT TO:<voicemail@showpromotionsonline.com>