James_inthe_box

Jan Malware Campaigns

Feb 3rd, 2020
Date,Details,Email Payload Type,Users Targeted
1/2/2020,"""Re: <last name> documents""; link -> trickbot",Attachment,12
1/3/2020,"""RFQ : REQUIREMENT""; img -> netwire",Attachment,3
1/5/2020,"""Re-Update Your Account""; rar -> avemaria continued to 1/6",Attachment,2
1/6/2020,"""TT Remittance Advice/SOA""; gz -> lokibot",Attachment,3
1/6/2020,"""Re: (KCPC)New order""; img -> agenttesla",Attachment,6
1/6/2020,"""Overdue Invoice""; img -> nanocore",Attachment,4
1/7/2020,"""PO No. 4900035375 dated 07.10.2019.""; doc -> formbook",Attachment,2
1/7/2020,"""Purchase Order PO-19/19642, dated 07-01-20202,""; xlsx -> formbook",Attachment,2
1/7/2020,"""RE: New order-AlAnsari Technical""; img -> agenttesla continued to 1/8",Attachment,12
1/7/2020,"""RFP Invitation Letter from RT(pvt) on competitive bidding""; rar -> agenttesla",Attachment,2
1/7/2020,"""Transfer set up (#101908269)""; rar -> agenttesla",Attachment,2
1/7/2020,"""Re: Outstanding Wire Transfer""; doc -> broken :(",Attachment,3
1/8/2020,"""SWIFT Confirmation Received: 8742571554 | Wed, 08 Jan 2020 11:05:22""; rar -> agenttesla",Attachment,2
1/9/2020,"""RE: New Order-ANUARY 08, 2020 ""; rar -> nanocore",Attachment,2
1/9/2020,"""Sales Order 0000157266""; img -> nanocore",Attachment,3
1/9/2020,"""Shipping Documents/ bill of lading> IWM/CO/260&457/20""; rtf -> formbook continued to 1/12",Attachment,77
1/10/2020,"""RE: ?? ?? SOA""; img -> agenttesla continued to 1/11",Attachment,4
1/13/2020,"""RFQ: MMA-222752572-20""; xlsx -> hawkeye",Attachment,2
1/13/2020,"""Unpaid PO'S""; doc -> emotet",Attachment,5
1/13/2020,"All subjects contain ""Deposit-<digits>""; link -> dridex",Attachment,5
1/14/2020,"""products inquiry""; rtf -> agenttesla",Attachment,10
1/14/2020,"""Request for Quotation - V-40795""; iso -> nanocore",Attachment,3
1/14/2020,"""! **URGENT** Request for Quote - DERIVEN IMPORTS/EXPORTS SW011020""; rar -> agenttesla",Attachment,4
1/15/2020,"""ORDER N.1SH on 15.01.2020 PO#99057-78""; doc -> agenttesla",Attachment,3
1/15/2020,"""Enquiry: MV MOL Genesis, E6211926716""; xlsx -> lokibot",Attachment,19
1/15/2020,"""Re: Payment Breakdown for Consignment 16/01/2020""; img -> agenttesla continued to 1/17",Attachment,86
1/15/2020,"""Forwader Instructions and Shipment Quotation.""; zip -> agenttesla",Attachment,2
1/15/2020,"""Payment Update""; xls -> agenttesla",Attachment,11
1/16/2020,"""Your Order is on its way! 1912030I""; img -> nanocore",Attachment,2
1/16/2020,"""Proforma Invoice""; rar -> ",Attachment,27
1/16/2020,"""RFQ 202001033""; doc -> pony",Attachment,32
1/16/2020,All subjects pertain to parking; p-<digits>.doc -> predator,Attachment,4
1/16/2020,"""Re: Wire transfer copy""; zip and rtf -> lokibot",Attachment,9
1/17/2020,"""HSBC SWIFT Advice Against Order# Ref:[BA0061762] // Customer Ref //:[A0064218]""; xlsx -> formbook continued to 1/19",Attachment,10
1/19/2020,"""Dhl BILL OF LANDING DOCUMENT/INVOICE|DHL Shipment Notification :720983301529""; img -> agenttesla continued to 1/20",Attachment,97
1/20/2020,"""Payment Advice""; rar exe -> agenttesla",Attachment,4
1/20/2020,"""DHL BILL OF LANDING DOCUMENT/INVOICE""; rar -> pony continued to 1/21",Attachment,46
1/21/2020,All subjects contain Docusign; link -> hancitor -> pony -> evilpony,Link,65
1/21/2020,"All subjects contain ""invoice is ready""; link -> trickbot",Link,6
1/21/2020,"""Invoice Due <digits>""; doc -> dridex",Attachment,5
1/21/2020,"""DHL AWB Number:6278216733""; img -> agenttesla",Attachment,106
1/22/2020,"""Telex Transfer""; zip -> agenttesla",Attachment,5
1/22/2020,"All subjects contain ""RE: <last name> wire transfer confirmation""; link -> trickbot",Link,6
1/22/2020,All subjects contain Docusign; link -> hancitor -> pony -> evilpony,Link,111
1/23/2020,"""New Order PO-8879""; img ->",Attachment,2
1/23/2020,All subjects contain Docusign; link -> hancitor -> pony -> evilpony,Link,34
1/23/2020,"""NEFT-UTR:SBI0000779853011""; rar -> formbook",Attachment,8
1/23/2020,"""Remittance Advice""; doc -> nanocore",Attachment,3
1/24/2020,"""URGENT QUOTATION EN01/2020""; docx xlsx -> agenttesla",Attachment,3
1/24/2020,"All subjects contain ""wire confirmation|termination list""; link -> trickbot",Link,16
1/25/2020,MT-103 SWIFT PAYMENT COPY; rar -> pony,Attachment,6
1/27/2020,All subjects contain Docusign; link -> hancitor -> pony -> evilpony,Link,89
1/28/2020,"""Payment Remittance - MT103""; doc -> agenttesla",Attachment,11
1/28/2020,"""Invoice Due #<digits>""; doc -> dridex",Attachment,8
1/28/2020,All subjects contain Docusign; link -> hancitor -> pony -> evilpony,Link,89
1/29/2020,""" Fwd: COPY DOCS//DRAFT BL//RE: SHIPMENT DETAILS//RE: SALE CONTRACT//RE: SALES""; rar -> agenttesla",Attachment,2
1/29/2020,"""Re: P.O 099656754-0134""; img -> agenttesla",Attachment,2
1/29/2020,"""BMS PO: 4820 - Shipping Documents - Yr PO - 1-28-2020(S19)""; xlsx -> agenttesla",Attachment,5
1/29/2020,"""!KINDLY ACKNOWLEDGE OUR PROPOSAL! We Hope To Start A Strong Business Relationship With You This 2020""; ",Attachment,2
1/29/2020,"""DHL Parcel Notification ready for drop-off""; rar -> lokibot",Attachment,7
1/29/2020,"""FedEX Express Shipping Document Notification""; rar -> lokibot continued to 02/01",Attachment,11
1/30/2020,"""RE: RE: Proforma Invoice""; rar -> formbook",Attachment,5
1/30/2020,"""Sales Contract and P.O sheet of New Order - Confirmation""; xlsx -> agenttesla",Attachment,2
1/30/2020,"""AWD Ref#080739391234""; rar -> lokibot",Attachment,3
1/30/2020,"All subjects contain ""DocuSign""; doc -> predator",Attachment,9
1/30/2020,"""Request Quotation (QTK19-678)""; img -> formbook",Attachment,3

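The Details column packs three things into one free-text field: the lure subject (a literal in quotes, or a pattern such as "All subjects contain ..."), the container type(s) the lure carried, and the family chain, with an optional "continued to" date. The Python below is an added example, not James_inthe_box's own tooling: it parses that layout, folds the author's family-name typos, totals users targeted per first-stage family and per lure type, and flags rows where the Details text says "link" but the Email Payload Type column says Attachment. SAMPLE_CSV is a constructed excerpt of the table above with rows copied verbatim; run load_campaigns() on the whole paste for the full numbers.

```python
"""Parse the January campaign CSV and summarise it by family and lure type.

Added example, not the paste author's tooling. SAMPLE_CSV is a constructed
excerpt of the table above (rows copied verbatim, including a row whose
payload was never identified). Feed load_campaigns() the whole paste for real use.
"""
import csv
import io
import re
from collections import Counter

SAMPLE_CSV = '''Date,Details,Email Payload Type,Users Targeted
1/2/2020,"""Re: <last name> documents""; link -> trickbot",Attachment,12
1/9/2020,"""Shipping Documents/ bill of lading> IWM/CO/260&457/20""; rtf -> formbook continued to 1/12",Attachment,77
1/13/2020,"All subjects contain ""Deposit-<digits>""; link -> dridex",Attachment,5
1/16/2020,"""Proforma Invoice""; rar -> ",Attachment,27
1/16/2020,"""Re: Wire transfer copy""; zip and rtf -> lokibot",Attachment,9
1/21/2020,All subjects contain Docusign; link -> hancitor -> pony -> evilpony,Link,65
1/24/2020,"""URGENT QUOTATION EN01/2020""; docx xlsx -> agenttesla",Attachment,3
'''

# The paste spells AgentTesla three ways; fold the variants together (assumed mapping).
FAMILY_ALIASES = {"agenttlesla": "agenttesla", "agenttelsa": "agenttesla"}
CONTINUED_RE = re.compile(r"\s*continued to\s+(\S+)\s*$")


def parse_details(details):
    """Split the free-text Details field. Layout used throughout the table:
    <subject or pattern>; <lure type(s)> -> <family>[ -> <next stage>...] [continued to <date>]
    """
    subject, _, rest = details.partition(";")
    lure, _, chain = rest.partition("->")       # later '->' belong to the family chain
    subject = subject.strip()
    if len(subject) >= 2 and subject[0] == subject[-1] == '"':
        subject = subject[1:-1]                  # literal subject; patterns stay as written
    continued_to = None
    m = CONTINUED_RE.search(chain)
    if m:
        continued_to = m.group(1)
        chain = chain[: m.start()]
    families = []
    for f in chain.split("->"):
        name = f.strip().lower()
        if name:
            families.append(FAMILY_ALIASES.get(name, name))
    # "zip and rtf", "docx xlsx", "rar exe": several containers in one campaign
    lures = [t for t in re.split(r"[\s,]+", lure.strip().lower()) if t and t != "and"]
    return {"subject": subject, "lures": lures, "families": families, "continued_to": continued_to}


def load_campaigns(text):
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        row = parse_details(rec["Details"])
        row["date"] = rec["Date"]
        row["payload_type"] = rec["Email Payload Type"]
        row["users_targeted"] = int(rec["Users Targeted"])
        rows.append(row)
    return rows


def summarise(rows):
    """Users targeted per first-stage family (what the lure actually drops) and campaigns per lure type."""
    users_by_family = Counter()
    campaigns_by_lure = Counter()
    for r in rows:
        family = r["families"][0] if r["families"] else "unknown"
        users_by_family[family] += r["users_targeted"]
        for lure in r["lures"]:
            campaigns_by_lure[lure] += 1
    return {
        "campaigns": len(rows),
        "users_targeted": sum(r["users_targeted"] for r in rows),
        "users_by_family": users_by_family,
        "campaigns_by_lure": campaigns_by_lure,
        "link_share": (sum(r["payload_type"] == "Link" for r in rows) / len(rows)) if rows else 0.0,
    }


def inconsistent_rows(rows):
    """Rows whose Details say 'link' but whose payload column says Attachment (or vice versa)."""
    return [r for r in rows if ("link" in r["lures"]) != (r["payload_type"] == "Link")]


if __name__ == "__main__":
    rows = load_campaigns(SAMPLE_CSV)
    s = summarise(rows)
    print(f"{s['campaigns']} campaigns, {s['users_targeted']} users targeted")
    for family, n in s["users_by_family"].most_common():
        print(f"  {family:<12} {n:>4}")
    for r in inconsistent_rows(rows):
        print(f"check payload type: {r['date']} {r['subject']!r} lures={r['lures']} column={r['payload_type']}")
```

The consistency check matters when the table feeds a filter rule: a campaign recorded as "link -> trickbot" but typed Attachment would be missed by a rule that only reads the Email Payload Type column.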
C2s and mail hosts
jan3/netwire/,185.103.96.151
jan3/remcos/,datus666.ga
jan5/agenttesla/,http://www.svmarketingindia.com/j-p/origin/inc/e73c66abc32466.php
jan5/avemaria/,185.140.53.232
jan5/lokibot/another/,http://svmarketingindia.com/jjv/Panel/five/fre.php
jan6/adwind/,185.103.96.151
jan6/agenttesla/2/,smtp.yandex.com
jan6/agenttesla/3/,https://softtouchcollars.com/origin/inc/ee1a20487ca101.php
jan6/agenttesla/,smtp.zellico.com
jan6/formbook/,http://35.222.251.6/avisos/index.php
jan6/hawkeye/,us2.smtp.mailhostbox.com
jan6/keylogger/,smtp.privateemail.com
jan6/lokibot/,107.175.150.73/~giftioz/.cttr/fre.php
jan6/nanocore/,212.83.46.28
jan7/formbook/,http://www.apll-isd.com/is/
jan7/lokibot/,107.175.150.73/~giftioz/.soxot/fre.php
jan8/agenttesla/2/,http://rigdps1.com/sn/webpanel/inc/827acc3012fd2a.php
jan8/agenttesla/3/,smtp.tkbill.biz
jan9/agenttesla/,smtp.tkbill.biz
jan9/formbook/2/,www.testci20170831033002.net
jan9/formbook/,http://www.beattheburnout.com/fh/
jan9/nanocore/,185.165.153.129
jan9/nanocore/2/,185.103.96.151
jan9/nanocore/3/,185.140.53.131
jan9/predator/,wangg-bg.site
jan10/agenttesla/2/,mail.riversweet.com
jan10/agenttesla/,mail.dormakeba.com
jan10/nanocore/,noapology.duckdns.org
jan11/agenttesla/,smtp.yandex.com
jan11/nanocore-netwire-agenttesla/,185.103.96.151
jan12/agenttesla/,mail.expocant.com
jan13/agenttesla/2/,mail.dormakeba.com
jan13/agenttesla/,smtp.ahrass.com
jan13/dridex/,https://37.247.54.134/
jan13/emotet/,http://24.164.79.147:8080/RVpaLh31ZWSH3PF
jan13/hawkeye/2/,mail.cadvil.com
jan13/hawkeye/,mail.privateemail.com
jan13/nanocore/,nze1010.ddns.net
jan13/netwire/,checker.rneiko-elec.com
jan13/remcos/,top1.supertouchhaircare.waw.pl
jan14/404k/,mail.villa-samnang.com
jan14/agenttelsa/2/,mail.gandi.net
jan14/agenttelsa/3/,https://www.emtelakproperties.com/sn/webpanel/inc/e84858e7d9bca5.php
jan14/agenttelsa/,mail.lepta.website
jan14/hawkeye/,mail.privateemail.com
jan14/lokibot/2/,http://heartychern.com/drunk/five/fre.php
jan14/lokibot/,http://afas-kr.com/didi/five/fre.php
jan14/nanocore/,185.140.53.131
jan14/nanocore/2/,185.140.53.131
jan14/netwire/,185.140.53.80
jan15/agenttesla/2/,mail.axspckg.com
jan15/agenttesla/3/,https://www.emtelakproperties.com/sn/webpanel/inc/e84858e7d9bca5.php
jan15/agenttesla/4/,mail.emailsrvr.com
jan15/agenttesla/,ike2020.xyz
jan15/azorult/,107.175.150.73/~giftioz/.azma/index.php
jan15/dridex/,104.131.41.185
jan15/hawkeye/2/,us2.smtp.mailhostbox.com
jan15/hawkeye/,mail.privateemail.com
jan15/lokibot/,http://107.175.150.73/~giftioz/.hokbi/fre.php
jan15/nanocore/,185.140.53.131
jan15/nanocore/2/,godwin.ddns.net
jan15/nanocore/3/,dataserverr.duckdns.org
jan15/netwire/,checker.rneiko-elec.com
jan15/remcos/,216.38.8.176
jan15/trickbot/,makeupartistrybyrsa.com
jan16/agenttesla/2/,mail.lepta.website
jan16/agenttesla/3/,smtp.ahrass.com
jan16/agenttesla/,ike2020.xyz
jan16/crimson/,danielmeyer.duckdns.org
jan16/darkcomet/,aaronjames-31665.portmap.host
jan16/hawkeye/2/,mail.alpssoftech.in
jan16/hawkeye/,mail.privateemail.com
jan16/lokibot/2/,http://afas-kr.com/didi/five/fre.php
jan16/lokibot/3/,onlygodam.com
jan16/lokibot/,onlygodam.com
jan16/pony/2/,http://79.134.225.45/yitrfi67fu6y6rfuyf/
jan16/pony/,http://1800propainter.com/sepp/panelnew/gate.php
jan16/predator/,http://yestroy.site/api/check.get
jan16/ta505-get2/,https://selling-group.com/2020hny
jan17/formbook/2/,http://www.cliiq.cloud/qt/
jan17/formbook/,http://www.dremtnw.com/wh/
jan17/lokibot/,afas-kr.com
jan17/nanocore/,godwin.ddns.net
jan18/hawkeye/,mail.alpssoftech.in
jan19/agenttesla/2/,smtp.yandex.com
jan19/agenttesla/3/,mail.arabianwebdesigner.com
jan19/agenttesla/,smtp.ionos.com
jan20/agenttesla/2/,us2.smtp.mailhostbox.com
jan20/agenttesla/3/,smtp.ahrass.com
jan20/agenttesla/4/,smtp.zeyiti-sa.com
jan20/agenttesla/5/,mail.privateemail.com
jan20/agenttesla/,smtp.shreegroup.in
jan20/azorult/,http://35.158.92.3/index.php
jan20/hworm/,185.244.30.212/is-ready
jan20/nanocore/,185.140.53.131
jan21/agenttesla/2/,mail.arabianwebdesigner.com
jan21/agenttesla/3/,server252.web-hosting.com
jan21/agenttesla/4/,mail.emailsrvr.com
jan21/agenttesla/5/,mail.cargoair.bg
jan21/agenttesla/,smtp.goldsmiths-uk.com
jan21/hancitor/,http://lietarion.com/4/forum.php
jan21/pony/,http://ozteary.ru/ozor/gate.php
jan21/remcos/,globalwebpay.co
jan21/trickbot/,http://4bec.org/kflmgkkjdfkmkfl
jan22/agenttesla/2/,us2.smtp.mailhostbox.com
jan22/agenttesla/3/,smtp.generce.com
jan22/agenttesla/,78.142.19.101
jan22/lokibot/,http://107.175.150.73/~giftioz/.nonb/fre.php
jan22/netwire/,bilimoney.ddns.net
jan22/pony/,allenservice.ga
jan22/qbot/,24.184.6.58
jan23/agenttesla/2/,mail.hervitama.co.id
jan23/agenttesla/3/,mail.gandi.net
jan23/agenttesla/4/,smtp.blowtac-tw.com
jan23/agenttesla/,ike2020.xyz
jan23/azorult/,http://107.175.150.73/~giftioz/.azma/index.php
jan23/formbook/2/,http://www.moz-cafe5thst.com/jg/
jan23/formbook/3/,http://www.nyoxibwer.com/s8y/
jan23/formbook/,http://www.yuyou988.com/kt0/
jan23/hancitor/,http://tariroalz.com/4/forum.php
jan23/nanocore/,viccavi.duckdns.org
jan23/unknown/,mail.arabianwebdesigner.com
jan24/agenttesla/2/,smtp.fernsturm.com
jan24/agenttesla/,smtp.yandex.com
jan24/trickbot/,alwasl-syria.com
jan25/agenttesla/2/,217.174.152.175
jan25/agenttesla/,mail.privateemail.com
jan25/blackrat/,79.134.225.70
jan26/agenttesla/2/,smtp.goldsmiths-uk.com
jan26/agenttesla/3/,smtp.shreegroup.in
jan26/agenttesla/4/,mail.villa-samnang.com
jan26/agenttesla/,smtp.shreegroup.in
jan27/agenttesla/2/,smtp.blacksea.red
jan27/agenttesla/,server252.web-hosting.com
jan27/lokibot/,afas-kr.com
jan27/nanocore/2/,kissmeifucan.ddns.net
jan27/nanocore/,jukax.ddns.net
jan27/netwire/,79.134.225.96
jan27/predator/,http://mastreb.site
jan27/,us2.smtp.mailhostbox.com
jan28/agenttesla/2/,ike2020.xyz
jan28/agenttesla/3/,mail.gpphysio.co.za
jan28/agenttesla/,us2.smtp.mailhostbox.com
jan28/dridex/,https://109.123.107.19/
jan28/formbook/2/,www.markmackoart.com/s8y/
jan28/formbook/3/,www.honolulunightout.com
jan28/formbook/4/,www.gztla.com
jan28/formbook/,www.markmackoart.com
jan29/agenttesla/10/,mail.gpphysio.co.za
jan29/agenttesla/11/,mail.besco.com.sa
jan29/agenttesla/12/,mail.besco.com.sa
jan29/agenttesla/2/,mail.gpphysio.co.za
jan29/agenttesla/3/,us2.smtp.mailhostbox.com
jan29/agenttesla/4/,ftp.exploits.site
jan29/agenttesla/5/,smtp.shreegroup.in
jan29/agenttesla/6/,ike2020.xyz
jan29/agenttesla/7/,us2.smtp.mailhostbox.com
jan29/agenttesla/8/,https://credoaz.com/journals/webpanel/inc/6c7fce35255143.php
jan29/agenttesla/9/,mail.besco.com.sa
jan29/agenttesla/,https://credoaz.com/journals/webpanel/inc/6c7fce35255143.php
jan29/formbook/2/,www.indianaerofun.com/e56
jan29/formbook/3/,www.assignmentasiantyper.com
jan29/formbook/4/,www.onlinebhikhari.com
jan29/formbook/,www.urbnhousing.com
jan29/lokibot/2/,http://kayfundz.ru/kay/eng/gate.php
jan29/lokibot/3/,http://89.249.65.212/africa/logs/fre.php
jan29/lokibot/,http://zeyadigital.com/etty/black/download/fre.php
jan29/ursnif/,thiganoz.com
jan30/agenttesla/,ike2020.xyz
jan30/avemaria/,tain77.duckdns.org
jan30/formbook/2/,www.jazminewphoto.com
jan30/formbook/4/,www.radissonhyd.com
jan30/formbook/,www.374cb.com
jan30/hawkeye/,mail.saytalish.com
jan30/lokibot/2/,http://193.142.59.107/africa/logs/fre.php
jan30/lokibot/3/,worldatdoor.in/32/index.php
jan30/lokibot/4/,193.142.59.107
jan30/lokibot/5/,http://89.249.65.212/africa/logs/fre.php
jan30/lokibot/6/,http://193.142.59.107/africa/logs/fre.php
jan30/lokibot/,http://zeyadigital.com/etty/black/download/fre.php
jan30/predator/,bubble2-bg.site
jan30/raccoon/,http://34.65.176.45/gate/log.php
jan31/agenttesla/,mail.xerindo.com
jan31/netwire/,79.134.225.71

email exfils
RCPT TO:<books@lepta.website>
RCPT TO:<mohamedadjal@ahrass.com>
RCPT TO:<mark.william09@yandex.com>
RCPT TO:<info@shreegroup.in>
RCPT TO:<francis@zeyiti-sa.com>
RCPT TO:<mohamedadjal@ahrass.com>
RCPT TO:<fallin@damllakimya.com>
RCPT TO:<sales@expocant.com>
RCPT TO:<tee.gan@yandex.ru>
RCPT TO:<mohamedadjal@ahrass.com>
RCPT TO:<dejoy@cadvil.com>
RCPT TO:<off20r@deepsaeemirates.com>
RCPT TO:<support@generce.com>
RCPT TO:<fallin@damllakimya.com>
RCPT TO:<tmoneyn@tkbill.biz>
RCPT TO:<doggy@sonofgrace.website>
RCPT TO:<takers@blacksea.red>
RCPT TO:<money@zellico.com>
RCPT TO:<bachar@idearnaroc.com>
RCPT TO:<204@goldsmiths-uk.com>
RCPT TO:<info@shreegroup.in>
RCPT TO:<info@shreegroup.in>
RCPT TO:<uba@dormakeba.com>
RCPT TO:<khalid@besco.com.sa>
RCPT TO:<tee.gan@yandex.ru>
RCPT TO:<tee.gan@yandex.ru>
RCPT TO:<info@shreegroup.in>
RCPT TO:<khalid@besco.com.sa>
RCPT TO:<eileen@blowtac-tw.com>
RCPT TO:<dewi@hervitama.co.id>
RCPT TO:<mark.william09@yandex.com>
RCPT TO:<doggy@sonofgrace.website>
RCPT TO:<204@goldsmiths-uk.com>
RCPT TO:<tmoneyn@tkbill.biz>
RCPT TO:<michellej@fernsturm.com>
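The C2 list above mixes four indicator styles (bare IP, hostname, host plus path, full URL) and the mail hosts in it are the other half of the exfil list: `books@lepta.website` goes out through `mail.lepta.website`, `info@shreegroup.in` through `smtp.shreegroup.in`, and so on. The Python below is an added example, not the paste author's tooling. It parses the `<day>/<family>/[n]/,<indicator>` entries, works out the host and indicator type, flags free dynamic-DNS names and SMTP hosts, defangs each indicator, deduplicates the RCPT TO mailboxes, and joins mailbox domains to the mail hosts in the C2 list. The mail-host heuristic, the dynamic-DNS suffix list and the family-name alias map are my assumptions; SAMPLE_C2 and SAMPLE_RCPT are constructed excerpts of the two lists above with entries copied verbatim.

```python
"""Normalise the C2/mail-host list and join it to the exfil mailboxes.

Added example, not the paste author's tooling. SAMPLE_C2 / SAMPLE_RCPT are
constructed excerpts of the lists above; the heuristics below are assumptions.
"""
import ipaddress
import re
from urllib.parse import urlsplit

SAMPLE_C2 = """jan6/agenttesla/2/,smtp.yandex.com
jan6/lokibot/,107.175.150.73/~giftioz/.cttr/fre.php
jan9/nanocore/,185.165.153.129
jan10/nanocore/,noapology.duckdns.org
jan11/nanocore-netwire-agenttesla/,185.103.96.151
jan13/dridex/,https://37.247.54.134/
jan14/agenttelsa/,mail.lepta.website
jan16/pony/,http://1800propainter.com/sepp/panelnew/gate.php
jan20/agenttesla/,smtp.shreegroup.in
jan27/,us2.smtp.mailhostbox.com
jan30/lokibot/3/,worldatdoor.in/32/index.php
"""

SAMPLE_RCPT = """RCPT TO:<books@lepta.website>
RCPT TO:<info@shreegroup.in>
RCPT TO:<mark.william09@yandex.com>
RCPT TO:<info@shreegroup.in>
RCPT TO:<tmoneyn@tkbill.biz>
"""

DYNDNS_SUFFIXES = ("duckdns.org", "ddns.net", "portmap.host")      # assumed list
FAMILY_ALIASES = {"agenttelsa": "agenttesla", "agenttlesla": "agenttesla"}
RCPT_RE = re.compile(r"RCPT TO:<([^>]+)>", re.IGNORECASE)


def defang(raw, host):
    """Break the scheme and bracket the dots in the host so the IOC is not clickable."""
    out = re.sub(r"^(https?)(://)", lambda m: "hxxp" + m.group(1)[4:] + m.group(2), raw, flags=re.IGNORECASE)
    if host:
        out = re.sub(re.escape(host), host.replace(".", "[.]"), out, count=1, flags=re.IGNORECASE)
    return out


def classify(indicator):
    """Normalise one indicator: the list mixes bare IPs, hostnames, host+path and full URLs."""
    raw = indicator.strip()
    # urlsplit only recognises the host part when a scheme or a leading '//' is present.
    parts = urlsplit(raw if "://" in raw else "//" + raw)
    host = (parts.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    if "://" in raw or parts.path:
        kind = "url"
    elif is_ip:
        kind = "ip"
    else:
        kind = "domain"
    return {
        "indicator": raw,
        "host": host,
        "kind": kind,
        "is_ip": is_ip,
        # Free dynamic-DNS names: the address behind them rotates, so the name is the useful IOC.
        "dyndns": host.endswith(DYNDNS_SUFFIXES),
        # Heuristic for the SMTP servers the stealer/keylogger families exfil through.
        "mail_host": host.startswith(("smtp.", "mail.")) or ".smtp." in host,
        "defanged": defang(raw, host),
    }


def parse_entry(line):
    """'jan15/agenttesla/2/,mail.axspckg.com' -> day, family (as the author labelled it), normalised indicator."""
    path, _, indicator = line.partition(",")
    parts = [p for p in path.split("/") if p]
    day = parts[0] if parts else ""
    family = parts[1] if len(parts) > 1 else ""          # 'jan27/' carries no family label
    return {"day": day, "family": FAMILY_ALIASES.get(family, family), "path": path, **classify(indicator)}


def parse_list(text):
    return [parse_entry(l) for l in text.splitlines() if l.strip()]


def parse_rcpt(text):
    """Distinct exfil mailboxes in first-seen order (the paste repeats several)."""
    seen = {}
    for m in RCPT_RE.finditer(text):
        seen.setdefault(m.group(1).lower(), None)
    return list(seen)


def correlate_mailboxes(mailboxes, entries):
    """Map each exfil mailbox domain to the hosts in the C2 list that sit under that domain."""
    out = {}
    for mb in mailboxes:
        domain = mb.rsplit("@", 1)[1]
        if domain not in out:
            hosts = sorted({e["host"] for e in entries
                            if e["host"] == domain or e["host"].endswith("." + domain)})
            out[domain] = {"mailboxes": [], "hosts": hosts}
        out[domain]["mailboxes"].append(mb)
    return out


if __name__ == "__main__":
    entries = parse_list(SAMPLE_C2)
    for e in entries:
        print(f"{e['day']:<6} {e['family']:<12} {e['kind']:<6} {'dyndns' if e['dyndns'] else '':<6} {e['defanged']}")
    for domain, info in correlate_mailboxes(parse_rcpt(SAMPLE_RCPT), entries).items():
        print(domain, info["mailboxes"], "->", info["hosts"] or "no mail host in list")
```

Two caveats when turning the join into blocks: yandex.com, privateemail.com, mailhostbox.com, gandi.net and emailsrvr.com are shared providers, so the actionable item is the mailbox (or outbound SMTP from endpoints that should never speak SMTP directly), not the provider domain; and a family label such as `nanocore-netwire-agenttesla` records several families sharing one host, so keep it as the author wrote it rather than splitting it into separate attributions.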