Tuesday, 8 October 2013

Fake Wells Fargo spam comes with a malicious attachment / lasub-hasta.com

this one, but comes with a slightly different attachment:

Date: Mon, 7 Oct 2013 19:56:29 +0100 [10/07/13 14:56:29 EDT]
From: "Harry_Buck@wellsfargo.com" [Harry_Buck@wellsfargo.com]
Subject: Documents - WellsFargo

Please review attached files.
Wells Fargo Advisors
817-683-6287 cell Harry_Buck@wellsfargo.com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103
CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.

Attached is a ZIP file containing a malicious EXE file. The VirusTotal detection rate is a fairly healthy 27/48. Automated analysis shows that the malware tries to phone home to lasub-hasta.com on 126.96.36.199 (Global Net Access, US). A quick look at that server shows that it hosts several hundred sites, most of which are probably legitimate, but there is a great deal of suspect activity on this server which you might want to take into account if you are thinking of blocking this IP.
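
A mail-gateway style check for the delivery method described in this post (a ZIP attachment containing an EXE), as an added example that is not part of the original post. The member names, byte contents and extension list are constructed for illustration; the check looks at the MZ header as well as the file name, so a renamed executable is still reported.

```python
import io
import zipfile

# Extensions Windows runs directly. This list is an assumption of the example.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com")


def executable_members(zip_bytes):
    """Return (name, reason) for each archive member that should be quarantined."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:
                # Encrypted members cannot be inspected, so report them as-is.
                findings.append((info.filename, "encrypted member"))
                continue
            with archive.open(info) as member:
                magic = member.read(2)
            if magic == b"MZ":
                # DOS/PE header: an executable whatever the name claims.
                findings.append((info.filename, "PE/MZ header"))
            elif info.filename.lower().endswith(EXECUTABLE_EXTS):
                findings.append((info.filename, "executable extension"))
    return findings


def build_sample_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buf.getvalue()


# Constructed samples: no real malware, just a two-byte MZ marker plus padding.
SUSPECT_ZIP = build_sample_zip({
    "Documents.pdf.exe": b"MZ" + b"\x00" * 62,       # double extension
    "readme.txt": b"Please review attached files.",
    "invoice.pdf": b"MZ\x90\x00 renamed executable",  # wrong extension
})
CLEAN_ZIP = build_sample_zip({"statement.txt": b"plain text"})

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT_ZIP), ("clean", CLEAN_ZIP)):
        print(label, executable_members(blob))
```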