From: JP Morgan Access [Carrie.Tolstedt@jpmorgan.com]
Date: 18 March 2015 at 17:49
Subject: FW: Customer account docs
As it happens, Carrie L Tolstedt is a real executive... at Wells Fargo. The lady in the picture is another Wells Fargo employee entirely.
The executable has a low VirusTotal detection rate of 3/57. Various automated analysis tools     show the malware downloading additional components from:
It then attempts to POST data to an IP at 220.127.116.11 (Vsevnet Ltd. Russia) which is a critical IP to block if you want to protect yourself against this type of Upatre / Dyre attack.
The Malwr report also shows that amongst other things it downloads an executable lwxzqrk36.exe which has a detection rate of just 2/57. That Malwr report also shows that it downloads and pops up a PDF about drone strikes.
The download locations for this Upatre/Dyre combination change all the time, but the IP address of 18.104.22.168 has been around for a little while. Also, it is a characteristic of this malware that it calls out to checkip.dyndns.org to determine the client IP address.. monitoring for traffic going to that location can be a useful indicator of infection.