Date: 22 June 2015 at 13:07
Subject: Shareholder alert
Hope this e-mail finds You well. Please note that in 2015 no dividends will be paid due to resolution of the Board of Directors. Please see attached.
Glen McCoy, Partner
Attached is a mis-named ZIP file called instructions.zip size=21154.zipsize=21154 containing a malicious executable instructions_document.exe which has a VirusTotal detection rate of 1/56.
The Malwr report indicates network traffic to:
22.214.171.124 is Orion Telekom in Serbia.
It also drops an executable xiroukiqa.exe with a detection rate of 5/56 and vusjeson.exe with a detection rate of 4/57. The VirusTotal report for the last binary also shows traffic to 126.96.36.199 (Midwest Data Center, US), which is clearly malicious according to VirusTotal.
The characteristics of this malware indicate the Upatre downloader leading to the Dyre banking trojan.
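With a 1/56 detection rate on the attachment, a structural check at the mail gateway is more dependable than signatures. The following is an added example, not code from the original post: it identifies a ZIP by content rather than by name and flags executable members. The names `inspect_attachment`, `build_sample` and `EXEC_EXTS` are hypothetical, and the sample archive is constructed (two `MZ` bytes plus padding, not a real binary).

```python
import io
import zipfile

# Extensions Windows runs directly (illustrative list, not exhaustive).
EXEC_EXTS = (".exe", ".scr", ".com", ".pif")

def inspect_attachment(filename, data):
    """Return (finding, name) tuples for one attachment given its name and raw bytes."""
    findings = []
    # Decide what the file is from its content; the name in this campaign is unreliable.
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if not filename.lower().endswith(".zip"):
        findings.append(("name-mismatch", filename))
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                with zf.open(info) as member:
                    magic = member.read(2)
            except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                # Encrypted or unreadable members cannot be inspected; report them.
                findings.append(("uninspectable-member", info.filename))
                continue
            # A PE file starts with "MZ" whatever its extension claims.
            if magic == b"MZ" or info.filename.lower().endswith(EXEC_EXTS):
                findings.append(("executable-member", info.filename))
    return findings

def build_sample():
    """Constructed stand-in for the attachment: a ZIP holding a fake .exe member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("instructions_document.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()

if __name__ == "__main__":
    name = "instructions.zip size=21154.zipsize=21154"
    for finding in inspect_attachment(name, build_sample()):
        print(finding)
```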