From: "Clyde Medina" [Clyde.Medina@swift.com]
Date: Wed, 30 Sep 2015 12:35:56 GMT
Subject: FW : Incoming SWIFT
We have received this documents from your bank regarding an incoming SWIFT transfer.
CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom
the message was addressed. If you are not the intended recipient of this message,
please be advised that any dissemination, distribution, or use of the contents of
this message is strictly prohibited. If you received this message in error, please
notify the sender. Please also permanently delete all copies of the original message
and any attached documentation. Thank you.
Attached is a file SWIFT_transfer.zip, which contains a malicious executable, SWIFT_transfer.scr, that currently has a detection rate of 2/56.
Automated analysis is pending, although the payload is almost definitely Upatre/Dyre. Please check back later.
The Hybrid Analysis report shows Upatre/Dyre activity, including the malware phoning home to the familiar IP address 126.96.36.199 in Nigeria, which I recommend you block or monitor.
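Two defensive checks follow from the above: flag zip attachments that carry a Windows executable disguised with a .scr (screensaver) extension, and look through egress logs for connections to the reported callback address. The script below is an added example written for this post, not code from the original post or from any analysis service; the zip archive and the firewall log lines are constructed (the "payload" is just the two-byte MZ magic plus padding, not a real program), the key=value log format is an assumption, and the only value taken from the post is 126.96.36.199.

```python
"""Triage helpers for Upatre-style malspam: inspect a zip attachment for
executables, and scan egress logs for a known callback address.

Added example, not part of the original post. The archive and log lines
are constructed; the log format (dst=<ip>) is an assumption.
"""
import io
import re
import zipfile

# Extensions Windows runs directly on double-click. A .scr "screensaver"
# is an ordinary PE executable, which is why it is a common dropper disguise.
EXECUTABLE_EXTENSIONS = {
    ".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".jar",
}

# Callback address reported in the post; extend with your own blocklist.
WATCHED_IPS = {"126.96.36.199"}


def inspect_zip_attachment(data: bytes) -> list:
    """Return findings for a zip attachment given as raw bytes.

    Findings look like 'executable-extension:<name>', 'double-extension:<name>'
    or 'pe-header:<name>'. An empty list means nothing was flagged, not that
    the file is safe.
    """
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not-a-zip"]
    for info in archive.infolist():
        name = info.filename
        lower = name.lower()
        # Judge by the final extension: "invoice.pdf.scr" still ends in .scr.
        dot = lower.rfind(".")
        ext = lower[dot:] if dot != -1 else ""
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable-extension:{name}")
            # A second extension in front is a classic social-engineering trick.
            if lower.count(".") >= 2:
                findings.append(f"double-extension:{name}")
        # Read only the first two bytes; a PE file starts with the MZ magic.
        with archive.open(info) as member:
            if member.read(2) == b"MZ":
                findings.append(f"pe-header:{name}")
    return findings


# Assumed log layout: space-separated key=value pairs with a dst=<ip> field.
LOG_RE = re.compile(r"dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def find_c2_hits(log_lines, watched=WATCHED_IPS) -> list:
    """Return the log lines whose destination IP is on the watched list."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("ip") in watched:
            hits.append(line)
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample: a zip holding a fake .scr that starts with 'MZ'.

    The member is the MZ magic followed by zero padding; it is not a program.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("SWIFT_transfer.scr", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


# Constructed firewall log lines; 203.0.113.0/24 is a documentation range.
SAMPLE_LOGS = [
    "2015-09-30T12:41:02Z src=10.0.0.23 dst=203.0.113.5 dport=443 action=allow",
    "2015-09-30T12:41:07Z src=10.0.0.23 dst=126.96.36.199 dport=80 action=allow",
    "2015-09-30T12:41:09Z src=10.0.0.41 dst=10.0.0.1 dport=53 action=allow",
]

if __name__ == "__main__":
    print(inspect_zip_attachment(build_sample_zip()))
    for hit in find_c2_hits(SAMPLE_LOGS):
        print("possible callback:", hit)
```

The attachment check only reads the first two bytes of each member, so it stays cheap on large archives and never executes anything; the log check is a plain blocklist match, which is the "block or monitor" step for the single address reported here, and anything matched should be treated as a host to isolate and image rather than just a line to clear.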