Date: 24 November 2015 at 16:57
Subject: Serafini_Billing_Statement 2003
Signed by: 163.com
Hi Please see attached a copy of your statement for the month of Nov 2015
That IP belongs to Eurobyte LLC in Russia. I recommend that you block it.
This is saved as %TEMP%\122487254.exe and it has a VirusTotal detection rate of 5/55 and an MD5 of 68940329224ab93ce4b688df33a9274f. The application's icon and metadata are designed to make it look like a copy of VNC, but the VirusTotal detections indicate that it is actually Cryptowall. This Hybrid Analysis report demonstrates the ransomware in action most clearly.
One unusual characteristic is that it POSTs to a lot of webservers (also listed in these reports), although I don't know how significant that is. Almost all of the domain names begin with "A":
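The POST fan-out described above is something a defender can hunt for in proxy logs without knowing the specific domains in advance: one client POSTing to an unusually large number of distinct web servers within a short window. The following is an added example, not code from the original post or from any of the linked reports; the log format, field layout, client addresses, `.test` hostnames, window size and threshold are all constructed assumptions for illustration.

```python
"""Flag clients that POST to many distinct web servers in a short window.

Added example (not from the original post). The space-separated log format,
field order, sample lines, hostnames, window and threshold below are all
constructed assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log: "timestamp client method host path status".
# The first client shows the fan-out pattern; the second is ordinary traffic.
SAMPLE_LOG = """\
2015-11-24T16:58:01 10.0.0.5 POST alpha-example.test /gate.php 200
2015-11-24T16:58:02 10.0.0.5 POST acme-example.test /gate.php 200
2015-11-24T16:58:03 10.0.0.5 POST avalon-example.test /gate.php 404
2015-11-24T16:58:04 10.0.0.5 POST arbor-example.test /gate.php 200
2015-11-24T16:58:05 10.0.0.5 POST aspen-example.test /gate.php 200
2015-11-24T16:58:06 10.0.0.5 POST anchor-example.test /gate.php 200
2015-11-24T16:59:10 10.0.0.7 POST intranet.example.test /login 200
2015-11-24T16:59:11 10.0.0.7 GET intranet.example.test /home 200
"""


def parse_line(line):
    """Split one constructed-format log line into a record dict."""
    ts, client, method, host, path, status = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "method": method.upper(),
        "host": host.lower(),
        "path": path,
        "status": int(status),
    }


def post_fanout(log_text, window=timedelta(minutes=5), min_hosts=5):
    """Return {client: sorted distinct hosts} for every client whose POST
    requests reached at least `min_hosts` distinct hosts inside any
    sliding window of length `window`.  GETs are ignored on purpose: the
    behaviour described in the post is specifically about POSTs."""
    posts = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["method"] == "POST":
            posts[rec["client"]].append((rec["ts"], rec["host"]))

    flagged = {}
    for client, events in posts.items():
        events.sort()  # chronological, so each start index defines a window
        for i, (start, _) in enumerate(events):
            hosts = {h for ts, h in events[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                flagged[client] = sorted(hosts)
                break  # one hit per client is enough for an alert
    return flagged


def initial_letter_share(hosts, letter="a"):
    """Fraction of hostnames starting with `letter`; a descriptive
    enrichment for the observation that the contacted names mostly begin
    with "A", not a detection rule on its own."""
    hosts = list(hosts)
    if not hosts:
        return 0.0
    return sum(h.startswith(letter) for h in hosts) / len(hosts)


if __name__ == "__main__":
    for client, hosts in post_fanout(SAMPLE_LOG).items():
        share = initial_letter_share(hosts)
        print(f"{client}: {len(hosts)} distinct POST hosts, "
              f"share beginning with 'a' = {share:.2f}")
        for h in hosts:
            print("   ", h)
```

The fan-out count is the part worth alerting on; the first-letter share is only reported alongside it because a single surface trait such as the initial letter is easy to change and should not carry the detection by itself. Tune `window` and `min_hosts` against a baseline of your own proxy data, since legitimate software that talks to a CDN or telemetry endpoints can also POST to several hosts in quick succession.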