From: ScotiaBank [Secure.Mail@scotiabankmail.com]
Date: 27 April 2017 at 14:13
Subject: Secure email communication
Signed by: scotiabankmail.com
Scotia Secure Email Logo
Secure mail waiting: (Secure)
Scotiabank has sent you a secure, encrypted e-mail message. To view this e-mail, please visit "Scotiabank Secure Email Service" or check attach file. For further information on how to use this service please reffer to "the Secure Email User Guide".
The email you receive from Scotiabank, including any attachments, may contain confidential and/or privileged information for the intended recipient(s) only and the sender does not waive any related legal rights or privilege. Any use or disclosure of the information by an unintended recipient is unauthorized and prohibited. If you have received an email message in error, please delete the entire message, including attachments if any, and inform us by return email.
Hybrid Analysis shows a download from elevationstairs.ca/fonts/dde60c5776c175c54d23d2b0c.png [188.8.131.52 - Host Papa, US] leading to a dropped file Pscou.exe which has a detection rate of 11/61 and appears to be Upatre.
Malwr Analysis of the downloaded file shows attempted communications to:
184.108.40.206 (Ringnett, Norway)
220.127.116.11 (Level 3, US)
18.104.22.168 (Ringnett, Norway)
scotiabankmail.com has been registered specifically for this attack, or you can block the sending IP of 22.214.171.124 (City Network Hosting AB, Sweden)