From: invoice@bankline.ulsterbank.ie [invoice@bankline.ulsterbank.ie]
Date: 2 April 2015 at 11:46
Subject: Outstanding invoice
Dear [victim],
Please find the attached copy invoice which is showing as unpaid on our ledger.
To download your invoice please click here
I would be grateful if you could look into this matter and advise on an expected payment date.
Courtney Mason
Credit Control
Tel: 0845 300 2952
The link in the email leads to a download location at hightail.com (the sample I saw downloaded from https://www.hightail.com/download/e?phi_action=app/directDownload&fl=SWhZekZucVhVbTlFQlFJWjA4bnVnVE9yZWt5UmdteDRsUjJuWENHRzVZbz0) which is a file called Doc_0062119-LQ.zip which in turn contains the malicious executable Doc_0062119-LQ.scr.
The executable has a VirusTotal detection rate of 3/57 and has characteristics that identify it as Upatre. Automated analysis tools [1] [2] [3] [4] [5] show that it downloads additional components from:
eduardohaiek.com/images/wicon1.png
edrzambrano.com.ve/images/wicon1.png
It also POSTs data to 141.105.141.87 (Makiyivka Online Technologies Ltd, Ukraine) in a characteristic Upatre manner:
http://141.105.141.87:13840/0204uk11/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
According to the Malwr report, the downloader drops a file gkkjxyz22.exe which has a detection rate of 2/57. This is probably the Dyre banking trojan.
Recommended blocklist:
141.105.140.0/22
eduardohaiek.com
edrzambrano.com
MD5s:
4c666564c1db6312b9f05b940c46fa9a
876900768e06c3df75714d471c192cc6
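As an added illustration (not code from the original post), the following script turns the blocklist and the indicators above into a small defensive check run over a few constructed proxy-log lines. The CIDR, domains, hashes and the Upatre check-in URL are taken from the post; the log format, the internal client addresses and the regular expression that generalises the one observed POST path into a loose pattern are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the post's "Recommended blocklist" and MD5 list.
BLOCKED_NETWORKS = [ipaddress.ip_network("141.105.140.0/22")]
BLOCKED_DOMAINS = {"eduardohaiek.com", "edrzambrano.com"}
BLOCKED_MD5S = {
    "4c666564c1db6312b9f05b940c46fa9a",
    "876900768e06c3df75714d471c192cc6",
}

# Assumption: a loose shape for the check-in URL quoted in the post,
#   /0204uk11/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
# read as /<date+country+id>/<hostname>/<n>/<os>/<n>/<uppercase id>.
UPATRE_PATH = re.compile(r"^/\d{4}[a-z]{2}\d+/[^/]+/\d+/[^/]+/\d+/[A-Z]+$")

# Second-stage download path seen on both payload hosts.
PAYLOAD_PATH = "/images/wicon1.png"


def host_blocked(host):
    """True if host is a blocklisted domain/subdomain or an IP in a blocked range."""
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)
    return any(ip in net for net in BLOCKED_NETWORKS)


def md5_blocked(digest):
    return digest.lower() in BLOCKED_MD5S


def classify_request(method, url):
    """Return the list of reasons a proxy request looks related to this campaign."""
    parts = urlsplit(url)
    reasons = []
    if host_blocked(parts.hostname or ""):
        reasons.append("blocklisted host")
    if method.upper() == "POST" and UPATRE_PATH.match(parts.path):
        reasons.append("upatre-style POST path")
    if parts.path == PAYLOAD_PATH:
        reasons.append("known payload path")
    return reasons


def scan_log(text):
    """Parse constructed 'ts client method url status' lines; return matches only."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, client, method, url, status = fields
        reasons = classify_request(method, url)
        if reasons:
            hits.append({"client": client, "url": url, "reasons": reasons})
    return hits


# Constructed sample log: three lines modelled on the traffic described in the post,
# plus one benign request.
SAMPLE_LOG = """\
2015-04-02T11:52:01 10.0.0.15 GET http://eduardohaiek.com/images/wicon1.png 200
2015-04-02T11:52:03 10.0.0.15 GET http://edrzambrano.com.ve/images/wicon1.png 200
2015-04-02T11:52:05 10.0.0.15 POST http://141.105.141.87:13840/0204uk11/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK 200
2015-04-02T11:53:10 10.0.0.22 GET http://www.example.com/index.html 200
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["url"], ", ".join(hit["reasons"]))
```

Note that the second sample line is flagged only by its path: the blocklist entry edrzambrano.com does not match the host edrzambrano.com.ve that the download URL actually uses, so a domain-based block should list the host exactly as observed rather than relying on suffix matching.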