“ADP Payroll Invoice” with password protected ZIP archive contains trojan

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “ADP Payroll Invoice”.

This email is sent from the spoofed address "ADPClientServices@adp.com" <billing.address.updates@adp.com> and has the following body:

Your ADP Payroll invoice is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.

Important: Please open the attached file using your temporary password. Your temporary password is: 941VAX332ED

Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.

Thank you for choosing ADP Payroll.

Please do not respond to this message. It comes from an unattended mailbox.

The attached file invoice381624185029.zip, which is a password-protected ZIP archive, contains the 49 kB file invoice381624185029.exe.
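Because ZIP member names are stored unencrypted in the archive's central directory, a mail gateway can flag this attachment pattern without knowing the password. The following check is an added example, not MX Lab's code; the function names, the extension list and the sample message are assumptions constructed for illustration.

```python
import email
import io
import zipfile
from email.message import EmailMessage

RISKY_EXT = (".exe", ".scr", ".com", ".pif")  # assumed blocklist, adjust to policy

def encrypted_executables(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (attachment, member) pairs for executables inside encrypted ZIPs.

    Member names sit in clear text in the ZIP central directory, so no
    password is needed; bit 0 of the general-purpose flags marks encryption.
    """
    hits = []
    msg = email.message_from_bytes(raw_message)
    for part in msg.walk():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True)  # None for multipart containers
        if not payload or not name.lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1 and info.filename.lower().endswith(RISKY_EXT):
                        hits.append((name, info.filename))
        except zipfile.BadZipFile:
            continue  # not a parseable ZIP; leave it to other gateway checks
    return hits

def build_sample() -> bytes:
    """Constructed message: harmless ZIP with the encryption flag set by hand."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice381624185029.exe", b"placeholder, not a real binary")
    data = bytearray(buf.getvalue())
    cd = data.rfind(b"PK\x01\x02")     # central directory file header
    data[cd + 8] |= 0x01               # general-purpose flag bit 0 = encrypted
    msg = EmailMessage()
    msg["Subject"] = "ADP Payroll Invoice"
    msg.set_content("Constructed sample body.")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip",
                       filename="invoice381624185029.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(encrypted_executables(build_sample()))
```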

The trojan is known as Trojan.Upatre.IS, Trojan.Upatre.IS(b), Evilware.Outbreak, a variant of Win32/Kryptik.ECNL, Upatre-FADQ!C9F6E7A044F4 or BehavesLike.Win32.Upatre.pt.

At the time of writing, 12 of the 55 AV engines detected the trojan at VirusTotal.

See VirusTotal for more detailed information.
SHA256: 895e23a7f5094fbab7b1392c56c4e3d50154c6d141d26a3933c3a09e47fe33bc