Online banking application form from Leicester Business Banking Customer Support contains trojan

MX Lab started to intercept a new trojan distribution campaign by email with the subject “Online banking application form********* CRM:013142608”.

This email is sent from the spoofed address “xxxxx ” and has the following body:

Please find enclosed the requested online application form which
you will need to complete and return to myself via the post.
Kind Regards
Eloy Avery
Relationship Manager’s Assistant
Leicester Business Banking Customer Support
1st Floor
1 Granby Street
Leicester LE1 6EJ
Tel: 0116 2739605
Fax: 0116 2585469
E Mail:
Internal depot code – 021
DATA CLASSIFICATION: unless otherwise stated the information contained within this email is CONFIDENTIAL
Manage your finances anytime, anywhere – download our free Business Banking mobile app
National Westminster Bank Plc, Registered in England No. 110108. Registered Office: 019 Bishopsgate, London EC2M 3UR.

Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority

This e-mail message is confidential and for use by the addressee only. If the message is received by anyone other than the addressee, please return the message to the sender by replying to it and then delete the message from your computer.
Internet e-mails are not necessarily secure. National Westminster Bank Plc does not accept responsibility for changes made to this message after it was sent. National Westminster Bank Plc may monitor e-mails for business and operational purposes. By replying to this message you give your consent to our monitoring of your email communications with us.

Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. No responsibility is accepted by National Westminster Bank Plc in this regard and the recipient should carry out such virus and other checks as it considers appropriate.

The attached file Online banking upd appl contains the 36 kB file Online banking upd appl form.scr.

The trojan is known as Win32/TrojanDownloader.Waski.Z, UDS:DangerousObject.Multi.Generic, Win32.Trojan.Fakedoc.Auto or TROJ_UPATRE.NAI.

At the time of writing, 6 of the 56 AV engines detected the trojan at Virus Total.

Use Virus Total for more detailed information.
SHA256: d46d08b4ee94c57efa56f55fdf995a88b64b3bd63a077577b5888fc750743d33
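
A mail-gateway style check for this kind of attachment, as an added example that is not part of the original post: it flags executable files such as .scr inside archive attachments and compares hashes against the SHA256 above. It assumes the attachment is a ZIP archive (the post does not name the format); the function names are hypothetical and the sample message is constructed with a harmless payload.

```python
import hashlib
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs directly; .scr is the one used in this campaign.
EXECUTABLE_EXT = (".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
# SHA256 from this post (it does not say whether it covers the archive or the .scr).
KNOWN_SHA256 = {"d46d08b4ee94c57efa56f55fdf995a88b64b3bd63a077577b5888fc750743d33"}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def scan_message(raw_bytes, known=KNOWN_SHA256):
    """Return (attachment, archive member or None, reason) findings for one raw email."""
    findings = []
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if sha256(data) in known:
            findings.append((name, None, "known-hash"))
        if name.lower().endswith(EXECUTABLE_EXT):
            findings.append((name, None, "executable-attachment"))
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(EXECUTABLE_EXT):
                    findings.append((name, info.filename, "executable-in-archive"))
                # Hash only unencrypted members of a sane size (limit is an assumption).
                readable = info.file_size <= 10 * 1024 * 1024 and not info.flag_bits & 0x1
                if readable and sha256(zf.read(info)) in known:
                    findings.append((name, info.filename, "known-hash"))
    return findings


def build_sample():
    """Constructed message: a ZIP holding a harmless text file named like the lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Online banking upd appl form.scr", b"harmless placeholder, not malware")
    msg = EmailMessage()
    msg.set_content("Please find enclosed the requested online application form")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="sample.zip")
    return msg.as_bytes()
```
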