HSBC Email Virus

Also Known As: HSBC bank virus
Type: Trojan
Distribution: Low
Damage level: Severe

HSBC Email Virus removal guide

What is HSBC Email Virus?

"HSBC Email Virus" is another spam email campaign similar to ADP Invoice, Barclays Secured Message, Sage Invoice, and many others. This campaign is designed to distribute a trojan-type virus called TrickBot. The emails essentially state that the a money payment has not been processed and encourages users to open an attached MS Word document for more information. This is a scam - once opened, the attachment stealthily downloads and installs malware.

HSBC Email Virus malware

Firstly, HSBC is one of the largest banks in the world and has nothing to do with this spam campaign. Cyber criminals simply hide behind the name to trick unsuspecting users into opening the attachment. As mentioned above, the email states that a payment cannot be processed and encourages the user to open the attached document and perform a number of steps to resolve this issue. As mentioned, this is a scam. Cyber criminals use the names of legitimate companies and governmental agencies, since it is much simpler to trick users into opening files received from people or companies with familiar names (in this case, a large bank). TrickBot is a very dangerous virus. After system infiltration, it hijacks browsers and modifies visited websites so that entered logins/passwords are sent to a remote server controlled by TrickBot's developers. Therefore, cyber criminals might gain access to users' private accounts, including social networks, banks, and so on. Cyber criminals aim to generate as much revenue as possible, and so there is a high probability that these people will take advantage of any information obtained. Therefore, the presence of TrickBot malware can lead to serious privacy issues and significant financial loss. If you have recently opened attachments distributed via an "HSBC Email Virus" spam campaign, you should immediately scan the system with a legitimate anti-virus/anti-spyware suite and eliminate all detected threats.

Threat Summary:
Name HSBC bank virus
Threat Type Trojan, Password stealing virus, Banking malware, Spyware
Symptoms Trojans are designed to stealthily infiltrate victim's computer and remain silent thus no particular symptoms are clearly visible on an infected machine.
Distribution methods Infected email attachments, malicious online advertisements, social engineering, software cracks.
Damage Stolen banking information, passwords, identity theft, victim's computer added to a botnet.

To eliminate HSBC bank virus our malware researchers recommend scanning your computer with Spyhunter.
▼ Download Spyhunter
Free scanner checks if your computer is infected. To remove malware, you have to purchase the full version of Spyhunter.

There are many trojan-type viruses that share similarities with TrickBot (including, for example, LokiBot, Emotet, Adwind, and FormBook). As with HSBC Email Virus, these viruses are also distributed using spam email campaigns. In addition, most trojans are designed to record personal information. Some, however, proliferate other viruses (usually, ransomware). In any case, all pose a direct threat to your privacy and browsing safety.

How did HSBC Email Virus infect my computer?

As mentioned above, "HSBC Email Virus" distributes a malicious MS Word document. After opening this file, users are encouraged to enable macro commands (otherwise the content will not be displayed properly), however, this is a trick - by enabling macros, users allow the document to execute commands that stealthily download and install TrickBot. This distribution method, however, has a major flaw - documents are able to download malware only if the user opens them using the MS Word program. Therefore, if the file is opened using any other app, malware will not be downloaded. Furthermore TrickBot targets the Microsoft Windows Operating System only - if you are using another platform, you are safe.

How to avoid installation of malware?

Lack of knowledge and careless behavior are the main reasons for computer infections - the key to safety is caution. Therefore, it is very important to pay close attention when browsing the Internet. Think twice before opening email attachments. If the file seems irrelevant or has been received from a suspicious email address, it should never be opened. 2010 and newer MS Office versions are developed to open new documents in "Protected View" mode. This prevents download and installation of malware. Therefore, using old versions is risky. We also strongly recommend that you have a reputable anti-virus/anti-spyware suite installed and running. If you have already opened "HSBC Email Virus" attachment, we recommend running a scan with Spyhunter for Windows to automatically eliminate infiltrated malware.

Text presented in the "HSBC Email Virus" email message:

Subject: Important : Troubles processing BACs payment
Good Morning,
We’re having troubles processing your request, we encountered an error processing your BACs payment.
What we need you to do
1. The documents are delivered through secure email via an attached file from HSBC. Please be aware this may be delivered to the spam folder.
2. When you open the document a message will appear saying the document requires phone verification. When you click the Send Code button, a code will be sent to your mobile phone.
3. Key that code in to the Code box on screen and select OK. You will now be able to complete the fields in the document as required.
4. Please note that the signature you upload needs to be a clear, current version of your standard signature which once added to the bank mandate can be used to authorise such account transactions as the paying away of funds.
5. Please ensure when you complete the form, that full names including any middle names are included.
6. When the final signatory has completed and signed the documents they will then be returned to me via secure email.
Yours sincerely
James Holand

Transaction Processing Specialist | Operations BACs, Faster Payments, CDD | Email:

Malicious attachment distributed via "HSBC Email Virus" spam campaign:

Malicious attachment distributed through HSBC Email Virus spam campaign

Second variant of "HSBC Email Virus":

Second HSBC Email Virus campaign variant

Text presented within this email:

Subject: Incoming high value CHAPS payments

Good Morning ,

We received 2 high value CHAPS payments requests into the branch today.

Please complete and sign the attached documents and return for processing.
We require this information before we can release the payments to your account.

Thank you,

Olivia Brown BA (Hons) Cert (RBCB)
Business Banking and Wealth Management
18 North Street, Leatherhead, Surrey KT22 7AR. South Region.

Phone 08455928172

HSBC Bank plc
Registered Office: 8 Canada Square, London E14 5HQ
Registered in England – Number 14259
Authorised by the Prudential Regulation Authority and regulated by the
Financial Conduct Authority and the Prudential Regulation Authority

This E-mail is confidential

It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return E-mail.

Internet communications cannot be guaranteed to be timely secure, error or virus-free. The sender does not accept liability for any errors or omissions.

Screenshot of the malicious attachment proliferated using the second variant of "HSBC Email Virus":

HSBC Email Virus another attachment

Third variant of "HSBC Email Virus":

HSBC Email sample 3

Text presented within this email:

Subject: Account Review

Account Review
Dear Sir/Madam

The account review files has been issued at the request of our customer, please download it from the link below:


Your documents have been encrypted with the strongest encryption and a unique key, please print and sign the attached document.

Yours faithfully,
Global Payment and Cash Management

Screenshot of the malicious attachment proliferated using the third variant of "HSBC Email Virus":

HSBC Email Virus malicious attachment (sample 3)

Yet another variant of HSBC email spam campaign:

A variant of HSBC email virus

Text presented within this email:

Good day, Our Ref: WA3AEMIDLGB31.
Find enclosed payment copy made to your company account on behalf of our client to your receiving bank dated 10/04/2019. Kindly confirm payment and client Ref details from attache' swift copy and advice accordingly.
Awaiting your confirmation
Best Regards,
David Wong Funds Transfer Dept., Business Banking, Eastern District, Commercial Banking The Hongkong and Shanghai Banking Corporation Limited (1-1SBC 14/F, Causeway Bay Plaza Two, 463-483 Lockhart Road, Causeway Bay, Hong Kong. Email:  web: hxxps://

Screenshot of the malicious Microsoft Excel attachment ("Paymentreceipt.xlsx"):

HSBC Email virus malicious attachment

Yet another variant of "HSBC" email spam campaign. This variant distributes NanoCore remote access trojan and the attachment is "swift_274456.iso", which contains "swift_274456.exe" file.

Screenshot of deceptive email:

HSBC email spam campaign distributing NanoCore trojan

Text presented within this email:

Greetings.. The attached payment advice is issued at the request of our customer. please kindly confirm your bank swift-code/account body,

we have been trying to send this funds out to you lately but it had always bounced back.

This advice is for your reference only**
Yours faithfully,

Global Payments and Cash Management


Skype: rick.tev2
This is not an auto-generated email, please TAKE NOTE. Awaiting your urgent reply in order to proceed again.
Security tips

1. Install virus detection software and personal firewall on your computer. This software needs to be updated regularly to ensure you have the latest protection.

2. To prevent viruses or other unwanted problems, do not open attachments from unknown or non-trustworthy sources.

3. If you discover any unusual activity, please contact the remitter of this payment as soon as possible.

Screenshot of the malicious attachment:

HSBC email spam campaign malicious attachment swift_274456.iso

Threat Summary:
Name swift_274456.iso
Threat Type Remote access trojan, Password stealing virus, Banking malware, Spyware
Detection Names Antiy-AVL (Trojan[Dropper]/Win32.Sysn), McAfee (Artemis!9585B363E418), Microsoft (Trojan:Win32/Sonbokli.A!cl), Tencent (Win32.Trojan.Autoit.Auto), Full List (VirusTotal)
Payload NanoCore RAT
Symptoms Trojans are designed to stealthily infiltrate victim's computer and remain silent thus no particular symptoms are clearly visible on an infected machine.
Distribution methods Infected email attachments, malicious online advertisements, social engineering, software cracks.
Damage Stolen banking information, passwords, identity theft, victim's computer added to a botnet.

To eliminate HSBC bank virus our malware researchers recommend scanning your computer with Spyhunter.
▼ Download Spyhunter
Free scanner checks if your computer is infected. To remove malware, you have to purchase the full version of Spyhunter.

Instant automatic removal of HSBC bank virus: Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Spyhunter is a professional automatic malware removal tool that is recommended to get rid of HSBC bank virus. Download it by clicking the button below:
▼ DOWNLOAD Spyhunter By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. Free scanner checks if your computer is infected. To remove malware, you have to purchase the full version of Spyhunter.

Quick menu:

How to remove malware manually?

Manual malware removal is a complicated task - usually it is best to allow antivirus or anti-malware programs to do this automatically. To remove this malware we recommend using Spyhunter for Windows. If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here is an example of a suspicious program running on a user's computer:

malicious process running on user's computer sample

If you checked the list of programs running on your computer, for example using task manager, and identified a program that looks suspicious, you should continue with these steps:

manual malware removal step 1 Download a program called Autoruns. This program shows auto-start applications, Registry, and file system locations:

screenshot of autoruns application

manual malware removal step 2Restart your computer into Safe Mode:

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Safe Mode with Networking

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Windows 8 Safe Mode with networking

Video showing how to start Windows 8 in "Safe Mode with Networking":

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options". In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.

windows 10 safe mode with networking

Video showing how to start Windows 10 in "Safe Mode with Networking":


manual malware removal step 3Extract the downloaded archive and run the Autoruns.exe file.

extract and run autoruns.exe

manual malware removal step 4In the Autoruns application, click "Options" at the top and uncheck the "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure, click the "Refresh" icon.

Click 'Options' at the top and uncheck 'Hide Empty Locations' and 'Hide Windows Entries' options

manual malware removal step 5Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.

You should write down its full path and name. Note that some malware hides process names under legitimate Windows process names. At this stage, it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right click your mouse over its name and choose "Delete".

locate the malware file you want to remove

After removing the malware through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, remove it.

searching for malware file on your computer

Reboot your computer in normal mode. Following these steps should remove any malware from your computer. Note that manual threat removal requires advanced computer skills. If you do not have these skills, leave malware removal to antivirus and anti-malware programs. These steps might not work with advanced malware infections. As always it is best to prevent infection than try to remove malware later. To keep your computer safe, install the latest operating system updates and use antivirus software.

To be sure your computer is free of malware infections we recommend scanning it with Spyhunter for Windows.