MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0464a153095ca27becc740b81fe862a22fcb2b8988492d0e93c115dff45ea480. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StrelaStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0464a153095ca27becc740b81fe862a22fcb2b8988492d0e93c115dff45ea480
SHA3-384 hash: dc60a77df4667b49820e1f3612640804641ec61f82ee6707869fa81a6bbc2b7667f5761ca73bc584b565952b3424254f
SHA1 hash: 74e2c387e5723f9e30727800df70b35d64724b52
MD5 hash: c03539ea1351c9026f0e54d6f9d4c1cf
humanhash: california-two-one-black
File name:PO#MAIN450000000227897_Sraco.bat
Download: download sample
Signature StrelaStealer
Create hunting rule
File size:196'423 bytes
First seen:2026-04-09 10:54:02 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 3072:vDMZbUktBmyB/HHW/PCCMSmTbs1EOygCWqk21kMTA+hq+DwZNWoi9BTnCMoXyE6:vDMZQktBm0/HHWnCCMfYEOCazD+pkZ4T
Threatray 11 similar samples on MalwareBazaar
TLSH T14E14123BCBC5BA5ECA051B7420F5C894227EEA878B13E34EC54C7AA527AC4C531DDB54
Magika batch
Reporter lowmal3
Tags:bat StrelaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
63
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_0464a153095ca27becc740b81fe862a22fcb2b8988492d0e93c115dff45ea480.txt
Verdict:
No threats detected
Analysis date:
2026-04-09 10:55:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9681cd2b-92bc-4585-a4aa-eb8077486fe9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/60950/
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69d785626a61012f6ad055c4
Tags:
n/a
Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching cmd.exe command interpreter
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
base64 obfuscated
Link:
https://www.filescan.io/uploads/69d78558d920e19044f507db/reports/8611b8ff-0cd4-4f79-a77a-6686698f3807/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/0464a153095ca27becc740b81fe862a22fcb2b8988492d0e93c115dff45ea480
Verdict:
Malicious
File Type:
unix shell
First seen:
2026-04-09T03:38:00Z UTC
Last seen:
2026-04-11T09:16:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/0464a153095ca27becc740b81fe862a22fcb2b8988492d0e93c115dff45ea480/results?tab=lookup
Result
Threat name:
Clipboard Hijacker, Strela Stealer
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1895886
Signature
Bypasses PowerShell execution policy
Contains functionality to hide user accounts
Contains functionality to start a terminal service
Creates an undocumented autostart registry key
Deletes shadow drive data (may be related to ransomware)
Early bird code injection technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Queues an APC in another process (thread injection)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Capture Wi-Fi password
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious command line found
Suspicious execution chain found
Tries to access browser extension known for cryptocurrency wallets
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Yara detected Powershell decode and execute
Yara detected Strela Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1895886 Sample: PO#MAIN450000000227897_Sraco.bat Startdate: 09/04/2026 Architecture: WINDOWS Score: 100 40 twc.trafficmanager.net 2->40 42 time.windows.com 2->42 44 2 other IPs or domains 2->44 54 Malicious sample detected (through community Yara rule) 2->54 56 Sigma detected: Capture Wi-Fi password 2->56 58 Yara detected Strela Stealer 2->58 60 13 other signatures 2->60 10 cmd.exe 1 2->10         started        signatures3 process4 signatures5 70 Bypasses PowerShell execution policy 10->70 72 Uses netsh to modify the Windows network and firewall settings 10->72 74 Tries to harvest and steal WLAN passwords 10->74 76 Suspicious command line found 10->76 13 powershell.exe 16 18 10->13         started        18 conhost.exe 10->18         started        20 cmd.exe 1 10->20         started        process6 dnsIp7 52 pwndrop.llcsintez-n.org 64.23.210.220, 443, 49718 AFFINITY-FTLUS United States 13->52 38 MutationHorsebackR...uentsMilfhunter.bat, ASCII 13->38 dropped 80 Early bird code injection technique detected 13->80 82 Creates an undocumented autostart registry key 13->82 84 Contains functionality to start a terminal service 13->84 86 7 other signatures 13->86 22 RegAsm.exe 27 13->22         started        file8 signatures9 process10 dnsIp11 46 ip-api.com 208.95.112.1, 49720, 80 TUT-ASUS United States 22->46 48 twc.trafficmanager.net 40.119.6.228, 123, 51978 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 22->48 50 107.172.135.18, 4449, 49721 AS-COLOCROSSINGUS United States 22->50 62 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->62 64 Contains functionality to start a terminal service 22->64 66 Contains functionality to hide user accounts 22->66 68 8 other signatures 22->68 26 cmd.exe 2 22->26         started        signatures12 process13 file14 36 C:\Users\user\AppData\...\wifi_profiles.tmp, ASCII 26->36 dropped 78 Tries to harvest and steal WLAN passwords 26->78 30 netsh.exe 2 26->30         started        32 conhost.exe 26->32         started        34 chcp.com 1 26->34         started        signatures15 process16
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/0464a153095ca27becc740b81fe862a22fcb2b8988492d0e93c115dff45ea480
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0464a153095ca27becc740b81fe862a22fcb2b8988492d0e93c115dff45ea480/
Verdict:
Susipicious
Link:
https://tip.neiki.dev/file/0464a153095ca27becc740b81fe862a22fcb2b8988492d0e93c115dff45ea480
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2026-04-09 10:54:25 UTC
File Type:
Text (Batch)
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=arskcuyjlsrhx3ghic4b72dcuix4wk4jrbes2dutyek575c6usaa._file
Verdict:
malicious
Label(s):
unc_stealer_006
Create hunting rule
Similar samples:
0563f9e1d0fe8c2cf932f55fb8341ee86c1d1ee7d1be5d99f929db36d92dcf97
StrelaStealer
1dc49390801ae4be6be1568ca9616aa9d9368b4ee5f009a15d69ec73bb453f61
StrelaStealer
5f8c68208da634266a32abc0ae86146ed0178e4f5c2253e880b4cfc6caac5f06
StrelaStealer
6c088016a0e185ffe40ec6cf25173f5e623ac11193b247e4ca7230ffd797fa82
StrelaStealer
7baec10572549525371602d096866b664b63f9bd0d8b15a21a0e68bda1d76432
StrelaStealer
93b70cbf0e33621499d8d076fece24e5683003c728652711934d0bfc1902adbd
StrelaStealer
d1a1e6a2c0adc45a4cf40128e683499cd984d5803ad2e3a1ce26768a612eaec2
StrelaStealer
d2011ed4fe2998724e3312174be8f32f65f858ddcd1f1b40ea3ac0806c007d9f
StrelaStealer
e48aae30303baaabdf26a9554bdc9da8d2215b584c14c6a787e027f48fdc610b
StrelaStealer
error
StrelaStealer
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection discovery persistence privilege_escalation spyware stealer
Link:
https://tria.ge/reports/260409-mzqpsafx7z/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
System Network Configuration Discovery: Wi-Fi Discovery
Accesses Microsoft Outlook profiles
Checks installed software on the system
Looks up external IP address via web service
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Registers new Windows logon scripts automatically executed at logon.
Badlisted process makes network request
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0464a153095ca27becc740b81fe862a22fcb2b8988492d0e93c115dff45ea480

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:WIN_FileFix_Detection
Create hunting rule
Author:dogsafetyforeverone
Description:Detects FileFix social engineering technique that launches chained PowerShell and PHP commands from file explorer typed paths
Reference:FileFix social engineering with PowerShell and PHP commands

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

StrelaStealer

Batch (bat) bat 0464a153095ca27becc740b81fe862a22fcb2b8988492d0e93c115dff45ea480

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/60950/

Comments