MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3483b7680898f8691b352ba248dc962c3e7734e7da76f78dcd4a31e2a2342ea1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SiriusRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash: 3483b7680898f8691b352ba248dc962c3e7734e7da76f78dcd4a31e2a2342ea1
SHA3-384 hash: 11e2e25e4e7f1fda7970f820f06665af22a805bfbe437b0d1240aefc07e683131e10f3230ec6e9a9ec39d687a1eb1a15
SHA1 hash: eb2807792d9638986206622279ccb2f62c8a4331
MD5 hash: 75757460119ac9a01665a0e268bab386
humanhash: jersey-michigan-four-fourteen
File name:ET8356296342523.js
Download: download sample
Signature SiriusRAT
File size:2'700'262 bytes
First seen:2026-06-22 15:17:31 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 12288:pPly9JGCkCKvkS9/yx1xs8HbUQyUUU/UCUeUUUXUh5:QV7J
Threatray 58 similar samples on MalwareBazaar
TLSH T1B8C5CA68CFA291509122EB169DE22161626F236737DB6D3C347F0FDC1B126F6513AB0E
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika txt
Reporter abuse_ch
Tags:js SiriusRAT

Intelligence


File Origin
# of uploads :
1
# of downloads :
125
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 conhost powershell repaired
Verdict:
Malicious
File Type:
js
First seen:
2026-06-22T07:47:00Z UTC
Last seen:
2026-06-23T23:46:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Script.Generic PDM:Trojan.Win32.Generic
Result
Threat name:
RDPWrap Tool, Clipboard Hijacker, Phoeni
Detection:
malicious
Classification:
rans.spre.troj.spyw.expl.evad
Score:
100 / 100
Signature
Contains functionality to hide user accounts
Contains functionality to start a terminal service
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Deletes shadow drive data (may be related to ransomware)
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Tries to access browser extension known for cryptocurrency wallets
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Yara detected Generic Stealer
Yara detected Phoenix Stealer
Yara detected RDPWrap Tool
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1931982 Sample: ET8356296342523.js Startdate: 22/06/2026 Architecture: WINDOWS Score: 100 35 ip-api.com 2->35 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected Generic Stealer 2->49 51 6 other signatures 2->51 10 wscript.exe 1 1 2->10         started        signatures3 process4 signatures5 53 JScript performs obfuscated calls to suspicious functions 10->53 55 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->55 57 Suspicious execution chain found 10->57 59 WScript reads language and country specific registry keys (likely country aware script) 10->59 13 conhost.exe 10->13         started        process6 signatures7 61 Encrypted powershell cmdline option found 13->61 16 powershell.exe 1 32 13->16         started        process8 dnsIp9 31 ip-api.com 208.95.112.1, 49706, 80 TUT-AS-TotalUptimeTechnologiesLLCUS United States 16->31 33 94.26.106.34, 4449, 49705, 49707 DF-TRANSITDE Germany 16->33 27 C:\Users\user\AppData\...\places.sqlite-shm, data 16->27 dropped 29 C:\Users\user\AppData\...\cookies.sqlite-shm, data 16->29 dropped 37 Creates an undocumented autostart registry key 16->37 39 Contains functionality to start a terminal service 16->39 41 Contains functionality to hide user accounts 16->41 43 10 other signatures 16->43 21 msedge.exe 3 16->21         started        23 chrome.exe 1 16->23         started        file10 signatures11 process12 process13 25 msedge.exe 21->25         started       
Gathering data
Threat name:
Win32.Trojan.Malgent
Status:
Malicious
First seen:
2026-06-22 15:24:47 UTC
File Type:
Text (JavaScript)
AV detection:
10 of 38 (26.32%)
Threat level:
  5/5
Result
Malware family:
siriusrat
Score:
  10/10
Tags:
family:siriusrat collection defense_evasion discovery execution persistence rat
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Time Discovery
Drops file in Windows directory
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Registers new Windows logon scripts automatically executed at logon.
Badlisted process makes network request
Detects SiriusRAT
Family: SiriusRAT
Malware Config
C2 Extraction:
94.26.106.34:4449
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:telebot_framework
Author:vietdx.mb

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments