MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4be0aa46d7fc6deab04f210881e4f9ce9914fd3ca407f7f2f6782b6ee0e628fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StrelaStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 58 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4be0aa46d7fc6deab04f210881e4f9ce9914fd3ca407f7f2f6782b6ee0e628fe
SHA3-384 hash: c00935c1296201ee8f99d02564bbd24da45465fd5f687876f95e94c147d2cf9a2afcc275c24dbca831d817341509a963
SHA1 hash: 10de61d5eb28aa22e81c8aa07021d8e5d2ea2955
MD5 hash: 58de9a3596dcbd86d6e37e55e2f9572d
humanhash: venus-mars-vegan-bulldog
File name:setup.msi
Download: download sample
Signature StrelaStealer
Create hunting rule
File size:11'649'024 bytes
First seen:2026-04-11 18:46:00 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:ujkjviEtUvQw9BDJuyx6GK3ji5Stzvdf3c0c5r5jEOuIbxsbFSdPMG:ujkjPah9hJ6GK3jXtLdEVruIbxSm7
TLSH T11EC6335637A3494AE08B433062238656EB24BC465B9C63DF4258FF1B4E737F06CB5AB4
TrID 86.8% (.MSI) Microsoft Windows Installer (454500/1/170)
11.6% (.MST) Windows SDK Setup Transform script (61000/1/5)
1.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter smica83
Tags:msi StrelaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
MSI
Details
MSI
an embedded setup program or component
Link:
https://research.acce.ciphertechsolutions.com/results/8e431512-f37e-4fc6-b16c-fab1008c1218/
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/61175/
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69da970266ab6d001dd15c9b
Tags:
shellcode spawn
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug anti-vm installer lolbin packed rundll32 wix
Link:
https://www.filescan.io/uploads/69da96fc799d5bf325f7e1b9/reports/d1a0280a-b42e-48e7-8bde-416d04e2eec4/overview
Verdict:
Suspicious
Labled as:
W64/ABTrojan.QUDR
Link:
https://www.hybrid-analysis.com/sample/4be0aa46d7fc6deab04f210881e4f9ce9914fd3ca407f7f2f6782b6ee0e628fe
Verdict:
Malicious
File Type:
msi
First seen:
2026-04-11T15:57:00Z UTC
Last seen:
2026-04-11T16:27:00Z UTC
Hits:
~10
Detections:
Trojan.Win64.Reflo.sb Trojan-PSW.MSIL.Phemedrone.go Trojan-PSW.MSIL.Phemedrone.sb Trojan-GameThief.Win32.Worgtop.f Trojan-GameThief.MSIL.Worgtop.c Trojan-PSW.Agent.HTTP.C&C Trojan-PSW.Win32.Agent.sb Trojan-Downloader.Win32.Inject.sb Trojan.Win32.Agent.sb Trojan-GameThief.MSIL.Worgtop.b Trojan-PSW.Win32.Stelega.sb Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.Stealer.sb Trojan-PSW.MSIL.DiscoStealer.sb
Link:
https://opentip.kaspersky.com/4be0aa46d7fc6deab04f210881e4f9ce9914fd3ca407f7f2f6782b6ee0e628fe/results?tab=lookup
Result
Threat name:
AveMaria, GO Agent, Go Keylogger, Gocode
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1896928
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Yara detected AveMaria stealer
Yara detected GO Agent
Yara detected Go Keylogger
Yara detected Gocoder ransomware
Yara detected Keylogger Generic
Yara detected Strela Stealer
Yara detected Telegram RAT
Yara detected Telegram Recon
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1896928 Sample: setup.msi Startdate: 11/04/2026 Architecture: WINDOWS Score: 100 86 api.telegram.org 2->86 88 ip-api.com 2->88 96 Suricata IDS alerts for network traffic 2->96 98 Found malware configuration 2->98 100 Sigma detected: Capture Wi-Fi password 2->100 104 13 other signatures 2->104 12 msiexec.exe 3 5 2->12         started        15 rundll32.exe 2 2->15         started        18 msiexec.exe 4 2->18         started        signatures3 102 Uses the Telegram API (likely for C&C communication) 86->102 process4 file5 72 C:\Windows\Installer\MSI7FFA.tmp, PE32+ 12->72 dropped 74 C:\Windows\Installer\MSI7B75.tmp, PE32+ 12->74 dropped 20 msiexec.exe 5 15 12->20         started        23 msiexec.exe 12->23         started        76 C:\Users\user\AppData\...\CripStealer.exe, PE32 15->76 dropped 78 C:\Users\user\...\mainthost.dll.tmp (copy), PE32+ 15->78 dropped 120 Found many strings related to Crypto-Wallets (likely being stolen) 15->120 25 cmd.exe 1 15->25         started        80 C:\Users\user\AppData\Local\...\MSI57FF.tmp, PE32+ 18->80 dropped signatures6 process7 file8 64 C:\Users\user\AppData\Local\...\mainthost.dll, PE32+ 20->64 dropped 66 C:\Users\user\AppData\...\offlinesvc.dll, PE32+ 20->66 dropped 68 C:\Users\user\AppData\Local\...\wpdshim.dll, PE32+ 20->68 dropped 70 C:\Users\user\...\wpfrender_14AC20A3.dll, PE32+ 20->70 dropped 27 rundll32.exe 2 20->27         started        32 CripStealer.exe 3 25->32         started        34 conhost.exe 25->34         started        process9 dnsIp10 94 45.90.98.215, 49718, 49725, 49729 MEER-ASmeerfarbigGmbHCoKGDE Germany 27->94 82 C:\Users\user\AppData\...\CripStealer.exe, PE32 27->82 dropped 84 C:\...\wpfrender_14AC20A3.dll.tmp (copy), PE32+ 27->84 dropped 114 System process connects to network (likely due to code injection or exploit) 27->114 116 Protects its processes via BreakOnTermination flag 27->116 36 cmd.exe 1 27->36         started        118 Multi AV Scanner detection for dropped file 32->118 file11 signatures12 process13 process14 38 CripStealer.exe 19 2 36->38         started        42 conhost.exe 36->42         started        dnsIp15 90 ip-api.com 208.95.112.1, 443, 49734 TUT-ASUS United States 38->90 92 api.telegram.org 149.154.166.110, 443, 49736 TELEGRAMRU United Kingdom 38->92 106 Multi AV Scanner detection for dropped file 38->106 108 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 38->108 110 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 38->110 112 11 other signatures 38->112 44 netsh.exe 2 38->44         started        46 net.exe 1 38->46         started        48 VaultCmd.exe 1 38->48         started        50 3 other processes 38->50 signatures16 process17 process18 52 conhost.exe 44->52         started        54 conhost.exe 46->54         started        56 conhost.exe 48->56         started        58 conhost.exe 50->58         started        60 conhost.exe 50->60         started        62 conhost.exe 50->62         started       
Score:
97%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/4be0aa46d7fc6deab04f210881e4f9ce9914fd3ca407f7f2f6782b6ee0e628fe
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4be0aa46d7fc6deab04f210881e4f9ce9914fd3ca407f7f2f6782b6ee0e628fe/
Verdict:
Malicious
Threat:
Trojan-PSW.MSIL.Worgtop
Link:
https://tip.neiki.dev/file/4be0aa46d7fc6deab04f210881e4f9ce9914fd3ca407f7f2f6782b6ee0e628fe
Threat name:
Win64.Trojan.Phemedrone
Create hunting rule
Status:
Malicious
First seen:
2026-04-11 05:36:38 UTC
File Type:
Binary (Archive)
Extracted files:
2
AV detection:
11 of 23 (47.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jpqkurwx7rw6vmcpeeeidzhzz2mrj7j4uqd7p4xwpavw5yhgfd7a._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection credential_access defense_evasion discovery persistence privilege_escalation ransomware spyware stealer
Link:
https://tria.ge/reports/260411-xesnrahz5z/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies registry class
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
outlook_office_path
outlook_win_path
Browser Information Discovery
Event Triggered Execution: Installer Packages
Event Triggered Execution: Netsh Helper DLL
System Network Configuration Discovery: Wi-Fi Discovery
Drops file in Windows directory
Accesses Microsoft Outlook profiles
Checks installed software on the system
Enumerates connected drives
Looks up external IP address via web service
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Badlisted process makes network request
Modifies Windows Firewall
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4be0aa46d7fc6deab04f210881e4f9ce9914fd3ca407f7f2f6782b6ee0e628fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:dgaaga
Create hunting rule
Author:Harshit
Description:Detects suspicious PowerShell or registry activity
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Golang_Find_CSC846
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:Golang_Find_CSC846_Simple
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:Go_Malware_Yamux_Variant
Create hunting rule
Author:Gemini
Description:Detects a specific Go-based malware variant using the yamux library, with shared strings and constants across x86 and ARM architectures.
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of MFA browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:Macos_Infostealer_Wallets_8e469ea0
Create hunting rule
Author:Elastic Security
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:ReflectiveLoader
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Suspicious_Golang_Binary
Create hunting rule
Author:Tim Machac
Description:Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)
Rule name:Suspicious_Process
Create hunting rule
Author:Security Research Team
Description:Suspicious process creation
Rule name:Sus_All_Windows_PE_Malware
Create hunting rule
Author:DiegoAnalytics
Description:Detects Windows PE malware of all types, avoids non-executables like .html
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:TelegramAPIMalware_PowerShell_EXE
Create hunting rule
Author:@polygonben
Description:Hunting for pwsh malware using Telegram for C2
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:WIN_WebSocket_Base64_C2_20250726
Create hunting rule
Author:dogsafetyforeverone
Description:Detects configuration strings used by malware to specify WebSocket command-and-control endpoints inside Base64-encoded data. It looks for prefixes such as '#ws://' or '#wss://' that were found in QuasarRAT configuration data.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/61175/

Comments