MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ac8844c577a69405eaf28e397fe1d3bd2d98e899d4164dde2bc4367d95f0d7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StrelaStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ac8844c577a69405eaf28e397fe1d3bd2d98e899d4164dde2bc4367d95f0d7a
SHA3-384 hash: ca566752fa785f10adc3b1411bcd14014a8624c588b38e30a8f74dd053ea11df529fa30a240d6adfb98a0ba9e5f68e1e
SHA1 hash: 152ebf56ed04ad5680e32efd883451fe704a7e5b
MD5 hash: bcb1952382493e027419c720e27f4ad6
humanhash: low-lake-jersey-minnesota
File name:Riyadh Project 1107-991875 Kiosk Proj.js
Download: download sample
Signature StrelaStealer
Create hunting rule
File size:292'860 bytes
First seen:2026-04-15 07:52:44 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 6144:0WmHCBjqVBgZSb/tttDKW6taOtVKBfg8NbuT8tUwTHsT:0WmmjwgZSrttJK9tauVKBfBi6zTW
Threatray 128 similar samples on MalwareBazaar
TLSH T12A540F38ADEE001AB1B3EF55AEE47493D96FBB63370E989C1081034A4723945EDD563E
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika autohotkey
Reporter abuse_ch
Tags:js StrelaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection(s):
Sanesecurity.Malware.26250.JsHeur.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69df23b1f68adfe10039f374
Tags:
n/a
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
repaired
Link:
https://www.filescan.io/uploads/69df44329124ebc08752919c/reports/d3bf1f7b-860b-4c73-8475-23b0909ad197/overview
Verdict:
Suspicious
Labled as:
TR/JS.Downloader
Link:
https://www.hybrid-analysis.com/sample/7ac8844c577a69405eaf28e397fe1d3bd2d98e899d4164dde2bc4367d95f0d7a
Verdict:
Malicious
File Type:
js
First seen:
2026-04-15T01:00:00Z UTC
Last seen:
2026-04-15T23:51:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Coins.sb Trojan-PSW.Win32.Agent.sb Trojan-PSW.MSIL.Stealer.sb PDM:Trojan.Win32.Generic HEUR:Trojan.Script.Generic Trojan.Win32.Agent.sb Trojan.MSIL.Agent.sb
Link:
https://opentip.kaspersky.com/7ac8844c577a69405eaf28e397fe1d3bd2d98e899d4164dde2bc4367d95f0d7a/results?tab=lookup
Result
Threat name:
Clipboard Hijacker, Strela Stealer
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1898555
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Contains functionality to hide user accounts
Contains functionality to start a terminal service
Deletes shadow drive data (may be related to ransomware)
Early bird code injection technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Yara detected Generic Stealer
Yara detected Powershell decode and execute
Yara detected Strela Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1898555 Sample: Riyadh Project 1107-991875 ... Startdate: 15/04/2026 Architecture: WINDOWS Score: 100 23 ip-api.com 2->23 25 dubaitechnicalservice.ae 2->25 39 Malicious sample detected (through community Yara rule) 2->39 41 Antivirus detection for URL or domain 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 11 other signatures 2->45 9 wscript.exe 1 1 2->9         started        signatures3 process4 signatures5 55 JScript performs obfuscated calls to suspicious functions 9->55 57 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->57 59 Suspicious execution chain found 9->59 61 WScript reads language and country specific registry keys (likely country aware script) 9->61 12 conhost.exe 9->12         started        process6 signatures7 63 Bypasses PowerShell execution policy 12->63 15 powershell.exe 14 15 12->15         started        process8 dnsIp9 29 dubaitechnicalservice.ae 103.227.176.4, 443, 49693 A2HOSTINGUS Singapore 15->29 31 Early bird code injection technique detected 15->31 33 Hijacks the control flow in another process 15->33 35 Contains functionality to start a terminal service 15->35 37 6 other signatures 15->37 19 help.exe 13 15->19         started        signatures10 process11 dnsIp12 27 ip-api.com 208.95.112.1, 49694, 80 TUT-ASUS United States 19->27 47 Contains functionality to start a terminal service 19->47 49 Contains functionality to hide user accounts 19->49 51 Deletes shadow drive data (may be related to ransomware) 19->51 53 Unusual module load detection (module proxying) 19->53 signatures13
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/7ac8844c577a69405eaf28e397fe1d3bd2d98e899d4164dde2bc4367d95f0d7a
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7ac8844c577a69405eaf28e397fe1d3bd2d98e899d4164dde2bc4367d95f0d7a/
Verdict:
Malicious
Threat:
Trojan-PSW.Win32.Stealer
Link:
https://tip.neiki.dev/file/7ac8844c577a69405eaf28e397fe1d3bd2d98e899d4164dde2bc4367d95f0d7a
Threat name:
Script-JS.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-04-15 04:00:24 UTC
File Type:
Text (JavaScript)
AV detection:
2 of 36 (5.56%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pleiitcxpjuuaxvpfdrzp7q5hpjntdujtvawjxpcxrbwpwk7bv5a._file
Verdict:
malicious
Label(s):
unc_stealer_006
Create hunting rule
Similar samples:
1dc49390801ae4be6be1568ca9616aa9d9368b4ee5f009a15d69ec73bb453f61
StrelaStealer
206bc809554c8877ae3ddff321ce2a637a122451a24482eac52d5606680f4488
StrelaStealer
3e0429ba1bb7bb27751b7bf7d1f6c9561ffe5dcd41dd9ef7ef6d17f0b0a29b90
StrelaStealer
435bceaf240dd7711542a723a6988b280948e77e9953614d981d653680de9f49
StrelaStealer
4f7a1178edc345dbb094aef8d04c5ccdb2d11dc90ac1eae893841f90e1c5a066
StrelaStealer
5f8c68208da634266a32abc0ae86146ed0178e4f5c2253e880b4cfc6caac5f06
StrelaStealer
8fbc6e130495a84791fe0fddb2f49e158b52a2fa3207c58c8576b79be40cb1df
StrelaStealer
d6802fce5b918ed247ba85d6aa0545a8120cfbc3734b1c37794c4e381862d4ee
StrelaStealer
e48aae30303baaabdf26a9554bdc9da8d2215b584c14c6a787e027f48fdc610b
StrelaStealer
error
StrelaStealer
+ 118 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/260415-jrl5vag16j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Checks computer location settings
Badlisted process makes network request
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7ac8844c577a69405eaf28e397fe1d3bd2d98e899d4164dde2bc4367d95f0d7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments