MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e8b9bcb0dba0271ad431077219b073584aceb075b131f49f652e9312de7880f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



StrelaStealer


Vendor detections: 9



SHA256 hash: 7e8b9bcb0dba0271ad431077219b073584aceb075b131f49f652e9312de7880f
SHA3-384 hash: 3265700b1c95b62e2a89d68d32a6d7eb7f3e8bc5bd99e5796355b9619a0cd3ae7d9fc2aec7b78b1fc8a9893247f2aef7
SHA1 hash: bce5940bf4e2061a7f34c422110e5843c78682d9
MD5 hash: 3c4112a19fe87b0a372894f6ddcdcd92
humanhash: idaho-alabama-ten-delaware
File name: 2202031HBL 2ND UPDATE OBD BL.js
Signature: StrelaStealer
File size: 352'244 bytes
First seen: 2026-03-24 08:56:22 UTC
Last seen: 2026-03-24 11:58:40 UTC
File type: Java Script (JS) js
MIME type: text/plain
ssdeep: 6144:YTJzhkCgs/yOZDxwVSoBr6qS2W4ceV09Wna5F63QjVCYBvRFemjJ7efW:YTphk9sTSUoBrK4ceV0oaAQnp9ke
TLSH: T1A874494653F98508F5F34F88BEBB64610E7BBE6A1D39C02D25A8140D4AB3E149CA57F3
TrID: 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
      33.3% (.MP3) MP3 audio (1000/1)
Magika: vba
Reporter: lowmal3
Tags: js StrelaStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 109
Origin country: DE
Vendor Threat Intelligence
No detections

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: exploit repaired

Verdict: Malicious
File Type: js
Detections: PDM:Trojan.Win32.Generic, HEUR:Trojan.Script.Generic

Result
Threat name: Clipboard Hijacker, Strela Stealer
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
Bypasses PowerShell execution policy
Contains functionality to hide user accounts
Contains functionality to start a terminal service
Creates an undocumented autostart registry key
Deletes shadow drive data (may be related to ransomware)
Early bird code injection technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Queues an APC in another process (thread injection)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Capture Wi-Fi password
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Tries to access browser extension known for cryptocurrency wallets
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses netsh to modify the Windows network and firewall settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Yara detected Clipboard Hijacker
Yara detected Powershell decode and execute
Yara detected Strela Stealer
Behaviour
Behavior Graph ID: 1888084
Sample: 2202031HBL 2ND UPDATE OBD BL.js
Start date: 24/03/2026
Architecture: WINDOWS
Score: 100

Process tree recovered from the behavior graph (each node lists its network contacts, dropped files and matched signatures; "N other signatures" is the count shown in the graph):

Sample: 2202031HBL 2ND UPDATE OBD BL.js
  DNS: www.google.com, i.postimg.cc
  Signatures: Malicious sample detected (through community Yara rule); Sigma detected: Capture Wi-Fi password; Yara detected Strela Stealer; 9 other signatures
  started wscript.exe
    Signatures: JScript performs obfuscated calls to suspicious functions; Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found; WScript reads language and country specific registry keys (likely country aware script)
    started conhost.exe
      Signatures: Bypasses PowerShell execution policy
      started powershell.exe
        Network: i.postimg.cc 162.251.63.43, 443, 49693, AS-GLOBALTELEHOSTUS, United States
        Signatures: Early bird code injection technique detected; Creates an undocumented autostart registry key; Hijacks the control flow in another process; 8 other signatures
        started RegAsm.exe
          Network: 170.168.61.77, 4449, 49695, HNBCOL-ASUS, United States; www.google.com 142.251.154.119, 443, 49694, GOOGLEUS, United States
          Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); 5 other signatures
          started cmd.exe
            Dropped file: C:\Users\user\AppData\...\wifi_profiles.tmp (ASCII)
            Signatures: Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal WLAN passwords
            started netsh.exe
            started conhost.exe
            started chcp.com
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2026-03-24 07:15:52 UTC
File Type: Text (JavaScript)
AV detection: 4 of 24 (16.67%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: collection discovery execution persistence privilege_escalation spyware stealer
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Network Configuration Discovery: Wi-Fi Discovery
Accesses Microsoft Outlook profiles
Checks installed software on the system
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Registers new Windows logon scripts automatically executed at logon.
Badlisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded form

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

StrelaStealer

File type: Java Script (JS) js
SHA256: 7e8b9bcb0dba0271ad431077219b073584aceb075b131f49f652e9312de7880f (this sample)
Delivery method: Distributed via e-mail attachment

Comments