MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93b70cbf0e33621499d8d076fece24e5683003c728652711934d0bfc1902adbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StrelaStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 93b70cbf0e33621499d8d076fece24e5683003c728652711934d0bfc1902adbd
SHA3-384 hash: 3856dd8b672f7d170f1996bb7f508d15cf773ccbab14b4b7515ffe0a545c21dde9c7840e796993574a0863e6408cc682
SHA1 hash: 16f5398cf0893a9b6744024c20a59eba40a1dc80
MD5 hash: 3f56517f1c31f0866504a5126dc05ff2
humanhash: tennis-black-uniform-carpet
File name:Confirmation Slip-025521443553574554#.vbs
Download: download sample
Signature StrelaStealer
Create hunting rule
File size:23'609 bytes
First seen:2026-04-09 07:13:13 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 384:KKpB/6ySwa0SWLcgiyPS5icQI36Yig66oiciwLSdMLaJ5E2PKZ5kR8VmY6nuV0/f:KI+KoNt3BqDiweneH929e6UfA6I0g
Threatray 26 similar samples on MalwareBazaar
TLSH T165B2303EC9859FF00B2A31A2A52F7A1664150367B5382A4D78CFC19D3B35A50CBF54EE
Magika vba
Reporter abuse_ch
Tags:StrelaStealer vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
37
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/60912/
Verdict:
Clean
Score:
89.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69d7519d66ab6d001dd082b2
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 base64 encrypted evasive guloader obfuscated powershell powershell
Link:
https://www.filescan.io/uploads/69d751995ea31bc68a1a7224/reports/55fb4171-991d-489f-95fd-9e4d559c4761/overview
Verdict:
Malicious
Labled as:
PowerShell/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/93b70cbf0e33621499d8d076fece24e5683003c728652711934d0bfc1902adbd
Result
Gathering data
Verdict:
Malicious
File Type:
vbs
First seen:
2026-04-07T07:35:00Z UTC
Last seen:
2026-04-09T03:51:00Z UTC
Hits:
~1000
Detections:
PDM:Trojan.Win32.Generic Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic HEUR:Trojan-Downloader.Script.Generic
Link:
https://opentip.kaspersky.com/93b70cbf0e33621499d8d076fece24e5683003c728652711934d0bfc1902adbd/results?tab=lookup
Result
Threat name:
Clipboard Hijacker, Strela Stealer
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1895730
Signature
Contains functionality to hide user accounts
Contains functionality to start a terminal service
Deletes shadow drive data (may be related to ransomware)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Capture Wi-Fi password
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Register Wscript In Run Key
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to access browser extension known for cryptocurrency wallets
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Strela Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1895730 Sample: Confirmation Slip-025521443... Startdate: 09/04/2026 Architecture: WINDOWS Score: 100 53 www.sucre.SSERVER-UPDATESYSTEMONLING.TOP 2->53 55 twc.trafficmanager.net 2->55 57 3 other IPs or domains 2->57 73 Sigma detected: Register Wscript In Run Key 2->73 75 Suricata IDS alerts for network traffic 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 17 other signatures 2->79 10 wscript.exe 1 2->10         started        13 svchost.exe 1 1 2->13         started        16 wscript.exe 2->16         started        signatures3 process4 dnsIp5 101 VBScript performs obfuscated calls to suspicious functions 10->101 103 Suspicious powershell command line found 10->103 105 Wscript starts Powershell (via cmd or directly) 10->105 107 3 other signatures 10->107 18 powershell.exe 15 19 10->18         started        69 127.0.0.1 unknown unknown 13->69 signatures6 process7 dnsIp8 59 178.16.53.75, 49697, 80 DUSNET-ASDE Germany 18->59 61 hasteb.in 45.33.64.25, 443, 49694 LINODE-APLinodeLLCUS United States 18->61 49 C:\Users\user\AppData\Local\Temp\wrfdse.bat, ASCII 18->49 dropped 81 Contains functionality to start a terminal service 18->81 83 Contains functionality to hide user accounts 18->83 85 Found many strings related to Crypto-Wallets (likely being stolen) 18->85 87 5 other signatures 18->87 23 RegAsm.exe 27 18->23         started        27 cmd.exe 1 18->27         started        29 conhost.exe 18->29         started        file9 signatures10 process11 dnsIp12 63 ip-api.com 208.95.112.1, 49703, 80 TUT-ASUS United States 23->63 65 twc.trafficmanager.net 40.119.6.228, 123, 58200 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 23->65 67 www.sucre.SSERVER-UPDATESYSTEMONLING.TOP 104.164.46.149, 49705, 56545 EGIHOSTINGUS United States 23->67 89 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->89 91 Contains functionality to start a terminal service 23->91 93 Contains functionality to hide user accounts 23->93 99 7 other signatures 23->99 31 cmd.exe 2 23->31         started        95 Uses netsh to modify the Windows network and firewall settings 27->95 97 Tries to harvest and steal WLAN passwords 27->97 35 conhost.exe 27->35         started        37 tasklist.exe 1 27->37         started        39 tasklist.exe 1 27->39         started        41 5 other processes 27->41 signatures13 process14 file15 51 C:\Users\user\AppData\...\wifi_profiles.tmp, ASCII 31->51 dropped 71 Tries to harvest and steal WLAN passwords 31->71 43 netsh.exe 2 31->43         started        45 conhost.exe 31->45         started        47 chcp.com 1 31->47         started        signatures16 process17
Score:
92%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/93b70cbf0e33621499d8d076fece24e5683003c728652711934d0bfc1902adbd
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/93b70cbf0e33621499d8d076fece24e5683003c728652711934d0bfc1902adbd/
Verdict:
Malicious
Threat:
Trojan.JS.SAgent
Link:
https://tip.neiki.dev/file/93b70cbf0e33621499d8d076fece24e5683003c728652711934d0bfc1902adbd
Threat name:
Script-WScript.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2026-04-07 19:40:13 UTC
File Type:
Text (VBS)
AV detection:
6 of 36 (16.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=so3qzpyognrbjgoy2b3p5tre4vudaa6hfbssoemtjuf7ygicvw6q._file
Verdict:
malicious
Label(s):
unc_stealer_006
Create hunting rule
Similar samples:
262bb0abdf65d6d2baa592eb249d2693281a1c9c6180d1e46c57e79f52cb37b4
StrelaStealer
42baa3989be154fa6628de08549d127bfa94531e13b9bb103d3bc9244a6038bf
StrelaStealer
4af155941c33440f41066c2921cf11751dec770659ea2addcdbad749ccbc84cb
StrelaStealer
501738b2515bb3e418091fc3cd9408ee7f8d84b527c643be1ed6f8057353b20e
StrelaStealer
953779109c84c5136c1e4430120482dde9983f5f35a9ab8ef3c72f0709556f25
StrelaStealer
99c04e506e0bfa4ca0bbd3aa52020a7274c036769e95fa34573eb24e88530313
StrelaStealer
b6d89d2122cf96591699f6d423c75e2aaaaa2711183b907c4f4794c5a4a398f9
StrelaStealer
c004d5a9ea82ed2ee97a77101674a1daf798b65e21c0fd33d6bc1ec703f7eda9
StrelaStealer
de63e0dac9cd8bfe25df3aed44fe5802fe142f022118b3e352c6028fccf9d2e9
StrelaStealer
e48aae30303baaabdf26a9554bdc9da8d2215b584c14c6a787e027f48fdc610b
StrelaStealer
error
StrelaStealer
+ 16 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection defense_evasion discovery execution persistence privilege_escalation spyware stealer
Link:
https://tria.ge/reports/260409-h2azwsbw7r/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Network Configuration Discovery: Wi-Fi Discovery
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/93b70cbf0e33621499d8d076fece24e5683003c728652711934d0bfc1902adbd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_tiny_vbs
Create hunting rule
Author:daniyyell
Description:Detects tiny VBS delivery technique
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/60912/

Comments