MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b460965364bb34dc0638c9f889b037cff5e95792c9da9958a8d9aa6df5e7c798. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StrelaStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b460965364bb34dc0638c9f889b037cff5e95792c9da9958a8d9aa6df5e7c798
SHA3-384 hash: 86cede72d76bbd8d28237360d82bb0a1df128e06f437669c6274655ae2d0cdce701bccd5baf5586aa9288fda676b04e7
SHA1 hash: a5d43e547437af6e91f32c16953f387c8eb5b37c
MD5 hash: b0bd26cf16fc1414b5417637dce0803d
humanhash: chicken-solar-asparagus-xray
File name:b460965364bb34dc0638c9f889b037cff5e95792c9da9958a8d9aa6df5e7c798
Download: download sample
Signature StrelaStealer
Create hunting rule
File size:971'776 bytes
First seen:2025-03-10 12:07:02 UTC
Last seen:2025-03-10 13:10:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'654 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 24576:rdjdSauRZTnkPX1uhrOCD2oJc8/BcTONUdg5SmOwOa:rdjdSrbnkPX1TMc6BkO15POFa
Threatray 114 similar samples on MalwareBazaar
TLSH T1E32512581308CA03CAAE4A35D5F2E2B547FDDDDAB642E3529AD8ADFF7586F100942093
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon b0b268e8ccd486a2 (11 x Formbook, 5 x SnakeKeylogger, 3 x MassLogger)
Reporter adrian__luca
Tags:exe StrelaStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
338
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
KIT Bestellung Nr. 20851878.7z
Verdict:
Suspicious activity
Analysis date:
2025-02-27 07:15:53 UTC
Tags:
arch-exec
Link:
https://app.any.run/tasks/3d8ce685-3e4c-42f9-b3c6-83d2639623ba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67cedea70d1b39e3a208b912
Tags:
virus shell msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Connection attempt
Searching for synchronization primitives
Creating a window
Launching a service
Creating a process with a hidden window
Launching a process
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
formbook infostealer obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/67ced5fcb32a56d0c2cf36bb/reports/2ab8fe34-bbc7-4c3b-971a-fe685994a7c8/overview
Verdict:
Malicious
Labled as:
Trojan.GenericS
Link:
https://www.hybrid-analysis.com/sample/b460965364bb34dc0638c9f889b037cff5e95792c9da9958a8d9aa6df5e7c798
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
KeyBase
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8f33f534-429f-4333-a84c-dde0848001ac
Result
Threat name:
Strela Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1634600
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Generic Stealer
Yara detected Strela Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1634600 Sample: rvFsBUph9Z.exe Startdate: 11/03/2025 Architecture: WINDOWS Score: 100 73 hottie1.duckdns.org 2->73 75 241.215.8.0.in-addr.arpa 2->75 77 2 other IPs or domains 2->77 101 Suricata IDS alerts for network traffic 2->101 103 Sigma detected: Scheduled temp file as task from temp location 2->103 105 Multi AV Scanner detection for submitted file 2->105 109 10 other signatures 2->109 9 rvFsBUph9Z.exe 11 7 2->9         started        13 nEUjcdDABpNRwd.exe 2->13         started        signatures3 107 Uses dynamic DNS services 73->107 process4 file5 53 C:\Users\user\AppData\...\nEUjcdDABpNRwd.exe, PE32 9->53 dropped 55 C:\...\nEUjcdDABpNRwd.exe:Zone.Identifier, ASCII 9->55 dropped 57 C:\Users\user\AppData\Local\...\tmp55FB.tmp, XML 9->57 dropped 59 C:\Users\user\AppData\...\rvFsBUph9Z.exe.log, ASCII 9->59 dropped 111 Uses schtasks.exe or at.exe to add and modify task schedules 9->111 113 Writes to foreign memory regions 9->113 115 Allocates memory in foreign processes 9->115 117 Adds a directory exclusion to Windows Defender 9->117 15 MSBuild.exe 4 9->15         started        19 powershell.exe 23 9->19         started        21 schtasks.exe 1 9->21         started        119 Multi AV Scanner detection for dropped file 13->119 121 Injects a PE file into a foreign processes 13->121 23 MSBuild.exe 13->23         started        25 schtasks.exe 13->25         started        27 MSBuild.exe 13->27         started        signatures6 process7 dnsIp8 81 hottie1.duckdns.org 69.61.84.211, 13650, 49707, 49741 GLOBALCOMPASSUS United States 15->81 83 Tries to steal Mail credentials (via file / registry access) 15->83 85 Found many strings related to Crypto-Wallets (likely being stolen) 15->85 87 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 15->87 99 4 other signatures 15->99 29 chrome.exe 15->29         started        32 chrome.exe 15->32 injected 34 chrome.exe 15->34 injected 89 Loading BitLocker PowerShell Module 19->89 36 conhost.exe 19->36         started        38 WmiPrvSE.exe 19->38         started        40 conhost.exe 21->40         started        91 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->91 93 Tries to harvest and steal browser information (history, passwords, etc) 23->93 95 Writes to foreign memory regions 23->95 97 Allocates memory in foreign processes 23->97 42 chrome.exe 23->42         started        46 2 other processes 23->46 44 conhost.exe 25->44         started        signatures9 process10 dnsIp11 79 192.168.2.5, 13650, 138, 443 unknown unknown 29->79 48 chrome.exe 29->48         started        51 chrome.exe 42->51         started        process12 dnsIp13 61 www.google.com 142.250.184.196, 443, 49713, 49714 GOOGLEUS United States 48->61 63 plus.l.google.com 142.250.185.110, 443, 49732 GOOGLEUS United States 48->63 69 4 other IPs or domains 48->69 65 142.250.184.238, 443, 49763 GOOGLEUS United States 51->65 67 142.250.186.132, 443, 49752, 49753 GOOGLEUS United States 51->67 71 4 other IPs or domains 51->71
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b460965364bb34dc0638c9f889b037cff5e95792c9da9958a8d9aa6df5e7c798
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b460965364bb34dc0638c9f889b037cff5e95792c9da9958a8d9aa6df5e7c798/
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-02-26 20:40:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wrqjmu3exm2nybryzh4itmbxz726sv4szhnjswfi3gvg35phy6ma._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
Similar samples:
053db2d3b7df1490f84781536a2d0e66cc920b4ccdbfcc510c39a9661915f992
StrelaStealer
b51868a125a577733f6208c4f11c8887aca278b339abe7f62fe2a4808a8399aa
StrelaStealer
ca763bc6524433635d6e783c01d6eaac6e7afcefab82124d0fd98715e1d982cc
StrelaStealer
e1ac8636bad99361fb9c659acdbfcf925147d60655e0c7ede10c5d6f6f944678
StrelaStealer
error
StrelaStealer
fffcac101917438d0e914c5967ce1fec5dea4a776965b7740c7f45ec91480c37
StrelaStealer
+ 104 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection discovery execution
Link:
https://tria.ge/reports/250310-paex4atya1/
Behaviour
Checks processor information in registry
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/94957d19-024a-4ef4-815a-323e1560f05a
Unpacked files
SH256 hash:
b460965364bb34dc0638c9f889b037cff5e95792c9da9958a8d9aa6df5e7c798
MD5 hash:
b0bd26cf16fc1414b5417637dce0803d
SHA1 hash:
a5d43e547437af6e91f32c16953f387c8eb5b37c
Link:
https://www.unpac.me/results/5757538b-0dfb-4dd7-a84f-3feeacb6ca3a/
SH256 hash:
772f54e413ceb58a5efe007b8c5258931f0af035ab9c651916e56c0a80b3ddc5
MD5 hash:
552922c5451a781fc53b559cd09fab8e
SHA1 hash:
6dd5c4b8180db20ab22e5827b9a6928ccfdf4c4d
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/5757538b-0dfb-4dd7-a84f-3feeacb6ca3a/
SH256 hash:
c8d43ea1c3138e9de58868af6d60660cbf6d8b6e08f0dc1b0c20870eb3b7983e
MD5 hash:
877273f4d18c07b8f0a557b96adc0428
SHA1 hash:
b6d652ae17e1f387048a76aa93a703d7f80580d1
Link:
https://www.unpac.me/results/5757538b-0dfb-4dd7-a84f-3feeacb6ca3a/
SH256 hash:
dbdbf4597b5391da016b2fa2e9369373f11df2f1591041d967ee3902767db68b
MD5 hash:
08d845abf45ad3296a8708ea9a3e001c
SHA1 hash:
c741ce63a2e750573772b80ab8f3f71c31e9e3de
Link:
https://www.unpac.me/results/5757538b-0dfb-4dd7-a84f-3feeacb6ca3a/
SH256 hash:
6a0449db54ed7bb48c41b3bd14e85bc41f197875614062754ca276810e796dfc
MD5 hash:
ae59ccd6b3bf461171da1fd4e4a6ca56
SHA1 hash:
2e43509c1f3cb33f0848a6fc667a8b1e0c9939b2
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/5757538b-0dfb-4dd7-a84f-3feeacb6ca3a/
Parent samples :
ceb2439ede02213d08dbb5cf64ade11b7f5558a5234e544a0c53cfa337f6860f
b460965364bb34dc0638c9f889b037cff5e95792c9da9958a8d9aa6df5e7c798
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/5757538b-0dfb-4dd7-a84f-3feeacb6ca3a/
SH256 hash:
44f3da177f5192e99fefb98dd7cce27eb97607738b5dc5b0e39d5b55738fb65e
MD5 hash:
bd4a57ad61615d0cc3f3594db5333463
SHA1 hash:
7e3cecd4b9cb8832091b21d9e2800140f6a58661
Link:
https://www.unpac.me/results/5757538b-0dfb-4dd7-a84f-3feeacb6ca3a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.75
Link:
https://yomi.yoroi.company/submissions/b460965364bb34dc0638c9f889b037cff5e95792c9da9958a8d9aa6df5e7c798

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments