MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c778eba8e5385b17a51bbef0e1b3c51db6dc485378c90cff1b9db7aad67c8349. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



StrelaStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash: c778eba8e5385b17a51bbef0e1b3c51db6dc485378c90cff1b9db7aad67c8349
SHA3-384 hash: 6d5063a4d8161934754bf6903fe96daee7ed1f3265a06881eba36b193fa9e17372e4b1da7443126088d34b9e2b7a7554
SHA1 hash: 735573e3e29a6255fcf335ab8a8e18020d3da8a6
MD5 hash: 9a4af3cda32ac05dc35940d1e97147ee
humanhash: july-lion-diet-xray
File name:PO-986.js
Download: download sample
Signature StrelaStealer
File size:296'102 bytes
First seen:2026-04-23 10:57:24 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 6144:uvcRH/do5f1wM2eChIdSBhgabSPKPOzaSwSVqA3EPjN6HOTM8kz6NQP/h0akOo:tRH/K5f1wM2eChIehgQSPKPOzwDYqjgE
Threatray 165 similar samples on MalwareBazaar
TLSH T11F543038AAEA4019B1B3EF54AEE47493E92FBB73370E985C1081034A4723945EDD573E
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika autohotkey
Reporter proxylife
Tags:js StrelaStealer

Intelligence


File Origin
# of uploads :
1
# of downloads :
144
Origin country :
TR TR
Vendor Threat Intelligence
No detections
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
encrypted repaired
Verdict:
Malicious
File Type:
js
First seen:
2026-04-22T20:45:00Z UTC
Last seen:
2026-04-23T09:27:00Z UTC
Hits:
~10
Detections:
Trojan-PSW.Win32.Agent.sb Trojan-PSW.MSIL.Stealer.sb PDM:Trojan.Win32.Generic HEUR:Trojan.Script.Generic Trojan.Win32.Inject.sb Trojan.MSIL.Agent.sb Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Coins.sb
Result
Threat name:
Clipboard Hijacker, Strela Stealer
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Signature
Bypasses PowerShell execution policy
Contains functionality to hide user accounts
Contains functionality to start a terminal service
Deletes shadow drive data (may be related to ransomware)
Early bird code injection technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Queues an APC in another process (thread injection)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Unusual module load detection (module proxying)
Uses netsh to modify the Windows network and firewall settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Yara detected Generic Stealer
Yara detected Powershell decode and execute
Yara detected Strela Stealer
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1903341 Sample: PO-986.js Startdate: 23/04/2026 Architecture: WINDOWS Score: 100 35 www.google.com 2->35 37 meridia.rs 2->37 39 ip-api.com 2->39 53 Malicious sample detected (through community Yara rule) 2->53 55 Yara detected Generic Stealer 2->55 57 Yara detected Strela Stealer 2->57 59 7 other signatures 2->59 11 wscript.exe 1 1 2->11         started        signatures3 process4 signatures5 69 JScript performs obfuscated calls to suspicious functions 11->69 71 Windows Scripting host queries suspicious COM object (likely to drop second stage) 11->71 73 Suspicious execution chain found 11->73 75 WScript reads language and country specific registry keys (likely country aware script) 11->75 14 conhost.exe 11->14         started        process6 signatures7 77 Bypasses PowerShell execution policy 14->77 17 powershell.exe 14 15 14->17         started        process8 dnsIp9 33 meridia.rs 85.17.22.178, 443, 49712 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 17->33 45 Early bird code injection technique detected 17->45 47 Contains functionality to start a terminal service 17->47 49 Contains functionality to hide user accounts 17->49 51 6 other signatures 17->51 21 RegAsm.exe 13 17->21         started        signatures10 process11 dnsIp12 41 188.215.229.24, 4449 YISP-ASNL Netherlands 21->41 43 ip-api.com 208.95.112.1, 49713, 80 TUT-ASUS United States 21->43 61 Contains functionality to start a terminal service 21->61 63 Contains functionality to hide user accounts 21->63 65 Deletes shadow drive data (may be related to ransomware) 21->65 67 3 other signatures 21->67 25 netsh.exe 2 21->25         started        27 netsh.exe 2 21->27         started        signatures13 process14 process15 29 conhost.exe 25->29         started        31 conhost.exe 27->31         started       
Gathering data
Threat name:
Win32.Trojan.Qwexlafiba
Status:
Malicious
First seen:
2026-04-23 03:01:28 UTC
File Type:
Text (JavaScript)
AV detection:
5 of 24 (20.83%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion execution persistence privilege_escalation
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Checks computer location settings
Badlisted process makes network request
Downloads MZ/PE file
Modifies Windows Firewall
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:telebot_framework
Author:vietdx.mb

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments