MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d362b36a33f98fdb589221f230c33e0e1e606db7dd5c7bd060be71ea8cfb6d04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

StrelaStealer

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	d362b36a33f98fdb589221f230c33e0e1e606db7dd5c7bd060be71ea8cfb6d04
SHA3-384 hash:	5f4fb2ceb727b5f94d7ed9c3754e18d65eb15920c4b48684c56dfce486c9e144e01960407001ad1084ce4a1bf92c53b0
SHA1 hash:	e0bcbae7e828b2084dffe8caae99924b45707aff
MD5 hash:	9bd7a2cf81d437e25d7b46a35695d014
humanhash:	winner-ten-missouri-hawaii
File name:	Hsbc swift_ 2024-18-01 0048432819249575920 DOCS.rar
Download:	download sample
Signature	StrelaStealer Create hunting rule
File size:	1'411'266 bytes
First seen:	2024-01-18 12:20:20 UTC
Last seen:	2024-01-18 12:20:59 UTC
File type:	rar
MIME type:	application/x-rar
ssdeep	24576:k+sEwpO4o+7UOB548kxlWnz8A/q6skW8w9swMh5ESypwG1re6MykL:vsEioMCenz8Ibk25Rb6LkL
TLSH	T14A6533B791FC1F2F92E786D560CFDA611000F523E5E7FC66A29AB625052C60C7D8AF12
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter	cocaman
Tags:	HSBC payment rar StrelaStealer SWIFT

cocaman

Malicious email (T1566.001)
From: "Accounts <accountsarviups.pvt@gmail.com>" (likely spoofed)
Received: "from [141.98.10.81] (unknown [141.98.10.81]) "
Date: "18 Jan 2024 13:18:31 +0100"
Subject: "Payment Advice"
Attachment: "Hsbc swift_ 2024-18-01 0048432819249575920 DOCS.rar"

Intelligence

File Origin

# of uploads :

# of downloads :

124

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	Hsbc swift_ 2024-18-01 0048432819249575920 DOCS.cmd
File size:	1'825'746 bytes
SHA256 hash:	e1407224ef8bf4ca74997f4389bd427dca0e57bf1918d12a8d3f27625d6ee368
MD5 hash:	67de6c54dbb904d4bceeab12c97e0a08
MIME type:	text/plain
Signature	StrelaStealer

Vendor Threat Intelligence

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

cmd lolbin

Link:

https://www.filescan.io/uploads/65a917b08369fab94df0863d/reports/3c555783-896e-493c-aab5-dbef71da9479/overview

Verdict:

Suspicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/d362b36a33f98fdb589221f230c33e0e1e606db7dd5c7bd060be71ea8cfb6d04

Result

Verdict:

MALICIOUS

Details

Base64 Encoded Powershell Directives

Detected one or more base64 encoded Powershell directives.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d362b36a33f98fdb589221f230c33e0e1e606db7dd5c7bd060be71ea8cfb6d04/

Threat name:

Document-HTML.Hacktool.Heuristic

Status:

Malicious

First seen:

2024-01-18 12:20:24 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

5 of 38 (13.16%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2nrlg2rt7gh5wwesehzdbqz6bypga3nx3vohxudaxzy6vdh3nuca._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.87

Link:

https://yomi.yoroi.company/submissions/d362b36a33f98fdb589221f230c33e0e1e606db7dd5c7bd060be71ea8cfb6d04

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	BlackGuard_Rule Create hunting rule
Author:	Jiho Kim
Description:	Yara rule for BlackGuarad Stealer v1.0 - v3.0
Reference:	https://www.virustotal.com/gui/file/67843d45ba538eca29c63c3259d697f7e2ba84a3da941295b9207cdb01c85b71/detection