MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e48aae30303baaabdf26a9554bdc9da8d2215b584c14c6a787e027f48fdc610b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StrelaStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e48aae30303baaabdf26a9554bdc9da8d2215b584c14c6a787e027f48fdc610b
SHA3-384 hash: 5116e9e8394655d12749e0c3f8791c743caad8fba6cf1b70197eda01082c98c9497f5d2b2431b7d7af9c211ebf187a2b
SHA1 hash: 0a279ced254e41b1d49fd631490c948e256a211e
MD5 hash: 005709dd2ba7f7bb3da265d9bfaf3d09
humanhash: wyoming-oregon-sixteen-mississippi
File name:Confirmation slip-025521443553574554#.vbs
Download: download sample
Signature StrelaStealer
Create hunting rule
File size:23'643 bytes
First seen:2026-04-06 14:34:33 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 384:KDLdIWFcpmksTkDqfAcnBCkL+uGhTQdNwxwUwyxI7tPrR4qpOrCJsg0qxGetLurX:KxkBDqfnUNVSqwU0F3oNsQCC4mSg
Threatray 20 similar samples on MalwareBazaar
TLSH T12AB21F3EC885DFF40B6A31D5A56F7916A8580363B4382A4C79CFC1993B3A950CBB11ED
Magika vba
Reporter abuse_ch
Tags:StrelaStealer vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
57
Origin country :
SE SE
Vendor Threat Intelligence
Gathering data
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/60612/
Detection(s):
SecuriteInfo.com.VBS.Starter.527.4405.6715.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69d3c4a566ab6d001dcf7daa
Tags:
obfuscate dropper xtreme
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 base64 encrypted evasive guloader obfuscated powershell powershell
Link:
https://www.filescan.io/uploads/69d3c4a42346b9da57c18533/reports/6ce58f1a-96a2-4c4b-97c1-d18a99d00245/overview
Verdict:
Malicious
Labled as:
PowerShell/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/e48aae30303baaabdf26a9554bdc9da8d2215b584c14c6a787e027f48fdc610b
Verdict:
Malicious
File Type:
vbs
First seen:
2026-04-05T09:43:00Z UTC
Last seen:
2026-04-08T11:41:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Generic Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic HEUR:Trojan-Downloader.Script.Generic
Link:
https://opentip.kaspersky.com/e48aae30303baaabdf26a9554bdc9da8d2215b584c14c6a787e027f48fdc610b/results?tab=lookup
Result
Threat name:
Clipboard Hijacker, Strela Stealer
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1894031
Signature
Contains functionality to hide user accounts
Contains functionality to start a terminal service
Deletes shadow drive data (may be related to ransomware)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Capture Wi-Fi password
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Register Wscript In Run Key
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to access browser extension known for cryptocurrency wallets
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Strela Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1894031 Sample: Confirmation slip-025521443... Startdate: 06/04/2026 Architecture: WINDOWS Score: 100 52 www.sucre.SSERVER-UPDATESYSTEMONLING.TOP 2->52 54 twc.trafficmanager.net 2->54 56 3 other IPs or domains 2->56 72 Sigma detected: Register Wscript In Run Key 2->72 74 Suricata IDS alerts for network traffic 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 17 other signatures 2->78 10 wscript.exe 1 2->10         started        13 svchost.exe 1 1 2->13         started        16 wscript.exe 2->16         started        18 wscript.exe 2->18         started        signatures3 process4 dnsIp5 88 VBScript performs obfuscated calls to suspicious functions 10->88 90 Suspicious powershell command line found 10->90 92 Wscript starts Powershell (via cmd or directly) 10->92 94 3 other signatures 10->94 20 powershell.exe 15 20 10->20         started        68 127.0.0.1 unknown unknown 13->68 signatures6 process7 dnsIp8 58 178.16.53.75, 49682, 80 DUSNET-ASDE Germany 20->58 60 hasteb.in 45.33.64.25, 443, 49681 LINODE-APLinodeLLCUS United States 20->60 50 C:\Users\user\AppData\Local\Temp\wrfdse.bat, ASCII 20->50 dropped 80 Contains functionality to start a terminal service 20->80 82 Contains functionality to hide user accounts 20->82 84 Found many strings related to Crypto-Wallets (likely being stolen) 20->84 86 5 other signatures 20->86 25 RegAsm.exe 27 20->25         started        29 cmd.exe 1 20->29         started        31 conhost.exe 20->31         started        file9 signatures10 process11 dnsIp12 62 ip-api.com 208.95.112.1, 49688, 80 TUT-ASUS United States 25->62 64 twc.trafficmanager.net 40.119.6.228, 123, 54199 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 25->64 66 www.sucre.SSERVER-UPDATESYSTEMONLING.TOP 104.164.46.149, 49689, 56545 EGIHOSTINGUS United States 25->66 96 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->96 98 Contains functionality to start a terminal service 25->98 100 Contains functionality to hide user accounts 25->100 106 7 other signatures 25->106 33 cmd.exe 2 25->33         started        102 Uses netsh to modify the Windows network and firewall settings 29->102 104 Tries to harvest and steal WLAN passwords 29->104 36 conhost.exe 29->36         started        38 tasklist.exe 1 29->38         started        40 tasklist.exe 1 29->40         started        42 5 other processes 29->42 signatures13 process14 signatures15 70 Tries to harvest and steal WLAN passwords 33->70 44 netsh.exe 2 33->44         started        46 conhost.exe 33->46         started        48 chcp.com 1 33->48         started        process16
Score:
92%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/e48aae30303baaabdf26a9554bdc9da8d2215b584c14c6a787e027f48fdc610b
Verdict:
Malware
YARA:
1 match(es)
Tags:
Scripting.Dictionary Scripting.FileSystemObject VBScript WScript.Network WScript.Shell
Link:
https://app.malva.re/file/005709dd2ba7f7bb3da265d9bfaf3d09
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e48aae30303baaabdf26a9554bdc9da8d2215b584c14c6a787e027f48fdc610b/
Verdict:
Malicious
Threat:
Trojan.JS.SAgent
Link:
https://tip.neiki.dev/file/e48aae30303baaabdf26a9554bdc9da8d2215b584c14c6a787e027f48fdc610b
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2026-04-06 14:35:22 UTC
File Type:
Text (VBS)
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4sfk4mbqhovkxxzgvfkuxxe5vdjccw2yjqkmnj4h4at7jd64mefq._file
Verdict:
malicious
Label(s):
unc_stealer_006
Create hunting rule
Similar samples:
1dc49390801ae4be6be1568ca9616aa9d9368b4ee5f009a15d69ec73bb453f61
StrelaStealer
262bb0abdf65d6d2baa592eb249d2693281a1c9c6180d1e46c57e79f52cb37b4
StrelaStealer
42baa3989be154fa6628de08549d127bfa94531e13b9bb103d3bc9244a6038bf
StrelaStealer
4d0f0fde3e1161d1b776e24739f2ddf0979e3dc6be33b1b832dd5a74d6660e93
StrelaStealer
501738b2515bb3e418091fc3cd9408ee7f8d84b527c643be1ed6f8057353b20e
StrelaStealer
953779109c84c5136c1e4430120482dde9983f5f35a9ab8ef3c72f0709556f25
StrelaStealer
99c04e506e0bfa4ca0bbd3aa52020a7274c036769e95fa34573eb24e88530313
StrelaStealer
b6d89d2122cf96591699f6d423c75e2aaaaa2711183b907c4f4794c5a4a398f9
StrelaStealer
cc59432c013a67e42a5b0199f9e205890954a7095b68f1391d9ea931c3a7d65e
StrelaStealer
de63e0dac9cd8bfe25df3aed44fe5802fe142f022118b3e352c6028fccf9d2e9
StrelaStealer
error
StrelaStealer
+ 10 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection defense_evasion discovery execution persistence privilege_escalation spyware stealer
Link:
https://tria.ge/reports/260406-rx3nsact7m/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Network Configuration Discovery: Wi-Fi Discovery
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e48aae30303baaabdf26a9554bdc9da8d2215b584c14c6a787e027f48fdc610b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_tiny_vbs
Create hunting rule
Author:daniyyell
Description:Detects tiny VBS delivery technique
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/60612/

Comments