MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07a49f69c8aff4313805a9080e4791fa58eab40d9cfaf6b5adaab21d5a07d033. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

STRRAT

Vendor detections: 13

SHA256 hash: 07a49f69c8aff4313805a9080e4791fa58eab40d9cfaf6b5adaab21d5a07d033
SHA3-384 hash: cef969e62084e075127b0af379a628703ee4dda9faf495d2f208d468d4f1d101f6426cad4a0492f779dd8e9ef8dbbcd5
SHA1 hash: 4741412b25e14dccb02fb94f8e99b2674bdc19bb
MD5 hash: 0927f23f69465e634203cf724babd90a
humanhash: winter-sad-cup-black
File name: UPDATED STATEMENT OF ACCOUNT ,PDF.jar
Signature: STRRAT
File size: 314,794 bytes
First seen: 2025-11-06 16:45:05 UTC
Last seen: Never
File type: Java file jar
MIME type: application/zip
ssdeep: 6144:T3YWjl/eQl0MtN32zVbWhG1eSwj+v67mZjpF:3jl/eG52xaweJ8CmZjH
TLSH: T1A064195A3F9D99B1E52760334954D22D3928E5EBC600E18F1BFD6C1CDC78C680B96ACB
TrID: 77.1% (.JAR) Java Archive (13500/1/2); 22.8% (.ZIP) ZIP compressed archive (4000/1)
Magika: jar
Reporter: abuse_ch
Tags: jar STRRAT
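The entry above gives four digests, a ZIP MIME type for a file named as if it were a PDF, and the tag "masquerade" further down. The script below is an added example (not MalwareBazaar code) showing the offline triage a practitioner does with exactly that information: recompute the listed hashes from the bytes on disk, confirm the container really is a ZIP/JAR, read the manifest Main-Class, and flag the double-extension trick (", PDF.jar"). The small JAR built at the bottom is constructed here so the script runs without the sample; the digest comparison will only succeed against the real file.

```python
"""Offline triage of a JAR sample against the MalwareBazaar entry above.

Added example, not MalwareBazaar code. Recomputes the listed hashes,
checks the ZIP/JAR container, reads the manifest, and flags a document
extension hidden in front of ".jar". The demo JAR built below is a
constructed stand-in, not the sample from the entry.
"""
import hashlib
import io
import re
import zipfile

# Digests exactly as listed in the MalwareBazaar entry.
BAZAAR_HASHES = {
    "md5": "0927f23f69465e634203cf724babd90a",
    "sha1": "4741412b25e14dccb02fb94f8e99b2674bdc19bb",
    "sha256": "07a49f69c8aff4313805a9080e4791fa58eab40d9cfaf6b5adaab21d5a07d033",
    "sha3_384": "cef969e62084e075127b0af379a628703ee4dda9faf495d2f208d468d4f1d101f6426cad4a0492f779dd8e9ef8dbbcd5",
}

def compute_hashes(data: bytes) -> dict:
    """The same four digests the entry lists, so they can be compared 1:1."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }

def matches_entry(data: bytes, expected=BAZAAR_HASHES) -> bool:
    """True only if every listed digest matches; one mismatch means a different file."""
    got = compute_hashes(data)
    return all(got[k] == v.lower() for k, v in expected.items())

# Document extensions an attacker plants before the real ".jar" (assumed list).
DECOY_DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}

def is_masquerading_name(filename: str) -> bool:
    """Flag 'INVOICE.pdf.jar' and the comma variant 'STATEMENT ,PDF.jar'."""
    name = filename.lower()
    if not name.endswith(".jar"):
        return False
    stem = name[:-4]
    tokens = re.split(r"[.,\s]+", stem)   # last token before .jar is the decoy
    return bool(tokens) and tokens[-1] in DECOY_DOC_EXTS

def inspect_jar(data: bytes) -> dict:
    """Container facts: ZIP validity, entry count, Main-Class, presence of class files."""
    info = {"is_zip": False, "entries": 0, "main_class": None, "has_class_files": False}
    if not data.startswith(b"PK\x03\x04"):          # local file header magic
        return info
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return info
    names = zf.namelist()
    info.update(is_zip=True, entries=len(names),
                has_class_files=any(n.endswith(".class") for n in names))
    if "META-INF/MANIFEST.MF" in names:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Main-Class:\s*(\S+)", manifest, re.M)
        if m:
            info["main_class"] = m.group(1)
    return info

def triage(filename: str, data: bytes) -> dict:
    report = inspect_jar(data)
    report["masquerade"] = is_masquerading_name(filename)
    report["hash_match"] = matches_entry(data)
    report["sha256"] = compute_hashes(data)["sha256"]
    return report

def build_demo_jar() -> bytes:
    """Constructed stand-in JAR so the script runs offline; not the sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: demo.Loader\r\n\r\n")
        zf.writestr("demo/Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    return buf.getvalue()

if __name__ == "__main__":
    demo = build_demo_jar()
    print(triage("UPDATED STATEMENT OF ACCOUNT ,PDF.jar", demo))
```

To use it on the real sample, read the downloaded bytes and call triage() with the original file name; hash_match becomes True only if the bytes are the ones this entry describes, which is the check to run before trusting anything else on the page.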


abuse_ch
STRRAT C2:
178.16.54.225:59007

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 178.16.54.225:59007
ThreatFox reference: https://threatfox.abuse.ch/ioc/1634606/

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 155
Origin country: NL
Vendor Threat Intelligence

Malware family:
ID: 1
File name: _07a49f69c8aff4313805a9080e4791fa58eab40d9cfaf6b5adaab21d5a07d033.zip
Verdict: Malicious activity
Analysis date: 2025-11-06 16:49:48 UTC
Tags: java rat strrat scan
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: masquerade

Verdict: Malicious
File Type: jar
First seen: 2025-10-28T00:19:00Z UTC
Last seen: 2025-11-06T18:07:00Z UTC
Hits: ~1000
Detections: HEUR:Trojan.Java.Generic, Trojan-Dropper.Win32.Dapato.sb, Trojan.Java.Agent.sb, Backdoor.Java.StrRat.sb

Result
Threat name: Caesium Obfuscator, STRRAT
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Creates autostart registry keys to launch java
Creates autostart registry keys with suspicious names
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Found malware configuration
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Suspicious Startup Folder Persistence
Suricata IDS alerts for network traffic
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Uses WMIC command to query system information (often done to detect virtual machines)
Yara detected Caesium Obfuscator
Yara detected STRRAT
Behaviour
Behavior Graph ID: 1809456. Sample: UPDATED STATEMENT OF ACCOUN... Start date: 06/11/2025. Architecture: WINDOWS. Score: 100.

Domains and IPs attached to the root node: idcheck.duckdns.org; repo1.maven.org.cdn.cloudflare.net; 4 other IPs or domains.
Signatures attached to the root node: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for dropped file; Uses dynamic DNS services (idcheck.duckdns.org); 9 other signatures.

Process tree as drawn in the graph (graph node numbers in brackets):
- cmd.exe [11]: Uses schtasks.exe or at.exe to add and modify task schedules; Uses ping.exe to check the status of other devices and networks; Uses WMIC command to query system information
  - java.exe [20]
      network: github.com 140.82.114.4, ports 443, 49688 (GITHUBUS, United States); release-assets.githubusercontent.com 185.199.109.133, ports 443, 49691 (FASTLYUS, Netherlands); repo1.maven.org.cdn.cloudflare.net 104.18.18.12, ports 443, 49687, 49689 (CLOUDFLARENETUS, United States)
      dropped: C:\...\UPDATED STATEMENT OF ACCOUNT ,PDF.jar (Zip)
    - java.exe [26]
        dropped: three further copies of C:\...\UPDATED STATEMENT OF ACCOUNT ,PDF.jar (Zip)
        signatures: Creates autostart registry keys to launch java; Creates autostart registry keys with suspicious names
      - java.exe [30]
          network: 194.61.54.66, port 51964 (WELLWEBNL, Russian Federation); 178.16.54.225, ports 49696, 59007 (DUSNET-ASDE, Germany; 59007 is the C2 port in the IOC table above); ip-api.com 208.95.112.1, ports 49697, 80 (TUT-ASUS, United States)
          dropped: C:\Users\user\...\jna8703919924635259596.dll (PE32)
          signature: Uses WMIC command to query system information
        - cmd.exe [39] -> WMIC.exe [52] (Queries sensitive service information via WMI, Win32_LogicalDisk), conhost.exe [55]
        - cmd.exe [42] -> 2 other processes
        - cmd.exe [44] -> PING.EXE [57] (resolves idcheck.duckdns.org to 66.54.61.194, HPESUS, United States), conhost.exe [60]
        - 7 other processes [50] -> conhost.exe, WMIC.exe [64], conhost.exe, 9 other processes
      - cmd.exe [35] -> conhost.exe [46], schtasks.exe [48]
      - conhost.exe [37]
  - conhost.exe [24]
- javaw.exe [14]
- javaw.exe [16]
- 2 other processes [18]
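The signature list and the behaviour graph above describe behaviours that are hunt-able in endpoint telemetry: a Run-key autostart that launches java, schtasks persistence, a startup-folder drop, a dynamic-DNS lookup (idcheck.duckdns.org), an external-IP check against ip-api.com, and the C2 connection to 178.16.54.225:59007 from the IOC table. The script below is an added example, not code from MalwareBazaar or from any of the sandboxes quoted on this page. It encodes those behaviours as rules over a simplified event schema and runs them across constructed sample events. The event field names, the sample events and the extra requirement that the launched JAR live in a user-writable path (a false-positive filter) are assumptions; map the fields onto your own Sysmon or EDR schema.

```python
"""Hunting the STRRAT behaviours reported above in endpoint telemetry.

Added example, not vendor or MalwareBazaar code. The event schema and the
sample events are constructed for the demo; only the C2 IOC, the duckdns
domain and ip-api.com come from the page.
"""
import re
from collections import defaultdict

C2_IOCS = {("178.16.54.225", 59007)}       # IOC table above
DYNDNS_SUFFIXES = ("duckdns.org",)          # idcheck.duckdns.org in the behaviour graph
IP_LOOKUP_HOSTS = {"ip-api.com"}            # "Looks up external IP address via web service"

JAVA_LAUNCH = re.compile(r"\bjavaw?(\.exe)?\b.*\s-jar\s", re.I)
# Assumption: a JAR persisted from a user-writable path is the suspicious case.
USER_WRITABLE = re.compile(
    r"\\(AppData|Users\\[^\\]+\\(Downloads|Desktop|Documents))\\|%(APPDATA|TEMP|TMP)%", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\b", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)

def rule_run_key_java(ev):
    """'Creates autostart registry keys to launch java' / 'Adds Run key to start application'."""
    return (ev["type"] == "registry_set" and RUN_KEY.search(ev["key"])
            and JAVA_LAUNCH.search(ev["data"]) and USER_WRITABLE.search(ev["data"]))

def rule_schtasks_java(ev):
    """'Uses schtasks.exe or at.exe to add and modify task schedules' with a java -jar action."""
    if ev["type"] != "process" or not re.search(r"\bschtasks(\.exe)?\b", ev["image"], re.I):
        return False
    return bool(re.search(r"/create\b", ev["cmdline"], re.I) and JAVA_LAUNCH.search(ev["cmdline"]))

def rule_startup_jar(ev):
    """'Drops startup file' / Sigma 'Suspicious Startup Folder Persistence' for a .jar."""
    return ev["type"] == "file_create" and STARTUP_DIR.search(ev["path"]) and ev["path"].lower().endswith(".jar")

def rule_dyndns(ev):
    return ev["type"] == "dns" and ev["query"].lower().endswith(DYNDNS_SUFFIXES)

def rule_ip_lookup(ev):
    return ev["type"] == "dns" and ev["query"].lower() in IP_LOOKUP_HOSTS

def rule_c2(ev):
    return ev["type"] == "network" and (ev["dst_ip"], ev["dst_port"]) in C2_IOCS

RULES = {
    "persistence.run_key_java": rule_run_key_java,
    "persistence.schtasks_java": rule_schtasks_java,
    "persistence.startup_jar": rule_startup_jar,
    "network.dyndns": rule_dyndns,
    "network.external_ip_lookup": rule_ip_lookup,
    "network.strrat_c2": rule_c2,
}

def evaluate(events):
    """Return {host: sorted list of rule names that fired}; hosts with no hits are omitted."""
    hits = defaultdict(set)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[ev["host"]].add(name)
    return {h: sorted(s) for h, s in hits.items()}

def verdict(fired):
    """A lone network hit is weak; persistence plus the C2 IOC on one host is conclusive."""
    if "network.strrat_c2" in fired and any(r.startswith("persistence.") for r in fired):
        return "confirmed"
    if len(fired) >= 2:
        return "probable"
    return "weak" if fired else "none"

# Constructed sample events (not real telemetry). WS01 mirrors the sandbox run; WS02 is benign.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate",
     "data": r'"C:\Program Files\Java\jre1.8.0_411\bin\javaw.exe" -jar "C:\Users\alice\AppData\Roaming\UPDATED STATEMENT OF ACCOUNT ,PDF.jar"'},
    {"host": "WS01", "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 30 /tn JavaUpdate /tr "javaw.exe -jar C:\Users\alice\AppData\Roaming\UPDATED STATEMENT OF ACCOUNT ,PDF.jar"'},
    {"host": "WS01", "type": "dns", "query": "idcheck.duckdns.org"},
    {"host": "WS01", "type": "dns", "query": "ip-api.com"},
    {"host": "WS01", "type": "network", "dst_ip": "178.16.54.225", "dst_port": 59007},
    {"host": "WS02", "type": "registry_set",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"host": "WS02", "type": "dns", "query": "repo1.maven.org"},
]

if __name__ == "__main__":
    for host, fired in evaluate(SAMPLE_EVENTS).items():
        print(host, verdict(fired), fired)
```

The verdict tiering matters in practice: the ip-api.com and duckdns lookups also occur on clean machines, so they only raise confidence when paired with the persistence rules or the C2 IOC, which is exactly the combination the sandbox run shows.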
Threat name: ByteCode-JAVA.Trojan.Strrat
Status: Suspicious
First seen: 2025-10-28 06:48:25 UTC
File Type: Binary (Archive)
Extracted files: 550
AV detection: 11 of 23 (47.83%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:strrat discovery execution persistence stealer trojan
Behaviour:
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
System Network Configuration Discovery: Internet Connection Discovery
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
STRRAT
Strrat family
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: STRRAT
Author: NDA0E
Description: Detects STRRAT config filename

Rule name: strrat_jar_v1
Author: RandomMalware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments