MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a830444a8c87e98ea93f7e726ecf1aa22aa07799bf6d374edc2c5dfdde511f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



STRRAT


Vendor detections: 11



SHA256 hash: 0a830444a8c87e98ea93f7e726ecf1aa22aa07799bf6d374edc2c5dfdde511f9
SHA3-384 hash: a6c7cad2755e0054431ad6924db7974f6d04928a9b598379f1fd59ab6bd80ac5e05106105055aeb0f197d8332b8fd8fb
SHA1 hash: ede4b114704aa305aa5d8a38efac970870c8830f
MD5 hash: f27c858bd876a8b76099a27355ec5a8d
humanhash: freddie-wisconsin-eighteen-uncle
File name: RICHIESTA-QUOTAZIONI.jar
Signature: STRRAT
File size: 66'517 bytes
First seen: 2024-06-26 15:32:46 UTC
Last seen: Never
File type: Java file jar
MIME type: application/zip
ssdeep: 1536:4M/kpUvIa3EVYmmd2ittWJiQYciZbzHbWf9CRkgjaCpwrkd:cUvImEVrEOiQGZrkxEBwa
TLSH: T10253F12CBCCCC577CBB7197D85AC5103E712F0ADD1AA6267AED1F898D562D480706BC8
TrID: 72.9% (.JAR) Java Archive (13500/1/2)
      21.6% (.ZIP) ZIP compressed archive (4000/1)
      5.4% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: NDA0E
Tags: geo ITA jar Spam-ITA STRRAT


NDA0E
STRRAT C2:
elastsolek1.duckdns.org:4787 (37.120.199.54:4787)
zekeriyasolek45.duckdns.org:4787 (154.13.163.54:4787)

Intelligence


File Origin
# of uploads: 1
# of downloads: 364
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: RICHIESTA-QUOTAZIONI.jar
Verdict: Malicious activity
Analysis date: 2024-06-26 15:27:05 UTC
Tags: strrat

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 97.4%
Tags: Execution Network Stealth Java

Result
Threat name:
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
Creates autostart registry keys to launch java
Creates autostart registry keys with suspicious names
Exploit detected, runtime environment starts unknown processes
Found malware configuration
Malicious sample detected (through community Yara rule)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Suspicious Startup Folder Persistence
Snort IDS alert for network traffic
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AllatoriJARObfuscator
Yara detected STRRAT
Behaviour
Behavior Graph (ID: 1463098; Sample: RICHIESTA-QUOTAZIONI.jar; Startdate: 26/06/2024; Architecture: WINDOWS; Score: 100), recovered from the graph rendering:

Network contacts:
- elastsolek1.duckdns.org (37.120.199.54; ports 4787, 49711, 49720; M247GB, Romania) - Uses dynamic DNS services
- ip-api.com (208.95.112.1; ports 49713, 80; TUT-ASUS, United States)

Sample-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 4 other signatures

Process tree:
- Sample start: starts cmd.exe, javaw.exe, javaw.exe and 3 other processes
  - cmd.exe: drops C:\cmdlinestart.log (ASCII); Uses schtasks.exe or at.exe to add and modify task schedules; starts java.exe and conhost.exe
    - java.exe: drops two files C:\Users\user\...\RICHIESTA-QUOTAZIONI.jar (Zip) and C:\ProgramData\...\RICHIESTA-QUOTAZIONI.jar (Zip); Creates autostart registry keys to launch java; Creates autostart registry keys with suspicious names; starts java.exe, cmd.exe and icacls.exe
      - java.exe: connects to elastsolek1.duckdns.org and ip-api.com (see above); starts three cmd.exe and 2 other processes
        - each cmd.exe (and the 2 other processes): starts WMIC.exe and conhost.exe
          - WMIC.exe: Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
      - cmd.exe: starts conhost.exe and schtasks.exe
      - icacls.exe: starts conhost.exe
Threat name: ByteCode-JAVA.Trojan.StrRat
Status: Malicious
First seen: 2024-06-26 10:36:59 UTC
File Type: Binary (Archive)
Extracted files: 28
AV detection: 10 of 24 (41.67%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:strrat discovery persistence stealer trojan
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Adds Run key to start application
Drops startup file
Modifies file permissions
STRRAT
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: JAR_STRRAT_April_2024
Author: NDA0E
Description: Detects STRRAT Java Archive

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: STRRAT
File: Java file jar 0a830444a8c87e98ea93f7e726ecf1aa22aa07799bf6d374edc2c5dfdde511f9 (this sample)
Delivery method: Distributed via e-mail attachment

Comments