MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c07c3eff0efd95822fe3db3878093b225d459022ebc2625574c33d84113d15b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



STRRAT


Vendor detections: 14



SHA256 hash: 1c07c3eff0efd95822fe3db3878093b225d459022ebc2625574c33d84113d15b
SHA3-384 hash: b12f0cb6abb55e579b9ff55dd6733541e1acb017c061697ef8f5273284c1df64a035c5c3fbfe50001126d11b03d2a654
SHA1 hash: ee6351459e638e23d615ca12e8f67a45e95561f1
MD5 hash: 201335ec3d0506fe45a5f793f9190fb6
humanhash: oven-lactose-eight-cola
File name: Proforma2.js
Signature: STRRAT
File size: 783'771 bytes
First seen: 2026-02-24 13:30:16 UTC
Last seen: 2026-02-24 13:53:07 UTC
File type: JavaScript (JS), extension .js
MIME type: text/plain
ssdeep: 12288:Jj4KmImYEs938FFchbJ0xIziezWVCE1LRzOVGJcgNiMQJ:aKmL4meieI9nNiM2
Threatray: 2'693 similar samples on MalwareBazaar
TLSH: T19FF4F1214B841FA4DEA85A0BD0BD4A1E57F1078BC619B4DDEB23BD07AFEFD04411A2D9
Magika: txt
Reporter: abuse_ch
Tags: 23-94-206-26 js STRRAT


abuse_ch
STRRAT C2:
23.94.206.26:5610

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox reference
23.94.206.26:5610    https://threatfox.abuse.ch/ioc/1754200/
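The IOC table above is only useful once it is matched against your own telemetry. The script below is an added example, not MalwareBazaar or abuse.ch tooling: it takes the indicators listed on this page (the C2 socket 23.94.206.26:5610, the domains jareyo.duckdns.org and str-master.pw that the sandbox shows java.exe contacting, and ip-api.com as a weak geolocation signal) and runs them over Zeek-style conn.log and dns.log lines. The log lines are constructed for illustration; the column layout is Zeek's, but nothing else about the traffic is real.

```python
"""Match the network IOCs from this entry against Zeek-style conn.log and
dns.log lines.  Added example, not MalwareBazaar or abuse.ch tooling; the
log lines below are constructed for illustration."""
from dataclasses import dataclass

# Indicators taken from this entry.  ip-api.com is a public geolocation
# service; this sample's java.exe queries it, but on its own that is only
# a weak signal, so it is scored low.
C2_ENDPOINTS = {("23.94.206.26", 5610)}          # ThreatFox ioc/1754200
C2_DOMAINS = {"jareyo.duckdns.org", "str-master.pw"}
WEAK_DOMAINS = {"ip-api.com"}


@dataclass(frozen=True)
class Hit:
    source: str      # "conn" or "dns"
    indicator: str
    severity: str    # "high", "medium" or "low"
    line: str


def parse_ioc_row(row):
    """Turn an 'ip:port reference' row like the IOC table above into (host, port)."""
    endpoint = row.split()[0]
    host, port = endpoint.rsplit(":", 1)
    return host, int(port)


def _fields(line, minimum):
    # Skip Zeek header/comment lines and anything too short to be a record.
    if line.startswith("#"):
        return None
    f = line.rstrip("\n").split("\t")
    return f if len(f) >= minimum else None


def match_conn(line):
    # Zeek conn.log columns: ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto ...
    f = _fields(line, 7)
    if f is None:
        return None
    resp_h, resp_p = f[4], int(f[5])
    if (resp_h, resp_p) in C2_ENDPOINTS:
        return Hit("conn", f"{resp_h}:{resp_p}", "high", line.strip())
    if any(resp_h == ip for ip, _ in C2_ENDPOINTS):
        # Same host on another port: worth triage, but not the known C2 socket.
        return Hit("conn", resp_h, "medium", line.strip())
    return None


def match_dns(line):
    # Zeek dns.log columns: ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query ...
    f = _fields(line, 10)
    if f is None:
        return None
    q = f[9].lower().rstrip(".")
    for domains, sev in ((C2_DOMAINS, "high"), (WEAK_DOMAINS, "low")):
        for d in domains:
            if q == d or q.endswith("." + d):   # exact match or subdomain
                return Hit("dns", d, sev, line.strip())
    return None


def scan(conn_lines, dns_lines):
    """Return every hit, conn.log hits first, in log order."""
    hits = [h for h in map(match_conn, conn_lines) if h is not None]
    hits += [h for h in map(match_dns, dns_lines) if h is not None]
    return hits


# Constructed sample logs (tab-separated, Zeek layout); not real traffic.
CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1771940000.1\tCa1\t10.0.0.5\t49699\t23.94.206.26\t5610\ttcp
1771940001.2\tCa2\t10.0.0.5\t49704\t208.95.112.1\t80\ttcp
1771940002.3\tCa3\t10.0.0.7\t51000\t93.184.216.34\t443\ttcp
1771940003.4\tCa4\t10.0.0.9\t52000\t23.94.206.26\t443\ttcp""".splitlines()

DNS_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\ttrans_id\trtt\tquery
1771940000.0\tCd1\t10.0.0.5\t61000\t10.0.0.2\t53\tudp\t1\t0.01\tjareyo.duckdns.org
1771940001.0\tCd2\t10.0.0.5\t61001\t10.0.0.2\t53\tudp\t2\t0.01\tip-api.com
1771940002.0\tCd3\t10.0.0.7\t61002\t10.0.0.2\t53\tudp\t3\t0.01\tgithub.com""".splitlines()

if __name__ == "__main__":
    for h in scan(CONN_LOG, DNS_LOG):
        print(f"[{h.severity:6}] {h.source} {h.indicator}: {h.line}")
```

The github.com, githubusercontent.com and maven.org traffic the sandbox also records is deliberately not in the indicator sets: those are legitimate hosts the dropper uses to fetch Java dependencies, and alerting on them would be pure noise. The dynamic-DNS name is matched on the full label, not on duckdns.org as a whole, for the same reason.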

Intelligence


File Origin
Number of uploads: 3
Number of downloads: 127
Origin country: NL
Vendor Threat Intelligence
No detections

Verdict: Malicious
Score: 94.9%
Tags: vmdetect stration malcrypt spawn

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm babar base64 crypt divergent dropper obfuscated obfuscated packed repaired

Verdict: Malicious
Labeled as: GT:JS.Divergent.3.6A2842B0;JS:Trojan.Cryxos.5674;Gen:Babar.530915;JS:Trojan.Cryxos.5674;Java.Trojan.Generic.29230;Java.Trojan.Generic.29244;Java.Trojan.GenericA.35832;Java.Trojan.GenericA.34611;Java.Trojan.GenericA.35834;Java.Trojan.Generic

Verdict: Malicious
File type: js
Detections: Trojan-PSW.Win32.Stealer.sb Trojan-Downloader.Java.Agent.sb Trojan-Downloader.JS.Cryptoload.sb Trojan-Spy.Noon.HTTP.ServerRequest Backdoor.Agent.TCP.C&C Trojan-Spy.Win32.Noon.sb HEUR:Trojan-PSW.Script.Stealer.gen HEUR:Trojan.Java.Agent.gen Backdoor.Win32.Androm.sb Trojan-Dropper.Win32.Injector.sb Trojan-Dropper.Win32.Agent.sb Trojan-Downloader.Win32.Dapato Trojan-Dropper.JS.SDrop.sb HEUR:Worm.Script.SAgent.gen HEUR:Trojan.Script.Generic Trojan-Spy.Win32.Noon.bpyg Trojan-Dropper.Win32.Dapato.sb PDM:Trojan.Win32.Generic Backdoor.Agent.HTTP.C&C HEUR:Trojan-Dropper.Script.Generic HEUR:Trojan-Downloader.Script.Generic Backdoor.Java.Agent.dn Backdoor.Java.StrRat.sb
Result
Threat name: FormBook, STRRAT
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Benign windows process drops PE files
Creates autostart registry keys to launch java
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Found malware configuration
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queues an APC in another process (thread injection)
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Startup Folder Persistence
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Uses WMIC command to query system information (often done to detect virtual machines)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Yara detected AllatoriJARObfuscator
Yara detected FormBook
Yara detected STRRAT
Behaviour
Behavior graph ID 1874084 (sample Proforma2.js, start date 24/02/2026, architecture WINDOWS, score 100), flattened from the graph image into a process tree:

Sample-level observations:
  Domains/IPs: jareyo.duckdns.org (flagged: Uses dynamic DNS services); www.xn--1rwm7w8mt.net; 18 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures
  Processes started directly from the sample: wscript.exe; javaw.exe; javaw.exe; 2 other processes

wscript.exe (Proforma2.js)
  drops: C:\Users\user\AppData\Local\Temp\svchost.js (ASCII); C:\Users\user\AppData\Local\Temp\adobe.js (ASCII)
  signatures: Benign windows process drops PE files; JScript performs obfuscated calls to suspicious functions; Windows Scripting host queries suspicious COM object (likely to drop second stage); WScript reads language and country specific registry keys (likely country aware script)
  +- wscript.exe
  |    drops: C:\Users\user\AppData\Local\Temp\Vev.jar (Zip)
  |    signatures: WScript reads language and country specific registry keys (likely country aware script)
  |    +- javaw.exe
  |         network: github.com 140.82.113.3:443 (GITHUBUS, United States); release-assets.githubusercontent.com 185.199.110.133:443 (FASTLYUS, Netherlands); repo1.maven.org.cdn.cloudflare.net 104.18.18.12:443 (CLOUDFLARENETUS, United States)
  |         +- java.exe
  |              drops: C:\Users\user\...\jna7217211319644141202.dll (PE32); C:\Users\user\AppData\Roaming\Vev.jar (Zip); C:\Users\user\AppData\Roaming\...\Vev.jar (Zip)
  |              signatures: Creates autostart registry keys to launch java
  |              +- java.exe
  |              |    network: jareyo.duckdns.org 23.94.206.26:5610 (AS-COLOCROSSINGUS, United States); ip-api.com 208.95.112.1:80 (TUT-ASUS, United States); str-master.pw 178.162.202.97:80 (LEASEWEB-DE-FRA-10DE, Germany)
  |              |    drops: C:\Users\user\...\jna1106907427470466975.dll (PE32)
  |              |    signatures: Uses WMIC command to query system information (often done to detect virtual machines)
  |              |    +- cmd.exe -> WMIC.exe (Queries sensitive service information via WMI, Win32_LogicalDisk, often done to detect sandboxes); conhost.exe
  |              |    +- cmd.exe -> WMIC.exe (writes stdout, ASCII); conhost.exe
  |              |    +- cmd.exe -> conhost.exe; WMIC.exe
  |              |    +- 2 other processes -> conhost.exe; WMIC.exe
  |              +- cmd.exe
  |              |    signatures: Uses schtasks.exe or at.exe to add and modify task schedules
  |              |    +- conhost.exe
  |              |    +- schtasks.exe
  |              +- conhost.exe
  +- wscript.exe
       drops: NyBe.exe (PE32) under C:\Users\user\AppData\Local\Temp (path garbled in the source as "Temp99yBe.exe")
       +- NyBe.exe
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Maps a DLL or memory area into another process
            +- ctmA5EInN1bTBM.exe (injected)
                 signatures: Maps a DLL or memory area into another process
                 +- regini.exe
                      signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 4 other signatures
                      +- XtVtBEpGF.exe (injected)
                      |    network: www.tungstenammo.com 156.224.45.155 (VPSQUANUS, Seychelles); www.wisc.cloud 18.164.116.8 (MIT-GATEWAYSUS, United States); 5 other IPs or domains
                      +- chrome.exe -> WerFault.exe
                      +- firefox.exe

The tree shows two payloads from one JS dropper: the Vev.jar branch is STRRAT (Java, persisted via autostart keys and schtasks, beaconing to jareyo.duckdns.org:5610), while the NyBe.exe branch is the FormBook infostealer (process injection into ctmA5EInN1bTBM.exe and regini.exe, browser and mail credential theft, its own set of C2 domains).
Verdict: inconclusive
YARA: 1 match(es)

Threat name: Script-JS.Trojan.Divergent
Status: Malicious
First seen: 2026-02-24 13:30:33 UTC
File Type: Text (HTML)
AV detection: 9 of 24 (37.50%)
Threat level: 5/5
Result
Malware family: (empty)
Score: 10/10
Tags: family:strrat discovery execution persistence stealer trojan
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
STRRAT
Strrat family
Malware Config
C2 Extraction:
jareyo.duckdns.org:5610
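The sandbox signatures above (WScript or CScript Dropper, Suspicious Script Execution From Temp Folder, schtasks.exe task creation, WMIC queries) and the behaviour list in this block (Command and Scripting Interpreter: JavaScript, Scheduled Task/Job) describe a process chain that can be detected from ordinary endpoint telemetry. The script below is an added example, not MalwareBazaar, Joe Sandbox or Sigma code: it implements those checks as rules over Sysmon-style process-creation events and correlates them through the parent chain, so schtasks or WMIC only fires when reached from java via cmd, as reported here. The events are constructed to mirror the reported chain (wscript.exe -> wscript.exe -> javaw.exe -> java.exe -> cmd.exe -> schtasks.exe / WMIC.exe); every path, PID, task name and command line is made up.

```python
"""Host-side detection of the execution chain reported for this sample,
run over constructed Sysmon-style process-creation events.  Added example:
not MalwareBazaar, Joe Sandbox or Sigma code.  Paths, PIDs and command
lines are invented; only the chain shape follows the sandbox report."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str


TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JAVA = {"java.exe", "javaw.exe"}


def base(path):
    return path.rsplit("\\", 1)[-1].lower()


def lineage(by_pid, pid):
    """Image names from the process up to the oldest ancestor we have."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against PID reuse loops
        seen.add(pid)
        chain.append(base(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def rule_script_from_temp(ev, by_pid):
    # Script host launched with a script under %LOCALAPPDATA%\Temp
    # ("Suspicious Script Execution From Temp Folder").
    return base(ev.image) in SCRIPT_HOSTS and bool(TEMP_RE.search(ev.cmdline))


def rule_script_host_spawns_jar(ev, by_pid):
    # Script host handing a .jar to java ("WScript or CScript Dropper";
    # wscript.exe -> javaw.exe Vev.jar in the report).
    parent = by_pid.get(ev.ppid)
    return (parent is not None and base(parent.image) in SCRIPT_HOSTS
            and base(ev.image) in JAVA and ".jar" in ev.cmdline.lower())


def rule_java_schtasks_create(ev, by_pid):
    # schtasks /create reached from java through cmd ("Uses schtasks.exe or
    # at.exe to add and modify task schedules").
    if base(ev.image) != "schtasks.exe" or "/create" not in ev.cmdline.lower():
        return False
    chain = lineage(by_pid, ev.pid)
    return len(chain) >= 3 and chain[1] == "cmd.exe" and chain[2] in JAVA


def rule_java_wmic(ev, by_pid):
    # WMIC under java through cmd ("Uses WMIC command to query system
    # information"; Win32_LogicalDisk in the report).
    chain = lineage(by_pid, ev.pid)
    return chain[:1] == ["wmic.exe"] and len(chain) >= 3 and chain[1] == "cmd.exe" and chain[2] in JAVA


RULES = {
    "script_from_temp": rule_script_from_temp,
    "script_host_spawns_jar": rule_script_host_spawns_jar,
    "java_schtasks_create": rule_java_schtasks_create,
    "java_wmic_query": rule_java_wmic,
}


def evaluate(events):
    """Return [(rule, pid, lineage)] for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        for name, fn in RULES.items():
            if fn(ev, by_pid):
                hits.append((name, ev.pid, " <- ".join(lineage(by_pid, ev.pid))))
    return hits


# Constructed events: paths, PIDs and arguments are invented.
U = r"C:\Users\user"
EVENTS = [
    ProcEvent(50, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(100, 50, r"C:\Windows\System32\wscript.exe", f'wscript.exe "{U}\\Downloads\\Proforma2.js"'),
    ProcEvent(101, 100, r"C:\Windows\System32\wscript.exe", f'wscript.exe "{U}\\AppData\\Local\\Temp\\svchost.js"'),
    ProcEvent(102, 101, r"C:\Program Files\Java\bin\javaw.exe", f'javaw.exe -jar "{U}\\AppData\\Local\\Temp\\Vev.jar"'),
    ProcEvent(103, 102, r"C:\Program Files\Java\bin\java.exe", f'java.exe -jar "{U}\\AppData\\Roaming\\Vev.jar"'),
    ProcEvent(104, 103, r"C:\Windows\System32\cmd.exe", f'cmd.exe /c schtasks /create /sc minute /mo 30 /tn Vev /tr "javaw -jar {U}\\AppData\\Roaming\\Vev.jar"'),
    ProcEvent(105, 104, r"C:\Windows\System32\schtasks.exe", f'schtasks /create /sc minute /mo 30 /tn Vev /tr "javaw -jar {U}\\AppData\\Roaming\\Vev.jar"'),
    ProcEvent(106, 103, r"C:\Windows\System32\cmd.exe", "cmd.exe /c wmic logicaldisk get size,freespace"),
    ProcEvent(107, 106, r"C:\Windows\System32\wbem\WMIC.exe", "wmic logicaldisk get size,freespace"),
    # Benign look-alikes that must not fire: a normal jar from Explorer, a logon script.
    ProcEvent(200, 50, r"C:\Program Files\Java\bin\javaw.exe", r'javaw.exe -jar "C:\Program Files\Tool\tool.jar"'),
    ProcEvent(201, 50, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Scripts\logon.vbs"'),
]

if __name__ == "__main__":
    for rule, pid, chain in evaluate(EVENTS):
        print(f"{rule:24} pid={pid} {chain}")
```

Process-creation events cannot see the remaining persistence items in the report (the autostart Run key and the startup-folder file); those need registry and file-write telemetry (Sysmon event IDs 13 and 11) and are left out here rather than faked.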
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__GlobalFlags
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerHiding__Active
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: dgaagas
Author: Harshit
Description: Uses certutil.exe to download a file named test.txt

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: pe_no_import_table
Description: Detect pe file that no import table

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SUSP_Double_Base64_Encoded_Executable_RID34CC
Author: Florian Roth
Description: Detects an executable that has been encoded with base64 twice
Reference: https://twitter.com/TweeterCyber/status/1189073238803877889

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name: telebot_framework
Author: vietdx.mb

Rule name: TH_Win_ETW_Bypass_2025_CYFARE
Author: CYFARE
Description: Windows ETW Bypass Detection Rule - 2025
Reference: https://cyfare.net/

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method    Signature    File type          SHA256
Web download       STRRAT       JavaScript (JS)    1c07c3eff0efd95822fe3db3878093b225d459022ebc2625574c33d84113d15b (this sample)

Delivery method: Distributed via web download
