MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20172c67c112e4ac1b793722d78dcbefc47e106ea5367c11e808967d1c5bbf2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



STRRAT


Vendor detections: 11

SHA256 hash: 20172c67c112e4ac1b793722d78dcbefc47e106ea5367c11e808967d1c5bbf2b
SHA3-384 hash: 0d04d489b2b875ffb67feb212aa90a405be588983b58e48e315931570adf6981a336d9f8b59372af51977f7685776dab
SHA1 hash: a41ab5fcf9d73b1c56eb78601a5526da758ec3f0
MD5 hash: 85b5b42578e91f7cec8970cbc0723a84
humanhash: uniform-arkansas-edward-table
File name: Angebotsanfrage.jar (German: "request for quotation")
Signature: STRRAT
File size: 98,442 bytes
First seen: 2026-02-12 10:10:06 UTC
Last seen: 2026-02-12 14:02:42 UTC
File type: Java file (jar)
MIME type: application/zip
ssdeep: 1536:dBGy3fI8QJzkjKFR6eq7OZJJsKvGQTWXqqUoymWn:dcWIfV7ch7uJpT2TvymWn
TLSH: T147A309587B48D0B6D763B0F30A5C930AA974F5EFA65461CB1EF0AC9DDCA98400F6278D
TrID: 77.1% (.JAR) Java Archive (13500/1/2); 22.8% (.ZIP) ZIP compressed archive (4000/1)
Magika: jar
Reporter: abuse_ch
Tags: jar STRRAT
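A first triage pass over a downloaded copy of this sample, as an added example (not code from MalwareBazaar, abuse.ch or any vendor quoted on this page): it recomputes the four digests the entry lists (SHA256, SHA3-384, SHA1, MD5) so the file on disk can be checked against the page, confirms it is a ZIP container (the entry reports MIME type application/zip) and reads Main-Class from META-INF/MANIFEST.MF, the entry point java(w).exe executes when the JAR is launched. The stand-in JAR built by build_sample_jar() is constructed here for offline runs and is not the real Angebotsanfrage.jar; its class names are invented.

```python
"""JAR triage: hash set, container check, manifest entry point, class inventory."""
import hashlib
import io
import zipfile
from typing import Optional

# Digests published on the MalwareBazaar page for Angebotsanfrage.jar.
PAGE_HASHES = {
    "sha256": "20172c67c112e4ac1b793722d78dcbefc47e106ea5367c11e808967d1c5bbf2b",
    "sha3_384": "0d04d489b2b875ffb67feb212aa90a405be588983b58e48e315931570adf6981a336d9f8b59372af51977f7685776dab",
    "sha1": "a41ab5fcf9d73b1c56eb78601a5526da758ec3f0",
    "md5": "85b5b42578e91f7cec8970cbc0723a84",
}


def hash_set(data: bytes) -> dict:
    """Hex digests in the same four algorithms MalwareBazaar lists."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def parse_manifest(text: str) -> dict:
    """Parse MANIFEST.MF 'Name: value' lines; a line starting with one space continues the previous value."""
    attrs: dict = {}
    last = None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def triage_jar(data: bytes, expected: Optional[dict] = None) -> dict:
    """Hashes, container check, entry point and class inventory for one file's bytes."""
    result = {
        "hashes": hash_set(data),
        "matches_page": None,            # None when no expected digests were supplied
        "is_zip": zipfile.is_zipfile(io.BytesIO(data)),
        "entries": 0,
        "class_files": [],
        "main_class": None,
    }
    if expected is not None:
        result["matches_page"] = all(
            result["hashes"][algo] == digest.lower() for algo, digest in expected.items()
        )
    if not result["is_zip"]:
        return result                    # not a JAR at all; hashes are still useful for lookup
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["entries"] = len(names)
        result["class_files"] = sorted(n for n in names if n.endswith(".class"))
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
            result["main_class"] = manifest.get("Main-Class")
    return result


def triage_file(path: str, expected: Optional[dict] = PAGE_HASHES) -> dict:
    """Triage a file on disk, e.g. the .jar extracted from the MalwareBazaar download."""
    with open(path, "rb") as fh:
        return triage_jar(fh.read(), expected)


def build_sample_jar() -> bytes:
    """Constructed stand-in JAR for offline runs; NOT the real sample, class names invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Main-Class is wrapped onto a continuation line, as the JAR spec allows.
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: example.Load\r\n er\r\n")
        zf.writestr("example/Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
        zf.writestr("example/Config.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
        zf.writestr("resources/data.bin", b"not a class")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_jar(build_sample_jar(), PAGE_HASHES)
    print(report["hashes"]["sha256"], report["main_class"], report["class_files"])
```

MalwareBazaar serves samples inside a password-protected ZIP, so extract the inner .jar before hashing; a matches_page of False on the outer archive is expected. The sha256 value is the one to pivot on (ThreatFox, YARAhub, vendor portals); the manifest Main-Class is the first class to open in a decompiler, even when the rest of the archive is obfuscated (the sandbox above flagged the Caesium obfuscator).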


Comment by abuse_ch:
STRRAT C2:
37.120.199.54:4781

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 37.120.199.54:4781
ThreatFox reference: https://threatfox.abuse.ch/ioc/1746819/

Intelligence


File Origin
# of uploads: 2
# of downloads: 147
Origin country: NL

Vendor Threat Intelligence

No detections

Malware family:
ID: 1
File name: Angebotsanfrage.jar
Verdict: Malicious activity
Analysis date: 2026-02-12 10:11:26 UTC
Tags: java auto-startup auto-reg auto-sch evasion strrat rat remote

Note: ANY.RUN is an interactive sandbox; its verdict reflects all user actions during the session, not only the uploaded sample.

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: strrat

Verdict: Malicious
File Type: jar
First seen: 2026-02-12T02:39:00Z UTC
Last seen: 2026-02-13T17:13:00Z UTC
Hits: ~1000
Detections: Backdoor.Agent.TCP.C&C; HEUR:Trojan.Java.Generic; Trojan-Dropper.Win32.Dapato.sb; Trojan.Java.Agent.sb; Trojan.APosT.UDP.C&C; Backdoor.Java.Agent.sb
Result
Threat name: Caesium Obfuscator, STRRAT
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100

Signatures
Creates autostart registry keys to launch java
Exploit detected, runtime environment starts unknown processes
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Suspicious Startup Folder Persistence
Suricata IDS alerts for network traffic
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Uses WMIC command to query system information (often done to detect virtual machines)
Yara detected Caesium Obfuscator
Yara detected STRRAT

Behaviour
Behavior Graph (ID 1868307; sample Angebotsanfrage.jar; start date 12/02/2026; architecture WINDOWS; score 100), reconstructed from the rendered graph:

Network nodes
elastsolek21.duckdns.org -> 37.120.199.54:4781 (local port 49693), M247GB, Romania
ip-api.com -> 208.95.112.1:80 (local port 49695), TUT-ASUS, United States

Process tree
cmd.exe (uses schtasks.exe or at.exe to add and modify task schedules; uses WMIC to query system information)
    java.exe: drops C:\Users\user\AppData\...\Angebotsanfrage.jar (Zip, two copies) and C:\ProgramData\...\Angebotsanfrage.jar (Zip); creates autostart registry keys to launch java
        java.exe: connects to elastsolek21.duckdns.org and ip-api.com; uses WMIC to query system information
            cmd.exe -> WMIC.exe (three instances) and 2 other processes -> WMIC.exe; WMIC.exe queries Win32_LogicalDisk (via WMI, often done to detect sandboxes)
        cmd.exe -> schtasks.exe
    conhost.exe
javaw.exe (two instances)
3 other processes

Graph-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; Uses dynamic DNS services (elastsolek21.duckdns.org); 6 other signatures
Threat name: ByteCode-JAVA.Trojan.Egairtigado
Status: Malicious
First seen: 2026-02-12 10:10:33 UTC
File Type: Binary (Archive)
Extracted files: 162
AV detection: 13 of 38 (34.21%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:strrat execution persistence stealer trojan
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
STRRAT
Strrat family
Malware Config
C2 Extraction:
elastsolek21.duckdns.org:4781
zekeriyasolek44.duckdns.org:4781
Please note that we are no longer able to provide a coverage score for Virus Total.
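The behaviours the sandboxes above agree on (a Run key and a scheduled task that relaunch the dropped .jar, WMIC Win32_LogicalDisk queries from under the Java process, duckdns lookups, the ThreatFox C2 endpoint 37.120.199.54:4781 and the ip-api.com external-IP lookup) translate directly into host-telemetry detections. The following is an added example, not code from MalwareBazaar, abuse.ch or any sandbox vendor quoted on this page, and it also covers the IOC section above. EVENTS is a constructed, Sysmon-like event stream; the PIDs, drop paths and task name in it are illustrative and are not the truncated paths shown in the behaviour graph. The ancestry walk is what keeps an administrator's own wmic logicaldisk query from firing.

```python
"""Detection rules for the STRRAT behaviours reported above, run over constructed events."""
from collections import Counter

JAVA_IMAGES = {"java.exe", "javaw.exe"}
USER_WRITABLE_DIRS = ("\\appdata\\", "\\programdata\\")   # drop locations in the behaviour graph
DYNDNS_SUFFIXES = (".duckdns.org",)                         # both extracted C2 hosts use it
C2_ENDPOINTS = {("37.120.199.54", 4781)}                    # ThreatFox IOC on this page
IP_LOOKUP_HOSTS = {"ip-api.com"}                            # external IP lookup seen in the graph


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def under_java(pid, procs: dict) -> bool:
    """True if pid or any ancestor present in the process map is java.exe/javaw.exe."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        if basename(procs[pid]["image"]) in JAVA_IMAGES:
            return True
        pid = procs[pid]["ppid"]
    return False


def detect(events: list) -> list:
    """Return (rule, pid, detail) tuples for every event that matches a rule."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        kind = e["type"]
        if kind == "process":
            name, cmd = basename(e["image"]), e["cmd"].lower()
            if name in JAVA_IMAGES and "-jar" in cmd and any(d in cmd for d in USER_WRITABLE_DIRS):
                hits.append(("java_jar_in_user_writable_dir", e["pid"], e["cmd"]))
            elif name == "schtasks.exe" and "/create" in cmd and under_java(e["ppid"], procs):
                hits.append(("schtasks_create_under_java", e["pid"], e["cmd"]))
            elif name == "wmic.exe" and "logicaldisk" in cmd and under_java(e["ppid"], procs):
                hits.append(("wmic_logicaldisk_under_java", e["pid"], e["cmd"]))
        elif kind == "registry":
            data = e["data"].lower()
            if e["key"].lower().endswith("\\currentversion\\run") and "java" in data and ".jar" in data:
                hits.append(("run_key_launches_jar", e["pid"], e["key"] + "\\" + e["value"]))
        elif kind == "dns":
            query = e["query"].lower()
            if query.endswith(DYNDNS_SUFFIXES) and under_java(e["pid"], procs):
                hits.append(("dyndns_query_from_java", e["pid"], query))
            elif query in IP_LOOKUP_HOSTS:
                hits.append(("external_ip_lookup", e["pid"], query))
        elif kind == "network":
            if (e["dst_ip"], e["dst_port"]) in C2_ENDPOINTS:
                hits.append(("known_c2_endpoint", e["pid"], f'{e["dst_ip"]}:{e["dst_port"]}'))
    return hits


def rule_counts(events: list) -> dict:
    return dict(Counter(rule for rule, _, _ in detect(events)))


# Constructed event stream (NOT real telemetry from this sample); paths and task name are illustrative.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Program Files\Java\bin\javaw.exe",
     "cmd": r'javaw.exe -jar "C:\Users\user\Downloads\Angebotsanfrage.jar"'},          # user opens the lure
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c schtasks /create /sc minute /mo 30 /tn Update /tr "javaw -jar C:\ProgramData\Angebotsanfrage.jar"'},
    {"type": "process", "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /sc minute /mo 30 /tn Update /tr "javaw -jar C:\ProgramData\Angebotsanfrage.jar"'},
    {"type": "process", "pid": 500, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c wmic logicaldisk get caption,size"},                            # sandbox check under java
    {"type": "process", "pid": 600, "ppid": 500, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic logicaldisk get caption,size"},
    {"type": "process", "pid": 700, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c wmic logicaldisk get caption"},                                 # admin, not under java
    {"type": "process", "pid": 710, "ppid": 700, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic logicaldisk get caption"},
    {"type": "process", "pid": 800, "ppid": 100, "image": r"C:\Program Files\Java\bin\java.exe",
     "cmd": r"java.exe -jar C:\ProgramData\Angebotsanfrage.jar"},                        # task fires dropped copy
    {"type": "registry", "pid": 200, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Angebotsanfrage",
     "data": r'"C:\Program Files\Java\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Angebotsanfrage.jar"'},
    {"type": "dns", "pid": 200, "query": "elastsolek21.duckdns.org"},
    {"type": "network", "pid": 200, "dst_ip": "37.120.199.54", "dst_port": 4781},
    {"type": "dns", "pid": 200, "query": "ip-api.com"},
    {"type": "network", "pid": 200, "dst_ip": "208.95.112.1", "dst_port": 80},         # ip-api itself is not an IOC
    {"type": "dns", "pid": 100, "query": "www.example.com"},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:32} pid={pid} {detail}")
```

The C2 IP and the duckdns names are the page's IOCs, but the durable signal is the process ancestry: a Java runtime that spawns schtasks.exe, writes a Run value pointing at a .jar under AppData or ProgramData, and queries Win32_LogicalDisk is STRRAT-shaped whatever the current C2 resolves to, and the dynamic-DNS names will move long before the behaviour does.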

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: STRRAT
Author: NDA0E
Description: Detects STRRAT config filename

Rule name: strrat_jar_v1
Author: RandomMalware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments