MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20c90a2dc95ae965457ca1b792f97dd8a755b75df6edad3d39dcf540be6306af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



STRRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash: 20c90a2dc95ae965457ca1b792f97dd8a755b75df6edad3d39dcf540be6306af
SHA3-384 hash: dcb9df9803ca184da3f98b166097939ee66773fb70d00d1f370bfade5514a4ed9eb3ac398002229acfdc9328bab526c8
SHA1 hash: 6dbcf0aedd7b0194d8ae3ce1a92e9c6b56e5c488
MD5 hash: 0d012eb23b23a296c21c9448249a5eea
humanhash: speaker-triple-moon-ceiling
File name:Request For Quotation.js
Download: download sample
Signature STRRAT
File size:756'747 bytes
First seen:2025-09-06 07:00:47 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 6144:pQli5HTHrIji+8BYjwqpPq4Dvl0FFvpQcCIuQ/UOGSHeMPwOvkSdFgtlCkQVF7b3:uE
TLSH T1BAF4A8C55568790697A3F534C322E123EC38ED1328EB12D6BDC43A49AEF6C545EBDA30
Magika javascript
Reporter abuse_ch
Tags:js RAT STRRAT

Intelligence


File Origin
# of uploads :
1
# of downloads :
372
Origin country :
SE SE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Tags:
autorun emotet
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
banload evasive obfuscated obfuscated
Verdict:
Malicious
File Type:
text
First seen:
2025-09-04T04:39:00Z UTC
Last seen:
2025-09-04T04:39:00Z UTC
Hits:
~1000
Result
Threat name:
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Signature
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Found malware configuration
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious VBS/JS script found (suspicious encoded strings)
Sigma detected: WScript or CScript Dropper
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AllatoriJARObfuscator
Yara detected STRRAT
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1772241 Sample: Request For Quotation.js Startdate: 06/09/2025 Architecture: WINDOWS Score: 100 45 str-master.pw 2->45 47 repo1.maven.org 2->47 49 4 other IPs or domains 2->49 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 8 other signatures 2->67 10 wscript.exe 1 2 2->10         started        14 notepad.exe 2->14         started        16 notepad.exe 2->16         started        signatures3 process4 file5 41 C:\Users\user\AppData\Roaming\letdxzti.txt, Zip 10->41 dropped 71 JScript performs obfuscated calls to suspicious functions 10->71 73 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->73 18 javaw.exe 22 10->18         started        signatures6 process7 dnsIp8 51 github.com 140.82.112.4, 443, 49689 GITHUBUS United States 18->51 53 release-assets.githubusercontent.com 185.199.111.133, 443, 49690 FASTLYUS Netherlands 18->53 55 dualstack.sonatype.map.fastly.net 199.232.192.209, 443, 49686, 49687 FASTLYUS United States 18->55 21 java.exe 16 18->21         started        process9 file10 39 C:\Users\user\...\jna5288260406455328339.dll, PE32 21->39 dropped 24 cmd.exe 1 21->24         started        27 java.exe 10 21->27         started        31 conhost.exe 21->31         started        process11 dnsIp12 69 Uses schtasks.exe or at.exe to add and modify task schedules 24->69 33 conhost.exe 24->33         started        35 schtasks.exe 24->35         started        57 str-master.pw 5.79.71.225, 80 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 27->57 59 harold.jetos.com 23.94.206.25, 3608 AS-COLOCROSSINGUS United States 27->59 43 C:\Users\user\...\jna3300332011754618747.dll, PE32 27->43 dropped 37 conhost.exe 27->37         started        file13 signatures14 process15
Verdict:
inconclusive
YARA:
1 match(es)
Threat name:
Script-JS.Trojan.Cryxos
Status:
Malicious
First seen:
2025-09-04 07:56:44 UTC
File Type:
Text (JavaScript)
AV detection:
10 of 38 (26.32%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:strrat execution persistence stealer trojan
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Loads dropped DLL
STRRAT
Strrat family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_STRRAT_javascripts_Malware
Author:daniyyell
Description:Detects obfuscated JavaScript code indicative of STRRAT malware.
Rule name:SUSP_Base64_Encoded_Hex_Encoded_Code_RID3420
Author:Florian Roth
Description:Detects hex encoded code that has been base64 encoded
Reference:Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments