MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58e760ac5e689c48fddfef56e98e088d95b19838c0d6a783777b3fcb0698cc01. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

STRRAT

Vendor detections: 11

SHA256 hash: 58e760ac5e689c48fddfef56e98e088d95b19838c0d6a783777b3fcb0698cc01
SHA3-384 hash: e397e12dd678b5d18b3dc4ef07f12f9b377b1f7d9426eeade4960025b8595531f2691d1606f90eed5baa25f2f2db6e57
SHA1 hash: ac5669bba03079a4699305312b35cb09faf29c1c
MD5 hash: 40022f794f3c8e822519c73498ec92b5
humanhash: monkey-lima-queen-papa
File name: Teklif-Talebi.jar
Signature: STRRAT
File size: 98'458 bytes
First seen: 2026-02-27 08:02:27 UTC
Last seen: Never
File type: Java file jar
MIME type: application/zip
ssdeep: 1536:9B6y3vI8QZzUj+FRGeu7OZJJsKvGwrWXqeUoGKWx:9M6IfljgJ7uJNr23vGKWx
TLSH: T1DEA3F7547A44D07AEB63F1730958922BB974ECEF926469870FF0BC9DDCA98800F627C5
TrID: 77.1% (.JAR) Java Archive (13500/1/2)
      22.8% (.ZIP) ZIP compressed archive (4000/1)
Magika: jar
Reporter: lowmal3
Tags: jar, STRRAT
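The hash set and file-type fields above are what an analyst checks before touching a downloaded sample. The Python below is an added example, not MalwareBazaar's code: it recomputes the four published digests over a local file, reports any that differ, and inspects the archive statically. A JAR is an ordinary ZIP that carries META-INF/MANIFEST.MF, which is why the MIME type reads application/zip while TrID and Magika say jar; the manifest's Main-Class names the class `java -jar` would run. The JAR the block writes for the demonstration is a constructed stand-in with an invented Main-Class and entries (the real sample is not embedded), so every digest mismatches, which is the failure the check exists to catch.

```python
"""Offline pre-analysis check for a JAR sample. Added example; not MalwareBazaar
code. EXPECTED holds the digests published on this page for Teklif-Talebi.jar.
The JAR written by build_demo_jar() is a constructed stand-in (manifest,
Main-Class "Loader" and entry names are invented), so verify_hashes() reports
every digest as mismatching, exactly as it should for a file that is not the
published sample."""
import hashlib
import os
import tempfile
import zipfile

# Digests published on this MalwareBazaar page.
EXPECTED = {
    "md5": "40022f794f3c8e822519c73498ec92b5",
    "sha1": "ac5669bba03079a4699305312b35cb09faf29c1c",
    "sha256": "58e760ac5e689c48fddfef56e98e088d95b19838c0d6a783777b3fcb0698cc01",
    "sha3_384": ("e397e12dd678b5d18b3dc4ef07f12f9b377b1f7d9426eeade4960025b8595531"
                 "f2691d1606f90eed5baa25f2f2db6e57"),
}


def file_hashes(path):
    """Read the file once and feed the same 64 KiB chunks to every digest."""
    hashers = {name: hashlib.new(name) for name in EXPECTED}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_hashes(path, expected=EXPECTED):
    """Names of the digests that do NOT match the published values (empty = genuine sample)."""
    actual = file_hashes(path)
    return sorted(name for name, want in expected.items()
                  if actual[name] != want.lower())


def inspect_jar(path):
    """Static look at the archive; nothing inside it is executed.

    A JAR is a ZIP container; META-INF/MANIFEST.MF makes it a JAR and its
    Main-Class attribute is the entry point `java -jar` would launch."""
    info = {"is_zip": zipfile.is_zipfile(path), "is_jar": False,
            "main_class": None, "classes": 0, "other_entries": []}
    if not info["is_zip"]:
        return info
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        if "META-INF/MANIFEST.MF" in names:
            info["is_jar"] = True
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                key, _, value = line.partition(":")
                if key.strip().lower() == "main-class":
                    info["main_class"] = value.strip()
    info["classes"] = sum(1 for n in names if n.endswith(".class"))
    info["other_entries"] = sorted(
        n for n in names
        if not n.endswith(".class") and not n.endswith("/") and n != "META-INF/MANIFEST.MF")
    return info


def build_demo_jar(path):
    """Write a constructed stand-in JAR (NOT the real sample) for the demonstration."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: Loader\r\n\r\n")
        # 0xCAFEBABE is the class-file magic; the rest is filler, not bytecode.
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 28)
        zf.writestr("resources/config.txt", "placeholder config\n")
    return path


def triage(path):
    """Hash check plus archive structure: what to know before opening the sample."""
    return {"hash_mismatches": verify_hashes(path), "archive": inspect_jar(path)}


def demo():
    """Run triage on the constructed JAR in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_demo_jar(os.path.join(tmp, "Teklif-Talebi.jar")))


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On the genuine sample `verify_hashes()` returns an empty list; any non-empty result means the file on disk is not the object this record describes (a re-packed copy, a truncated download, a different archive with the same name) and its vendor verdicts do not transfer to it.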

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 133
Origin country: DE
Vendor Threat Intelligence

Vendor result:
No detections
Malware family: n/a

Vendor result (ANY.RUN):
ID: 1
File name: _58e760ac5e689c48fddfef56e98e088d95b19838c0d6a783777b3fcb0698cc01.zip
Verdict: Malicious activity
Analysis date: 2026-02-27 08:04:43 UTC
Tags: java, auto-startup, auto-sch, auto-reg
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Vendor result:
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: strrat

Vendor result:
Verdict: Malicious
File type: jar
Detections: Trojan.Java.Agent.sb, Trojan.APosT.UDP.C&C, Backdoor.Java.Agent.sb, Backdoor.Agent.TCP.C&C, HEUR:Trojan.Java.Generic, Trojan-Dropper.Win32.Dapato.sb
Vendor result (Joe Sandbox):
Threat name: Caesium Obfuscator, STRRAT
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signatures:
  Creates autostart registry keys to launch java
  Creates autostart registry keys with suspicious names
  Exploit detected, runtime environment starts unknown processes
  Found malware configuration
  Joe Sandbox ML detected suspicious sample
  Multi AV Scanner detection for submitted file
  Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
  Sigma detected: Suspicious Startup Folder Persistence
  Suricata IDS alerts for network traffic
  Uses dynamic DNS services
  Uses schtasks.exe or at.exe to add and modify task schedules
  Uses WMIC command to query system information (often done to detect virtual machines)
  Yara detected Caesium Obfuscator
  Yara detected STRRAT
Behaviour: Behavior Graph ID 1875809; sample Teklif-Talebi.jar; start date 27/02/2026; architecture WINDOWS; score 100. The graph, written out as a process tree with the signatures, network contacts and dropped files it attaches to each node:

Teklif-Talebi.jar (sample)
  signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 6 other signatures
  DNS: elastsolek21.duckdns.org (Uses dynamic DNS services); ip-api.com
  cmd.exe
    signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Uses WMIC command to query system information (often done to detect virtual machines)
    conhost.exe
    java.exe
      dropped: C:\Users\user\AppData\...\Teklif-Talebi.jar (Zip)
      dropped: C:\Users\user\AppData\...\Teklif-Talebi.jar (Zip)
      dropped: C:\ProgramData\...\Teklif-Talebi.jar (Zip)
      signatures: Creates autostart registry keys to launch java; Creates autostart registry keys with suspicious names
      cmd.exe
        conhost.exe
        schtasks.exe
      java.exe
        network: elastsolek21.duckdns.org = 37.120.199.54, port 4781 (local port 49687), M247GB, Romania
        network: ip-api.com = 208.95.112.1, port 80 (local port 49691), TUT-ASUS, United States
        signatures: Uses WMIC command to query system information (often done to detect virtual machines)
        cmd.exe
          signatures: Uses WMIC command to query system information (often done to detect virtual machines)
          WMIC.exe
            signatures: Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
          conhost.exe
        cmd.exe
          WMIC.exe
          conhost.exe
        cmd.exe
          WMIC.exe
          conhost.exe
        2 other processes
          WMIC.exe
          conhost.exe
  javaw.exe
  javaw.exe
  3 other processes
Vendor result:
Threat name: ByteCode-JAVA.Trojan.Generic
Status: Suspicious
First seen: 2026-02-26 00:10:40 UTC
File type: Binary (Archive)
Extracted files: 162
AV detection: 10 of 36 (27.78%)
Threat level: 5/5
Vendor result:
Malware family:
Score: 10/10
Tags: family:strrat, execution, persistence, stealer, trojan
Behaviour:
  Scheduled Task/Job: Scheduled Task
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Uses Task Scheduler COM API
  Adds Run key to start application
  Looks up external IP address via web service
  Drops startup file
  STRRAT
  Strrat family
Malware Config
C2 extraction:
  elastsolek21.duckdns.org:4781
  zekeriyasolek44.duckdns.org:4781

Please note that we are no longer able to provide a coverage score for Virus Total.
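The vendor results above give both network indicators (two duckdns.org C2 hostnames on port 4781, the resolved address 37.120.199.54, an ip-api.com external-IP lookup) and host behaviours (java.exe spawning cmd.exe to run schtasks, WMIC Win32_LogicalDisk queries, Run-key and startup-folder persistence, the JAR re-dropped under ProgramData and AppData). The Python below is an added example, not code from MalwareBazaar or any of the sandboxes: it turns those indicators into rules and runs them over constructed DNS, flow, process-creation and file-write events in a simple key=value line format. The indicators are the page's; the log format, host names, client addresses, the task name UpdateCheck and the registry value name are assumptions made for the example.

```python
"""Rules for the STRRAT indicators and behaviours reported in this entry.
Added example, not vendor code. The C2 hosts, 37.120.199.54:4781, the
ip-api.com lookup and the schtasks/WMIC/Run-key/JAR-drop behaviours come from
the vendor results on the page; the key=value log format, host names, task
name and registry value name are constructed for the demonstration."""
import re
from collections import Counter
from dataclasses import dataclass

C2_HOSTS = {"elastsolek21.duckdns.org", "zekeriyasolek44.duckdns.org"}
C2_IPS = {"37.120.199.54"}
C2_PORT = "4781"

# key=value tokens; a value may be double-quoted so that it can carry spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
REG_ADD_RE = re.compile(r"\breg(?:\.exe)?\s+add\b")


@dataclass(frozen=True)
class Alert:
    line: int
    severity: str
    rule: str


def parse(line):
    """One log line -> dict of its key=value fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def evaluate(f):
    """Return (severity, rule) for one parsed event, or None if nothing matches."""
    kind = f.get("type")
    if kind == "dns":
        q = f.get("qname", "").lower()
        if q in C2_HOSTS:
            return "high", "lookup of STRRAT C2 hostname"
        if q.endswith(".duckdns.org"):  # legitimate DDNS service, weak on its own
            return "low", "dynamic DNS lookup (duckdns.org)"
        if q == "ip-api.com":  # STRRAT geolocates the victim via this service
            return "low", "external IP lookup via ip-api.com"
    elif kind == "flow":
        ip, _, port = f.get("dst", "").rpartition(":")
        if ip in C2_IPS:
            return "high", "connection to STRRAT C2 address"
        if port == C2_PORT:
            return "medium", "outbound connection on STRRAT C2 port 4781"
    elif kind == "proc":
        parent = f.get("parent", "").lower()
        cmd = f.get("cmdline", "").lower()
        from_java = parent in ("java.exe", "javaw.exe")
        if from_java and "schtasks" in cmd and "/create" in cmd:
            return "high", "Java process creating a scheduled task"
        if from_java and REG_ADD_RE.search(cmd) and "currentversion\\run" in cmd:
            return "high", "Java process adding a Run-key autostart"
        if "wmic" in cmd and "logicaldisk" in cmd:
            return "medium", "WMIC Win32_LogicalDisk query (sandbox/VM check)"
    elif kind == "file":
        p = f.get("path", "").lower()
        by_java = f.get("image", "").lower() in ("java.exe", "javaw.exe")
        in_drop_dir = any(s in p for s in ("\\programdata\\", "\\appdata\\", "\\startup\\"))
        if by_java and p.endswith(".jar") and in_drop_dir:
            return "medium", "JAR written to autostart/ProgramData location by Java"
    return None


def scan(text):
    """Run every rule over every non-empty line; line numbers are 1-based."""
    alerts = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        hit = evaluate(parse(line))
        if hit:
            alerts.append(Alert(n, *hit))
    return alerts


def summarize(alerts):
    return dict(Counter(a.severity for a in alerts))


# Constructed log excerpt (not real telemetry) mirroring the sandbox behaviour above.
SAMPLE_LOG = "\n".join([
    r'ts=2026-02-27T08:05:01Z type=dns client=10.0.0.7 qname=elastsolek21.duckdns.org answer=37.120.199.54',
    r'ts=2026-02-27T08:05:01Z type=dns client=10.0.0.7 qname=ip-api.com answer=208.95.112.1',
    r'ts=2026-02-27T08:05:02Z type=flow src=10.0.0.7:49687 dst=37.120.199.54:4781 proto=tcp',
    r'ts=2026-02-27T08:05:02Z type=flow src=10.0.0.7:49691 dst=208.95.112.1:80 proto=tcp',
    r'ts=2026-02-27T08:05:03Z type=proc host=ws07 parent=java.exe image=cmd.exe cmdline="cmd /c schtasks /create /sc minute /mo 30 /tn UpdateCheck /tr C:\ProgramData\Teklif-Talebi.jar"',
    r'ts=2026-02-27T08:05:03Z type=proc host=ws07 parent=cmd.exe image=WMIC.exe cmdline="wmic logicaldisk get size,freespace"',
    r'ts=2026-02-27T08:05:04Z type=proc host=ws07 parent=java.exe image=cmd.exe cmdline="cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v UpdateCheck /t REG_SZ /d C:\ProgramData\Teklif-Talebi.jar"',
    r'ts=2026-02-27T08:05:04Z type=file host=ws07 image=java.exe path=C:\ProgramData\Teklif-Talebi.jar',
    r'ts=2026-02-27T08:05:05Z type=proc host=ws07 parent=explorer.exe image=cmd.exe cmdline="cmd /c dir"',
    r'ts=2026-02-27T08:06:00Z type=dns client=10.0.0.9 qname=www.example.com answer=93.184.216.34',
])


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line}: {a.severity:6} {a.rule}")
    print(summarize(scan(SAMPLE_LOG)))
```

The severity split follows the page: hostname and address hits are high because they are specific to this campaign's configuration, the behavioural rules are high only when the parent is a Java process (schtasks and reg add are everyday administration otherwise), and duckdns.org or ip-api.com traffic alone is low because both are legitimate services. Hostname and port indicators age quickly for a DDNS-based RAT, so the behavioural rules are the ones worth keeping after this sample's infrastructure is gone.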

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps they create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: STRRAT
Author: NDA0E
Description: Detects STRRAT config filename

Rule name: strrat_jar_v1
Author: RandomMalware

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Malspam: STRRAT
  Java file jar 58e760ac5e689c48fddfef56e98e088d95b19838c0d6a783777b3fcb0698cc01 (this sample)

Delivery method: Distributed via e-mail attachment

Comments