MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5bfe96a9e46a3ec8a49b5ea3cb026f9049d2656dc1ec5de4b379c00e62b65117. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



STRRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 2 File information Comments

SHA256 hash: 5bfe96a9e46a3ec8a49b5ea3cb026f9049d2656dc1ec5de4b379c00e62b65117
SHA3-384 hash: 27334b66591c56732f232f621546a4435088c91ba3ea5fe753673a7d7caec6ab0e2577b87aa1acc61bf66128252b8396
SHA1 hash: d3587e956388d93450eeda8c6ad710f10bd45ace
MD5 hash: 563fc1e7a09de5b32adaefd86487d9a1
humanhash: twelve-white-april-music
File name:Quotation.jar
Download: download sample
Signature STRRAT
File size:227'042 bytes
First seen:2026-07-08 09:45:06 UTC
Last seen:2026-07-09 02:11:01 UTC
File type:Java file jar
MIME type:application/java-archive
ssdeep 6144:f4ouZb7sy1893Rhig6AqeHpzuI+dbpk/Ezt:1uZI9HJitpzt
TLSH T1262423745152F3EE81AAD9B6C42B42E24B38C36D635A13D70597E7DA5C310B08EB8E1F
TrID 77.1% (.JAR) Java Archive (13500/1/2)
22.8% (.ZIP) ZIP compressed archive (4000/1)
Magika jar
Reporter abuse_ch
Tags:jar STRRAT


Avatar
abuse_ch
STRRAT C2:
217.217.97.106:20908

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
217.217.97.106:20908 https://threatfox.abuse.ch/ioc/1846459/

Intelligence


File Origin
# of uploads :
16
# of downloads :
107
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
ID:
1
File name:
_5bfe96a9e46a3ec8a49b5ea3cb026f9049d2656dc1ec5de4b379c00e62b65117.zip
Verdict:
Suspicious activity
Analysis date:
2026-07-08 09:46:55 UTC
Tags:
rat strrat arch-doc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
exploit
Result
Threat name:
Caesium Obfuscator, STRRAT
Detection:
malicious
Classification:
troj.expl.evad
Score:
92 / 100
Signature
Exploit detected, runtime environment starts unknown processes
Found malware configuration
Java source code contains very large array initializations
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Unusual module load detection (module proxying)
Yara detected AllatoriJARObfuscator
Yara detected Caesium Obfuscator
Yara detected STRRAT
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1939153 Sample: Quotation.jar Startdate: 08/07/2026 Architecture: WINDOWS Score: 92 25 Found malware configuration 2->25 27 Malicious sample detected (through community Yara rule) 2->27 29 Yara detected Caesium Obfuscator 2->29 31 6 other signatures 2->31 8 cmd.exe 1 2->8         started        process3 process4 10 java.exe 4 8->10         started        12 conhost.exe 8->12         started        process5 14 java.exe 3 10->14         started        17 tasklist.exe 1 10->17         started        file6 23 stdout, ASCII 14->23 dropped 19 conhost.exe 14->19         started        21 conhost.exe 17->21         started        process7
Result
Malware family:
Score:
  10/10
Tags:
family:strrat discovery execution persistence stealer trojan
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates processes with tasklist
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Family: STRRAT
Malware Config
C2 Extraction:
chukwunwikewetaego.ydns.eu:20908
127.0.0.1:0
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments