MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c9fd8ac684dcac825cdff69e6290cb2bbb0cb51cab82dccbe22aec52837120f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



STRRAT


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 2 File information Comments

SHA256 hash: 6c9fd8ac684dcac825cdff69e6290cb2bbb0cb51cab82dccbe22aec52837120f
SHA3-384 hash: 08f36af29d07d156a7f7dc1f172bc4e81116ef3ae811053e8b839db1ec6cfeb8b3c3d1cb694a10f39374129d1aa27fbc
SHA1 hash: f33050fd6d88a58b1d215edc23fd9a49c7cd75f5
MD5 hash: d9fc4b448a812c43a1a2ad130b6dc5bd
humanhash: nuts-avocado-alanine-william
File name:WT-260631RFQKINGTOOLCO.jar
Download: download sample
Signature STRRAT
File size:227'102 bytes
First seen:2026-07-08 20:15:07 UTC
Last seen:2026-07-09 00:01:38 UTC
File type:Java file jar
MIME type:application/java-archive
ssdeep 6144:RJ1UJAIVZURLX/28zJLLbMNuEUbbfz5fg23KpYb:RJTIsX/28tUQvbFf9WYb
TLSH T1162423EB7A10902EE6476DF83D978FE3CF78D87E54206A6B4F4C3D990494835A34D226
TrID 77.1% (.JAR) Java Archive (13500/1/2)
22.8% (.ZIP) ZIP compressed archive (4000/1)
Magika jar
Reporter abuse_ch
Tags:jar STRRAT


Avatar
abuse_ch
STRRAT C2:
217.217.97.106:20908

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
217.217.97.106:20908 https://threatfox.abuse.ch/ioc/1846459/

Intelligence


File Origin
# of uploads :
2
# of downloads :
100
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
ID:
1
File name:
_6c9fd8ac684dcac825cdff69e6290cb2bbb0cb51cab82dccbe22aec52837120f.zip
Verdict:
Suspicious activity
Analysis date:
2026-07-08 20:16:57 UTC
Tags:
rat strrat arch-doc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File Type:
jar
First seen:
2026-07-08T14:48:00Z UTC
Last seen:
2026-07-10T18:15:00Z UTC
Hits:
~1000
Detections:
Trojan.Java.Agent.sb Trojan-Dropper.Win32.Dapato.sb Trojan-Downloader.Java.Agent.sb HEUR:Trojan.Java.Generic VHO:Trojan.Java.Agent.gen Backdoor.Java.StrRat.sb Backdoor.Java.Agent.sb UDS:DangerousObject.Multi.Generic HEUR:Trojan.Java.Agent.gen
Result
Threat name:
Caesium Obfuscator, STRRAT
Detection:
malicious
Classification:
troj.expl.evad
Score:
92 / 100
Signature
Exploit detected, runtime environment starts unknown processes
Found malware configuration
Java source code contains very large array initializations
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Unusual module load detection (module proxying)
Yara detected AllatoriJARObfuscator
Yara detected Caesium Obfuscator
Yara detected STRRAT
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1939527 Sample: WT-260631RFQKINGTOOLCO.jar Startdate: 08/07/2026 Architecture: WINDOWS Score: 92 25 Found malware configuration 2->25 27 Malicious sample detected (through community Yara rule) 2->27 29 Yara detected Caesium Obfuscator 2->29 31 6 other signatures 2->31 8 cmd.exe 1 2->8         started        process3 process4 10 java.exe 4 8->10         started        12 conhost.exe 8->12         started        process5 14 java.exe 3 10->14         started        17 tasklist.exe 1 10->17         started        file6 23 stdout, ASCII 14->23 dropped 19 conhost.exe 14->19         started        21 conhost.exe 17->21         started        process7
Threat name:
ByteCode-JAVA.Trojan.Generic
Status:
Suspicious
First seen:
2026-07-08 20:15:58 UTC
File Type:
Binary (Archive)
Extracted files:
2
AV detection:
12 of 38 (31.58%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:strrat adware discovery execution persistence ransomware spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates processes with tasklist
Adds Run key to start application
Enumerates connected drives
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Boot or Logon Autostart Execution: Active Setup
Family: STRRAT
Malware Config
C2 Extraction:
chukwunwikewetaego.ydns.eu:20908
127.0.0.1:0
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:telebot_framework
Author:vietdx.mb

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments