MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e991abf1d9790847acb2d3d249077998465dfff256ede970fca79766b92aaa1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



STRRAT


Vendor detections: 10



SHA256 hash: 7e991abf1d9790847acb2d3d249077998465dfff256ede970fca79766b92aaa1
SHA3-384 hash: bd0d2e0dd7238cd7d31a60403be54e2485bab7cf1c4e04e2d6e5424cf1681fde4cc0bcfe43fc727dcb2e5ddc02c1659d
SHA1 hash: 205cd8bf3880b73cce3958b3c3b1454461328958
MD5 hash: 1c26ee72793f7e711ea2ea6b2722df2d
humanhash: tennis-xray-seventeen-east
File name: po.js
Signature: STRRAT
File size: 1'589'060 bytes
First seen: 2025-06-19 04:50:29 UTC
Last seen: 2025-06-19 11:55:24 UTC
File type: Java Script (JS) js
MIME type: text/plain
ssdeep: 6144:eQeF/rO6elDlqHKDJcR6GUS1oh1rnrS6cAOUzXLwJsj+PvxkpJTWWMxDz1tzoaCa:1C
TLSH: T18C75BAC625A8790797F7F624C321D122AC34E8132DDB12D27DC43E9AAEB5C545DBEA30
Magika: javascript
Reporter: abuse_ch
Tags: js STRRAT


abuse_ch
STRRAT C2:
162.19.161.205:9760

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
162.19.161.205:9760    https://threatfox.abuse.ch/ioc/1546468/

Intelligence


File Origin
# of uploads: 5
# of downloads: 653
Origin country: NL
Vendor Threat Intelligence
Verdict: Malicious
Score: 96.5%
Tags: autorun cryxos emotet java

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive obfuscated obfuscated

Result
Threat name: Caesium Obfuscator, STRRAT
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Found malware configuration
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious VBS/JS script found (suspicious encoded strings)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AllatoriJARObfuscator
Yara detected Caesium Obfuscator
Yara detected STRRAT
Behaviour
Behavior Graph (ID 1718161; sample: po.js; start date: 19/06/2025; architecture: WINDOWS; score: 100). The rendered graph image is not reproduced here; the process tree, network contacts, dropped files and signatures it carried are listed below.

Sample start
  Network: repo1.maven.org; objects.githubusercontent.com; 3 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
  Started: wscript.exe; notepad.exe; notepad.exe; 2 other processes

wscript.exe
  Dropped: C:\Users\user\AppData\Roaming\ojbxonudq.txt (Zip)
  Signatures: JScript performs obfuscated calls to suspicious functions; Windows Scripting host queries suspicious COM object (likely to drop second stage)
  Started: javaw.exe

javaw.exe
  Network: github.com 140.82.112.4:443 (GITHUBUS, United States); objects.githubusercontent.com 185.199.109.133:443 (FASTLYUS, Netherlands); dualstack.sonatype.map.fastly.net 199.232.196.209:443 (FASTLYUS, United States)
  Started: java.exe

java.exe
  Started: java.exe; cmd.exe; conhost.exe

  java.exe (child)
    Network: 162.19.161.205:9760 (CENTURYLINK-US-LEGACY-QWESTUS, United States); ip-api.com 208.95.112.1:80 (TUT-ASUS, United States)
    Dropped: C:\Users\user\...\jna301483228985091219.dll (PE32)
    Started: cmd.exe (three instances); 2 other processes
      Each of these started conhost.exe and WMIC.exe
      WMIC.exe signature: Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

  cmd.exe
    Signature: Uses schtasks.exe or at.exe to add and modify task schedules
    Started: conhost.exe; schtasks.exe
Threat name: Script-JS.Packed.Generic
Status: Suspicious
First seen: 2025-06-19 05:07:10 UTC
AV detection: 12 of 38 (31.58%)
Threat level: 1/5

Result
Malware family:
Score: 10/10
Tags: family:strrat execution persistence stealer trojan
Behaviour
Modifies registry class
Opens file in notepad (likely ransom note)
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
STRRAT
Strrat family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: detect_STRRAT_javascripts_Malware
Author: daniyyell
Description: Detects obfuscated JavaScript code indicative of STRRAT malware.

Rule name: SUSP_Base64_Encoded_Hex_Encoded_Code_RID3420
Author: Florian Roth
Description: Detects hex encoded code that has been base64 encoded
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: STRRAT
File type: Java Script (JS) js
SHA256: 7e991abf1d9790847acb2d3d249077998465dfff256ede970fca79766b92aaa1 (this sample)

Delivery method: Distributed via web download

Comments