MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab43ea53d30e98d96c7738112fa92f6dc109918a4318d07473da1bb6d9a75f28. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



STRRAT


Vendor detections: 13



SHA256 hash: ab43ea53d30e98d96c7738112fa92f6dc109918a4318d07473da1bb6d9a75f28
SHA3-384 hash: d17e4731789eec2ec1634cb393a3faed46fb14361ba8b13355784cab7de854670e6a9939a7013a6116f69c48e3d65f3e
SHA1 hash: a4eeae720fb09d55eff6065f3cb26dfbf56a03f4
MD5 hash: dd7d73ac2b830fba8042d57e564f015c
humanhash: sodium-winner-connecticut-august
File name: ???????? ???????.jar
Signature: STRRAT
File size: 205'541 bytes
First seen: 2026-03-11 15:15:08 UTC
Last seen: Never
File type: Java file jar
MIME type: application/zip
ssdeep: 3072:IYWWvAxTxB3NPbbbgjJeoMmnMjFz8QFktsr4zrY/g4S2Nz7w:JWWvETxB9/bg4oMTFMd4Tg
TLSH: T1E914736E3F4B90B1E253A0334654D22A7D28A6EBD204614F1BFE5C5D9CB8C580B56FCB
TrID: 77.1% (.JAR) Java Archive (13500/1/2); 22.8% (.ZIP) ZIP compressed archive (4000/1)
Magika: jar
Reporter: abuse_ch
Tags: jar STRRAT


abuse_ch
STRRAT C2:
41.216.188.74:6093

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 41.216.188.74:6093
ThreatFox reference: https://threatfox.abuse.ch/ioc/1763395/

Intelligence


File Origin
# of uploads: 1
# of downloads: 187
Origin country: NL

Vendor Threat Intelligence
Malware family:
ID: 1
File name: _ab43ea53d30e98d96c7738112fa92f6dc109918a4318d07473da1bb6d9a75f28.zip
Verdict: Malicious activity
Analysis date: 2026-03-11 15:15:43 UTC
Tags: java scan rat strrat

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
File Type: jar
Detections: Backdoor.Java.StrRat.sb HEUR:Trojan.Java.Generic
Result
Threat name: Caesium Obfuscator, STRRAT
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
Connects to many ports of the same IP (likely port scanning)
Creates autostart registry keys to launch java
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Found malware configuration
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Suspicious Startup Folder Persistence
Suricata IDS alerts for network traffic
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Uses WMIC command to query system information (often done to detect virtual machines)
Yara detected Caesium Obfuscator
Yara detected STRRAT
Behaviour
Behavior Graph (image not reproduced): Behavior Graph ID 1882055; Sample: ________ _______.jar; Startdate: 11/03/2026; Architecture: WINDOWS; Score: 100. The graph shows cmd.exe and javaw.exe launching java.exe, which drops copies of the .jar under C:\Users\user\ and C:\ProgramData\ plus a JNA PE32 DLL, creates autostart registry keys and a schtasks.exe task, runs WMIC.exe and PING.EXE checks, resolves the dynamic DNS names idcheck.duckdns.org and usaisraeliranwar.ydns.eu, and connects to 41.216.188.74 on port 6093.
Threat name: Win32.Trojan.Egairtigado
Status: Malicious
First seen: 2026-03-11 15:15:30 UTC
File Type: Binary (Archive)
Extracted files: 553
AV detection: 8 of 24 (33.33%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:strrat
Malware Config
C2 Extraction:
usaisraeliranwar.ydns.eu:6093
iranwarusa.ydns.eu:6093
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: STRRAT
Author: NDA0E
Description: Detects STRRAT config filename
Rule name: strrat_jar_v1
Author: RandomMalware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments