MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c04eecfa0ae1b15aa4042459efbb89884525d358dc01e481109972d4efa062c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

STRRAT

Vendor detections: 14

SHA256 hash: c04eecfa0ae1b15aa4042459efbb89884525d358dc01e481109972d4efa062c3
SHA3-384 hash: c52822bd072c11b4767956d177b2ea66f557ef7c777f2ac53eb617442e344db764b93247f4a95ad47f82b71a79b5dd58
SHA1 hash: 2b6b6e33e6892340d55d0770ae46b354e5b3be1b
MD5 hash: 9f86bbab6bc929a3a193ba3fea3c091c
humanhash: neptune-mexico-georgia-september
File name: FLT NO. TG 63528 BKK-Contract new 202603.PDF..jar
Signature: STRRAT
File size: 213'052 bytes
First seen: 2026-04-01 10:20:12 UTC
Last seen: Never
File type: Java file jar
MIME type: application/zip
ssdeep: 6144:Q/grPoC3JZzHo1yb1ki/76VicfwybXbbhvrx1HGJsvLV4W:BJZjC7c6QcIybLbhvrTmgD
TLSH: T11724F21FADD6E0B0E413E4B208A14B67565C21A8C5F9911F6AFD79868DF0D1CCB229CF
TrID: 77.1% (.JAR) Java Archive (13500/1/2)
      22.8% (.ZIP) ZIP compressed archive (4000/1)
Magika: jar
Reporter: abuse_ch
Tags: jar STRRAT


abuse_ch
STRRAT C2:
185.38.142.5:5003

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
185.38.142.5:5003    https://threatfox.abuse.ch/ioc/1780014/

Intelligence

File Origin
# of uploads: 1
# of downloads: 120
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: FLT NO. TG 63528 BKK-Contract new 202603.PDF..jar
Verdict: Suspicious activity
Analysis date: 2026-04-01 10:21:49 UTC
Tags: arch-doc rat strrat

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 92.5%
Tags: banload emotet java
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: banload CVE_2021_44228 strrat
Verdict: Malicious
File Type: jar
First seen: 2026-03-31T07:09:00Z UTC
Last seen: 2026-04-02T12:25:00Z UTC
Hits: ~100
Detections: Backdoor.Agent.TCP.C&C, Trojan-Downloader.Java.Agent.sb, Trojan.Java.Agent.sb, HEUR:Trojan.Java.Generic, Trojan-Dropper.Win32.Dapato.sb, Backdoor.Java.StrRat.sb, Backdoor.Java.Agent.sb
Result
Threat name: Caesium Obfuscator, STRRAT
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
Creates autostart registry keys to launch java
Creates autostart registry keys with suspicious names
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Suspicious Startup Folder Persistence
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Uses WMIC command to query system information (often done to detect virtual machines)
Yara detected AllatoriJARObfuscator
Yara detected Caesium Obfuscator
Yara detected STRRAT
Behaviour
Behavior Graph: ID 1891984; sample: FLT NO. TG 63528 BKK-Contra...; start date: 01/04/2026; architecture: WINDOWS; score: 100 (graph rendering not reproduced)
Threat name: ByteCode-JAVA.Exploit.Banload
Status: Malicious
First seen: 2026-03-31 10:23:00 UTC
File Type: Binary (Archive)
Extracted files: 81
AV detection: 11 of 37 (29.73%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:strrat execution persistence stealer trojan
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
STRRAT
Strrat family
Malware Config
C2 Extraction:
donny.freeddns.me:5003
donny.freeddns.me:5000
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name: RANSOMWARE
Author: ToroGuitar
Rule name: STRRAT
Author: NDA0E
Description: Detects STRRAT config filename
Rule name: strrat_jar_v1
Author: RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments