MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14d6cb9a29e993ce5d69c8ca67ea84a6d71c408c6bccc7f1a3610d4b6b95ae0a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SheetRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash: 14d6cb9a29e993ce5d69c8ca67ea84a6d71c408c6bccc7f1a3610d4b6b95ae0a
SHA3-384 hash: fd536ba8836012a268b57b0fd642cf695ae1f7b18effb1418c3df704eacfdccda0bedf6898d8d327488556c9f18ba0eb
SHA1 hash: 9b20cf4a1170d059db992c1cc327db2e3a596f54
MD5 hash: a9d455bf907914a8e39cff601299c41a
humanhash: autumn-network-music-thirteen
File name:Packages.exe
Download: download sample
Signature SheetRAT
File size:76'679'340 bytes
First seen:2026-07-06 16:35:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (589 x GuLoader, 130 x RemcosRAT, 84 x EpsilonStealer)
ssdeep 1572864:g22um44Hi+zg1nNHG3cv4JW4/KMYAMvJmiftzjPzcsZM2AWUQriXyL:g2Tm4vH9NYJo+sUifljLcs22/Z
TLSH T173F7338A6E22F03FF413D473E11856E9625AF194D7338FA6113E91DEE8F2B106B441A7
TrID 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 70c8b0b272e2f0f1 (1 x Vidar, 1 x SheetRAT)
Reporter Alex_sev
Tags:electron exe infostealer SheetRat

Intelligence


File Origin
# of uploads :
1
# of downloads :
116
Origin country :
FI FI
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_14d6cb9a29e993ce5d69c8ca67ea84a6d71c408c6bccc7f1a3610d4b6b95ae0a.exe
Verdict:
Malicious activity
Analysis date:
2026-07-06 16:59:39 UTC
Tags:
evasion ip-check nodejs

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.2%
Tags:
shell sage remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a window
Searching for the window
Searching for the Windows task manager window
Creating a file
Creating a process from a recently created file
Deleting a recently created file
Searching for synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug crypto installer installer installer-heuristic microsoft_visual_cc nsis packed reconnaissance
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-15T00:25:00Z UTC
Last seen:
2026-07-08T11:57:00Z UTC
Hits:
~1000
Detections:
Trojan.NSIS.Agent.teuu NetTool.PowerShellUA.HTTP.C&C NetTool.PowerShellGet.HTTP.C&C
Gathering data
Result
Malware family:
Score:
  10/10
Tags:
family:donutloader family:vidar botnet:30e82a36fe6be8301f209eb26300f90d adware credential_access defense_evasion discovery execution loader persistence ransomware spyware stealer trojan
Behaviour
Checks processor information in registry
Detects videocard installed
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Runs net.exe
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of web browsers
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Looks for VMWare Tools registry key
Looks for VMWare services registry key.
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Detects DonutLoader
Family: DonutLoader
Family: Vidar
Windows security bypass
Malware Config
C2 Extraction:
https://5.75.217.106
https://telegram.me/af97ri
https://steamcommunity.com/profiles/76561198680197300
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:GenesisStealer_Installer_NSIS_MaaS_Template
Author:n3r
Description:GenesisStealer NSIS installer (MaaS template). Imphash-based broad detector - also catches ScarfaceStealer / RemusStealer / VoidStealer variants sharing the same installer shell.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments