MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e11475c281ff7046bc6fb181b50ae740ff38b8a4105c5e7c670f35862f274e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SheetRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e11475c281ff7046bc6fb181b50ae740ff38b8a4105c5e7c670f35862f274e1
SHA3-384 hash: e86e1cb2c6346520a901a187e05497f4f796273b8d723511ebe634851bb1dbc5f05478b99b8848d3c000df667413c492
SHA1 hash: 5f7a07cb54e2b65e6f544fe260e5bfa44d9733f5
MD5 hash: 3fb8f3b0431e4153b2eb9a90a66558ac
humanhash: timing-three-nine-blue
File name:LithiumAim.exe
Download: download sample
Signature SheetRAT
Create hunting rule
File size:799'744 bytes
First seen:2025-10-26 20:52:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a9c887a4f18a3fede2cc29ceea138ed3 (35 x CoinMiner, 17 x AsyncRAT, 17 x BlankGrabber)
ssdeep 12288:zyaqSUrcF87ENQZ/LkIHi4T/svUAPkXxbgVsK423GL4QC+:zlDUX7ENQZwILTkvUAPkXdgVr4pzC
Threatray 3'011 similar samples on MalwareBazaar
TLSH T1DE056BC1B63DAC76A4B02D5798B0070C0FAF03B1852B9381B8F755EB5659DA286F07F2
TrID 38.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
11.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter burger
Tags:exe SheetRat

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
LithiumAim.exe
Verdict:
Suspicious activity
Analysis date:
2025-10-26 20:49:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2f5d5915-ff27-4049-8e1c-fb17967819d8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34204/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68fe89fd6c859164aa64f5ec
Tags:
obfuscate xtreme shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Running batch commands
Creating a window
Using the Windows Management Instrumentation requests
Launching a service
Launching cmd.exe command interpreter
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the Windows directory
Enabling the libraries to load when starting the app (AppInit_DLLs)
Сreating synchronization primitives
Loading a suspicious library
DNS request
Connection attempt
Unauthorized injection to a recently created process
Enabling autorun
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/68fe8a18c85c5c569736a433/reports/b718edbe-921e-4c8f-956f-561a8a5214c5/overview
Verdict:
Malicious
Labled as:
FakeAlert.Generic
Link:
https://www.hybrid-analysis.com/sample/2e11475c281ff7046bc6fb181b50ae740ff38b8a4105c5e7c670f35862f274e1
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-26T18:01:00Z UTC
Last seen:
2025-10-27T19:00:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Dropper.Win32.Agent.gen HEUR:Trojan.Win32.Generic HEUR:Backdoor.MSIL.Crysan.gen Trojan.Win32.Agent.sb Trojan.MSIL.Inject.sb Trojan-Dropper.Win32.Agent.sb Trojan.Win32.Vimditator.sb
Link:
https://opentip.kaspersky.com/2e11475c281ff7046bc6fb181b50ae740ff38b8a4105c5e7c670f35862f274e1/results?tab=lookup
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/25dc733d-124f-4afd-a8cc-85833f28e3a3
Result
Threat name:
Babadeda, SheetRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1802097
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Yara detected Babadeda
Yara detected SheetRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1802097 Sample: LithiumAim.exe Startdate: 26/10/2025 Architecture: WINDOWS Score: 100 44 Found malware configuration 2->44 46 Antivirus detection for URL or domain 2->46 48 Antivirus / Scanner detection for submitted sample 2->48 50 7 other signatures 2->50 8 LithiumAim.exe 3 2->8         started        12 svchost.exe 1 1 2->12         started        15 OpenWith.exe 15 2->15         started        process3 dnsIp4 34 C:\Users\user\AppData\Local\...\Starter.exe, PE32 8->34 dropped 36 C:\Users\user\AppData\Local\...36vDisplay.exe, PE32 8->36 dropped 52 Encrypted powershell cmdline option found 8->52 17 powershell.exe 23 8->17         started        20 NvDisplay.exe 1 8->20         started        22 Starter.exe 8 8->22         started        38 127.0.0.1 unknown unknown 12->38 file5 signatures6 process7 signatures8 40 Loading BitLocker PowerShell Module 17->40 24 WmiPrvSE.exe 17->24         started        26 conhost.exe 17->26         started        42 Queries memory information (via WMI often done to detect virtual machines) 20->42 28 cmd.exe 1 22->28         started        30 conhost.exe 22->30         started        process9 process10 32 chcp.com 1 28->32         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2e11475c281ff7046bc6fb181b50ae740ff38b8a4105c5e7c670f35862f274e1
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/3fb8f3b0431e4153b2eb9a90a66558ac
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2e11475c281ff7046bc6fb181b50ae740ff38b8a4105c5e7c670f35862f274e1/
Verdict:
Malicious
Threat:
Backdoor.MSIL.Crysan
Link:
https://tip.neiki.dev/file/2e11475c281ff7046bc6fb181b50ae740ff38b8a4105c5e7c670f35862f274e1
Threat name:
Win32.Dropper.Dapato
Create hunting rule
Status:
Malicious
First seen:
2025-10-26 20:52:15 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
31 of 38 (81.58%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fyiuoxbid73qi26g7mmbwufooqh7hc4kiec4lz6godzvqyxsotqq._file
Verdict:
malicious
Label(s):
unc_loader_048
Create hunting rule
sheetrat
Create hunting rule
Similar samples:
048de3a8928baf0e340d1331f4b3d9b115c7c7a3f088459e9b2e2ed60847f164
SheetRAT
0c2bc77b457a5c275fa8420bdd7a9b4635a1246af0a7548da4c95705252456f2
SheetRAT
11728da41703cd625c9faf2c40ace993b543711504f2e8ad71146a72a340392f
SheetRAT
4366736110b59f833aacdac2c95f0f6de6ffa937fbdf332a442cb14c21838217
SheetRAT
44cbb9ba318ddc687dca3e0dfeba30db5469d50c9bbdbbfb5888efdd9889439e
SheetRAT
8f61bcc5a5896e0e861d78a7bd9dbb4fdacbce2c5d071428062207c51bc9f5cf
SheetRAT
c23029f315f2d0063ffaef0cb651cfcf8e39bd4f9d77aefb6a5866d73bf096db
SheetRAT
c774a62fa56e4930e80406e63c6d93e84fc62d991575d9f53832229fc12a6aa5
SheetRAT
error
SheetRAT
+ 3'001 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion discovery
Link:
https://tria.ge/reports/251026-zn13lafm2x/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4131ec2a-f177-4ea3-a369-415278654a34
Unpacked files
SH256 hash:
2e11475c281ff7046bc6fb181b50ae740ff38b8a4105c5e7c670f35862f274e1
MD5 hash:
3fb8f3b0431e4153b2eb9a90a66558ac
SHA1 hash:
5f7a07cb54e2b65e6f544fe260e5bfa44d9733f5
Link:
https://www.unpac.me/results/139dfc80-aeff-4ea7-9043-8906bcb09044/
SH256 hash:
1c8ad1ea6d7dfc9fe8bfd13de2fab8ac123fe2097025f03565d0e953c7e3f6ea
MD5 hash:
8c1cf9406e9bd3e841497d9bfe1fc12c
SHA1 hash:
cd367b7ff586478673bb842a75440a42cc252853
Link:
https://www.unpac.me/results/139dfc80-aeff-4ea7-9043-8906bcb09044/
SH256 hash:
8abccd1477ef2a25ec854d84ce8f582f070696cb7f3401eef6191d9804d67bbb
MD5 hash:
21f41bc952c885e17d34bba55b47c6db
SHA1 hash:
52ad04856b2b977ef450a1e98101bc597687719f
Detections:
SUSP_Imphash_Mar23_3
Create hunting rule
Link:
https://www.unpac.me/results/139dfc80-aeff-4ea7-9043-8906bcb09044/
Parent samples :
2e11475c281ff7046bc6fb181b50ae740ff38b8a4105c5e7c670f35862f274e1
f6e5b7494a3de248f15384fd8bb18e44fdea052e302781cfab613facf2a8a5d7
SH256 hash:
a8bad8c1503c70685af91294de65f6efc5f6bfebd290e2c04f6e4c5def4c46c8
MD5 hash:
bd07eaf6bfbc9be12e6bc474b01dc0de
SHA1 hash:
f525844d8ea0f0a8a586ea26d52c8baa2775ab11
Link:
https://www.unpac.me/results/139dfc80-aeff-4ea7-9043-8906bcb09044/
Malware family:
Alcatraz
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2e11475c281f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2e11475c281ff7046bc6fb181b50ae740ff38b8a4105c5e7c670f35862f274e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/34204/

Comments