MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3980a7218813dadbaa4bad4aa1e2fe826832747e1c989db910b933afba2c7a88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SheetRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3980a7218813dadbaa4bad4aa1e2fe826832747e1c989db910b933afba2c7a88
SHA3-384 hash: c92478884fbcb3b78e56bb0ba050dbedb0074426f7baedec3137c9ba65df4a3983c91f1e8b605f72f1a94cb40ead2e14
SHA1 hash: ef677052c8d8f0dc14d399074f64f0f504de055d
MD5 hash: dcb1b4246eb62bfd958e510da0c32d96
humanhash: orange-echo-virginia-fruit
File name:setup.bat
Download: download sample
Signature SheetRAT
Create hunting rule
File size:461'267 bytes
First seen:2025-12-15 19:53:04 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 6144:xL3h3i5aBMWa2Utj2Y6KbF2tinCZPB/nipNHE2TL/iVPpPMvQdH9wo3dj6qdG9f7:P3i86r56KbF2Xr/UH1LqHMU9w/Okb
TLSH T156A4D022821D4E3F63A533EE54FA1E0A6EC44DC100721FD8E56C6E8A774FD172B692D9
Magika batch
Reporter burger
Tags:bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
43
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
setup_modified_hack.rar
Verdict:
Malicious activity
Analysis date:
2025-12-15 19:47:45 UTC
Tags:
loader
Link:
https://app.any.run/tasks/2d162cda-da17-4049-93d3-890626f03b6c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/45140/
Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6940672dcacd1005450d8460
Tags:
dropper shell sage
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the system32 directory
Launching a process
Launching cmd.exe command interpreter
Creating a file
Launching the process to interact with network services
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cmd evasive findstr lolbin
Link:
https://www.filescan.io/uploads/6940672be126b9ff43811de1/reports/f8c611c6-41d4-40f1-9286-231ee33dab70/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/3980a7218813dadbaa4bad4aa1e2fe826832747e1c989db910b933afba2c7a88
Verdict:
Malicious
File Type:
unix shell
First seen:
2025-12-15T17:05:00Z UTC
Last seen:
2025-12-16T12:08:00Z UTC
Hits:
~100
Detections:
Trojan-Downloader.Agent.HTTP.C&C PDM:Trojan-Dropper.Win32.Dorifel.a.3 PDM:Trojan.Win32.Generic HEUR:Trojan.BAT.Alien.gen HEUR:Backdoor.MSIL.Crysan.gen NetTool.PowerShellGet.HTTP.C&C RiskTool.Miner.UDP.C&C NetTool.PowerShellUA.HTTP.C&C
Link:
https://opentip.kaspersky.com/3980a7218813dadbaa4bad4aa1e2fe826832747e1c989db910b933afba2c7a88/results?tab=lookup
Result
Threat name:
SheetRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1833402
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to capture screen (.Net source)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Powershell drops PE file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Rundll32 Execution Without Parameters
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Uses known network protocols on non-standard ports
Yara detected SheetRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1833402 Sample: setup.bat Startdate: 15/12/2025 Architecture: WINDOWS Score: 100 45 keyauth.win 2->45 51 Found malware configuration 2->51 53 Yara detected SheetRat 2->53 55 .NET source code contains potential unpacker 2->55 57 8 other signatures 2->57 9 cmd.exe 3 2->9         started        12 svchost.exe 2->12         started        14 svchost.exe 1 1 2->14         started        17 5 other processes 2->17 signatures3 process4 dnsIp5 69 Suspicious powershell command line found 9->69 19 cmd.exe 20 9->19         started        22 findstr.exe 1 9->22         started        24 powershell.exe 7 9->24         started        26 7 other processes 9->26 71 Changes security center settings (notifications, updates, antivirus, firewall) 12->71 47 127.0.0.1 unknown unknown 14->47 signatures6 process7 signatures8 59 Suspicious powershell command line found 19->59 28 20623.exe 1 19->28         started        31 powershell.exe 14 16 19->31         started        35 net.exe 1 19->35         started        39 25 other processes 19->39 61 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 22->61 63 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 22->63 65 Queries memory information (via WMI often done to detect virtual machines) 22->65 67 Powershell drops PE file 24->67 37 net1.exe 1 26->37         started        process9 dnsIp10 73 Multi AV Scanner detection for dropped file 28->73 75 Queries memory information (via WMI often done to detect virtual machines) 28->75 49 193.233.85.21, 4477, 49723, 49724 FREE-MPEIRU Russian Federation 31->49 43 C:\Users\user\AppData\Local\...\20623.exe, PE32 31->43 dropped 41 net1.exe 1 35->41         started        file11 signatures12 process13
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/3980a7218813dadbaa4bad4aa1e2fe826832747e1c989db910b933afba2c7a88
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3980a7218813dadbaa4bad4aa1e2fe826832747e1c989db910b933afba2c7a88/
Verdict:
Clean
Link:
https://tip.neiki.dev/file/3980a7218813dadbaa4bad4aa1e2fe826832747e1c989db910b933afba2c7a88
Threat name:
Script-BAT.Trojan.Alien
Create hunting rule
Status:
Malicious
First seen:
2025-12-15 19:53:03 UTC
File Type:
Text
AV detection:
5 of 23 (21.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hgakoimicpnnxkslvvfkdyx6qjude5d6dsmj3oiqxez27ormpkea._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/251215-yl3mzagm2x/
Behaviour
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3980a7218813dadbaa4bad4aa1e2fe826832747e1c989db910b933afba2c7a88

File information

The table below shows additional information about this malware sample such as delivery method and external references.

SheetRAT

Batch (bat) bat 3980a7218813dadbaa4bad4aa1e2fe826832747e1c989db910b933afba2c7a88

(this sample)

TORNADO

Executable exe c1abe0b35bbce86644dfb7a54934d8dfcf27e3d7f637f8394ae9b64b39222b6e

  
Dropping
SHA256 c1abe0b35bbce86644dfb7a54934d8dfcf27e3d7f637f8394ae9b64b39222b6e
  
Dropping
SHA256 5eb5f76e34f39dc726619b00d1456961c39e1213ddf20507683c04b30bcd636b
  
Dropping
SHA256 7019301e95e24e9a631f23a2d85a72c95e99ede6617c2cf9f7dfa0e7cb4b056c
Cape
Cape
https://www.capesandbox.com/analysis/45140/
  
Dropping
MD5 262fa23bf3749a430b5d6da959f6c44b
  
Dropping
MD5 3eb09496802aaab8b7351b574c30c23a

Comments