MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47aa89ca575ade3b5d2b80a1f24e387af23661db9f03e009fdf120f2b33cdc21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SheetRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	47aa89ca575ade3b5d2b80a1f24e387af23661db9f03e009fdf120f2b33cdc21
SHA3-384 hash:	89c5149d23e7c45d536b0459cb6239ab6f5e2680cfcbad4d08aab305062355dce78e9777b1be0bd6d16184b7e2b6f87d
SHA1 hash:	da874ef58840ac3e0f0ae1b3b7286439339d570f
MD5 hash:	c652f61208b6195eaf6f034b97361474
humanhash:	fish-oven-asparagus-paris
File name:	jjsploit.exe
Download:	download sample
Signature	SheetRAT Create hunting rule
File size:	16'318'976 bytes
First seen:	2026-05-02 00:25:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f6baa5eaa8231d4fe8e922a2e6d240ea (66 x CoinMiner, 22 x DCRat, 15 x LummaStealer)
ssdeep	98304:MB5t8GxiuoaN5zNpYU+XNSY4/3pAePUN9tk:MBYGtt5zNaUyM/3KNP
Threatray	5 similar samples on MalwareBazaar
TLSH	T156F6336537DDD5F5CB9307BC2DD9CAA14AB3D0611F1293C72B600702AA51AE1377A38B
TrID	42.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 16.8% (.EXE) Win64 Executable (generic) (6522/11/2) 13.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 11.6% (.EXE) Win32 Executable (generic) (4504/4/1) 5.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
dhash icon	70e892f4ac886070 (1 x Formbook, 1 x QuasarRAT, 1 x SheetRAT)
Reporter	BastianHein
Tags:	exe SheetRat

Intelligence

File Origin

# of uploads :

# of downloads :

114

Origin country :

Vendor Threat Intelligence

Gathering data

Malware family:

n/a

ID:

File name:

2026-05-01_c652f61208b6195eaf6f034b97361474_elex_mimic_pay2key_wannacry.exe

Verdict:

Suspicious activity

Analysis date:

2026-05-02 00:27:09 UTC

Tags:

arch-exec

Link:

https://app.any.run/tasks/8b38b2d5-a362-4843-b21b-956c1581b9f2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/64218/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% subdirectories

Enabling the 'hidden' option for files in the %temp% directory

Running batch commands

Creating a process with a hidden window

Launching a process

Moving a file to the %temp% subdirectory

Creating a process from a recently created file

Sending a custom TCP request

Replacing files

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Connecting to a non-recommended domain

Connection attempt

Reading critical registry keys

DNS request

Sending an HTTP GET request

Unauthorized injection to a recently created process

Stealing user critical data

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context evasive fingerprint installer installer keylogger microsoft_visual_cc obfuscated overlay overlay packed stealer unsafe

Link:

https://www.filescan.io/uploads/69f54487df14f1cb2ac7fefb/reports/f606f340-1497-409f-ac7e-21b3bc98dad1/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/47aa89ca575ade3b5d2b80a1f24e387af23661db9f03e009fdf120f2b33cdc21

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-05-01T09:10:00Z UTC

Last seen:

2026-05-03T12:04:00Z UTC

Hits:

~10

Detections:

PDM:Trojan.Win32.Generic HEUR:Trojan-PSW.MSIL.Coins.gen Trojan-Dropper.Win32.Agent.sb HEUR:Trojan.Win32.SFX.gen Trojan.MSIL.Crypt.sb Trojan.MSIL.Agent.sb Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.Stealer.sb Backdoor.MSIL.Agent.sb Trojan.Agent.TCP.C&C HEUR:Trojan.MSIL.Agent.gen Trojan.Win32.Shellcode.sb Trojan-PSW.MSIL.Agent.sb

Link:

https://opentip.kaspersky.com/47aa89ca575ade3b5d2b80a1f24e387af23661db9f03e009fdf120f2b33cdc21/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/24146ebc-f76b-42cd-a996-67098b1a95b7

Score:

89%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/47aa89ca575ade3b5d2b80a1f24e387af23661db9f03e009fdf120f2b33cdc21

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/47aa89ca575ade3b5d2b80a1f24e387af23661db9f03e009fdf120f2b33cdc21/

Verdict:

Malicious

Threat:

Family.DONUTLOADER

Link:

https://tip.neiki.dev/file/47aa89ca575ade3b5d2b80a1f24e387af23661db9f03e009fdf120f2b33cdc21

Threat name:

Win32.Trojan.Ravartar

Status:

Malicious

First seen:

2026-05-01 15:34:53 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

11 of 24 (45.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=i6vitssxllpdwxjlqcq7etryplzdmyo3t4b6acp56eqpfmz43qqq._file

Verdict:

malicious

Label(s):

donutloader

SheetRAT

error

SheetRAT

f58889f3394e62fd6b4aeae86630300650479faea431eb848c5040090399adc7

SheetRAT

fd86114e7b9f78a8ec58374a6a3dc901300ebceb7261694430cdbd2ddfec93b0

SheetRAT

Result

Malware family:

donutloader

Score:

10/10

Tags:

family:donutloader defense_evasion discovery execution loader persistence spyware stealer

Link:

https://tria.ge/reports/260502-aqz6msfw71/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Adds Run key to start application

Looks up external IP address via web service

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

Detects DonutLoader

Family: DonutLoader

Unpacked files

SH256 hash:

47aa89ca575ade3b5d2b80a1f24e387af23661db9f03e009fdf120f2b33cdc21

MD5 hash:

c652f61208b6195eaf6f034b97361474

SHA1 hash:

da874ef58840ac3e0f0ae1b3b7286439339d570f

Link:

https://www.unpac.me/results/e38a2ff2-fdfc-4fc8-9be8-f97945ba82ff/

SH256 hash:

383362188c773fdb241bfc8c745224b5f245f18d3e8e0bdf60bbabf767d88607

MD5 hash:

25bec8736088397f3505ca7cc284e224

SHA1 hash:

84bb8aee5b32dbfb03b94ad0c33d7cb9adb418ec

Link:

https://www.unpac.me/results/e38a2ff2-fdfc-4fc8-9be8-f97945ba82ff/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/47aa89ca575ade3b5d2b80a1f24e387af23661db9f03e009fdf120f2b33cdc21

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/64218/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample