MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4915daf756d001bfce02f28cd7328ccd3ea788c505eb3a5aac442bfc6d62b377. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SheetRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4915daf756d001bfce02f28cd7328ccd3ea788c505eb3a5aac442bfc6d62b377
SHA3-384 hash: 0f1ca7c3379cc7ca3fac8b225b7d8b002013f39666dd9093a99abd807cbcbd6dfc8b355ddd775f37c3be12f0d4e55eb6
SHA1 hash: e694f557b2caf8c5e400d86d8945c904ecae8700
MD5 hash: 3b30cadbe6af076723bbb21744624413
humanhash: floor-black-harry-white
File name:SecuriteInfo.com.Trojan.DownLoad4.16832.14922.17094
Download: download sample
Signature SheetRAT
Create hunting rule
File size:56'736 bytes
First seen:2025-06-04 08:37:25 UTC
Last seen:2025-06-04 09:46:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 1536:E5smMEH+pvZD1OblxiU+iZ1d6S9bwax8wPxX:tEHi1OblxiUvZv6cEG8gxX
TLSH T1FC436C0477D44D11EADFC6BDB3A592096274E3B35942C78B7CDA8CE026833C26792ED6
TrID 56.5% (.EXE) Win64 Executable (generic) (10522/11/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe SheetRat

Intelligence

File Origin
# of uploads :
2
# of downloads :
387
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
36a5538f434122beeeb79506d31ce3be687557556d00fbf25c0d4637c812ec52
Verdict:
Malicious activity
Analysis date:
2025-05-28 13:32:48 UTC
Tags:
netreactor telegram evasion github ims-api generic ip-check
Link:
https://app.any.run/tasks/3297b1d6-7bfe-403d-af1f-f58d60e7ae29

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/7221/
Detection(s):
SecuriteInfo.com.Trojan.DownLoad4.16832.14922.17094.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6840069507b5e8c1cfe4967c
Tags:
autorun virus shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a file
Launching cmd.exe command interpreter
Running batch commands
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Launching a process
Сreating synchronization primitives
Creating a process from a recently created file
DNS request
Connection attempt
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 expired-cert invalid-signature obfuscated reconnaissance signed zero
Link:
https://www.filescan.io/uploads/68400608fd02ed5e05977262/reports/7624f722-8bdb-41b6-adee-b33774789c32/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/4915daf756d001bfce02f28cd7328ccd3ea788c505eb3a5aac442bfc6d62b377
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a897ca52-c25b-49b0-9698-7d332690843d
Result
Threat name:
SheetRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1705671
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture screen (.Net source)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected SheetRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1705671 Sample: SecuriteInfo.com.Trojan.Dow... Startdate: 04/06/2025 Architecture: WINDOWS Score: 100 93 mypopy.ddns.net 2->93 95 Found malware configuration 2->95 97 Multi AV Scanner detection for submitted file 2->97 99 Yara detected SheetRat 2->99 103 8 other signatures 2->103 12 SecuriteInfo.com.Trojan.DownLoad4.16832.14922.17094.exe 3 2->12         started        16 AntiSpwarecoreservice.exe 2 2->16         started        19 AntiSpwarecoreservice.exe 2->19         started        21 12 other processes 2->21 signatures3 101 Uses dynamic DNS services 93->101 process4 dnsIp5 87 C:\Users\user\...\AntiSpwarecoreservice.exe, PE32+ 12->87 dropped 89 SecuriteInfo.com.T...14922.17094.exe.log, CSV 12->89 dropped 119 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->119 121 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 12->121 123 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 12->123 125 Modifies the windows firewall 12->125 23 cmd.exe 1 12->23         started        26 cmd.exe 1 12->26         started        28 WmiPrvSE.exe 12->28         started        91 mypopy.ddns.net 105.97.89.151, 35678 ALGTEL-ASDZ Algeria 16->91 127 Multi AV Scanner detection for dropped file 16->127 30 AntiSpwarecoreservice.exe 1 16->30         started        32 cmd.exe 16->32         started        38 5 other processes 16->38 34 cmd.exe 19->34         started        36 cmd.exe 21->36         started        40 14 other processes 21->40 file6 signatures7 process8 signatures9 105 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->105 107 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 23->107 109 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 23->109 111 Uses schtasks.exe or at.exe to add and modify task schedules 23->111 42 conhost.exe 23->42         started        45 schtasks.exe 1 26->45         started        47 conhost.exe 26->47         started        49 2 other processes 30->49 51 2 other processes 32->51 53 3 other processes 34->53 55 2 other processes 36->55 57 6 other processes 38->57 59 21 other processes 40->59 process10 signatures11 113 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 42->113 115 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 42->115 117 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 42->117 61 conhost.exe 49->61         started        63 schtasks.exe 1 49->63         started        65 Conhost.exe 51->65         started        67 AntiSpwarecoreservice.exe 53->67         started        69 Conhost.exe 55->69         started        71 Conhost.exe 55->71         started        73 Conhost.exe 59->73         started        75 Conhost.exe 59->75         started        process12 process13 77 cmd.exe 67->77         started        process14 79 conhost.exe 77->79         started        81 schtasks.exe 77->81         started        83 Conhost.exe 77->83         started        process15 85 Conhost.exe 79->85         started       
Score:
92%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4915daf756d001bfce02f28cd7328ccd3ea788c505eb3a5aac442bfc6d62b377
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4915daf756d001bfce02f28cd7328ccd3ea788c505eb3a5aac442bfc6d62b377/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2025-05-20 00:18:00 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jek5v52w2aa37tqc6kgnomumzu7kpcgfaxvtuwvmiqv7y3lcwn3q._file
Result
Malware family:
sheetrat
Create hunting rule
Score:
  10/10
Tags:
family:sheetrat campaign:g1 trojan
Link:
https://tria.ge/reports/250604-kjn5xagr2s/
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Sheetrat family
Sheetrat, NonEuclid rat
Malware Config
C2 Extraction:
mypopy.ddns.net:35678
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/80cfe274-665d-47bd-9a4f-13a4dfbade1a
Unpacked files
SH256 hash:
4915daf756d001bfce02f28cd7328ccd3ea788c505eb3a5aac442bfc6d62b377
MD5 hash:
3b30cadbe6af076723bbb21744624413
SHA1 hash:
e694f557b2caf8c5e400d86d8945c904ecae8700
Link:
https://www.unpac.me/results/31b31a3b-1a07-4ed3-a30c-36c0bc985093/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4915daf756d001bfce02f28cd7328ccd3ea788c505eb3a5aac442bfc6d62b377

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SheetRAT

Executable exe 4915daf756d001bfce02f28cd7328ccd3ea788c505eb3a5aac442bfc6d62b377

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/7221/
  
URLhaus
https://urlhaus.abuse.ch/url/3557948/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments