MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57be639cf84bea56ebb2373cc01d65639c15cbc24bb0a5d45e75350e518267a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SheetRAT

Vendor detections: 17

Intelligence 17 IOCs YARA 1 File information Comments

SHA256 hash:	57be639cf84bea56ebb2373cc01d65639c15cbc24bb0a5d45e75350e518267a1
SHA3-384 hash:	4640ecfe1c0f178f8ada0c5ed7c8dbda2aafa61ddcd95a145cf6bd77ab9ea1dd54d6ec4a2a0f928627340296fd7369e8
SHA1 hash:	c4992d096a11ad8f7b4157c0817e09c10e5460e1
MD5 hash:	d3e043be6b577b2c25385f91c60427cd
humanhash:	bluebird-michigan-artist-angel
File name:	BootstrapperNew .exe
Download:	download sample
Signature	SheetRAT Create hunting rule
File size:	6'514'176 bytes
First seen:	2025-12-23 12:23:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	196608:l3d0ka20TDCam0wHLeDB+UrssFDx7a/jx:3I2QDCamtHLeDB+UrsaDx7ojx
Threatray	8 similar samples on MalwareBazaar
TLSH	T186663394A063C7E7D13F75B52A234F317DFF618C18EA7A1D89097FF01A21A8648E7819
TrID	56.5% (.EXE) Win64 Executable (generic) (10522/11/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	burger
Tags:	exe SheetRat

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

EvilCoder

Details

EvilCoder

extracted components, their filepaths, and possibly registry installation

Link:

https://research.acce.ciphertechsolutions.com/results/ec609411-5170-47d6-b58a-cea0a5460550/

Malware family:

n/a

ID:

File name:

BootstrapperNew.exe

Verdict:

No threats detected

Analysis date:

2025-12-23 12:23:23 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/715d081f-c460-4484-95cd-fe0fe463c91c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/45849/

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=694a89d001c7b4a8fe54fc3f

Tags:

dropper packed spawn

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

installer-heuristic packed reconnaissance tiny vbnet venomrat

Link:

https://www.filescan.io/uploads/694a89efa7163552ba042fdb/reports/1be9eefe-35ba-4663-9a67-5088c1003f49/overview

Verdict:

Malicious

Labled as:

Backdoor.Marte.VenomRAT.Generic

Link:

https://www.hybrid-analysis.com/sample/57be639cf84bea56ebb2373cc01d65639c15cbc24bb0a5d45e75350e518267a1

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-12-22T19:17:00Z UTC

Last seen:

2025-12-23T10:05:00Z UTC

Hits:

~10

Detections:

Trojan.Win32.Agent.sb Trojan.MSIL.Inject.sb HEUR:Trojan.MSIL.Revenge.gen HEUR:Backdoor.MSIL.Crysan.gen PDM:Trojan-Dropper.Win32.Dorifel.a.3 PDM:Trojan.Win32.Generic Trojan.Win32.Vimditator.sb

Link:

https://opentip.kaspersky.com/57be639cf84bea56ebb2373cc01d65639c15cbc24bb0a5d45e75350e518267a1/results?tab=lookup

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b30d44b2-8702-43a9-b77a-39b29b1eb939

Result

Threat name:

SheetRat

Detection:

malicious

Classification:

troj.evad.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1838191

Signature

.NET source code contains potential unpacker

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries memory information (via WMI often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Yara detected Costura Assembly Loader

Yara detected SheetRat

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/57be639cf84bea56ebb2373cc01d65639c15cbc24bb0a5d45e75350e518267a1

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.21 Win 64 Exe x64

Link:

https://app.malva.re/file/d3e043be6b577b2c25385f91c60427cd

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/57be639cf84bea56ebb2373cc01d65639c15cbc24bb0a5d45e75350e518267a1/

Verdict:

Malicious

Threat:

Family.SHEETRAT

Link:

https://tip.neiki.dev/file/57be639cf84bea56ebb2373cc01d65639c15cbc24bb0a5d45e75350e518267a1

Threat name:

ByteCode-MSIL.Backdoor.MarteVenomRAT

Status:

Malicious

First seen:

2025-12-23 12:23:25 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

27 of 36 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=k67ghhhyjpvfn25sg46mahlfmoobls6cjoyklvc6ou2q4umcm6qq._file

Verdict:

malicious

Label(s):

unc_loader_063

SheetRAT

57be639cf84bea56ebb2373cc01d65639c15cbc24bb0a5d45e75350e518267a1

SheetRAT

aa30d948e4f49cf82e268899427fcad2b5f0a49d231272ec5a7df08d4d8b8df0

SheetRAT

ad61959f21fc0078c83f70d86c7b66d75a81d085409589a8f2861a9d5cb023e6

SheetRAT

error

SheetRAT

Result

Malware family:

sheetrat

Score:

10/10

Tags:

family:sheetrat execution persistence trojan

Link:

https://tria.ge/reports/251223-pvhjqaymgs/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

Drops file in Program Files directory

Checks computer location settings

Executes dropped EXE

Detects Sheetrat obfuscated V2.0 and higher

Modifies WinLogon for persistence

Sheetrat family

Sheetrat, NonEuclid rat

Malware Config

C2 Extraction:

ImTHEBEST-33138.portmap.host:33138

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/247eb229-5815-4b66-a812-c06b3f44cefc

Unpacked files

SH256 hash:

57be639cf84bea56ebb2373cc01d65639c15cbc24bb0a5d45e75350e518267a1

MD5 hash:

d3e043be6b577b2c25385f91c60427cd

SHA1 hash:

c4992d096a11ad8f7b4157c0817e09c10e5460e1

Link:

https://www.unpac.me/results/19467a0d-0a04-4b4a-a0ee-c763b4c09d9b/

SH256 hash:

f06a9ae652e9d205f50893a56ab5ae830789cbfb427c26a729bb9916d51923ac

MD5 hash:

80edc0b1644c8db8eb39be2371d59a36

SHA1 hash:

3456f3f71a4f31fe67cc4e4ecec9dbf903218d58

Detections:

INDICATOR_EXE_Packed_Fody

Link:

https://www.unpac.me/results/19467a0d-0a04-4b4a-a0ee-c763b4c09d9b/

SH256 hash:

21ab8b24fb0e14bc1673639aecccd1aa4fdb903a43686be9083d46e2bf32da14

MD5 hash:

047f4544f53699b117ce522f5d09fab8

SHA1 hash:

44e610648bf9100247f8f15198f10a55696603f7

Link:

https://www.unpac.me/results/19467a0d-0a04-4b4a-a0ee-c763b4c09d9b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/57be639cf84bea56ebb2373cc01d65639c15cbc24bb0a5d45e75350e518267a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/45849/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample