MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5eb5f76e34f39dc726619b00d1456961c39e1213ddf20507683c04b30bcd636b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SheetRAT


Vendor detections: 17



SHA256 hash: 5eb5f76e34f39dc726619b00d1456961c39e1213ddf20507683c04b30bcd636b
SHA3-384 hash: 59632024f54ab3525f31e6d67a909966f1797f553a02f67d8e9c25b5240ba54347cb063a35dc5d7e7e675c0ea5943212
SHA1 hash: 8188e9a6ebd71f8d8e880b17150218aadfa15664
MD5 hash: 3eb09496802aaab8b7351b574c30c23a
humanhash: violet-equal-kilo-crazy
File name: rate.exe
Signature: SheetRAT
File size: 312'832 bytes
First seen: 2025-12-15 10:23:44 UTC
Last seen: 2025-12-17 02:22:37 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 6144:n/SNznlWXy14nPg8mkvx6hQ89oYaFRzcvbZSkIARKz:/SNznlZnQ87aFCVSksz
Threatray: 10 similar samples on MalwareBazaar
TLSH: T1F464A5253FA59E10D985243ECA7E3A09CB62E0F125026347370AF7A15D059EEDE6C3DB
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: abuse_ch
Tags: exe SheetRat

Intelligence


File Origin
# of uploads: 4
# of downloads: 93
Origin country: SE

Vendor Threat Intelligence
Malware configuration found for: PostExploitTool
Details
Malware family: n/a
ID: 1
File name: rate.exe
Verdict: No threats detected
Analysis date: 2025-12-15 14:20:12 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Creating a file
Launching cmd.exe command interpreter
Running batch commands
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Launching a process
Creating synchronization primitives
Creating a process from a recently created file
Unauthorized injection to a recently created process
Connection attempt to an infection source
Enabling autorun
Enabling autorun by creating a file
Verdict: Malicious
File Type: exe x32
First seen: 2025-12-14T20:01:00Z UTC
Last seen: 2025-12-17T05:14:00Z UTC
Hits: ~100
Detections: Trojan.Win32.Agent.rnd Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb HEUR:Backdoor.MSIL.Crysan.gen Trojan.Win32.Vimditator.sb Trojan.Win32.Agent.sb
Result
Threat name: SheetRat, TORNADO Stealer, Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to capture screen (.Net source)
Creates an undocumented autostart registry key
Drops PE files to the user root directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Capture Wi-Fi password
Sigma detected: Disable power options
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses netsh to modify the Windows network and firewall settings
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected SheetRat
Yara detected TORNADO Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: [interactive graph rendered as text; only the graph header is recoverable] Behavior Graph ID: 1832910, Sample: rate.exe, Startdate: 15/12/2025, Architecture: WINDOWS, Score: 100
Verdict: inconclusive
YARA: 10 match(es)
Tags: .Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.91 Win 32 Exe x86
Threat name: ByteCode-MSIL.Trojan.Zilla
Status: Malicious
First seen: 2025-12-15 02:50:17 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 25 of 36 (69.44%)
Threat level: 5/5
Result
Malware family: sheetrat
Score: 10/10
Tags: family:sheetrat trojan
Behaviour
Detects Sheetrat obfuscated V2.0 and higher
Sheetrat family
Sheetrat, NonEuclid rat
Malware Config
C2 Extraction:
94.156.102.130:1566
95.181.212.171:1566
193.233.175.123:1566
Verdict: Malicious
Tags: Win.Packed.Lazy-10031917-0
YARA: n/a
Unpacked files
SHA256 hash: 5eb5f76e34f39dc726619b00d1456961c39e1213ddf20507683c04b30bcd636b
MD5 hash: 3eb09496802aaab8b7351b574c30c23a
SHA1 hash: 8188e9a6ebd71f8d8e880b17150218aadfa15664
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain (Obfuscated or no) Powershell or CMD Command that can be abused by threat actor (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

SheetRAT | Executable exe | 5eb5f76e34f39dc726619b00d1456961c39e1213ddf20507683c04b30bcd636b (this sample)
