MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80963a35376a1a74e1c99ebe07a7f085d2069bfab72073b6131e2b324c4ff513. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SheetRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80963a35376a1a74e1c99ebe07a7f085d2069bfab72073b6131e2b324c4ff513
SHA3-384 hash: ca7bd8bc193aaa716191de33dd0266336ab8243e6d23d511f59c76db771f4c5e2d3c3622ef0311b7fdd1464dc65cf25d
SHA1 hash: 0d87867ba7ef0243d48b59c4ee0634e360114411
MD5 hash: 690faa0652530ebf2830b4bc8cf640fc
humanhash: colorado-texas-uniform-washington
File name:Superioty.exe
Download: download sample
Signature SheetRAT
Create hunting rule
File size:280'064 bytes
First seen:2025-10-26 22:03:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d59a4a699610169663a929d37c90be43 (75 x DCRat, 22 x njrat, 15 x SalatStealer)
ssdeep 6144:BvwxRE2OnRMfxeneI4B0zX50Lon0XjgLdVxaB87ayJkWVK:MEP0xUR4B6XoedWMk0K
Threatray 1'249 similar samples on MalwareBazaar
TLSH T12D5423584BC38376E1ED5834C4237661463C82E7969727EBCEC1632DAFC66C782E3652
TrID 45.4% (.EXE) Win64 Executable (generic) (10522/11/4)
19.4% (.EXE) Win32 Executable (generic) (4504/4/1)
8.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
8.7% (.EXE) OS/2 Executable (generic) (2029/13)
8.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter burger
Tags:exe SheetRat

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Superioty.exe
Verdict:
Malicious activity
Analysis date:
2025-10-26 22:00:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9069923e-2dfe-4401-95c9-a3b70d3f2fbe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34213/
Detection(s):
Win.Trojan.Injector-6297685-1
Create hunting rule

Win.Trojan.Agent-345883
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68fe9a993bdc93eb0564b4a7
Tags:
dropper virus micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Enabling the 'hidden' option for files in the %temp% directory
Creating a window
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Creating a file
Launching cmd.exe command interpreter
Running batch commands
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the Windows directory
Launching a process
Enabling the libraries to load when starting the app (AppInit_DLLs)
Loading a suspicious library
Connection attempt to an infection source
Unauthorized injection to a recently created process
Query of malicious DNS domain
Enabling autorun
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
borland_delphi loki packed
Link:
https://www.filescan.io/uploads/68fe9abb3a79800405f77d36/reports/0f8ddd17-6674-4e5b-ae7b-79b13324e139/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/80963a35376a1a74e1c99ebe07a7f085d2069bfab72073b6131e2b324c4ff513
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-26T18:58:00Z UTC
Last seen:
2025-10-27T19:00:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Win32.Generic HEUR:Trojan.MSIL.Crypt.gen HEUR:Backdoor.MSIL.Crysan.gen Trojan-Dropper.Win32.Delfea.sb Trojan-Dropper.Win32.Delf.eimp Trojan-Dropper.Win32.Agent.gen Trojan.Win32.Vimditator.sb Trojan.Win32.Agent.sb Trojan.MSIL.Inject.sb Trojan.Agent.UDP.C&C PDM:Trojan.Win32.Tasker.cust PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/80963a35376a1a74e1c99ebe07a7f085d2069bfab72073b6131e2b324c4ff513/results?tab=lookup
Malware family:
KeyBase
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/49aabbb3-80eb-497e-883f-e42d2c5344ec
Result
Threat name:
SheetRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1802109
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to capture screen (.Net source)
Found malware configuration
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Yara detected SheetRat
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/80963a35376a1a74e1c99ebe07a7f085d2069bfab72073b6131e2b324c4ff513
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.21 Win 32 Exe x86
Link:
https://app.malva.re/file/690faa0652530ebf2830b4bc8cf640fc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/80963a35376a1a74e1c99ebe07a7f085d2069bfab72073b6131e2b324c4ff513/
Verdict:
Malicious
Threat:
Trojan-Dropper.Win32.Delf
Link:
https://tip.neiki.dev/file/80963a35376a1a74e1c99ebe07a7f085d2069bfab72073b6131e2b324c4ff513
Threat name:
Win32.Ransomware.Loki
Create hunting rule
Status:
Malicious
First seen:
2025-10-26 22:03:07 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
37 of 38 (97.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qcldunjxninhjyojt27apj7qqxjang72w4qhhnqtdyvtetcp6ujq._file
Verdict:
malicious
Label(s):
unc_loader_063
Create hunting rule
sheetrat
Create hunting rule
Similar samples:
0c2bc77b457a5c275fa8420bdd7a9b4635a1246af0a7548da4c95705252456f2
SheetRAT
11728da41703cd625c9faf2c40ace993b543711504f2e8ad71146a72a340392f
SheetRAT
44cbb9ba318ddc687dca3e0dfeba30db5469d50c9bbdbbfb5888efdd9889439e
SheetRAT
57d596b29d6fc2c917503116419917c74d504be7733b31ac4637b6792e8abf72
SheetRAT
58345d31f1b03c27119c13ed054ac18146f76e203aa14fa4cce7fdb0bdf41b1d
SheetRAT
70f7f058d0d3d8f4f282537d00a2468973a6484651e4ac74c008e853ba28ef9a
SheetRAT
811f30601dbe15e0d78bf4f8319caf3dbed4227af4c08bccf8e7b33229375576
SheetRAT
b58f9a99f7199c607317bef835bb92605b4f9bc350aa3071ccac7fef2746ab20
SheetRAT
c87c032aa2471bb287a7665fa083e76b41a48989c6b4cb61b9e8a290ce92a8da
SheetRAT
error
SheetRAT
+ 1'239 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/251026-1ymhmawlgp/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Executes dropped EXE
Verdict:
Malicious
Tags:
Win.Trojan.Injector-6297685-1
YARA:
n/a
Link:
https://app.threat.zone/submission/7b7f78d3-f8a8-4e83-b3f0-e8549c951ab3
Unpacked files
SH256 hash:
80963a35376a1a74e1c99ebe07a7f085d2069bfab72073b6131e2b324c4ff513
MD5 hash:
690faa0652530ebf2830b4bc8cf640fc
SHA1 hash:
0d87867ba7ef0243d48b59c4ee0634e360114411
Link:
https://www.unpac.me/results/623920cc-7c18-4bf0-a71b-62b69724bbeb/
SH256 hash:
ef104442919afa9ad87be1fe2f4ec7252ee6aaa411d4d20bcec312d47c262903
MD5 hash:
ded505a99f50cec4d29cea28b4c12244
SHA1 hash:
d866b20396cfd6bbe405308ad43b2cf971204986
Link:
https://www.unpac.me/results/623920cc-7c18-4bf0-a71b-62b69724bbeb/
SH256 hash:
9da095b33159d207b1c6c38d719e9d0a07f86e7cb2c1845c2ca0c61e30a7ba43
MD5 hash:
ad78064a31ae533e276a00a900845305
SHA1 hash:
8ca2dbc95d01ef010cdf34c32ee51c66af329d2a
Link:
https://www.unpac.me/results/623920cc-7c18-4bf0-a71b-62b69724bbeb/
Malware family:
Alcatraz
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/80963a35376a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/80963a35376a1a74e1c99ebe07a7f085d2069bfab72073b6131e2b324c4ff513

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/34213/

Comments