MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87ef9d7dc1a555d6b571a65bbcf82914fbea16bd9b66784e140e41a99a6726c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SiriusRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87ef9d7dc1a555d6b571a65bbcf82914fbea16bd9b66784e140e41a99a6726c3
SHA3-384 hash: 2d10d7bdc196f30b1851429af829cb863110d9f853448b5253ce437c02c59e81b931a64a8c4a98cd00f22f6c7059fb6f
SHA1 hash: 94f3bb385ebbb704f34073f2e314cb1b038a1cde
MD5 hash: 1eeccf6e7075e71b68939eaab7cae8ce
humanhash: kansas-equal-kilo-vegan
File name:1eeccf6e7075e71b68939eaab7cae8ce.exe
Download: download sample
Signature SiriusRAT
Create hunting rule
File size:11'010'048 bytes
First seen:2026-06-04 13:25:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'013 x AgentTesla, 19'919 x Formbook, 12'332 x SnakeKeylogger)
ssdeep 49152:xtm2v2k7V9OoxXE7l2H1b8Em9PfILdYLugR4DOKXScDx5q6PvqvzTWL2miI3Gpnj:
Threatray 39 similar samples on MalwareBazaar
TLSH T19FB6383439FA501AB173EF9A8BE479EADA6FB7733B06645D1050038A4723981DEC153E
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe SiriusRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_87ef9d7dc1a555d6b571a65bbcf82914fbea16bd9b66784e140e41a99a6726c3.exe
Verdict:
No threats detected
Analysis date:
2026-06-04 13:26:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/022c4046-9698-4bfb-97f3-29fc6bd1b09d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68985/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop34.488.14627.6683.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a217cfdf8676ad4d36103ce
Tags:
infosteal emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
DNS request
Connection attempt
Sending an HTTP GET request
Launching a service
Creating a file
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/87ef9d7dc1a555d6b571a65bbcf82914fbea16bd9b66784e140e41a99a6726c3
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-24T04:02:00Z UTC
Last seen:
2026-05-29T19:56:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Win32.Generic HEUR:Trojan-PSW.MSIL.Phemedrone.gen Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Greedy.sb Trojan-PSW.Win32.Agent.sb Trojan-PSW.MSIL.Stealer.sb HEUR:Backdoor.Win32.Agent.gen Trojan-Banker.Win32.Express.sb Trojan-Spy.MSIL.KeyLogger.sb Trojan-PSW.Win32.Coins.sb
Link:
https://opentip.kaspersky.com/87ef9d7dc1a555d6b571a65bbcf82914fbea16bd9b66784e140e41a99a6726c3/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9850b655-bb78-4ab0-b279-5e16ca7b9547
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1923000
Signature
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Contains functionality to hide user accounts
Contains functionality to start a terminal service
Deletes shadow drive data (may be related to ransomware)
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Clipboard Hijacker
Yara detected Generic Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/87ef9d7dc1a555d6b571a65bbcf82914fbea16bd9b66784e140e41a99a6726c3
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/87ef9d7dc1a555d6b571a65bbcf82914fbea16bd9b66784e140e41a99a6726c3/
Verdict:
Malicious
Threat:
Trojan-PSW.MSIL.KeyLogger
Link:
https://tip.neiki.dev/file/87ef9d7dc1a555d6b571a65bbcf82914fbea16bd9b66784e140e41a99a6726c3
Threat name:
ByteCode-MSIL.Trojan.XWorm
Create hunting rule
Status:
Malicious
First seen:
2026-05-24 08:56:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
29 of 36 (80.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q7xz27obuvk5nnlruzn3z6bjct56ufv5tnthqtqubza2tgthe3bq._file
Verdict:
malicious
Label(s):
siriusrat
Create hunting rule
Similar samples:
1d0862222b7236ba62cc2ca44acef718f3422ceda9c5eced96f799287abc1d9a
SiriusRAT
435bceaf240dd7711542a723a6988b280948e77e9953614d981d653680de9f49
SiriusRAT
728e75ae848ac62aa705ed4e4c000dd3dfa2a4cf70a5adfbc56c5a9d2b017792
SiriusRAT
87ef9d7dc1a555d6b571a65bbcf82914fbea16bd9b66784e140e41a99a6726c3
SiriusRAT
d1a1e6a2c0adc45a4cf40128e683499cd984d5803ad2e3a1ce26768a612eaec2
SiriusRAT
error
SiriusRAT
+ 29 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/260604-qpl6dsgt8r/
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Looks up external IP address via web service
Executes dropped EXE
Unpacked files
SH256 hash:
87ef9d7dc1a555d6b571a65bbcf82914fbea16bd9b66784e140e41a99a6726c3
MD5 hash:
1eeccf6e7075e71b68939eaab7cae8ce
SHA1 hash:
94f3bb385ebbb704f34073f2e314cb1b038a1cde
Link:
https://www.unpac.me/results/3ec2be1f-fa6a-43b7-9179-0fd064c7e31a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/87ef9d7dc1a555d6b571a65bbcf82914fbea16bd9b66784e140e41a99a6726c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/68985/

Comments