MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f61bcc5a5896e0e861d78a7bd9dbb4fdacbce2c5d071428062207c51bc9f5cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SheetRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f61bcc5a5896e0e861d78a7bd9dbb4fdacbce2c5d071428062207c51bc9f5cf
SHA3-384 hash: 6f7a306a2f6304f39a965f5fb36aba0dad066f23c9ee44b6c1905e200bf42c7b844445256cd4d83153b5d453f89a03d4
SHA1 hash: 7319bfc6465d3e280fb529b42be8a8ac71b1b54b
MD5 hash: 748c35680385bc6e24b1c6f34cd4bddc
humanhash: tennessee-mockingbird-muppet-autumn
File name:Xeno.exe
Download: download sample
Signature SheetRAT
Create hunting rule
File size:876'032 bytes
First seen:2025-10-26 20:47:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a9c887a4f18a3fede2cc29ceea138ed3 (35 x CoinMiner, 17 x AsyncRAT, 17 x BlankGrabber)
ssdeep 24576:t330eRj7Y8HNkG//Ca3PHe2oDG7cOXgXIEysAqBdZ1:bCa3PHe2oDG7cOXmM
Threatray 1'250 similar samples on MalwareBazaar
TLSH T198154BB588C151C8F853EF78909A80F47CD44EA46913833FEE972B558B27E68918379F
TrID 38.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
11.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter burger
Tags:exe SheetRat

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Xeno.exe
Verdict:
Malicious activity
Analysis date:
2025-10-26 20:45:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9e244896-13a8-42cb-8c52-c39bd9c6dc12

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34203/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68fe88c33bdc93eb0564b12d
Tags:
obfuscate xtreme virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Launching cmd.exe command interpreter
Running batch commands
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the Windows directory
Enabling the libraries to load when starting the app (AppInit_DLLs)
Loading a suspicious library
DNS request
Connection attempt
Sending a custom TCP request
Creating a window
Unauthorized injection to a recently created process
Enabling autorun
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/68fe88ed3a79800405f77262/reports/44b9614d-d8e0-4545-a28e-996d92b3d0be/overview
Verdict:
Malicious
Labled as:
FakeAlert.Generic
Link:
https://www.hybrid-analysis.com/sample/8f61bcc5a5896e0e861d78a7bd9dbb4fdacbce2c5d071428062207c51bc9f5cf
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-26T17:50:00Z UTC
Last seen:
2025-10-27T19:00:00Z UTC
Hits:
~10
Detections:
HEUR:Backdoor.MSIL.Crysan.gen HEUR:Trojan.Win32.Generic HEUR:Trojan.Win32.Agent.pef Trojan.Win32.Vimditator.sb Trojan.Win32.Agent.sb Trojan.MSIL.Inject.sb Trojan-Dropper.Win32.Agent.sb
Link:
https://opentip.kaspersky.com/8f61bcc5a5896e0e861d78a7bd9dbb4fdacbce2c5d071428062207c51bc9f5cf/results?tab=lookup
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ce180f2c-6d1b-4df3-bd3e-2b10940e759c
Result
Threat name:
SheetRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1802095
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Encrypted powershell cmdline option found
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Yara detected SheetRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1802095 Sample: Xeno.exe Startdate: 26/10/2025 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Antivirus detection for URL or domain 2->33 35 Antivirus / Scanner detection for submitted sample 2->35 37 6 other signatures 2->37 7 Xeno.exe 3 2->7         started        11 svchost.exe 1 1 2->11         started        process3 dnsIp4 25 C:\Users\user25vDisplay.exe, PE32 7->25 dropped 27 C:\Users\user\AppData\Local\Temp\Xeno.exe, PE32+ 7->27 dropped 39 Encrypted powershell cmdline option found 7->39 41 Drops PE files to the user root directory 7->41 14 powershell.exe 23 7->14         started        17 NvDisplay.exe 1 7->17         started        19 Xeno.exe 7->19         started        29 127.0.0.1 unknown unknown 11->29 file5 signatures6 process7 signatures8 43 Loading BitLocker PowerShell Module 14->43 21 WmiPrvSE.exe 14->21         started        23 conhost.exe 14->23         started        45 Queries memory information (via WMI often done to detect virtual machines) 17->45 process9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8f61bcc5a5896e0e861d78a7bd9dbb4fdacbce2c5d071428062207c51bc9f5cf
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/748c35680385bc6e24b1c6f34cd4bddc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8f61bcc5a5896e0e861d78a7bd9dbb4fdacbce2c5d071428062207c51bc9f5cf/
Verdict:
Malicious
Threat:
Backdoor.MSIL.Crysan
Link:
https://tip.neiki.dev/file/8f61bcc5a5896e0e861d78a7bd9dbb4fdacbce2c5d071428062207c51bc9f5cf
Threat name:
Win32.Dropper.Dapato
Create hunting rule
Status:
Malicious
First seen:
2025-10-26 20:47:01 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
31 of 38 (81.58%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r5q3zrnfrfxa5bq5pct33hn3j7nmxtrmludrikageid4kg6j6xhq._file
Verdict:
malicious
Label(s):
sheetrat
Create hunting rule
Similar samples:
11728da41703cd625c9faf2c40ace993b543711504f2e8ad71146a72a340392f
SheetRAT
2e11475c281ff7046bc6fb181b50ae740ff38b8a4105c5e7c670f35862f274e1
SheetRAT
4583381950d39798763f2d11ea1766b4f0da29acb2b3e41ea4889c74c820f33e
SheetRAT
58345d31f1b03c27119c13ed054ac18146f76e203aa14fa4cce7fdb0bdf41b1d
SheetRAT
6da10c1ff6b4b9bfdab1147083a03b4937846a3bc96f233c2024aa487e0fac15
SheetRAT
811f30601dbe15e0d78bf4f8319caf3dbed4227af4c08bccf8e7b33229375576
SheetRAT
9967e313faf2ba6e1de18e7a4a8d7134cca1701f51e41d913a93370577a583ab
SheetRAT
c23029f315f2d0063ffaef0cb651cfcf8e39bd4f9d77aefb6a5866d73bf096db
SheetRAT
error
SheetRAT
+ 1'240 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion discovery
Link:
https://tria.ge/reports/251026-zk6tnsex5d/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/aeb2447d-bba0-4ae6-812a-9e9073978c5d
Unpacked files
SH256 hash:
8f61bcc5a5896e0e861d78a7bd9dbb4fdacbce2c5d071428062207c51bc9f5cf
MD5 hash:
748c35680385bc6e24b1c6f34cd4bddc
SHA1 hash:
7319bfc6465d3e280fb529b42be8a8ac71b1b54b
Link:
https://www.unpac.me/results/d9959c4c-746a-41b3-a7fb-7d27e20ea7f6/
SH256 hash:
a8bad8c1503c70685af91294de65f6efc5f6bfebd290e2c04f6e4c5def4c46c8
MD5 hash:
bd07eaf6bfbc9be12e6bc474b01dc0de
SHA1 hash:
f525844d8ea0f0a8a586ea26d52c8baa2775ab11
Link:
https://www.unpac.me/results/d9959c4c-746a-41b3-a7fb-7d27e20ea7f6/
Malware family:
Alcatraz
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8f61bcc5a589/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8f61bcc5a5896e0e861d78a7bd9dbb4fdacbce2c5d071428062207c51bc9f5cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/34203/

Comments