MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad61959f21fc0078c83f70d86c7b66d75a81d085409589a8f2861a9d5cb023e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SheetRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad61959f21fc0078c83f70d86c7b66d75a81d085409589a8f2861a9d5cb023e6
SHA3-384 hash: 1fe0ccfe6c9c50997f115fbc77508048cb101302b5b5f0399a7aa8d5cf78ea48b796e388238943d541d38a4793bda15f
SHA1 hash: 2667399290d894af886f0e5a4501f70045af5080
MD5 hash: 5ea519b65653e2d0821b23e4b00e0d09
humanhash: india-wolfram-lion-ten
File name:Neverlose.exe
Download: download sample
Signature SheetRAT
Create hunting rule
File size:854'528 bytes
First seen:2025-10-26 19:57:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:VA4cfa5nzSWnN1XuuITfKVKEolWcYFEcNFhJeV2aK+P9spcdT1z5w53a7s0Yfgbh:Ozy5nz3nvWTfKVRFEcPHGr63BMYIBCi
Threatray 1'246 similar samples on MalwareBazaar
TLSH T13A05E4042B944D00D1843AFD8DFA6A15C71EADED3A02674B3706F2692D72DEDDE2D2C6
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter burger
Tags:exe SheetRat

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Neverlose.exe
Verdict:
No threats detected
Analysis date:
2025-10-26 19:55:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/605080c2-55be-483c-96d1-2c4516699047

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34199/
Detection(s):
Win.Packed.Lazy-10031917-0
Create hunting rule

Verdict:
Clean
Score:
N/A%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68fe7ce43bdc93eb0564ac3c
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a file
Launching cmd.exe command interpreter
Running batch commands
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the Program Files directory
Launching a process
Creating a file in the Windows directory
Enabling the libraries to load when starting the app (AppInit_DLLs)
Сreating synchronization primitives
Creating a process from a recently created file
Loading a suspicious library
Connection attempt to an infection source
Searching for synchronization primitives
Unauthorized injection to a recently created process
Query of malicious DNS domain
Enabling autorun
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 obfuscated obfuscated reconnaissance
Link:
https://www.filescan.io/uploads/68fe7d6d3a79800405f76b5c/reports/85235df7-54ff-4d6b-b73a-466a5547a797/overview
Verdict:
Malicious
Labled as:
Trojan.MSIL.Basic.3
Link:
https://www.hybrid-analysis.com/sample/ad61959f21fc0078c83f70d86c7b66d75a81d085409589a8f2861a9d5cb023e6
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-21T10:37:00Z UTC
Last seen:
2025-10-27T19:00:00Z UTC
Hits:
~10
Detections:
HEUR:Backdoor.MSIL.Crysan.gen Trojan.Win32.Agent.sb Trojan.MSIL.Inject.sb Trojan.Agent.UDP.C&C
Link:
https://opentip.kaspersky.com/ad61959f21fc0078c83f70d86c7b66d75a81d085409589a8f2861a9d5cb023e6/results?tab=lookup
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/df81f618-53d5-49a7-a7de-bc17867986e6
Result
Threat name:
SheetRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1802090
Signature
.NET source code contains potential unpacker
Allows loading of unsigned dll using appinit_dll
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to capture screen (.Net source)
Creates an undocumented autostart registry key
Drops large PE files
Drops PE files to the user root directory
Found malware configuration
Joe Sandbox ML detected suspicious sample
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected SheetRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1802090 Sample: Neverlose.exe Startdate: 26/10/2025 Architecture: WINDOWS Score: 100 40 unit-identical.gl.at.ply.gg 2->40 44 Found malware configuration 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected SheetRat 2->48 50 11 other signatures 2->50 8 Neverlose.exe 1 5 2->8         started        12 xdwdiscord.exe 1 2->12         started        14 xdwdtesting.exe 1 2->14         started        16 xdwdiscord.exe 2->16         started        signatures3 process4 file5 38 C:\Users\user\xdwdiscord.exe, PE32 8->38 dropped 62 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->62 64 Obfuscated command line found 8->64 66 Creates an undocumented autostart registry key 8->66 68 8 other signatures 8->68 18 xdwdiscord.exe 2 8->18         started        22 cmd.exe 1 8->22         started        24 cmd.exe 1 8->24         started        26 2 other processes 8->26 signatures6 process7 dnsIp8 42 unit-identical.gl.at.ply.gg 147.185.221.16, 53366 SALSGIVERUS United States 18->42 52 Antivirus detection for dropped file 18->52 54 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->54 56 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 18->56 60 2 other signatures 18->60 58 Uses schtasks.exe or at.exe to add and modify task schedules 22->58 28 conhost.exe 22->28         started        30 conhost.exe 24->30         started        32 schtasks.exe 1 24->32         started        34 conhost.exe 26->34         started        36 schtasks.exe 1 26->36         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ad61959f21fc0078c83f70d86c7b66d75a81d085409589a8f2861a9d5cb023e6
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.91 Win 32 Exe x86
Link:
https://app.malva.re/file/5ea519b65653e2d0821b23e4b00e0d09
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ad61959f21fc0078c83f70d86c7b66d75a81d085409589a8f2861a9d5cb023e6/
Verdict:
Malicious
Threat:
Backdoor.MSIL.Crysan
Link:
https://tip.neiki.dev/file/ad61959f21fc0078c83f70d86c7b66d75a81d085409589a8f2861a9d5cb023e6
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2025-10-26 19:56:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vvqzlhzb7qahrsb7odmgy63g25niduefickytkhsqynj2xfqepta._file
Verdict:
malicious
Label(s):
sheetrat
Create hunting rule
Similar samples:
048de3a8928baf0e340d1331f4b3d9b115c7c7a3f088459e9b2e2ed60847f164
SheetRAT
0c2bc77b457a5c275fa8420bdd7a9b4635a1246af0a7548da4c95705252456f2
SheetRAT
11728da41703cd625c9faf2c40ace993b543711504f2e8ad71146a72a340392f
SheetRAT
263748ae9265e9f849e734991c1e48affdd629cb01644c3276ee14a4841b8f7d
SheetRAT
6b42326c8c8e747d00504e9072e9e742f53c9861d0d377a6b8f6e412c3518725
SheetRAT
6da10c1ff6b4b9bfdab1147083a03b4937846a3bc96f233c2024aa487e0fac15
SheetRAT
811f30601dbe15e0d78bf4f8319caf3dbed4227af4c08bccf8e7b33229375576
SheetRAT
9967e313faf2ba6e1de18e7a4a8d7134cca1701f51e41d913a93370577a583ab
SheetRAT
c23029f315f2d0063ffaef0cb651cfcf8e39bd4f9d77aefb6a5866d73bf096db
SheetRAT
error
SheetRAT
+ 1'236 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/251026-yplhvsep8w/
Verdict:
Malicious
Tags:
Win.Packed.Lazy-10031917-0
YARA:
n/a
Link:
https://app.threat.zone/submission/aa0a5cf1-6884-4cda-ab25-824923a8de5e
Unpacked files
SH256 hash:
ad61959f21fc0078c83f70d86c7b66d75a81d085409589a8f2861a9d5cb023e6
MD5 hash:
5ea519b65653e2d0821b23e4b00e0d09
SHA1 hash:
2667399290d894af886f0e5a4501f70045af5080
Link:
https://www.unpac.me/results/81b7fe03-a5ca-4c24-a721-051fc74fdeab/
Malware family:
Alcatraz
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ad61959f21fc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ad61959f21fc0078c83f70d86c7b66d75a81d085409589a8f2861a9d5cb023e6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/34199/

Comments