MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af580976e18ddb933001ffb8ea01ea5ce4a42968a66c69a49a977abbc91c3288. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SheetRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af580976e18ddb933001ffb8ea01ea5ce4a42968a66c69a49a977abbc91c3288
SHA3-384 hash: 18d3b131f254c506c2fffceaed911af476d6890fbfd0e6d110cc4431b71254c5649547792974db499c28eddcc0d13b4c
SHA1 hash: 2b13c0933849ee116578b9d03437eb12d0d2b2bc
MD5 hash: 8d8a0f8bed06b5ddfdfddd6c587b5b4a
humanhash: paris-comet-apart-oklahoma
File name:af580976e18ddb933001ffb8ea01ea5ce4a42968a66c69a49a977abbc91c3288
Download: download sample
Signature SheetRAT
Create hunting rule
File size:25'383'120 bytes
First seen:2026-02-02 19:53:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dcaf48c1f10b0efa0a4472200f3850ed (43 x BlankGrabber, 22 x Efimer, 18 x PythonStealer)
ssdeep 393216:DmiffmmkQAYvp31o0UcAv1mHk3nXbxkXgjsvLfqZn21U3sB1aK41pHsMRq1bYew:6Afmm+WknFbx+UCfq81pB1CrRub
Threatray 2'640 similar samples on MalwareBazaar
TLSH T1284733AAB634C8EAE42B03F66644249257B3B8314BE1DDCB1AB13214FF577A61D3D710
TrID 66.6% (.EXE) InstallShield setup (43053/19/16)
16.2% (.EXE) Win64 Executable (generic) (10522/11/4)
7.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.1% (.EXE) OS/2 Executable (generic) (2029/13)
3.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Neiki
Tags:exe SheetRat

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
DE DE
Vendor Threat Intelligence
Malware configuration found for:
PyInstaller
Details
PyInstaller
a compiled assembly and a Python version
Link:
https://research.acce.ciphertechsolutions.com/results/4610f8fe-60c1-4c7b-98f8-f0860e239f1b/
Malware family:
n/a
ID:
1
File name:
Nursultan.exe
Verdict:
Malicious activity
Analysis date:
2026-02-02 19:45:59 UTC
Tags:
auto generic python
Link:
https://app.any.run/tasks/ca3992a7-bdc3-4831-beb2-19246e15911b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/51338/
Detection(s):
SecuriteInfo.com.Python.Packed.104.UNOFFICIAL
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Creating a file
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Using the Windows Management Instrumentation requests
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Searching for synchronization primitives
Creating a process with a hidden window
Creating a file in the Program Files subdirectories
Creating a file in the system32 directory
Launching cmd.exe command interpreter
Moving a file to the Program Files subdirectory
Running batch commands
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Searching for the window
Creating a file in the Windows directory
Enabling the libraries to load when starting the app (AppInit_DLLs)
Launching a process
Creating a service
Unauthorized injection to a recently created process
Enabling autorun for a service
Enabling autorun
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expand installer-heuristic lolbin microsoft_visual_cc overlay packed pyinstaller virus
Link:
https://www.filescan.io/uploads/698100b5930564ff3c84d823/reports/34251fa1-d690-496e-955a-963ef22f0d7e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/af580976e18ddb933001ffb8ea01ea5ce4a42968a66c69a49a977abbc91c3288
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-02-02T16:53:00Z UTC
Last seen:
2026-02-03T05:14:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.MSIL.Exnet.gen Trojan.Win32.Tasker.bjhr PDM:Trojan.Win32.Generic HEUR:Trojan-Spy.MSIL.Stealer.gen
Link:
https://opentip.kaspersky.com/af580976e18ddb933001ffb8ea01ea5ce4a42968a66c69a49a977abbc91c3288/results?tab=lookup
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/af580976e18ddb933001ffb8ea01ea5ce4a42968a66c69a49a977abbc91c3288
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/8d8a0f8bed06b5ddfdfddd6c587b5b4a
Gathering data
Verdict:
Malicious
Threat:
Family.SHEETRAT
Link:
https://tip.neiki.dev/file/af580976e18ddb933001ffb8ea01ea5ce4a42968a66c69a49a977abbc91c3288
Threat name:
Win64.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-02-02 19:46:26 UTC
File Type:
PE+ (Exe)
Extracted files:
466
AV detection:
15 of 37 (40.54%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v5mas5xbrxnzgmab764ouapkltskikliuzwgtje2s55lxsi4gkea._file
Verdict:
malicious
Label(s):
unc_loader_063
Create hunting rule
sheetrat
Create hunting rule
Similar samples:
039d9ea659f231a826c3340efd5f5894517f174d31b4ad7805c631d2b101dac2
SheetRAT
57f763fdaa0603e290d1a8611f5b7f3bcb7feccf0c4f87792b0a5e3bf37ec6e9
SheetRAT
5b29bbc8792f90df6030bfc594c99e36b26ce4fcf4eec76bd9a2fd7a933f9977
SheetRAT
aa32d0e1e89a6522ed3e924cb3cba375dc0fcfe48c9fe15ad5309534b91826b9
SheetRAT
b847c47d4a5924064755207423d38c13658b43d4c395cdd2f63e7079520541be
SheetRAT
c9b63c60856549aae39912cf06040cbd7c4ee29d86235482e8352c3d3544cf24
SheetRAT
d345048a87d3fe88da67b8997e62d9f48b0cf1a753a0646c830a563f5d6d01e9
SheetRAT
d9b87f411bc9ddece377b50ce64c48fd644a18e2ce7fb76b1d34ee16bcb9e376
SheetRAT
dc6e7a0cea257a69ba2e5a01d81e6e279c3638043af130ef6bac4666f5572db0
SheetRAT
e450b7efc8b429b618d2d22a074a3dd55c07b451eef315e0e20be7d9054ef18c
SheetRAT
error
SheetRAT
+ 2'630 additional samples on MalwareBazaar
Result
Malware family:
sheetrat
Create hunting rule
Score:
  10/10
Tags:
family:sheetrat execution persistence privilege_escalation pyinstaller trojan
Link:
https://tria.ge/reports/260202-yl61dsbt4g/
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Event Triggered Execution: AppInit DLLs
Detects Sheetrat obfuscated V2.0 and higher
Modifies WinLogon for persistence
Sheetrat family
Sheetrat, NonEuclid rat
Malware Config
C2 Extraction:
94.156.35.155:7777
Malware family:
Alcatraz
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/af580976e18d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/af580976e18ddb933001ffb8ea01ea5ce4a42968a66c69a49a977abbc91c3288

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PyInstaller
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://www.threat.rip/file/af580976e18ddb933001ffb8ea01ea5ce4a42968a66c69a49a977abbc91c3288
Cape
Cape
https://www.capesandbox.com/analysis/51338/

Comments