MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b58f9a99f7199c607317bef835bb92605b4f9bc350aa3071ccac7fef2746ab20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SheetRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b58f9a99f7199c607317bef835bb92605b4f9bc350aa3071ccac7fef2746ab20
SHA3-384 hash: 229c6faff6d47d148282ceefb894461beae85fcb67d05db4eba7251bde7185e43ff5e8bf19c59028e45d3a33aae2ef54
SHA1 hash: 42649f4fc65b7f7242098fbacd6ee1941b4906e4
MD5 hash: 8aa0b149c43becca3815bf1636ba140a
humanhash: comet-hot-winter-bravo
File name:BootstrapperNew.exe
Download: download sample
Signature SheetRAT
Create hunting rule
File size:7'425'024 bytes
First seen:2025-10-13 18:51:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d59a4a699610169663a929d37c90be43 (75 x DCRat, 22 x njrat, 15 x SalatStealer)
ssdeep 196608:2jaBqkSIIlY1iP9a5NcINcgjq3GdCnMK2rICJj4:2jrkSbY139coq3ZMHt0
Threatray 1'046 similar samples on MalwareBazaar
TLSH T1D976120DFE86ED01DD0A3D7B8FD992204B7278D5AE51D20A3048BEF98B6637609D167C
TrID 38.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
28.2% (.EXE) Win64 Executable (generic) (10522/11/4)
12.0% (.EXE) Win32 Executable (generic) (4504/4/1)
5.5% (.EXE) Win16/32 Executable Delphi generic (2072/23)
5.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter aachum
Tags:exe RUS SheetRat tcp-cloudpub-ru


Avatar
iamaachum
https://www.youtube.com/watch?v=c7ZfwDZq6NM => https://mega.nz/file/pQNjRIAR#5dcjpiK6o8yFNzZoULsBEdHUGFtAFje9IL6rHqdSp1E

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BootstrapperNew.exe
Verdict:
Malicious activity
Analysis date:
2025-10-13 18:55:16 UTC
Tags:
anti-evasion auto-sch sheet rat
Link:
https://app.any.run/tasks/a4aeeb80-26fc-4541-9e6b-40cd49c4f5af

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/32582/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ed4a8104e22ce9acd99a2e
Tags:
phishing autorun
Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected threat
Link:
https://www.filescan.io/uploads/68ed4a7d71883144ef34d53f/reports/0803ca26-a13b-426b-92e0-3ee9611fa42e/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/b58f9a99f7199c607317bef835bb92605b4f9bc350aa3071ccac7fef2746ab20
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-13T14:40:00Z UTC
Last seen:
2025-10-13T16:40:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Agent.sb Backdoor.MSIL.Mason.sb Trojan-Dropper.Win32.Delfea.sb Trojan-Dropper.Win32.Delf.eimp Trojan-Dropper.Win32.Agent.sb Trojan-Dropper.Win32.Agent.gen HEUR:Trojan.Win64.Convagent.gen Trojan.Win64.Agent.smdlnf HEUR:Trojan.Win32.Generic HEUR:Trojan.MSIL.Xdwd.gen HEUR:Trojan.MSIL.Agent.gen
Link:
https://opentip.kaspersky.com/b58f9a99f7199c607317bef835bb92605b4f9bc350aa3071ccac7fef2746ab20/results?tab=lookup
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bb324752-4f53-489f-a507-9ae67d134217
Result
Threat name:
SheetRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1794335
Signature
.NET source code contains potential unpacker
Allows loading of unsigned dll using appinit_dll
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Creates an undocumented autostart registry key
Drops large PE files
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected SheetRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1794335 Sample: BootstrapperNew.exe Startdate: 13/10/2025 Architecture: WINDOWS Score: 100 71 tcp.cloudpub.ru 2->71 81 Found malware configuration 2->81 83 Antivirus detection for URL or domain 2->83 85 Antivirus detection for dropped file 2->85 87 15 other signatures 2->87 10 BootstrapperNew.exe 3 2->10         started        13 xdwdMicrosoft Cortana.exe 2 2->13         started        signatures3 process4 file5 67 C:\Users\user\AppData\...\cloudpud test.exe, PE32 10->67 dropped 69 C:\Users\user\...\BootstrapperNew (1).exe, PE32+ 10->69 dropped 15 cloudpud test.exe 3 5 10->15         started        20 BootstrapperNew (1).exe 17 10->20         started        22 xdwdMicrosoft Teams Host.exe 13->22         started        24 cmd.exe 13->24         started        process6 dnsIp7 73 tcp.cloudpub.ru 87.242.106.13, 40132, 49685, 49686 MASTERHOST-ASMoscowRussiaRU Russian Federation 15->73 65 C:\Users\...\xdwdMicrosoft Teams Host.exe, PE32 15->65 dropped 75 Creates an undocumented autostart registry key 15->75 77 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 15->77 79 Allows loading of unsigned dll using appinit_dll 15->79 26 cmd.exe 1 15->26         started        29 cmd.exe 15->29         started        31 cmd.exe 15->31         started        41 30 other processes 15->41 33 cmd.exe 22->33         started        35 cmd.exe 22->35         started        37 schtasks.exe 24->37         started        39 conhost.exe 24->39         started        file8 signatures9 process10 signatures11 89 Uses schtasks.exe or at.exe to add and modify task schedules 26->89 51 2 other processes 26->51 43 conhost.exe 29->43         started        45 schtasks.exe 29->45         started        53 3 other processes 31->53 55 2 other processes 33->55 57 2 other processes 35->57 47 Conhost.exe 37->47         started        49 schtasks.exe 41->49         started        59 50 other processes 41->59 process12 process13 61 Conhost.exe 43->61         started        63 Conhost.exe 49->63         started       
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b58f9a99f7199c607317bef835bb92605b4f9bc350aa3071ccac7fef2746ab20
Verdict:
inconclusive
YARA:
7 match(es)
Tags:
.Net Executable Fody/Costura Packer Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.00 SOS: 0.15 SOS: 0.16 SOS: 0.18 SOS: 0.19 SOS: 0.21 SOS: 0.22 SOS: 0.23 SOS: 0.24 SOS: 0.25 SOS: 0.26 SOS: 0.27 SOS: 0.28 SOS: 0.31 SOS: 0.37 SOS: 0.82 Win 32 Exe x86
Link:
https://app.malva.re/file/8aa0b149c43becca3815bf1636ba140a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b58f9a99f7199c607317bef835bb92605b4f9bc350aa3071ccac7fef2746ab20/
Verdict:
Malicious
Threat:
Trojan-Dropper.Win32.Delf
Link:
https://tip.neiki.dev/file/b58f9a99f7199c607317bef835bb92605b4f9bc350aa3071ccac7fef2746ab20
Threat name:
Win32.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2025-10-13 18:53:33 UTC
File Type:
PE (Exe)
Extracted files:
33
AV detection:
36 of 38 (94.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wwhzvgpxdgoga4yxx34dlo4smbnu7g6dkcvda4omvr766j2gvmqa._file
Verdict:
malicious
Label(s):
sheetrat
Create hunting rule
Similar samples:
11728da41703cd625c9faf2c40ace993b543711504f2e8ad71146a72a340392f
SheetRAT
1e143733e31bfe1015f4674770f569088937586c8e0d4984cacd7aa2484fd3f1
SheetRAT
4583381950d39798763f2d11ea1766b4f0da29acb2b3e41ea4889c74c820f33e
SheetRAT
5852461a118cae4b43ba916592999c3c19b2b35324edd86cf3de4d014378413f
SheetRAT
6da10c1ff6b4b9bfdab1147083a03b4937846a3bc96f233c2024aa487e0fac15
SheetRAT
7684676bd21e55282b28ec2988c4c038c830af74546218be53da8d761981b955
SheetRAT
811f30601dbe15e0d78bf4f8319caf3dbed4227af4c08bccf8e7b33229375576
SheetRAT
9967e313faf2ba6e1de18e7a4a8d7134cca1701f51e41d913a93370577a583ab
SheetRAT
c23029f315f2d0063ffaef0cb651cfcf8e39bd4f9d77aefb6a5866d73bf096db
SheetRAT
error
SheetRAT
+ 1'036 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery execution persistence privilege_escalation
Link:
https://tria.ge/reports/251013-xjdemahq7v/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Event Triggered Execution: AppInit DLLs
Modifies WinLogon for persistence
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0081ee8e-93f2-4fc3-965e-b2497d3872cb
Unpacked files
SH256 hash:
b58f9a99f7199c607317bef835bb92605b4f9bc350aa3071ccac7fef2746ab20
MD5 hash:
8aa0b149c43becca3815bf1636ba140a
SHA1 hash:
42649f4fc65b7f7242098fbacd6ee1941b4906e4
Link:
https://www.unpac.me/results/e17b1805-9865-4b28-88df-8e6906ad68ed/
SH256 hash:
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
MD5 hash:
16e5a492c9c6ae34c59683be9c51fa31
SHA1 hash:
97031b41f5c56f371c28ae0d62a2df7d585adaba
Link:
https://www.unpac.me/results/e17b1805-9865-4b28-88df-8e6906ad68ed/
SH256 hash:
5bcc68604c4c4add6d592e0455156024e52ff10f9f06daa1f543b005d7c2a53f
MD5 hash:
1974506038c5934399de3c2f6c7544de
SHA1 hash:
2178c758de77c465014f96262caa4059ba7d996e
Detections:
INDICATOR_EXE_Packed_Fody
Create hunting rule
Link:
https://www.unpac.me/results/e17b1805-9865-4b28-88df-8e6906ad68ed/
Parent samples :
f69011241df7a117e2d1e9c6c3dce12343fc25a6415fcb2581b9e9da22debc4e
5bcc68604c4c4add6d592e0455156024e52ff10f9f06daa1f543b005d7c2a53f
a4ce98855ef63a066a638ef4e366bd09fa86a5afe3c9fddd06aa3526b429ca8a
596ff27b44adef1e930afcc123950b24e3c3fb37fc46a860f7ab9059c584f25c
adfe883f52bd263a45dbfa0e7b8c06d9cf16cc5688a233589fb53e1e19a5f6c8
90e4da6d22fab412d9b77d1733d09ba4063bcf83838400a62b9584f963272dee
b58f9a99f7199c607317bef835bb92605b4f9bc350aa3071ccac7fef2746ab20
SH256 hash:
1e143733e31bfe1015f4674770f569088937586c8e0d4984cacd7aa2484fd3f1
MD5 hash:
c31d6cbdf634c79d9d06685890934ba7
SHA1 hash:
b9817fb0f14a2b2fc5f8378ff41ad06ab99a989d
Link:
https://www.unpac.me/results/e17b1805-9865-4b28-88df-8e6906ad68ed/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b58f9a99f7199c607317bef835bb92605b4f9bc350aa3071ccac7fef2746ab20

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SheetRAT

Executable exe b58f9a99f7199c607317bef835bb92605b4f9bc350aa3071ccac7fef2746ab20

(this sample)

SheetRAT

Executable exe 1e143733e31bfe1015f4674770f569088937586c8e0d4984cacd7aa2484fd3f1

  
Link
https://tria.ge/251013-xe9l9ssqv8/behavioral3
  
Delivery method
Distributed via web download
  
Dropping
SHA256 1e143733e31bfe1015f4674770f569088937586c8e0d4984cacd7aa2484fd3f1
  
Dropping
MD5 c31d6cbdf634c79d9d06685890934ba7
Cape
Cape
https://www.capesandbox.com/analysis/32582/

Comments