MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdcdd7e8a1780076e09fa5f1635603ed07199a0f8a595e7ad5c089887d5a4cbf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SheetRAT
Vendor detections: 17

SHA256 hash: bdcdd7e8a1780076e09fa5f1635603ed07199a0f8a595e7ad5c089887d5a4cbf
SHA3-384 hash: 9a53a024069d0627edd51789cb305e2b1ab1bf972ffe2e7032dabe921517f915e273c24d161685c4644b333b34dd1247
SHA1 hash: 05e87dde530141661320f41ea2554e0a02e4c015
MD5 hash: 7f7edf1d0fc333a67f67559219b90671
humanhash: timing-virginia-london-saturn
File name: Extreme Injector v3.exe
Signature: SheetRAT
File size: 16'844'800 bytes
First seen: 2025-08-29 21:36:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
Note on the imphash: this value is the generic import hash of a .NET executable whose only native import is mscoree.dll!_CorExeMain, which is why tens of thousands of unrelated samples share it. It is useless for pivoting to related SheetRAT samples; use ssdeep, TLSH or the Threatray similarity count below instead.
ssdeep: 393216:akCCkNsgsNvShEYkxXn+DrDA64u1q584hzWfZwlRcmUitHunGRBGQsaw:akCCZjNvrYk03Dr1q55hzWfZwsP1GR49
Threatray: 15 similar samples on MalwareBazaar
TLSH: T110073349F3E3D981E28639F3D144E2F70E20D8491F619E308764AB788F9D539A45FA8D
TrID: 75.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      4.6% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.1% (.ICL) Windows Icons Library (generic) (2059/9)
      2.1% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: burger
Tags: exe SheetRat stealer

Intelligence

File Origin
# of uploads: 1
# of downloads: 97
Origin country: DE

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: https://gofile.io/d/SDhfEM
Verdict: Malicious activity
Analysis date: 2025-08-27 17:37:49 UTC
Tags: httpdebugger tool fileshare advancedinstaller arch-exec python evasion anti-evasion

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: shell sage remo
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file
Creating a process with a hidden window
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a window
Using the Windows Management Instrumentation requests
Running batch commands
Launching cmd.exe command interpreter
Launching a process
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Adding an exclusion to Microsoft Defender
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: packed reconnaissance vbnet
Verdict: Malicious
Labeled as: Backdoor.Marte.VenomRAT.Generic
Verdict: Malicious
File Type: exe x32
Detections:
HEUR:Trojan.MSIL.Donut.gen
BSS:Trojan.Win32.ImSKP.am
BSS:Trojan.Win32.Generic.nblk
HEUR:Trojan.Python.Pytr.ch
HEUR:Trojan.Python.Pytr.bi
BSS:Trojan.Win32.Generic
BSS:Exploit.Win32.Generic.nblk
Trojan.MSIL.Agent.sb
HEUR:Trojan-PSW.Python.Agent.gen
HEUR:Trojan-Dropper.MSIL.FrauDrop.gen
HEUR:Trojan.Python.Tpyc.g
BSS:Worm.Win32.BSS.ScreenLock
not-a-virus:VHO:RiskTool.MSIL.Generic
not-a-virus:VHO:RiskTool.MSIL.Convagent.gen
not-a-virus:VHO:RiskTool.MSIL.Injecter.gen
not-a-virus:RiskTool.MSIL.Injector.v

Malware family: Extreme Injector
Verdict: Malicious
Result
Threat name: SheetRat
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Bypasses PowerShell execution policy
Found pyInstaller with non standard icon
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
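The Sigma hit in the list above ("Powershell Base64 Encoded MpPreference Cmdlet") does not decode anything: it matches base64 fragments of the UTF-16LE cmdlet name directly in the process command line, so an -EncodedCommand payload that adds a Defender exclusion is caught even though the plaintext never appears. The block below is an added example, not code from MalwareBazaar, from any of the sandbox vendors, or from the sample itself. It derives those fragments for all three base64 alignments, runs them over constructed process command lines, and additionally decodes the payload to recover which exclusion parameter was used. The command lines, the exclusion path and the list of accepted -EncodedCommand abbreviations are assumptions made for the demo; nothing here was taken from this sample's sandbox run.

```python
import base64
import re
from typing import Optional

# Defender-configuration cmdlets the Sigma rule "Powershell Base64 Encoded
# MpPreference Cmdlet" looks for; Get-MpPreference is read-only and not listed.
MP_CMDLETS = ("Add-MpPreference", "Set-MpPreference")

# Parameters that exempt paths, processes or extensions from scanning. The
# sandbox reported a directory exclusion, i.e. -ExclusionPath.
EXCLUSION_PARAMS = ("-ExclusionPath", "-ExclusionProcess", "-ExclusionExtension")


def utf16le_b64_fragments(text: str) -> list:
    """Base64 substrings that represent `text` (as UTF-16LE) inside a larger
    base64 blob, one per 3-byte alignment.

    -EncodedCommand is base64 over UTF-16LE. Base64 turns 3 bytes into 4
    characters, so the encoding of a substring depends on its start offset
    modulo 3. For each alignment, prepend that many dummy bytes, encode, then
    drop the leading characters whose value depends on the dummy bytes and the
    trailing characters (including '=' padding) that depend on whatever follows.
    What remains matches regardless of the surrounding script, which is how the
    Sigma rule detects the cmdlet without decoding. (The rule's published
    fragments keep one extra leading character in two alignments, relying on
    the byte before a UTF-16LE ASCII character always being 0x00; the generic
    version here does not.)
    """
    raw = text.encode("utf-16-le")
    fragments = []
    for k in range(3):
        encoded = base64.b64encode(b"\x00" * k + raw).decode("ascii")
        head = (0, 2, 3)[k]                       # chars tainted by the k dummy bytes
        tail = (0, 3, 2)[(k + len(raw)) % 3]     # chars tainted by following bytes / padding
        fragments.append(encoded[head:len(encoded) - tail])
    return fragments


# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are
# the spellings commonly seen (assumption: rarer prefixes are not covered).
_ENC_ARG = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent/invalid."""
    match = _ENC_ARG.search(cmdline)
    if match is None:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def analyze_cmdline(cmdline: str) -> dict:
    """Classify one process-creation command line with two independent checks:
    fragment matching (the Sigma approach, no decoding) and decode-and-inspect
    (what an analyst does to recover the actual exclusion)."""
    # base64 is case-sensitive, so the fragments are matched case-sensitively
    fragments = [f for c in MP_CMDLETS for f in utf16le_b64_fragments(c) if f in cmdline]
    decoded = decode_encoded_command(cmdline)
    script = (decoded if decoded is not None else cmdline).lower()
    cmdlet = any(c.lower() in script for c in MP_CMDLETS)
    exclusion = any(p.lower() in script for p in EXCLUSION_PARAMS)

    if fragments or (cmdlet and decoded is not None):
        verdict = "mppreference-encoded"
    elif cmdlet:
        verdict = "mppreference-plaintext"
    else:
        verdict = "benign"
    return {"verdict": verdict, "fragments": fragments, "decoded": decoded, "exclusion": exclusion}


def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command lines for the demo; the exclusion path is made up and
# none of these were taken from this sample's sandbox run.
SAMPLE_CMDLINES = [
    "powershell.exe -ExecutionPolicy Bypass -Command \"Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\stage'\"",
    "powershell.exe -nop -w hidden -enc " + encode_command(
        "Set-ExecutionPolicy Bypass -Scope Process; Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\stage'"),
    "powershell.exe -NoProfile -Command Get-MpPreference",
    "powershell.exe -EncodedCommand " + encode_command("Get-Date"),
]


def run_samples(lines=SAMPLE_CMDLINES) -> list:
    """Verdict per command line, in order."""
    return [analyze_cmdline(line)["verdict"] for line in lines]


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        result = analyze_cmdline(line)
        print(f"{result['verdict']:24} exclusion={result['exclusion']!s:5} {line[:70]}")
```

The fragment match tells you only that Add-/Set-MpPreference is somewhere in the encoded payload; decoding is what reveals the excluded path, which is what you need to scope the incident (here the sandbox saw a directory exclusion). Fragment matching is also defeated by trivial string building inside the script ("Add-Mp" + "Preference", or a second encoding layer fed to Invoke-Expression), which is why the decode-and-inspect check is kept as an independent second signal rather than folded into the first.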
Behaviour
Behavior Graph (ID 1767951; sample Extreme Injector v3.exe; start date 29/08/2025; architecture WINDOWS; score 100)

Network (all connections originate from the second-stage Rust.exe):
  api.telegram.org 149.154.167.220:443 (TELEGRAMRU, United Kingdom; local ports 49726, 49727); signature: Uses the Telegram API (likely for C&C communication)
  ip-api.com 208.95.112.1:80 (TUT-ASUS, United States; local ports 49724, 49725)
  127.0.0.1 (unknown)

Sample-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Bypasses PowerShell execution policy; 3 other signatures

Process tree:
  Extreme Injector v3.exe
    dropped: C:\Users\user\...xtreme Injector v3 .exe (PE32); C:\ProgramData\steam.exe (PE32); C:\ProgramData\Rust.exe (PE32+); C:\Users\user\...xtreme Injector v3.exe.log (CSV)
    signature: Adds a directory exclusion to Windows Defender
    Rust.exe
      dropped: C:\Users\...\_quoting_c.cp311-win_amd64.pyd (PE32+); C:\Users\user\AppData\...\win32trace.pyd (PE32+); C:\Users\user\AppData\...\win32event.pyd (PE32+); 40 other malicious files
      signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Found pyInstaller with non standard icon; Potentially malicious time measurement code found
      Rust.exe (child process; source of the network connections listed above)
        signature: Tries to harvest and steal browser information (history, passwords, etc)
        cmd.exe -> conhost.exe, WMIC.exe
        cmd.exe -> conhost.exe, WMIC.exe
        cmd.exe -> conhost.exe, WMIC.exe
        2 other processes -> conhost.exe, conhost.exe, WMIC.exe
    steam.exe
      signature: Queries memory information (via WMI often done to detect virtual machines)
    powershell.exe
      signature: Loading BitLocker PowerShell Module
      conhost.exe
    3 other processes -> conhost.exe, conhost.exe
  steam.exe (two further instances started from the root of the graph, not as children of the sample)
Verdict: inconclusive
YARA: 11 match(es)
Tags: .Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.21 Win 32 Exe x86
Threat name: Win32.Backdoor.MarteVenomRAT
Status: Malicious
First seen: 2025-08-29 21:36:49 UTC
File Type: PE (.Net Exe)
Extracted files: 12
AV detection: 28 of 38 (73.68%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: execution persistence pyinstaller spyware stealer upx
Behaviour
Detects videocard installed
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
UPX packed file
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Verdict: Malicious
Tags: Win.Packed.Packy-10033570-0
YARA: n/a
Unpacked files
SHA256 hash: bdcdd7e8a1780076e09fa5f1635603ed07199a0f8a595e7ad5c089887d5a4cbf
MD5 hash: 7f7edf1d0fc333a67f67559219b90671
SHA1 hash: 05e87dde530141661320f41ea2554e0a02e4c015

SHA256 hash: 61dcaa75270b7441aa15f7a84ac7e90c4fb709ba20c69ebff6ce6b1d7a7a3442
MD5 hash: 04e427780897721d1b6ed910b1f484ff
SHA1 hash: 3ad63068c02ba68f6be763a9f23970a2c313367f
Detections: PyInstaller

SHA256 hash: 4a27e4e30e230a416cd84e7a3f57b035ae74e8a4609b023700c177f978fab2ff
MD5 hash: bed09d232cb3d021e3e9370d6a7bde62
SHA1 hash: 549f06a51f4602a537593ccc64ee573fe1c984d7
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:botnet_plaintext_c2
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:CP_AllMal_Detector
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dependsonpythonailib
Author:Tim Brown
Description:Hunts for dependencies on Python AI libraries
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Disable_Defender
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base64 encoded powershell script.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ldpreload
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Rule name:pe_imphash
Rule name:ProgramLanguage_Rust
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upxHook
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:upx_largefile
Author:k3nr9
Rule name:vmdetect
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WHIRLPOOL_Constants
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information


The table below shows additional information about this malware sample such as delivery method and external references.
