MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecf301abef36e37e207f82ec4ee02e76f0dcf2c79f92821dce2528013b677adf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SheetRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ecf301abef36e37e207f82ec4ee02e76f0dcf2c79f92821dce2528013b677adf
SHA3-384 hash: c85660de515c17cfb6b7d758b01ca5da07fb6a4ea6db8cd7bca77d03892d8c3e0b305f07eaaa6fb5d8ab7b17773f4774
SHA1 hash: 5183b3fe69a736e811778f2916fcfd4d5929ebdb
MD5 hash: ba04713af22865ad21620edc767923d7
humanhash: washington-sink-minnesota-eight
File name:SecuriteInfo.com.Trojan.DownLoad4.16832.1149.21526
Download: download sample
Signature SheetRAT
Create hunting rule
File size:195'840 bytes
First seen:2025-06-04 08:38:37 UTC
Last seen:2025-06-04 09:47:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:SREHOpZHbL1pc8YMz4i8bAJ6O+Rf1raJ6Yoo8MgOb6xb57YEGka1P1fb:SvpZHA8YgfP87aJmvMnbK57CTT
Threatray 11 similar samples on MalwareBazaar
TLSH T1CC14F1807B991932DA2F49BDA7A682096270C133AF42D30F7CCD5CE612833D69B55DDB
TrID 56.5% (.EXE) Win64 Executable (generic) (10522/11/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe SheetRat

Intelligence

File Origin
# of uploads :
2
# of downloads :
401
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/7228/
Detection(s):
SecuriteInfo.com.Trojan.DownLoad4.16832.1149.21526.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6840076407b5e8c1cfe496e5
Tags:
autorun shell spawn sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a file
Launching cmd.exe command interpreter
Running batch commands
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the Windows directory
Launching a process
Enabling the libraries to load when starting the app (AppInit_DLLs)
Сreating synchronization primitives
Creating a process from a recently created file
DNS request
Connection attempt
Searching for synchronization primitives
Unauthorized injection to a recently created process
Enabling autorun
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 expired-cert invalid-signature obfuscated packed packed packer_detected reconnaissance signed zero
Link:
https://www.filescan.io/uploads/6840063efd02ed5e059772c1/reports/f73062c4-571d-470e-93ff-929323bef382/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/ecf301abef36e37e207f82ec4ee02e76f0dcf2c79f92821dce2528013b677adf
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bdddf786-6d29-471c-917d-12f387112ddd
Result
Threat name:
SheetRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1705674
Signature
.NET source code contains potential unpacker
Allows loading of unsigned dll using appinit_dll
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture screen (.Net source)
Creates an undocumented autostart registry key
Found malware configuration
Joe Sandbox ML detected suspicious sample
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected SheetRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1705674 Sample: SecuriteInfo.com.Trojan.Dow... Startdate: 04/06/2025 Architecture: WINDOWS Score: 100 90 mypopy.ddns.net 2->90 94 Found malware configuration 2->94 96 Multi AV Scanner detection for dropped file 2->96 98 Multi AV Scanner detection for submitted file 2->98 102 9 other signatures 2->102 10 SecuriteInfo.com.Trojan.DownLoad4.16832.1149.21526.exe 1 4 2->10         started        14 xdwdAntiSpwarecoreservice.exe 2 2->14         started        17 xdwdAntiSpwarecoreservice.exe 2->17         started        19 14 other processes 2->19 signatures3 100 Uses dynamic DNS services 90->100 process4 dnsIp5 84 C:\Windows\xdwd.dll, PE32+ 10->84 dropped 86 C:\Users\...\xdwdAntiSpwarecoreservice.exe, PE32+ 10->86 dropped 88 SecuriteInfo.com.T....1149.21526.exe.log, CSV 10->88 dropped 118 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->118 120 Creates an undocumented autostart registry key 10->120 122 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 10->122 128 2 other signatures 10->128 21 cmd.exe 1 10->21         started        24 cmd.exe 1 10->24         started        26 WmiPrvSE.exe 10->26         started        92 mypopy.ddns.net 105.97.89.151, 35678 ALGTEL-ASDZ Algeria 14->92 124 Multi AV Scanner detection for dropped file 14->124 126 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 14->126 36 4 other processes 14->36 28 cmd.exe 17->28         started        30 Conhost.exe 17->30         started        32 cmd.exe 19->32         started        34 cmd.exe 19->34         started        38 19 other processes 19->38 file6 signatures7 process8 signatures9 104 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->104 106 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 21->106 108 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 21->108 110 Uses schtasks.exe or at.exe to add and modify task schedules 21->110 40 conhost.exe 21->40         started        43 schtasks.exe 1 24->43         started        45 conhost.exe 24->45         started        47 conhost.exe 28->47         started        49 Conhost.exe 28->49         started        51 4 other processes 32->51 53 2 other processes 34->53 55 4 other processes 36->55 57 29 other processes 38->57 process10 signatures11 112 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 40->112 114 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 40->114 116 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 40->116 59 Conhost.exe 47->59         started        62 Conhost.exe 51->62         started        64 Conhost.exe 51->64         started        66 Conhost.exe 53->66         started        74 3 other processes 53->74 68 schtasks.exe 57->68         started        70 conhost.exe 57->70         started        72 schtasks.exe 57->72         started        76 8 other processes 57->76 process12 signatures13 130 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 59->130 132 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 59->132 134 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 59->134 78 Conhost.exe 62->78         started        80 Conhost.exe 66->80         started        82 Conhost.exe 68->82         started        process14
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ecf301abef36e37e207f82ec4ee02e76f0dcf2c79f92821dce2528013b677adf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ecf301abef36e37e207f82ec4ee02e76f0dcf2c79f92821dce2528013b677adf/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2025-06-04 08:39:28 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5tzqdk7pg3rx4id7qlwe5yboo3ynz4wht6jiehooeuuaco3hplpq._file
Verdict:
malicious
Label(s):
balkanrat
Create hunting rule
Similar samples:
26fd65f096bf2b904f775c7d895ff9c07b46baa9e997f2a414ee16fe8b4a2427
SheetRAT
331faea175ced9239aa38c09f75cf1cba4a331461268315b76c94bb7c7a4b8d8
SheetRAT
4915daf756d001bfce02f28cd7328ccd3ea788c505eb3a5aac442bfc6d62b377
SheetRAT
9237c96106e436a571f4cd425bff6e375f8c33bdfe31fe26611a5b9ad9b1e774
SheetRAT
d24cf525214c3b9a331d03c99693d22cfd5e1af5da5b3f310dce9814876d2fbb
SheetRAT
e200874f8b157dee0137b88d2773dd4666f56acd558a7bb453dbc72e95605b9c
SheetRAT
ecf301abef36e37e207f82ec4ee02e76f0dcf2c79f92821dce2528013b677adf
SheetRAT
error
SheetRAT
+ 1 additional samples on MalwareBazaar
Result
Malware family:
sheetrat
Create hunting rule
Score:
  10/10
Tags:
family:sheetrat campaign:nigger traped persistence privilege_escalation trojan
Link:
https://tria.ge/reports/250604-kj3y3atpx7/
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Event Triggered Execution: AppInit DLLs
Sheetrat family
Sheetrat, NonEuclid rat
Malware Config
C2 Extraction:
mypopy.ddns.net:35678
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/770a8c7d-118a-4ae2-a68e-fd4ecd2f5574
Unpacked files
SH256 hash:
ecf301abef36e37e207f82ec4ee02e76f0dcf2c79f92821dce2528013b677adf
MD5 hash:
ba04713af22865ad21620edc767923d7
SHA1 hash:
5183b3fe69a736e811778f2916fcfd4d5929ebdb
Link:
https://www.unpac.me/results/d20457a1-52a5-4c4c-9623-8a2860997444/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SheetRAT

Executable exe ecf301abef36e37e207f82ec4ee02e76f0dcf2c79f92821dce2528013b677adf

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3557938/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/7228/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments