Malware analysis https://github.com/Cryakl/Ultimate-RAT-Collection/tree/main/SheetRat/Sheet%20rat%20v2.6 Malicious activity

Add for printing

URL:	https://github.com/Cryakl/Ultimate-RAT-Collection/tree/main/SheetRat/Sheet%20rat%20v2.6
Full analysis:	https://app.any.run/tasks/1a12d2f5-397f-4824-9240-7d456f4c9c34
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	September 07, 2024, 18:30:17
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	github xor-url generic sheetrat rat
Indicators:
MD5:	7D3D838275EB4ED4E3856939CA4FF2C2
SHA1:	A9E2FF467617F70983C16246A5D319C89BFDC220
SHA256:	6E7A13C6A0854AEDA7BBCCA27B5AAB52672238C3BF174E6DC8EB708DFA7C0931
SSDEEP:	3:N8tEdJEwCFkO9JOGRJAKIRKvs2zRgFT3n:2uPpgOGXvIRKfzG5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- SHEETRAT has been detected (YARA)
  - Server.exe (PID: 7648)
- XORed URL has been found (YARA)
  - Server.exe (PID: 7648)
SUSPICIOUS
- Drops 7-zip archiver for unpacking
  - firefox.exe (PID: 2456)
  - 7Zip-2408-x64.exe (PID: 3144)
- Executable content was dropped or overwritten
  - 7Zip-2408-x64.exe (PID: 3144)
  - 7zG.exe (PID: 7404)
  - Server.exe (PID: 7648)
- Creates/Modifies COM task schedule object
  - 7Zip-2408-x64.exe (PID: 3144)
- Creates a software uninstall entry
  - 7Zip-2408-x64.exe (PID: 3144)
- The process creates files with name similar to system file names
  - 7zG.exe (PID: 7404)
- Process drops legitimate windows executable
  - 7zG.exe (PID: 7404)
- Drops a system driver (possible attempt to evade defenses)
  - 7zG.exe (PID: 7404)
- Reads security settings of Internet Explorer
  - Server.exe (PID: 7648)
INFO
- Executable content was dropped or overwritten
  - firefox.exe (PID: 2456)
- Application launched itself
  - firefox.exe (PID: 5072)
  - firefox.exe (PID: 2456)
- The process uses the downloaded file
  - firefox.exe (PID: 2456)
  - WinRAR.exe (PID: 7736)
  - Server.exe (PID: 7648)
- Checks supported languages
  - 7Zip-2408-x64.exe (PID: 3144)
  - 7zG.exe (PID: 5212)
  - 7zG.exe (PID: 7404)
  - Server.exe (PID: 7648)
- Reads the computer name
  - 7Zip-2408-x64.exe (PID: 3144)
  - 7zG.exe (PID: 5212)
  - 7zG.exe (PID: 7404)
  - Server.exe (PID: 7648)
- Creates files in the program directory
  - 7Zip-2408-x64.exe (PID: 3144)
- Manual execution by a user
  - 7zG.exe (PID: 5212)
  - WinRAR.exe (PID: 7736)
  - 7zG.exe (PID: 7404)
  - Server.exe (PID: 7648)
- Reads the machine GUID from the registry
  - Server.exe (PID: 7648)
- Create files in a temporary directory
  - Server.exe (PID: 7648)
- Creates files or folders in the user directory
  - Server.exe (PID: 7648)
- Sends debugging messages
  - Server.exe (PID: 7648)
- Disables trace logs
  - Server.exe (PID: 7648)
- Checks proxy server information
  - Server.exe (PID: 7648)
- Reads the software policy settings
  - Server.exe (PID: 7648)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

xor-url

(PID) Process(7648) Server.exe

Decrypted-URLs (1)http://marketdedamoroza.webhop.me/index.html

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

155

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

232

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2900 -childID 1 -isForBrowser -prefsHandle 2932 -prefMapHandle 2928 -prefsLen 26706 -prefMapSize 244343 -jsInitHandle 1204 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {430b87ac-b30e-4b5c-b333-5483a1dece14} 2456 "\\.\pipe\gecko-crash-server-pipe.2456" 19292c6e850 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

2080

"C:\Users\admin\Downloads\7Zip-2408-x64.exe"

C:\Users\admin\Downloads\7Zip-2408-x64.exe

—

firefox.exe

User:

admin

Company:

Igor Pavlov

Integrity Level:

MEDIUM

Description:

7-Zip Installer

Exit code:

3221226540

Version:

24.08

Modules

Images
c:\users\admin\downloads\7zip-2408-x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

2228

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 4 -isForBrowser -prefsHandle 5836 -prefMapHandle 5832 -prefsLen 31161 -prefMapSize 244343 -jsInitHandle 1204 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ac974cc-d66c-4cf9-84b0-4486e9b8457e} 2456 "\\.\pipe\gecko-crash-server-pipe.2456" 192971f74d0 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

2456

"C:\Program Files\Mozilla Firefox\firefox.exe" https://github.com/Cryakl/Ultimate-RAT-Collection/tree/main/SheetRat/Sheet%20rat%20v2.6

C:\Program Files\Mozilla Firefox\firefox.exe

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

3144

"C:\Users\admin\Downloads\7Zip-2408-x64.exe"

C:\Users\admin\Downloads\7Zip-2408-x64.exe

firefox.exe

User:

admin

Company:

Igor Pavlov

Integrity Level:

HIGH

Description:

7-Zip Installer

Exit code:

Version:

24.08

Modules

Images
c:\users\admin\downloads\7zip-2408-x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll

4444

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2208 -parentBuildID 20240213221259 -prefsHandle 2200 -prefMapHandle 2196 -prefsLen 30537 -prefMapSize 244343 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9ab9857-09d1-4272-af2d-c54b1b17d45e} 2456 "\\.\pipe\gecko-crash-server-pipe.2456" 19281081110 socket

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

5072

"C:\Program Files\Mozilla Firefox\firefox.exe" "https://github.com/Cryakl/Ultimate-RAT-Collection/tree/main/SheetRat/Sheet%20rat%20v2.6"

C:\Program Files\Mozilla Firefox\firefox.exe

—

explorer.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\program files\mozilla firefox\vcruntime140_1.dll
c:\program files\mozilla firefox\msvcp140.dll

5212

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\admin\Downloads\RAT\" -an -ai#7zMap1705:308:7zEvent20929

C:\Program Files\7-Zip\7zG.exe

—

explorer.exe

User:

admin

Company:

Igor Pavlov

Integrity Level:

MEDIUM

Description:

7-Zip GUI

Exit code:

255

Version:

24.08

Modules

Images
c:\program files\7-zip\7zg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

5548

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7140 -childID 7 -isForBrowser -prefsHandle 7132 -prefMapHandle 7128 -prefsLen 31936 -prefMapSize 244343 -jsInitHandle 1204 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b69b26b9-f32d-43ad-a6ed-14ae932710ae} 2456 "\\.\pipe\gecko-crash-server-pipe.2456" 1929701ef50 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

6152

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5264 -parentBuildID 20240213221259 -sandboxingKind 0 -prefsHandle 5256 -prefMapHandle 5252 -prefsLen 36339 -prefMapSize 244343 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf23a7c1-fd9f-450b-87fb-b9bf5526dc9e} 2456 "\\.\pipe\gecko-crash-server-pipe.2456" 19295e7c910 utility

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

Add for printing

Total events

16 695

Read events

16 653

Write events

Delete events

Modification events


(PID) Process:	(2456) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0
(PID) Process:	(2456) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(3144) 7Zip-2408-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\7-Zip
Operation:	write	Name:	Path64
Value: C:\Program Files\7-Zip\
(PID) Process:	(3144) 7Zip-2408-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\7-Zip
Operation:	write	Name:	Path
Value: C:\Program Files\7-Zip\
(PID) Process:	(3144) 7Zip-2408-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\7-Zip
Operation:	write	Name:	Path64
Value: C:\Program Files\7-Zip\
(PID) Process:	(3144) 7Zip-2408-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\7-Zip
Operation:	write	Name:	Path
Value: C:\Program Files\7-Zip\
(PID) Process:	(3144) 7Zip-2408-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
Operation:	write	Name:	ThreadingModel
Value: Apartment
(PID) Process:	(3144) 7Zip-2408-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
Operation:	write	Name:	ThreadingModel
Value: Apartment
(PID) Process:	(3144) 7Zip-2408-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Operation:	write	Name:	{23170F69-40C1-278A-1000-000100020000}
Value: 7-Zip Shell Extension
(PID) Process:	(3144) 7Zip-2408-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Operation:	write	Name:	{23170F69-40C1-278A-1000-000100020000}
Value: 7-Zip Shell Extension

Add for printing

Executable files

Suspicious files

206

Text files

140

Unknown types

Dropped files

PID	Process	Filename		Type
2456	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
2456	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite		—
		MD5:—	SHA256:—
2456	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
2456	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal		binary
		MD5:E9F183C76C9E7BCE1ED9E95E6F36388B	SHA256:553F8FA016F94B28F8A8147C69AD279E4244EEF07B1E2802FB9763816CF8EF2E
2456	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\protections.sqlite-journal		binary
		MD5:0867F03008CAD53A30A0778CFCD45AF3	SHA256:FC4D320C4479DFAEBF2EDD56ABDB13CE06EC0864975E177FDDAF691EA22EF7CD
2456	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\AlternateServices.bin		binary
		MD5:141EA06B3B21E0B3C2C928058F8299AF	SHA256:87C218F6655C7A50B2B16118054E1C30950D22FC5466E9834E7002440FC78B72
2456	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
2456	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\datareporting\glean\db\data.safe.tmp		dbf
		MD5:C78F36BF78A74A5C37232FA18305FA6E	SHA256:319C730AC6614FDCE611894E281CBE1B5E1A304DCD812D6B642D3BE978E82EEC
2456	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
2456	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cert9.db-journal		binary
		MD5:806AC179F783F91795BFF03FB45904E8	SHA256:81E4D0DCD2F985A9B164E3E2B0678BB086B00A3FE70665780878FE4A997A16C1

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

116

DNS requests

142

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2456	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	unknown	—	—	whitelisted
2456	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/success.txt?ipv4	unknown	—	—	whitelisted
2456	firefox.exe	POST	200	184.24.77.50:80	http://r11.o.lencr.org/	unknown	—	—	unknown
2456	firefox.exe	POST	200	184.24.77.50:80	http://r11.o.lencr.org/	unknown	—	—	unknown
2456	firefox.exe	POST	200	142.250.185.163:80	http://o.pki.goog/s/wr3/XjA	unknown	—	—	unknown
2456	firefox.exe	POST	200	104.18.38.233:80	http://ocsp.sectigo.com/	unknown	—	—	unknown
2456	firefox.exe	POST	200	184.24.77.46:80	http://r10.o.lencr.org/	unknown	—	—	unknown
2456	firefox.exe	POST	200	184.24.77.46:80	http://r10.o.lencr.org/	unknown	—	—	unknown
2456	firefox.exe	POST	200	184.24.77.46:80	http://r10.o.lencr.org/	unknown	—	—	unknown
2456	firefox.exe	POST	200	184.24.77.46:80	http://r10.o.lencr.org/	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
7072	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6160	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2456	firefox.exe	216.58.212.170:443	safebrowsing.googleapis.com	—	—	whitelisted
2456	firefox.exe	34.107.243.93:443	push.services.mozilla.com	—	—	whitelisted
2456	firefox.exe	34.107.221.82:80	detectportal.firefox.com	GOOGLE	US	whitelisted
2456	firefox.exe	34.117.188.166:443	contile.services.mozilla.com	—	—	whitelisted
2456	firefox.exe	140.82.121.4:443	github.com	GITHUB	US	shared
2456	firefox.exe	34.36.165.17:443	tiles-cdn.prod.ads.prod.webservices.mozgcp.net	GOOGLE-CLOUD-PLATFORM	US	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 4.231.128.59 52.191.219.104 20.73.194.208	whitelisted
google.com	172.217.16.206	whitelisted
detectportal.firefox.com	34.107.221.82	whitelisted
github.com	140.82.121.4	shared
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82 2600:1901:0:38d7::	whitelisted
contile.services.mozilla.com	34.117.188.166	whitelisted
spocs.getpocket.com	34.117.188.166	whitelisted
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	unknown
content-signature-2.cdn.mozilla.net	34.160.144.191	whitelisted
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191 2600:1901:0:92a9::	whitelisted

Threats

PID	Process	Class	Message
2256	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub
2256	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub
2256	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub

Add for printing

Process	Message
Server.exe	SQLiteVersion: 3.8.11.1 \| 2015-07-29 20:00:57 cf538e2783e468bbc25e7cb2a9ee64d3e0e80b2f \| INTEROP_CODEC INTEROP_EXTENSION_FUNCTIONS INTEROP_VIRTUAL_TABLE NET_40 PRELOAD_NATIVE_LIBRARY THROW_ON_DISPOSED TRACE TRACE_PRELOAD TRACE_SHARED TRACE_WARNING USE_PREPARE_V2 WINDOWS

General Info

https://github.com/Cryakl/Ultimate-RAT-Collection/tree/main/SheetRat/Sheet%20rat%20v2.6

7D3D838275EB4ED4E3856939CA4FF2C2

A9E2FF467617F70983C16246A5D319C89BFDC220

6E7A13C6A0854AEDA7BBCCA27B5AAB52672238C3BF174E6DC8EB708DFA7C0931

3:N8tEdJEwCFkO9JOGRJAKIRKvs2zRgFT3n:2uPpgOGXvIRKfzG5

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SHEETRAT has been detected (YARA)

XORed URL has been found (YARA)

SUSPICIOUS

Drops 7-zip archiver for unpacking

Executable content was dropped or overwritten

Creates/Modifies COM task schedule object

Creates a software uninstall entry

The process creates files with name similar to system file names

Process drops legitimate windows executable

Drops a system driver (possible attempt to evade defenses)

Reads security settings of Internet Explorer

INFO

Executable content was dropped or overwritten

Application launched itself

The process uses the downloaded file

Checks supported languages

Reads the computer name

Creates files in the program directory

Manual execution by a user

Reads the machine GUID from the registry

Create files in a temporary directory

Creates files or folders in the user directory

Sends debugging messages

Disables trace logs

Checks proxy server information

Reads the software policy settings

Malware configuration

xor-url

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings