MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10aa2fc4e6f97c189c0cb40f17e51df63c309be715eacbfc7e695394c69549f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RatonRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 33 File information Comments

SHA256 hash:	10aa2fc4e6f97c189c0cb40f17e51df63c309be715eacbfc7e695394c69549f8
SHA3-384 hash:	a5ae1ba795362dd1ff8c3805bda2f1dea07c004c8e363721e37cb105a8a2caf833000553a526819af6b6ccdf3da8fe49
SHA1 hash:	9f46f8d8dddeb761dcf96058b3a31688b5fdf552
MD5 hash:	d60a896d12160161fa29fabc2c4abc7d
humanhash:	colorado-delta-red-delta
File name:	file
Download:	download sample
Signature	RatonRAT Create hunting rule
File size:	3'672'064 bytes
First seen:	2026-02-25 02:58:44 UTC
Last seen:	2026-02-25 03:00:56 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'818 x AgentTesla, 19'742 x Formbook, 12'286 x SnakeKeylogger)
ssdeep	49152:7lm9N8DfgVUBsHjkmiGWU5+5WeLGpMZ7iKPyg0asWfTSwgW:LfgVUyHjkDGjYQeqpgm4NfTSu
Threatray	20 similar samples on MalwareBazaar
TLSH	T18706CF017BE5DE1BE1AF57B2B4B247100771EC95A792EB0A1D9036EC1CB3740AD1A39B
TrID	70.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.2% (.EXE) Win64 Executable (generic) (6522/11/2) 4.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543 ratonrat

Bitsight

url: http://130.12.180.43/files/1773787694/RMnsgES.exe

Intelligence

File Origin

# of uploads :

# of downloads :

238

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2026-02-25 02:58:02 UTC

Tags:

auto-reg evasion rat pulsar crypto-regex auto-sch

Link:

https://app.any.run/tasks/60c69799-8b73-4a60-93aa-e61da4e2591a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/54515/

Detection(s):

Win.Packed.Adwarex-9851111-0

Win.Packed.Bulz-9891112-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=699e6586c950ab5d9ab15630

Tags:

vmdetect autorun emotet

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm anti-vm base64 bitmap cmd crypt crypter cscript evasive expand explorer findstr fingerprint lolbin netsh net_reactor obfuscated packed packed packed pnputil privilege reconnaissance regasm rundll32 schtasks stego update wscript xpack

Link:

https://www.filescan.io/uploads/699e658397feb4afd6587881/reports/21f8edc6-9e41-40ca-8a0c-239799071965/overview

Verdict:

Malicious

Labled as:

Adware.Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/10aa2fc4e6f97c189c0cb40f17e51df63c309be715eacbfc7e695394c69549f8

Verdict:

Malicious

File Type:

exe x32

Detections:

Trojan-PSW.MSIL.Stealer.sb Trojan-PSW.MSIL.Agent.sb Trojan.MSIL.Agent.sb HEUR:Trojan.Win32.Generic Backdoor.MSIL.Crysan.d Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Coins.sb

Link:

https://opentip.kaspersky.com/10aa2fc4e6f97c189c0cb40f17e51df63c309be715eacbfc7e695394c69549f8/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6446720c-daf5-4fc7-8583-0c79c49aec17

Score:

95%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/10aa2fc4e6f97c189c0cb40f17e51df63c309be715eacbfc7e695394c69549f8

Verdict:

inconclusive

YARA:

17 match(es)

Tags:

.Net Executable Fody/Costura Packer Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.00 SOS: 0.18 SOS: 0.19 SOS: 0.28 Win 32 Exe x86

Link:

https://app.malva.re/file/d60a896d12160161fa29fabc2c4abc7d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/10aa2fc4e6f97c189c0cb40f17e51df63c309be715eacbfc7e695394c69549f8/

Verdict:

Malicious

Threat:

Trojan-PSW.Win32.Stealer

Link:

https://tip.neiki.dev/file/10aa2fc4e6f97c189c0cb40f17e51df63c309be715eacbfc7e695394c69549f8

Threat name:

ByteCode-MSIL.Spyware.AsyncRAT

Status:

Malicious

First seen:

2026-02-25 02:59:17 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ccvc7rhg7f6brhamwqhrpzi56y6dbg7hcxvmx7d6nfjzjruvjh4a._file

Verdict:

malicious

Label(s):

kamikakabot

ratonrat

RatonRAT

4da90557bd724fee747a693df7fe07c2c6c6f7ed9a07a252ff498942d33c6343

RatonRAT

a445045da51ff7a5890ddbcbefb2310e3c09c3ecece751bc8a8479453daf3476

RatonRAT

b6bb5d5959909551517f75e8309b7044b20bf28b89da2ae413757a69bc109559

RatonRAT

ba977e14aa3aa2b2bb40cfc3c548f9feb2ace0b3ea51932bf1d6bb8fad6d2d5d

RatonRAT

c7eb8fd4518fa19a689921f9f49221a7ed2314f5bec6e16f1f7e68a0f4baff3a

RatonRAT

cdf5cf7dd8c1d0ef1deeee94a6a4951553edd1ffa5c10752db881c76d501fa1d

RatonRAT

error

RatonRAT

+ 10 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion execution persistence

Link:

https://tria.ge/reports/260225-dgvfksdz7c/

Behaviour

Delays execution with timeout.exe

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Executes dropped EXE

Unpacked files

SH256 hash:

10aa2fc4e6f97c189c0cb40f17e51df63c309be715eacbfc7e695394c69549f8

MD5 hash:

d60a896d12160161fa29fabc2c4abc7d

SHA1 hash:

9f46f8d8dddeb761dcf96058b3a31688b5fdf552

Link:

https://www.unpac.me/results/b7bc4af7-0137-4a53-b8a8-301f7515a48d/

SH256 hash:

0e6378bb5cb662486a2ebd39b48da2206284f72c8ca4bd7af9d76a4a9cea440c

MD5 hash:

aa11883b4324f55e61af7aab6a8b09a8

SHA1 hash:

aa08110506d1bf18dcc5ba5bd563f09923667f14

Link:

https://www.unpac.me/results/b7bc4af7-0137-4a53-b8a8-301f7515a48d/

SH256 hash:

30fc8808c22b5073ca2c691784369a36dbdb855aa1b9e50c909225c5562b0e95

MD5 hash:

e14bf49aa22e8b4b13cee211f9c246dd

SHA1 hash:

67a52a50875b6072355d725cd38dd69a592f6480

Link:

https://www.unpac.me/results/b7bc4af7-0137-4a53-b8a8-301f7515a48d/

SH256 hash:

1967ccf4989db0dd0ce6e4d2d81ef2b6877053e7b86a01dcaa61d7a559348c4b

MD5 hash:

bbb5409f1f85591bd123593ad29ae9e2

SHA1 hash:

55e9ac4b6282133d00916b815186ee13fa2c156d

Detections:

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Link:

https://www.unpac.me/results/b7bc4af7-0137-4a53-b8a8-301f7515a48d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/10aa2fc4e6f97c189c0cb40f17e51df63c309be715eacbfc7e695394c69549f8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_Qemu_Description Create hunting rule

Rule name:	Check_Qemu_DeviceMap Create hunting rule

Rule name:	Check_VBox_Description Create hunting rule

Rule name:	Check_VBox_DeviceMap Create hunting rule

Rule name:	Check_VBox_Guest_Additions Create hunting rule

Rule name:	Check_VmTools Create hunting rule

Rule name:	Check_VMWare_DeviceMap Create hunting rule

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	detect_Redline_Stealer_V2 Create hunting rule
Author:	Varp0s

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	INDICATOR_EXE_Packed_Fody Create hunting rule
Author:	ditekSHen
Description:	Detects executables manipulated with Fody

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL Create hunting rule
Author:	ditekSHen
Description:	Detects executables (downlaoders) containing URLs to raw contents of a paste

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Rule name:	Jupyter_infostealer Create hunting rule
Author:	CD_R0M_
Description:	Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022

Rule name:	Macos_Infostealer_Wallets_8e469ea0 Create hunting rule
Author:	Elastic Security

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	Njrat Create hunting rule
Author:	botherder https://github.com/botherder
Description:	Njrat

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RatonRAT

exe 10aa2fc4e6f97c189c0cb40f17e51df63c309be715eacbfc7e695394c69549f8

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

Dropped by

Amadey

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/54515/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample