MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27c46d58c8ba4920f24d2f09140d93473f9ec148dd7e44f3260951ae8b5b540a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RatonRAT

Vendor detections: 16

Intelligence 16 IOCs 1 YARA 4 File information Comments

SHA256 hash:	27c46d58c8ba4920f24d2f09140d93473f9ec148dd7e44f3260951ae8b5b540a
SHA3-384 hash:	81665234d493edd5e3843a4350240c720a9d43ca55e8049755ca346b879163ae820b2bdf3ee5facc37f10859a64964aa
SHA1 hash:	a9480a9b3d2104a4e691d8bffd08887547acc96d
MD5 hash:	9acee8f765d44e0406dd74c4a5f79d72
humanhash:	sodium-glucose-eighteen-hot
File name:	xx.exe
Download:	download sample
Signature	RatonRAT Create hunting rule
File size:	130'560 bytes
First seen:	2026-06-29 21:50:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (49'076 x AgentTesla, 20'041 x Formbook, 12'353 x SnakeKeylogger)
ssdeep	3072:eaqLcViyrX7JWLRjgn8707fcRVleIWYkR2j9sG4CUT3mywvCR2D:jqLco0XFWSn87MfcRVleIvkR2RsXhao2
Threatray	63 similar samples on MalwareBazaar
TLSH	T1CDD31216331C80A9E8A677BB87711A419232B62E42D72FB42A55884DCB76B60C130FE7
TrID	73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win64 Executable (generic) (6522/11/2) 4.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	abuse_ch
Tags:	exe ratonrat

abuse_ch

RatonRAT C2:
158.160.75.185:40644

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
158.160.75.185:40644	https://threatfox.abuse.ch/ioc/1840159/

Intelligence

File Origin

# of uploads :

# of downloads :

132

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

Lime

Details

Link:

https://research.acce.ciphertechsolutions.com/results/4a2ec7ba-d010-4a2e-8248-4419d0a9f710/

Malware family:

n/a

ID:

File name:

xx.exe

Verdict:

Malicious activity

Analysis date:

2026-06-29 21:02:27 UTC

Tags:

auto-reg

Link:

https://app.any.run/tasks/790591b8-5494-4006-a110-61d1aac9da10

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/72404/

Detection(s):

Win.Packed.Razy-7334624-0

ditekSHen.INDICATOR.Packed.NyanXCAT-CSharpLoader.UNOFFICIAL

Verdict:

Malicious

Score:

91.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a42dd6286bc95245bfab6ac

Tags:

packed micro

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file

Сreating synchronization primitives

Connection attempt to an infection source

Forced shutdown of a system process

Query of malicious DNS domain

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

azorult dropper limecrypter nanocorerat packed packed

Link:

https://www.filescan.io/uploads/6a42e8b04c7fec20f3af78a0/reports/81931dc1-4d37-4901-9fc8-d6bef40f58f5/overview

Verdict:

Malicious

Labled as:

IL:Trojan.NanoCore

Link:

https://www.hybrid-analysis.com/sample/27c46d58c8ba4920f24d2f09140d93473f9ec148dd7e44f3260951ae8b5b540a

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-06-29T18:09:00Z UTC

Last seen:

2026-06-29T18:37:00Z UTC

Hits:

~100

Detections:

Trojan-PSW.MSIL.Stealer.sb Trojan-PSW.MSIL.Agent.sb HEUR:Trojan-PSW.MSIL.Azorult.gen Backdoor.MSIL.Crysan.d HEUR:Trojan.Win32.Generic Trojan.Win32.Inject.sb Trojan.MSIL.Agent.sb Trojan-PSW.Win32.Coins.sb

Link:

https://opentip.kaspersky.com/27c46d58c8ba4920f24d2f09140d93473f9ec148dd7e44f3260951ae8b5b540a/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6c937c73-8686-4402-b920-810c4ba5b29f

Result

Threat name:

RatonRAT

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1935278

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Potential Privilege Escalation using Task Scheduler highest RunLevel

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected Raton RAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/27c46d58c8ba4920f24d2f09140d93473f9ec148dd7e44f3260951ae8b5b540a

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/27c46d58c8ba4920f24d2f09140d93473f9ec148dd7e44f3260951ae8b5b540a/

Verdict:

Malicious

Threat:

Trojan-PSW.MSIL.Inject

Link:

https://tip.neiki.dev/file/27c46d58c8ba4920f24d2f09140d93473f9ec148dd7e44f3260951ae8b5b540a

Threat name:

ByteCode-MSIL.Backdoor.NanoCore

Status:

Malicious

First seen:

2026-06-29 21:02:34 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 36 (72.22%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=e7cg2wgixjesb4snf4eridmti47z5qki3v7ej4zgbfi25c23kqfa._file

Verdict:

malicious

Label(s):

ratonrat

RatonRAT

37b5b05b16bd471e6395cafe355c8abab118fe4693baa7e869036238c220812d

RatonRAT

7ff17ae0309f554a8569e55e283e9e1a19437174df959bb9cc8d90b19ebf800a

RatonRAT

9af387891a8a7c8c13b6f03bd684cdf8f2debb86cedc4ebee1ce59acdde2d7de

RatonRAT

b6a06f9799e05b4b4404a73f227da838ec9ba0e4cc6de376b04807897e55ddc6

RatonRAT

error

RatonRAT

+ 53 additional samples on MalwareBazaar

Result

Malware family:

ratonrat

Score:

10/10

Tags:

family:ratonrat discovery execution persistence stealer

Link:

https://tria.ge/reports/260629-1qa5maf12v/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Detects RatonRAT payload

Family: RatonRAT

Malware Config

C2 Extraction:

portbuddy.dev:40644

Unpacked files

SH256 hash:

27c46d58c8ba4920f24d2f09140d93473f9ec148dd7e44f3260951ae8b5b540a

MD5 hash:

9acee8f765d44e0406dd74c4a5f79d72

SHA1 hash:

a9480a9b3d2104a4e691d8bffd08887547acc96d

Link:

https://www.unpac.me/results/8817ec04-1cd3-4964-98be-314f3c52f8ab/

SH256 hash:

7ff17ae0309f554a8569e55e283e9e1a19437174df959bb9cc8d90b19ebf800a

MD5 hash:

5042b3aa7196657eed48fcb84580be40

SHA1 hash:

5f1b0e4875740cac9dcf024dfc14b80d45706f56

Link:

https://www.unpac.me/results/8817ec04-1cd3-4964-98be-314f3c52f8ab/

SH256 hash:

371ca1a72900910a1c242c78063179e57473f85040056b3cc0710a7493b3dfdb

MD5 hash:

29071d3e0e978d7d6b97cbeacb9ed606

SHA1 hash:

373e60b7ab6ac9fb35046d946c7694cd36bf72d9

Link:

https://www.unpac.me/results/8817ec04-1cd3-4964-98be-314f3c52f8ab/

SH256 hash:

389e938d4b8ca4924897de2f0c9ba0f0f3d2c49d47db50009383bdd252e89040

MD5 hash:

016204ed15c723215c151b218371a2d7

SHA1 hash:

b26af636668c9468ee1cae6a06079052a3e99b5b

Link:

https://www.unpac.me/results/8817ec04-1cd3-4964-98be-314f3c52f8ab/

SH256 hash:

30fc8808c22b5073ca2c691784369a36dbdb855aa1b9e50c909225c5562b0e95

MD5 hash:

e14bf49aa22e8b4b13cee211f9c246dd

SHA1 hash:

67a52a50875b6072355d725cd38dd69a592f6480

Link:

https://www.unpac.me/results/8817ec04-1cd3-4964-98be-314f3c52f8ab/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/27c46d58c8ba/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/27c46d58c8ba4920f24d2f09140d93473f9ec148dd7e44f3260951ae8b5b540a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_NyanXCat_CSharpLoader Create hunting rule
Author:	ditekSHen
Description:	Detects .NET executables utilizing NyanX-CAT C# Loader

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/72404/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample