MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e739748aecf8018fdb73f4d5abf6ca7335e5972eb1b85525eaf86f4a2c471f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RatonRAT


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 10 File information Comments

SHA256 hash: 9e739748aecf8018fdb73f4d5abf6ca7335e5972eb1b85525eaf86f4a2c471f7
SHA3-384 hash: df469c3973fd2ef518a823d33060ae7c416d4e7a1d6ac408e536c98898fc7fa03a9a13e34e02697dafeef52bba965885
SHA1 hash: 4afd3f4c10077b95b123f3eec079ce66257e2642
MD5 hash: 5d1ddfd84a62919bfd7ec721349ddc70
humanhash: snake-black-idaho-india
File name:Xeno.exe
Download: download sample
Signature RatonRAT
File size:264'704 bytes
First seen:2026-07-06 03:45:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'097 x AgentTesla, 20'115 x Formbook, 12'356 x SnakeKeylogger)
ssdeep 3072:RgTMWwBgAX4tnGrFPGOsSbPKfQCvrfXqeXA/4yIg9vkNPNu6H6xCYOihUE265AJn:RgoWogAXpBO8bwtvgvkNFNaxmpEgJ1V
TLSH T1B4444B06B3A85179E2BFCA79C9A14841EB727C568B71E6CF074179790E72BC09E38713
TrID 70.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win64 Executable (generic) (6522/11/2)
4.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:exe ratonrat


Avatar
abuse_ch
RatonRAT C2:
45.151.91.20:20891

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.151.91.20:20891 https://threatfox.abuse.ch/ioc/1845342/

Intelligence


File Origin
# of uploads :
1
# of downloads :
145
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
Xeno.exe
Verdict:
Malicious activity
Analysis date:
2026-07-05 14:40:40 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Tags:
dropper packed micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file
Сreating synchronization primitives
Creating a window
DNS request
Connection attempt
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug base64 dcrat dotnet dropper lolbin obfuscated overlay reconnaissance reconnaissance schtasks stealer xworm
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-07-05T11:46:00Z UTC
Last seen:
2026-07-08T00:04:00Z UTC
Hits:
~10
Detections:
Trojan.MSIL.Agent.sb Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.Stealer.sb Trojan-PSW.MSIL.Agent.sb HEUR:Trojan.MSIL.Agent.gen HEUR:Trojan-PSW.MSIL.Coins.gen Backdoor.MSIL.Crysan.d
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Gathering data
Threat name:
Win32.Trojan.XWorm
Status:
Malicious
First seen:
2026-07-05 14:40:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
ratonrat
Result
Malware family:
ratonrat
Score:
  10/10
Tags:
family:ratonrat costura packer stealer
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Costura .NET executable packer
Checks computer location settings
Executes dropped EXE
Detects RatonRAT payload
Family: RatonRAT
Malware Config
C2 Extraction:
fin.xzbvc.xyz:20891
Unpacked files
SH256 hash:
9e739748aecf8018fdb73f4d5abf6ca7335e5972eb1b85525eaf86f4a2c471f7
MD5 hash:
5d1ddfd84a62919bfd7ec721349ddc70
SHA1 hash:
4afd3f4c10077b95b123f3eec079ce66257e2642
SH256 hash:
6f53edd38c6981a755b87a9a089f978a17fb29295ff5975152abb9d66e798aab
MD5 hash:
f0e9ce0e774396ec3eb8da7eaaad01f1
SHA1 hash:
f7cf4a7fa24aab439c19a7203f0ef5d29c46051e
SH256 hash:
30fc8808c22b5073ca2c691784369a36dbdb855aa1b9e50c909225c5562b0e95
MD5 hash:
e14bf49aa22e8b4b13cee211f9c246dd
SHA1 hash:
67a52a50875b6072355d725cd38dd69a592f6480
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_Packed_Fody
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:telebot_framework
Author:vietdx.mb
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments