MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a162c3543152cd9c254fa0895e950c3b5c8e8b902fb0c02749f2d0f58cf255e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RatonRAT


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 26 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a162c3543152cd9c254fa0895e950c3b5c8e8b902fb0c02749f2d0f58cf255e1
SHA3-384 hash: 07c58d2b8586b00d3dec13c7d2b77791b43c7dd62ac4c7d39fa039cd0387d310215b6c7e83490ad058d10f72c2fc2824
SHA1 hash: 3547058ef258a9ca337278ab9a2c85209a684436
MD5 hash: 5bdca154877c274f2c4ca7623b04c52e
humanhash: iowa-salami-pluto-glucose
File name:ratonClient.exe
Download: download sample
Signature RatonRAT
Create hunting rule
File size:1'933'824 bytes
First seen:2026-04-13 15:26:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'861 x AgentTesla, 19'793 x Formbook, 12'305 x SnakeKeylogger)
ssdeep 24576:YGD8CrmiaunV5vQ2ue52wWLt3QA2cWAnOEvSrtv94TP0lRRkxYcxMNnyFoBOkA6M:xiGWU5+5WD1sclR0BxMsaRw4QyOD
Threatray 20 similar samples on MalwareBazaar
TLSH T1B695F11C33F98A08F2AF0BF4E97185564771FE178C62DB6D59E579DE00B2F48A610B22
TrID 49.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
29.3% (.EXE) InstallShield setup (43053/19/16)
4.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win64 Executable (generic) (6522/11/2)
3.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter abuse_ch
Tags:exe ratonrat


Avatar
abuse_ch
RatonRAT C2:
40.233.123.172:8848

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
40.233.123.172:8848 https://threatfox.abuse.ch/ioc/1785230/

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
ratonClient.exe
Verdict:
Malicious activity
Analysis date:
2026-04-13 15:10:09 UTC
Tags:
raton rat auto-reg
Link:
https://app.any.run/tasks/986e6381-57fd-40b3-b47b-158d7c9ec8fc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/61409/
Detection(s):
Win.Packed.Adwarex-9851111-0
Create hunting rule

Win.Packed.Bulz-9891112-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69dd075045787c53e539525c
Tags:
vmdetect autorun emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% subdirectories
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Running batch commands
Creating a file
Launching a process
Creating a process from a recently created file
Loading a suspicious library
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm anti-vm base64 bitmap cmd cscript evasive explorer findstr fingerprint fingerprint lolbin netsh obfuscated packed packed pnputil privilege reconnaissance regasm rundll32 schtasks stego update vbnet venomrat wscript
Link:
https://www.filescan.io/uploads/69dd0b68d920e19044fa1c35/reports/1d6d00e4-c01e-494d-be19-dd62f23922d9/overview
Verdict:
Malicious
Labled as:
MSIL.PasswordStealerA.Generic
Link:
https://www.hybrid-analysis.com/sample/a162c3543152cd9c254fa0895e950c3b5c8e8b902fb0c02749f2d0f58cf255e1
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-04-13T12:14:00Z UTC
Last seen:
2026-04-14T15:10:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.MSIL.Stealer.sb Trojan-PSW.MSIL.Agent.sb HEUR:Trojan.Win32.Generic Backdoor.MSIL.Crysan.d Trojan.MSIL.Agent.sb
Link:
https://opentip.kaspersky.com/a162c3543152cd9c254fa0895e950c3b5c8e8b902fb0c02749f2d0f58cf255e1/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f4e3c6c1-8892-4f29-a62d-c874d172dc49
Result
Threat name:
RatonRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1897502
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to capture screen (.Net source)
Contains functionality to disable the Task Manager (.Net Source)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential Privilege Escalation using Task Scheduler highest RunLevel
Protects its processes via BreakOnTermination flag
Self deletion via cmd or bat file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Raton RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1897502 Sample: ratonClient.exe Startdate: 13/04/2026 Architecture: WINDOWS Score: 100 47 angel0chek.duckdns.org 2->47 49 ipwhois.app 2->49 51 bg.microsoft.map.fastly.net 2->51 57 Suricata IDS alerts for network traffic 2->57 59 Found malware configuration 2->59 61 Multi AV Scanner detection for submitted file 2->61 65 12 other signatures 2->65 10 ratonClient.exe 30 2->10         started        14 ratonClient.exe 2 2->14         started        signatures3 63 Uses dynamic DNS services 47->63 process4 file5 39 C:\Users\user\AppData\...\ratonClient.exe, PE32 10->39 dropped 41 cleanup_mqwi0mi88b...rXQqdqtmFfdZRsf.bat, DOS 10->41 dropped 43 C:\Users\...\ratonClient.exe:Zone.Identifier, ASCII 10->43 dropped 45 22 other files (1 malicious) 10->45 dropped 75 Self deletion via cmd or bat file 10->75 16 cmd.exe 1 10->16         started        signatures6 process7 process8 18 ratonClient.exe 15 4 16->18         started        22 conhost.exe 16->22         started        24 timeout.exe 1 16->24         started        26 2 other processes 16->26 dnsIp9 53 angel0chek.duckdns.org 40.233.123.172, 49716, 49730, 49731 LILLY-ASUS United States 18->53 55 ipwhois.app 172.67.70.190, 443, 49718 CLOUDFLARENETUS United States 18->55 67 Multi AV Scanner detection for dropped file 18->67 69 Suspicious powershell command line found 18->69 71 Protects its processes via BreakOnTermination flag 18->71 73 3 other signatures 18->73 28 powershell.exe 23 18->28         started        31 schtasks.exe 1 18->31         started        signatures10 process11 signatures12 77 Loading BitLocker PowerShell Module 28->77 33 WmiPrvSE.exe 28->33         started        35 conhost.exe 28->35         started        37 conhost.exe 31->37         started        process13
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a162c3543152cd9c254fa0895e950c3b5c8e8b902fb0c02749f2d0f58cf255e1
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a162c3543152cd9c254fa0895e950c3b5c8e8b902fb0c02749f2d0f58cf255e1/
Verdict:
Malicious
Threat:
Backdoor.MSIL.Crysan
Link:
https://tip.neiki.dev/file/a162c3543152cd9c254fa0895e950c3b5c8e8b902fb0c02749f2d0f58cf255e1
Threat name:
ByteCode-MSIL.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2026-04-13 15:10:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ufrmgvbrklgzyjkpucev5fimhnoi5c4qf6ymaj2j6lipldhskxqq._file
Verdict:
malicious
Label(s):
ratonrat
Create hunting rule
Similar samples:
18d915d49dc0502363f9a515f53d1e6a98ecd40f2a65e191b87f604e74b13982
RatonRAT
21fb5e039247e3b506be23d5a6b370dd5ca6a84d7ce77fd09e97a3af770909b7
RatonRAT
2b6ed5e201539bd8a9d407080e38cb9e50091395f4d077f21c0a3c6c4475a1b7
RatonRAT
4fbecfc9618c481a7ce291dd54179b997fc1ce6959fb6e0212cc696a6418a3c8
RatonRAT
a162c3543152cd9c254fa0895e950c3b5c8e8b902fb0c02749f2d0f58cf255e1
RatonRAT
error
RatonRAT
+ 10 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion execution persistence
Link:
https://tria.ge/reports/260413-sv25xabs5r/
Behaviour
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Unpacked files
SH256 hash:
a162c3543152cd9c254fa0895e950c3b5c8e8b902fb0c02749f2d0f58cf255e1
MD5 hash:
5bdca154877c274f2c4ca7623b04c52e
SHA1 hash:
3547058ef258a9ca337278ab9a2c85209a684436
Link:
https://www.unpac.me/results/436ec775-274d-430c-a713-8907dc1259da/
SH256 hash:
5e01e9641f6435d4deb37b317c957c1b7e5006415e23c6d626773ff61f980056
MD5 hash:
318e2272555c7d07be484a5563bc19c2
SHA1 hash:
b183fffd28ba541b5887c70da2ec7bb816880600
Link:
https://www.unpac.me/results/436ec775-274d-430c-a713-8907dc1259da/
SH256 hash:
2e1cd7c81542a44700a31045d33456dfa3c2b6f77b2ffbd62570c046a65b250b
MD5 hash:
8d4beb9f11ef651c56da7fb905a95875
SHA1 hash:
eb1aa38b2c22a4456cb02103cd3ee7603939a4ef
Link:
https://www.unpac.me/results/436ec775-274d-430c-a713-8907dc1259da/
SH256 hash:
b58a822e5bdfca93ec38bc481bc00a5ad38cfe4103526421ab28d346791a2a09
MD5 hash:
86c5cf90b1d2847b7df60ce79c2145d6
SHA1 hash:
084c6ec381d1125dc02cee5b97cf7f468f48976a
Link:
https://www.unpac.me/results/436ec775-274d-430c-a713-8907dc1259da/
SH256 hash:
6bf97a2837c894f10012c2889c064ed07b698581296839035f663dfd82bcd3b4
MD5 hash:
41741d072f1db7f9bd854f5ae3d1c5dc
SHA1 hash:
0ee05639220264482a0fd8133371c2cb7820f4b6
Link:
https://www.unpac.me/results/436ec775-274d-430c-a713-8907dc1259da/
SH256 hash:
d5235265564f0bfd23b7279d7bdccc9ea6383ed07c5d0bfdf6c99029af9a2c0c
MD5 hash:
1d3dd9fcc077e6b4f88c05b9aef53ee6
SHA1 hash:
12b33858bc84f54b8aa8dbcb5a0ec2da043a6f66
Link:
https://www.unpac.me/results/436ec775-274d-430c-a713-8907dc1259da/
SH256 hash:
7796a9ec97a1ff29e682855839845da9fe26b6ddcc34addbb514cd73e7a9f02a
MD5 hash:
f6940019dad6c782bcb645c2f7d52db5
SHA1 hash:
1bbe492757bf99840d923fdd44c6a3f34b336cf7
Link:
https://www.unpac.me/results/436ec775-274d-430c-a713-8907dc1259da/
SH256 hash:
1e02248fc226f1813f9a473aaf8dc9bd264101a6e371ddb73e145c0949834d47
MD5 hash:
4b874a3043d5e3c133f4c35863159638
SHA1 hash:
3a7d21700497d81c41193544b7ea913032d0aa82
Link:
https://www.unpac.me/results/436ec775-274d-430c-a713-8907dc1259da/
SH256 hash:
ffcd25c34cece8d53c72a40a22f1293e95a5b9f3d3138490ca991756a64d4e72
MD5 hash:
c2bba9dcac71d52b54760ed4494dbe54
SHA1 hash:
3aec6713fb5735c9e4b5a7ce812eaecf8864f49a
Link:
https://www.unpac.me/results/436ec775-274d-430c-a713-8907dc1259da/
SH256 hash:
5dca4b3b7f1f2abdd2f94d3a056e4c414605da248612f02a0d2ab38083aa8ef8
MD5 hash:
e90ac3063409ef6876e26422dc61d0eb
SHA1 hash:
3cd158d0f9a4f9a78a7ae56ecb0df0360a413181
Link:
https://www.unpac.me/results/436ec775-274d-430c-a713-8907dc1259da/
SH256 hash:
2f1725d05b424f154f931a3c96a14318d48da2297c12fb33b384786a9a70f717
MD5 hash:
f6aa556b07dcfb7d3105e1eab11f8162
SHA1 hash:
44a66ea7c6d0e456006515226a03a31862f5b52a
Link:
https://www.unpac.me/results/436ec775-274d-430c-a713-8907dc1259da/
SH256 hash:
3c8359bb74c6dabd2ec8ba561ffa163f24859ff5aef724fb5794073e2e883a02
MD5 hash:
c1b78af3d6402be8f259dbbe9250e7fb
SHA1 hash:
98e2c38597c50390852801d46ff342889c7351ae
Link:
https://www.unpac.me/results/436ec775-274d-430c-a713-8907dc1259da/
SH256 hash:
fa71da27809cb67bb1232cd5f089e8cfe6c02b3517305c2bdf827b0f05242231
MD5 hash:
4644723c383423c52a943c5fd2579490
SHA1 hash:
9cc63874ef9aa53b82bba6b006094ea8ec8a8f4b
Link:
https://www.unpac.me/results/436ec775-274d-430c-a713-8907dc1259da/
SH256 hash:
db4f07306bbddcc664051ee53db6f37f343f01bab6da7276cf1b600adcdfdf72
MD5 hash:
eb03b793d6b1097db7140fb35b180d1a
SHA1 hash:
a0217992399a54f32eb7b2bbfdfc9386bbf9bab9
Link:
https://www.unpac.me/results/436ec775-274d-430c-a713-8907dc1259da/
SH256 hash:
fae06a2e756e6332df98f16991a0183bd61fbe83a015d83d4518461c120977a7
MD5 hash:
1494a1cde33c013757b4f397a727d372
SHA1 hash:
c384672f7c7946637f9684e36b406a28f5f8f7ed
Link:
https://www.unpac.me/results/436ec775-274d-430c-a713-8907dc1259da/
SH256 hash:
82a92cb6b9001e013c653c65e4ae460346770ec7512856879e63018d9cafc41a
MD5 hash:
115137414b41a26d6e73738cd94c036c
SHA1 hash:
e9e87ec6227bc9d8a971d2aa687dcd4e392a8d43
Link:
https://www.unpac.me/results/436ec775-274d-430c-a713-8907dc1259da/
SH256 hash:
d838c40848daf87743e96d42f8db18bb66a0b27cff5a48926a85a61c2d3e05b9
MD5 hash:
0bfef61b203054f6fbf08419ffe3f018
SHA1 hash:
ed9d0418507630996eb2c473ec5daf11d185c2c6
Link:
https://www.unpac.me/results/436ec775-274d-430c-a713-8907dc1259da/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a162c3543152/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a162c3543152cd9c254fa0895e950c3b5c8e8b902fb0c02749f2d0f58cf255e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_Qemu_Description
Create hunting rule
Rule name:Check_Qemu_DeviceMap
Create hunting rule
Rule name:Check_VBox_Description
Create hunting rule
Rule name:Check_VBox_DeviceMap
Create hunting rule
Rule name:Check_VBox_Guest_Additions
Create hunting rule
Rule name:Check_VmTools
Create hunting rule
Rule name:Check_VMWare_DeviceMap
Create hunting rule
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/61409/

Comments