MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1153f654601bc77fd5839d463e0088ca38e28ebfddf556ebe511e0fb3dbf6f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RatonRAT


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 32 File information Comments

SHA256 hash: d1153f654601bc77fd5839d463e0088ca38e28ebfddf556ebe511e0fb3dbf6f7
SHA3-384 hash: 4648ec824c27641524583b1e57f2feb52e3ba26ada67859fa85ccb24f9cd8fa5df2070ea9ba54691b8895699fd89ff4b
SHA1 hash: a53ac82ede685aee92859257ffed32adcb9d9d80
MD5 hash: 3182b26d6f0c92fa635eae44bd4e4476
humanhash: batman-freddie-winter-nebraska
File name:fornoodler.exe
Download: download sample
Signature RatonRAT
File size:3'695'616 bytes
First seen:2026-04-21 15:04:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'097 x AgentTesla, 20'115 x Formbook, 12'356 x SnakeKeylogger)
ssdeep 49152:fmu4tq0WgVUlsHjkmiGWU5+5WeLGpMZ7iKPNgo9sT:0q0WgVUuHjkDGjYQeqpgmltT
Threatray 42 similar samples on MalwareBazaar
TLSH T17306CF407BD0CE1BE1AF87B6B4F2061057B5EC15A796E70B2D90BAAC1CB37445E1839B
TrID 70.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win64 Executable (generic) (6522/11/2)
4.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:exe ratonrat


Avatar
abuse_ch
RatonRAT C2:
193.161.193.99:34671

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.161.193.99:34671 https://threatfox.abuse.ch/ioc/1531740/

Intelligence


File Origin
# of uploads :
1
# of downloads :
134
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
fornoodler.exe
Verdict:
Malicious activity
Analysis date:
2026-04-20 17:14:24 UTC
Tags:
raton rat auto-reg stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
vmdetect autorun emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Running batch commands
Creating a file
Launching a process
Creating a process from a recently created file
Сreating synchronization primitives
Creating a window
Connection attempt to an infection source
DNS request
Connection attempt
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Reading critical registry keys
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm anti-vm base64 base64 expand lolbin net_reactor njrat njrat obfuscated packed packed rat reconnaissance remote
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-04-20T14:41:00Z UTC
Last seen:
2026-04-22T01:49:00Z UTC
Hits:
~100
Detections:
Backdoor.MSIL.Crysan.d Trojan.Win32.Agent.sb Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.Agent.sb Trojan.MSIL.Agent.sb Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.Stealer.sb HEUR:Trojan.Win32.Generic HEUR:Trojan-PSW.MSIL.Agent.gen not-a-virus:PSWTool.MSIL.BroPass.sb
Result
Threat name:
RatonRAT
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential Privilege Escalation using Task Scheduler highest RunLevel
Protects its processes via BreakOnTermination flag
Self deletion via cmd or bat file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses shutdown.exe to shutdown or reboot the system
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Raton RAT
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1902009 Sample: fornoodler.exe Startdate: 21/04/2026 Architecture: WINDOWS Score: 100 54 burb-34671.portmap.host 2->54 56 ip-api.com 2->56 58 bg.microsoft.map.fastly.net 2->58 68 Suricata IDS alerts for network traffic 2->68 70 Found malware configuration 2->70 72 Antivirus detection for URL or domain 2->72 74 12 other signatures 2->74 10 fornoodler.exe 6 2->10         started        14 fornoodler.exe 2->14         started        signatures3 process4 file5 46 C:\Users\user\AppData\...\fornoodler.exe, PE32 10->46 dropped 48 cleanup_CdRHanfEUq...vncjSywT9YWayzn.bat, DOS 10->48 dropped 50 C:\Users\...\fornoodler.exe:Zone.Identifier, ASCII 10->50 dropped 52 C:\Users\user\AppData\...\fornoodler.exe.log, CSV 10->52 dropped 84 Self deletion via cmd or bat file 10->84 16 cmd.exe 1 10->16         started        19 conhost.exe 10->19         started        21 WmiPrvSE.exe 10->21         started        signatures6 process7 signatures8 64 Uses shutdown.exe to shutdown or reboot the system 16->64 23 fornoodler.exe 14 14 16->23         started        27 conhost.exe 16->27         started        29 timeout.exe 1 16->29         started        31 2 other processes 16->31 process9 dnsIp10 60 burb-34671.portmap.host 193.161.193.99, 34671, 49716, 49724 BITREE-ASRU Russian Federation 23->60 62 ip-api.com 208.95.112.1, 49722, 49726, 49727 TUT-ASUS United States 23->62 76 Antivirus detection for dropped file 23->76 78 Multi AV Scanner detection for dropped file 23->78 80 Suspicious powershell command line found 23->80 82 5 other signatures 23->82 33 powershell.exe 23 23->33         started        36 cmd.exe 23->36         started        38 schtasks.exe 1 23->38         started        signatures11 process12 signatures13 66 Loading BitLocker PowerShell Module 33->66 40 conhost.exe 36->40         started        42 shutdown.exe 36->42         started        44 conhost.exe 38->44         started        process14
Gathering data
Threat name:
ByteCode-MSIL.Backdoor.AsyncRAT
Status:
Malicious
First seen:
2026-04-20 17:14:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
44
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Result
Malware family:
ratonrat
Score:
  10/10
Tags:
family:ratonrat defense_evasion execution persistence spyware stealer
Behaviour
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Looks up external IP address via web service
Executes dropped EXE
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Detects RatonRAT payload
Family: RatonRAT
Unpacked files
SH256 hash:
d1153f654601bc77fd5839d463e0088ca38e28ebfddf556ebe511e0fb3dbf6f7
MD5 hash:
3182b26d6f0c92fa635eae44bd4e4476
SHA1 hash:
a53ac82ede685aee92859257ffed32adcb9d9d80
SH256 hash:
60426a771350692f050d68b56e0e6b6353b178d265c1ab8015e35729f3762085
MD5 hash:
f4abeb6ad4a51ea192e2e2d99b051750
SHA1 hash:
fbe45466b4c4b82f41ca690b3c71089e5fb5cc0b
SH256 hash:
30fc8808c22b5073ca2c691784369a36dbdb855aa1b9e50c909225c5562b0e95
MD5 hash:
e14bf49aa22e8b4b13cee211f9c246dd
SHA1 hash:
67a52a50875b6072355d725cd38dd69a592f6480
SH256 hash:
e809495c34524a4bbf57de1ca2d57ee2f254f61b11f9a460085841a4f5890926
MD5 hash:
92d3ad1f8c1c7eed7e34cd1191fb5402
SHA1 hash:
31a2840e7ee40b8db77297a66a495129e1b653b3
Detections:
INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_Qemu_Description
Rule name:Check_Qemu_DeviceMap
Rule name:Check_VBox_Description
Rule name:Check_VBox_DeviceMap
Rule name:Check_VBox_Guest_Additions
Rule name:Check_VmTools
Rule name:Check_VMWare_DeviceMap
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:detect_Redline_Stealer_V2
Author:Varp0s
Rule name:Disable_Defender
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Rule name:INDICATOR_EXE_Packed_Fody
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name:Jupyter_infostealer
Author:CD_R0M_
Description:Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022
Rule name:Macos_Infostealer_Wallets_8e469ea0
Author:Elastic Security
Rule name:Multifamily_RAT_Detection
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:Njrat
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:pe_imphash
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Author:vietdx.mb
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:vmdetect
Author:nex
Description:Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments