MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddf39cc82dff3cd3cb7060d175e1bfe6b282be5165d0d7c2e3948389ff07ec26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RatonRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 6 File information Comments

SHA256 hash: ddf39cc82dff3cd3cb7060d175e1bfe6b282be5165d0d7c2e3948389ff07ec26
SHA3-384 hash: 6a88aa791a823362f43aa7960b1e701d1f6f55aaa3bfed5825ce8bba970cf10bfb8ceaf6eced29ae53bd7a25d18fedef
SHA1 hash: e0f91ac444fd33c6b831a171f0be27b55e9f9497
MD5 hash: 59fc88763b9e27e3dff6992b0f9fa8d9
humanhash: five-sink-magazine-freddie
File name:dreamyware.exe
Download: download sample
Signature RatonRAT
File size:94'720 bytes
First seen:2026-03-22 11:10:25 UTC
Last seen:2026-03-22 11:17:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'076 x AgentTesla, 20'045 x Formbook, 12'353 x SnakeKeylogger)
ssdeep 1536:fTiJJeZCMLbQUxKxNulTsqa4tsi5+/GuGFjlbbKpKCZbszxD:f2JYLLf4qAX4tnQKFjlbbKXZb2xD
Threatray 52 similar samples on MalwareBazaar
TLSH T1E4936A0033FC6926FABF8B7C5CB464554B3279276D32E64E9C8A609C1A71385DA20F77
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe ratonrat


Avatar
abuse_ch
RatonRAT C2:
194.31.223.177:25163

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.31.223.177:25163 https://threatfox.abuse.ch/ioc/1773698/

Intelligence


File Origin
# of uploads :
2
# of downloads :
127
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
dreamyware.exe
Verdict:
No threats detected
Analysis date:
2026-03-22 10:52:25 UTC
Tags:
auto-reg

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.9%
Tags:
autorun dropper shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Running batch commands
Creating a file
Launching a process
Creating a process from a recently created file
Сreating synchronization primitives
Creating a window
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
asyncrat base64 dcrat lolbin obfuscated reconnaissance schtasks stormkitty unsafe
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-03-22T07:55:00Z UTC
Last seen:
2026-03-22T14:33:00Z UTC
Hits:
~10
Detections:
Trojan-PSW.MSIL.Stealer.sb Trojan-PSW.MSIL.Agent.sb Trojan.MSIL.Agent.sb HEUR:Trojan.MSIL.Agent.gen Backdoor.MSIL.Crysan.d PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Coins.sb
Result
Threat name:
Bitcoin Clipper, RatonRAT
Detection:
malicious
Classification:
troj.spyw.expl.evad.mine
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential Privilege Escalation using Task Scheduler highest RunLevel
Protects its processes via BreakOnTermination flag
Self deletion via cmd or bat file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Bitcoin Clipper
Yara detected Costura Assembly Loader
Yara detected Raton RAT
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1887302 Sample: dreamyware.exe Startdate: 22/03/2026 Architecture: WINDOWS Score: 100 47 ip-api.com 2->47 53 Suricata IDS alerts for network traffic 2->53 55 Found malware configuration 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 9 other signatures 2->59 10 dreamyware.exe 6 2->10         started        14 dreamyware.exe 2->14         started        signatures3 process4 file5 39 C:\Users\user\AppData\...\dreamyware.exe, PE32 10->39 dropped 41 cleanup_wNj0InoENS...UlLNjMcCjAr0b63.bat, DOS 10->41 dropped 43 C:\Users\...\dreamyware.exe:Zone.Identifier, ASCII 10->43 dropped 45 C:\Users\user\AppData\...\dreamyware.exe.log, CSV 10->45 dropped 69 Self deletion via cmd or bat file 10->69 16 cmd.exe 1 10->16         started        signatures6 process7 process8 18 dreamyware.exe 14 2 16->18         started        22 conhost.exe 16->22         started        24 timeout.exe 1 16->24         started        26 3 other processes 16->26 dnsIp9 49 194.31.223.177, 25163, 49689 INTERNETPB-ASCZ unknown 18->49 51 ip-api.com 208.95.112.1, 49697, 80 TUT-ASUS United States 18->51 61 Multi AV Scanner detection for dropped file 18->61 63 Suspicious powershell command line found 18->63 65 Protects its processes via BreakOnTermination flag 18->65 67 5 other signatures 18->67 28 powershell.exe 23 18->28         started        31 schtasks.exe 1 18->31         started        signatures10 process11 signatures12 71 Loading BitLocker PowerShell Module 28->71 33 WmiPrvSE.exe 28->33         started        35 conhost.exe 28->35         started        37 conhost.exe 31->37         started        process13
Gathering data
Threat name:
ByteCode-MSIL.Backdoor.AsyncRAT
Status:
Malicious
First seen:
2026-03-22 10:52:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion execution persistence
Behaviour
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Looks up external IP address via web service
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Unpacked files
SH256 hash:
ddf39cc82dff3cd3cb7060d175e1bfe6b282be5165d0d7c2e3948389ff07ec26
MD5 hash:
59fc88763b9e27e3dff6992b0f9fa8d9
SHA1 hash:
e0f91ac444fd33c6b831a171f0be27b55e9f9497
SH256 hash:
5e3db054a9570651bd3a23e0468b032f2ebc8ee748fdfd966ec9e4999871c268
MD5 hash:
6582bc7c5b1856fc6a16a4623deb7aa3
SHA1 hash:
9c92b9ccc5807fa42eab7d20436c274a6e6cfa61
SH256 hash:
30fc8808c22b5073ca2c691784369a36dbdb855aa1b9e50c909225c5562b0e95
MD5 hash:
e14bf49aa22e8b4b13cee211f9c246dd
SHA1 hash:
67a52a50875b6072355d725cd38dd69a592f6480
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:telebot_framework
Author:vietdx.mb

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments