MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee1e4d3e39e4c7232021b0e3ed8004489ff56e8f80945c14b956bbbffadca7a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee1e4d3e39e4c7232021b0e3ed8004489ff56e8f80945c14b956bbbffadca7a5
SHA3-384 hash: 1c5e77a013c6d24b592882e80dd6b5da3edf361eb2f5a5b5e71197365acb242c76196449839ab311a2223ed669cb494d
SHA1 hash: 868c67c34c890e038e1ba06ba6bd5cce7c59360b
MD5 hash: 4e5636a99d96a3738fe5496b7a625142
humanhash: robert-kitten-sweet-south
File name:ratonClient.exe
Download: download sample
File size:87'040 bytes
First seen:2026-02-22 10:57:16 UTC
Last seen:2026-02-22 11:22:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'818 x AgentTesla, 19'741 x Formbook, 12'286 x SnakeKeylogger)
ssdeep 1536:IC0lB4H00wz0epKV1Tsqa4tsi5lRjTnwCbTtlbe4CUBoJWs3:IxlB4HWzPC1AX4tndnwCbTtlbezUB6WW
Threatray 9 similar samples on MalwareBazaar
TLSH T1BA835A0433EC1119F6BF4BBD99B460410AB77A17AE71E74D4D86609C0CB2B81AE24F7B
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter petrovic
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
RO RO
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
ratonClient.exe
Verdict:
Malicious activity
Analysis date:
2026-02-21 22:35:50 UTC
Tags:
evasion stealer
Link:
https://app.any.run/tasks/8aac2f2c-2db2-42a6-ae27-49ba08439d6d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/54045/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader49.34723.16049.10923.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=699ae1478fffa866e3b07142
Tags:
autorun dropper virus sage
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 lolbin obfuscated reconnaissance schtasks stormkitty
Link:
https://www.filescan.io/uploads/699ae14497feb4afd651b9a9/reports/4791d722-bdcd-45aa-b824-0d321e8490dd/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/ee1e4d3e39e4c7232021b0e3ed8004489ff56e8f80945c14b956bbbffadca7a5
Verdict:
Malicious
File Type:
exe x32
Detections:
PDM:Trojan.Win32.Generic HEUR:Exploit.MSIL.BypassUAC.gen
Link:
https://opentip.kaspersky.com/ee1e4d3e39e4c7232021b0e3ed8004489ff56e8f80945c14b956bbbffadca7a5/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b1f3a2e4-f139-4aa2-bd8e-7b35c72026fe
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ee1e4d3e39e4c7232021b0e3ed8004489ff56e8f80945c14b956bbbffadca7a5
Verdict:
inconclusive
YARA:
12 match(es)
Tags:
.Net Executable Fody/Costura Packer Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.00 SOS: 0.18 SOS: 0.19 SOS: 0.20 Win 32 Exe x86
Link:
https://app.malva.re/file/4e5636a99d96a3738fe5496b7a625142
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee1e4d3e39e4c7232021b0e3ed8004489ff56e8f80945c14b956bbbffadca7a5/
Verdict:
Malicious
Threat:
Exploit.MSIL.BypassUAC
Link:
https://tip.neiki.dev/file/ee1e4d3e39e4c7232021b0e3ed8004489ff56e8f80945c14b956bbbffadca7a5
Threat name:
ByteCode-MSIL.Spyware.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2026-02-22 10:58:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
13 of 23 (56.52%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ype2prz4tdsgibbwdr63aaejcp7k3upqckfyffzk25376w4u6sq._file
Verdict:
malicious
Label(s):
ratonrat
Create hunting rule
Similar samples:
3a4a5d05c6e0da095521631b3d00a5f2a032e86427d7ea5ed6dc6410e4ebc919
5a44e5b17566cb4f3f5e3b494953536388eb61f2aab0bad1f0e0be3974ff3cd2
7a7de01481722db7530391f19fffd16fa6fc7b358833aa1e86d22fbc99cce1a1
7da7034e44451497d95f76aacfb0a6a78ea8c7c4f20668e627e6a00375d2eae5
ee1e4d3e39e4c7232021b0e3ed8004489ff56e8f80945c14b956bbbffadca7a5
error
Result
Malware family:
n/a
Score:
  3/10
Tags:
execution persistence
Link:
https://tria.ge/reports/260222-m2xk4sg13f/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Unpacked files
SH256 hash:
ee1e4d3e39e4c7232021b0e3ed8004489ff56e8f80945c14b956bbbffadca7a5
MD5 hash:
4e5636a99d96a3738fe5496b7a625142
SHA1 hash:
868c67c34c890e038e1ba06ba6bd5cce7c59360b
Link:
https://www.unpac.me/results/7796f2d6-d051-439b-8661-4786f104b7ca/
SH256 hash:
30fc8808c22b5073ca2c691784369a36dbdb855aa1b9e50c909225c5562b0e95
MD5 hash:
e14bf49aa22e8b4b13cee211f9c246dd
SHA1 hash:
67a52a50875b6072355d725cd38dd69a592f6480
Link:
https://www.unpac.me/results/7796f2d6-d051-439b-8661-4786f104b7ca/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.92
Link:
https://yomi.yoroi.company/submissions/ee1e4d3e39e4c7232021b0e3ed8004489ff56e8f80945c14b956bbbffadca7a5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/54045/

Comments