MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f40ea9c2470ec1d8d31966af3249543993b09821ba491d883fc47b7fafcfdeeb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RatonRAT


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f40ea9c2470ec1d8d31966af3249543993b09821ba491d883fc47b7fafcfdeeb
SHA3-384 hash: 8310cfee3584d97bf532f641bc29aeffdb136ae941f1947afd18b6b7ee92f27554b995c145971a883fed39ae0c1f75fb
SHA1 hash: cebb2587f1cef462c79f00eeda481ffc65167ed4
MD5 hash: c9ae300b092acc6e7dff9efb8c160d2d
humanhash: september-beryllium-yankee-oxygen
File name:syron.exe
Download: download sample
Signature RatonRAT
Create hunting rule
File size:606'208 bytes
First seen:2026-04-09 03:10:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'859 x AgentTesla, 19'785 x Formbook, 12'305 x SnakeKeylogger)
ssdeep 12288:jlBR3374rIkzE7tnXknXQaBFJi4RkTAJ0MK86WoLb66OPfD9piID3l:FL4kkA7lXkXDDuAOFhWSApi4
Threatray 4 similar samples on MalwareBazaar
TLSH T1BDD41214B3FD3A15FBBE8F7E19F050480F72B6934E20D24C8E8694AD1575B829924FA7
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe ratonrat


Avatar
abuse_ch
RatonRAT C2:
158.160.75.185:40441

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
158.160.75.185:40441 https://threatfox.abuse.ch/ioc/1783172/

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
syron.exe
Verdict:
No threats detected
Analysis date:
2026-04-09 02:17:08 UTC
Tags:
auto-sch
Link:
https://app.any.run/tasks/5b6e8604-789f-4539-b268-58ea4eee4fd9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/60882/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader49.34723.418.1789.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69d70c2366ab6d001dd07641
Tags:
autorun dropper shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Running batch commands
Creating a file
Launching a process
Creating a process from a recently created file
Сreating synchronization primitives
Creating a window
Connection attempt to an infection source
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
asyncrat base64 dcrat lolbin obfuscated obfuscated packed reconnaissance schtasks stack_pickle unsafe
Link:
https://www.filescan.io/uploads/69d718b1799d5bf325f39312/reports/6619ccfd-4bb3-4d5d-ba44-771b49523309/overview
Verdict:
Malicious
Labled as:
Trojan.MSIL.Basic.8
Link:
https://www.hybrid-analysis.com/sample/f40ea9c2470ec1d8d31966af3249543993b09821ba491d883fc47b7fafcfdeeb
Result
Gathering data
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-04-08T23:29:00Z UTC
Last seen:
2026-04-09T00:02:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/f40ea9c2470ec1d8d31966af3249543993b09821ba491d883fc47b7fafcfdeeb/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/10dc7d8f-c6f8-463e-97f2-22311cb245b7
Result
Threat name:
Bitcoin Clipper, RatonRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1895646
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential Privilege Escalation using Task Scheduler highest RunLevel
Protects its processes via BreakOnTermination flag
Self deletion via cmd or bat file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Bitcoin Clipper
Yara detected Costura Assembly Loader
Yara detected Raton RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1895646 Sample: syron.exe Startdate: 09/04/2026 Architecture: WINDOWS Score: 100 47 portbuddy.dev 2->47 49 ipwhois.app 2->49 51 edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com 2->51 59 Suricata IDS alerts for network traffic 2->59 61 Found malware configuration 2->61 63 Antivirus detection for URL or domain 2->63 65 9 other signatures 2->65 10 syron.exe 6 2->10         started        14 syron.exe 2->14         started        signatures3 process4 file5 39 C:\Users\user\AppData\Roaming\...\syron.exe, PE32 10->39 dropped 41 cleanup_BTXayHjQsq...BVPa3CKTJ1C63Go.bat, DOS 10->41 dropped 43 C:\Users\user\...\syron.exe:Zone.Identifier, ASCII 10->43 dropped 45 C:\Users\user\AppData\Local\...\syron.exe.log, CSV 10->45 dropped 75 Self deletion via cmd or bat file 10->75 16 cmd.exe 1 10->16         started        signatures6 process7 process8 18 syron.exe 15 4 16->18         started        22 conhost.exe 16->22         started        24 timeout.exe 1 16->24         started        26 2 other processes 16->26 dnsIp9 53 portbuddy.dev 158.160.75.185, 40441, 49715 DNIC-ASBLK-00721-00726US Venezuela 18->53 55 8.8.8.8 GOOGLEUS United States 18->55 57 ipwhois.app 104.26.6.74, 443, 49725 CLOUDFLARENETUS United States 18->57 67 Multi AV Scanner detection for dropped file 18->67 69 Suspicious powershell command line found 18->69 71 Protects its processes via BreakOnTermination flag 18->71 73 5 other signatures 18->73 28 powershell.exe 23 18->28         started        31 schtasks.exe 1 18->31         started        signatures10 process11 signatures12 77 Loading BitLocker PowerShell Module 28->77 33 WmiPrvSE.exe 28->33         started        35 conhost.exe 28->35         started        37 conhost.exe 31->37         started        process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f40ea9c2470ec1d8d31966af3249543993b09821ba491d883fc47b7fafcfdeeb
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f40ea9c2470ec1d8d31966af3249543993b09821ba491d883fc47b7fafcfdeeb/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/f40ea9c2470ec1d8d31966af3249543993b09821ba491d883fc47b7fafcfdeeb
Threat name:
ByteCode-MSIL.Backdoor.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2026-04-09 02:17:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
17 of 36 (47.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6qhktqshb3a5ruyzm2xteskuhgj3bgbbxjer3cb7yr5x7l6p33vq._file
Verdict:
malicious
Label(s):
ratonrat
Create hunting rule
kamikakabot
Create hunting rule
Similar samples:
95ca1ad664de98c14a5d157e6bb7d5bc395fd859b59f1842047a937b984e987b
RatonRAT
error
RatonRAT
f40ea9c2470ec1d8d31966af3249543993b09821ba491d883fc47b7fafcfdeeb
RatonRAT
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion execution persistence
Link:
https://tria.ge/reports/260409-dpe1vsax8v/
Behaviour
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Unpacked files
SH256 hash:
f40ea9c2470ec1d8d31966af3249543993b09821ba491d883fc47b7fafcfdeeb
MD5 hash:
c9ae300b092acc6e7dff9efb8c160d2d
SHA1 hash:
cebb2587f1cef462c79f00eeda481ffc65167ed4
Link:
https://www.unpac.me/results/12639d44-0107-46f8-84d7-365518e2bcc0/
SH256 hash:
2b611070f296baafdafb2136ce69b8d398297ee4ad6a8f5ded2d298eab6a7c42
MD5 hash:
949dd5b2648e5f3df559d5b46710cfac
SHA1 hash:
02e842a44884ddc6a52a7aa76661485c940c1bb9
Link:
https://www.unpac.me/results/12639d44-0107-46f8-84d7-365518e2bcc0/
SH256 hash:
d8ee0fc96ce8de2e37bc8fdc051da7c1852b9a510270e663ba17281de23f049b
MD5 hash:
f8d5274e3368aa40cc0fd5798d19c783
SHA1 hash:
87f87d8c2b468fb87d82c3f5a849936c08d7a67c
Link:
https://www.unpac.me/results/12639d44-0107-46f8-84d7-365518e2bcc0/
SH256 hash:
d838c40848daf87743e96d42f8db18bb66a0b27cff5a48926a85a61c2d3e05b9
MD5 hash:
0bfef61b203054f6fbf08419ffe3f018
SHA1 hash:
ed9d0418507630996eb2c473ec5daf11d185c2c6
Link:
https://www.unpac.me/results/12639d44-0107-46f8-84d7-365518e2bcc0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f40ea9c2470e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f40ea9c2470ec1d8d31966af3249543993b09821ba491d883fc47b7fafcfdeeb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/60882/

Comments