MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 767829ce973d5fc84ba89fc041e49b954e902ad63bac4ea28ced107ccb8182c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 17


Intelligence 17 IOCs 1 YARA 22 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 767829ce973d5fc84ba89fc041e49b954e902ad63bac4ea28ced107ccb8182c5
SHA3-384 hash: b9d975ff35abc16c36246199c86232c689a237ec94644c1cf27fcecf7ae42c0515800896cc62094a46b341949276de0c
SHA1 hash: 5fd747c16e2cda2039bea2211aa7e6ab55681fff
MD5 hash: 06fdf0544a0518b3057f7d00577bf05c
humanhash: steak-blossom-happy-ack
File name:06fdf0544a0518b3057f7d00577bf05c.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:1'615'872 bytes
First seen:2025-10-02 08:45:08 UTC
Last seen:2025-10-02 21:00:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c1201007f24fe8ef3e37fc185993eed2 (4 x ValleyRAT)
ssdeep 12288:Ir5SeJNTpWSgN/wwRN0UL0G/TVOo3HC75nSE33b9YvFH:ItSSdCN/j2GLl3iFSE33b9
Threatray 212 similar samples on MalwareBazaar
TLSH T1727523A4E9E5F655E55BC3790399DF215600FDFCE626844385826BEB63BCBECC032062
TrID 63.5% (.EXE) UPX compressed Win64 Executable (70117/5/12)
24.5% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.ICL) Windows Icons Library (generic) (2059/9)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
108.187.7.84:443

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
108.187.7.84:443 https://threatfox.abuse.ch/ioc/1605621/

Intelligence

File Origin
# of uploads :
2
# of downloads :
120
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
06fdf0544a0518b3057f7d00577bf05c.exe
Verdict:
Malicious activity
Analysis date:
2025-10-02 08:50:14 UTC
Tags:
payload m0yv valley winos rat silverfox valleyrat upx
Link:
https://app.any.run/tasks/516c4d2b-dbec-4ae4-9153-dc7c45f26dbf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/29904/
Detection(s):
SecuriteInfo.com.Win32.Expiro-3.UNOFFICIAL
Create hunting rule

Win.Virus.Expiro-9936998-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68de3bd9c21e799f5cd4549b
Tags:
emotet expiro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Modifying a system executable file
Launching a service
Connection attempt
Launching a process
Sending a custom TCP request
Searching for synchronization primitives
Loading a system driver
Connection attempt to an infection source
Creating a file in the system32 subdirectories
Modifying an executable file
Setting a keyboard event handler
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file
Using the Windows Management Instrumentation requests
Creating a window
Enabling autorun for a service
Query of malicious DNS domain
Infecting executable files
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug expiro mingw overlay packed packed packed upx virus
Link:
https://www.filescan.io/uploads/68de3bd7674d5fd6aa136dd9/reports/9dcda28b-173a-4d1e-b8da-cad6e2767764/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/767829ce973d5fc84ba89fc041e49b954e902ad63bac4ea28ced107ccb8182c5
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-27T10:26:00Z UTC
Last seen:
2025-10-03T01:06:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/767829ce973d5fc84ba89fc041e49b954e902ad63bac4ea28ced107ccb8182c5/results?tab=lookup
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6df915ab-e4f2-42a7-977c-7899266283cc
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1787958
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to behave differently if execute on a Russian/Kazak computer
Creates files inside the volume driver (system volume information)
Drops executable to a common third party application directory
Found direct / indirect Syscall (likely to bypass EDR)
Infects executable files (exe, dll, sys, html)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries random domain names (often used to prevent blacklisting and sinkholes)
Suricata IDS alerts for network traffic
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1787958 Sample: S4YFGeAuMw.exe Startdate: 02/10/2025 Architecture: WINDOWS Score: 100 27 zlenh.biz 2->27 29 yunalwv.biz 2->29 31 37 other IPs or domains 2->31 45 Suricata IDS alerts for network traffic 2->45 47 Antivirus detection for URL or domain 2->47 49 Antivirus detection for dropped file 2->49 51 5 other signatures 2->51 6 S4YFGeAuMw.exe 3 2 2->6         started        11 armsvc.exe 1 2->11         started        13 elevation_service.exe 2->13         started        15 19 other processes 2->15 signatures3 process4 dnsIp5 33 108.187.7.84, 443, 49692, 49709 LEASEWEB-USA-LAX-11US United States 6->33 35 yunalwv.biz 104.156.155.94, 49730, 49741, 49751 SRCACCESSUS United States 6->35 43 13 other IPs or domains 6->43 17 C:\Windows\System32\wbengine.exe, PE32+ 6->17 dropped 19 C:\Windows\System32\wbem\WmiApSrv.exe, PE32+ 6->19 dropped 21 C:\Windows\System32\vds.exe, PE32+ 6->21 dropped 25 114 other malicious files 6->25 dropped 53 Drops executable to a common third party application directory 6->53 55 Installs a global keyboard hook 6->55 57 Infects executable files (exe, dll, sys, html) 6->57 37 parkingpage.namecheap.com 91.195.240.19, 49707, 49708, 80 SEDO-ASDE Germany 11->37 39 lpuegx.biz 176.100.243.135, 80 MASTERBIT-ASRU Russian Federation 11->39 41 172.233.219.123, 49744, 80 AKAMAI-ASN1EU United States 11->41 23 C:\Windows\System32\sppsvc.exe, PE32+ 11->23 dropped 59 Found direct / indirect Syscall (likely to bypass EDR) 13->59 61 Creates files inside the volume driver (system volume information) 15->61 63 Contains functionality to behave differently if execute on a Russian/Kazak computer 15->63 file6 signatures7
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/767829ce973d5fc84ba89fc041e49b954e902ad63bac4ea28ced107ccb8182c5
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/767829ce973d5fc84ba89fc041e49b954e902ad63bac4ea28ced107ccb8182c5/
Verdict:
Malicious
Threat:
Virus.Win64.Moiva
Link:
https://tip.neiki.dev/file/767829ce973d5fc84ba89fc041e49b954e902ad63bac4ea28ced107ccb8182c5
Threat name:
Win64.Virus.Expiro
Create hunting rule
Status:
Malicious
First seen:
2025-09-28 00:44:14 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oz4cttuxhvp4qs5it7aedze3svhjakwwhowe5ium5uihzs4bqlcq._file
Verdict:
malicious
Label(s):
valleyrat
Create hunting rule
expiro
Create hunting rule
Similar samples:
0a1d5fc8da6db14afc66ac764bb4448bea7e2b49088805b6f013a5b2f44e3418
ValleyRAT
7a1ce8bd54ceec847363d5841cc5016d7fe8226d3ff07be023f42f7336ccd594
ValleyRAT
85ca361774e85369bc191c5b57736abcec4ba69512703979f0b5e217b213b333
ValleyRAT
b7fc85c1e68221a10c9c9cc8c321f1a2cce8be9914cf5033a382d6634dbb0aa6
ValleyRAT
bcd6cf9ae14f189191f56ddd643585681fd65271ff7f0c6a4ba9000a316d3001
ValleyRAT
error
ValleyRAT
+ 202 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery ransomware spyware stealer upx
Link:
https://tria.ge/reports/251002-kn9meayyes/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
UPX packed file
Enumerates connected drives
Executes dropped EXE
Reads user/profile data of web browsers
Verdict:
Malicious
Tags:
Win.Virus.Expiro-9936998-0 ProcessKiller Expiro
YARA:
n/a
Link:
https://app.threat.zone/submission/f5f43234-8e55-4e88-ac7d-9ea908106c35
Unpacked files
SH256 hash:
767829ce973d5fc84ba89fc041e49b954e902ad63bac4ea28ced107ccb8182c5
MD5 hash:
06fdf0544a0518b3057f7d00577bf05c
SHA1 hash:
5fd747c16e2cda2039bea2211aa7e6ab55681fff
Link:
https://www.unpac.me/results/7ec2a4a6-e9a3-48f3-9628-99c68de9a8d6/
SH256 hash:
6e2e87a39283c67b3e110e0ddcf3952b2207880ae226782c4a48416c0916d22e
MD5 hash:
d04806e1b25005b7d5540544cca1c3ae
SHA1 hash:
e738b8e71c4938366057244104d7f34db215e815
Link:
https://www.unpac.me/results/7ec2a4a6-e9a3-48f3-9628-99c68de9a8d6/
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/767829ce973d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Expiro
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/767829ce973d5fc84ba89fc041e49b954e902ad63bac4ea28ced107ccb8182c5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Gh0stKCP
Create hunting rule
Author:Netresec
Description:Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference:https://netresec.com/?b=259a5af
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_3055c14a
Create hunting rule
Author:Elastic Security
Rule name:Windows_Generic_Threat_ebf62328
Create hunting rule
Author:Elastic Security
Rule name:win_m0yv_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.m0yv.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/29904/

Comments