MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06ad5c66f33f32ab0b3a6f2d6e3fcdfe700fd71103c0f9b97f0145f1dc5409e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT
Vendor detections: 15

SHA256 hash: 06ad5c66f33f32ab0b3a6f2d6e3fcdfe700fd71103c0f9b97f0145f1dc5409e8
SHA3-384 hash: 20436611bfa3098e894c8bb17db64e1863a85abf9194ae3b1f309d152b94ef6981e6e04da86ac8e73aa16c90e290e367
SHA1 hash: 8897062c5dba378814b535e8675b818c07273781
MD5 hash: 71aab4d8dcc18cc41d2b830cae5d69db
humanhash: shade-bakerloo-edward-oklahoma
File name: protected.exe
Signature: ValleyRAT
File size: 3'181'056 bytes
First seen: 2026-04-23 15:42:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ed52c9f1202d1769494680ae08ab4000 (1 x ValleyRAT)
ssdeep: 98304:DSLW39LVkP4pvR+OFniHlunLt7bdAYXEs6hQVsnL:mK39LTpZ+OFnb1dAYr6hQVsn
TLSH: T196E533182B9290DEEE0444F629F72404F70103FDAC51EE591BA99983DF151BE4FA72DD
TrID:
  27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
  8.5% (.ICL) Windows Icons Library (generic) (2059/9)
  8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: Ling
Tags: exe SilverFox Trojan/SilverFox.wos[dll] ValleyRAT


Comment by CNGaoLing:
Trojan/SilverFox.wos[dll]
IOC (IP 137.220.155.65)

Intelligence

File Origin
# of uploads: 1
# of downloads: 136
Origin country: US
Vendor Threat Intelligence

No detections

Malware family: n/a
ID: 1
File name: protected.exe
Verdict: Malicious activity
Analysis date: 2026-04-23 15:38:39 UTC
Tags: themida payload silverfox backdoor valleyrat rat winos
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 81.4%
Tags: corrupt emotet

Verdict: Malware
Behaviour:
  Searching for analyzing tools
  Searching for the window
  Creating a file
  DNS request
  Connection attempt
  Sending a custom TCP request
  Creating synchronization primitives
  Creating a window
  Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: evasive microsoft_visual_cc obfuscated packed packed themidawinlicense

Verdict: Malicious
File Type: exe x32
First seen: 2026-04-23T10:26:00Z UTC
Last seen: 2026-04-25T06:56:00Z UTC
Hits: ~100
Detections:
  BSS:Trojan.Win32.Generic
  Trojan-Spy.Win32.Stealer.sb
  Backdoor.Win32.Xkcp.a
  Trojan-Spy.Win32.KeyLogger.sba
  PDM:Trojan.Win32.Generic
  Backdoor.Xkcp.TCP.ServerRequest
  Backdoor.Win32.Xkcp.cod
  Backdoor.Agent.TCP.C&C

Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Threat name: Win32.Backdoor.Valleyrat
Status: Malicious
First seen: 2026-04-23 15:42:48 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 13 of 24 (54.17%)

Threat level: 5/5
Verdict: malicious
Label(s): valleyrat

Malware family: valleyrat_s2
Score: 10/10
Tags: family:valleyrat_s2 backdoor bootkit defense_evasion discovery persistence trojan
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: GetForegroundWindowSpam
  Suspicious use of SetWindowsHookEx
  System Location Discovery: System Language Discovery
  Suspicious use of NtSetInformationThreadHideFromDebugger
  Adds Run key to start application
  Checks whether UAC is enabled
  Enumerates connected drives
  Writes to the Master Boot Record (MBR)
  Checks BIOS information in registry
  Identifies VirtualBox via ACPI registry values (likely anti-VM)
  Detects ValleyRAT payload
  Family: ValleyRat
Malware Config:
  C2 Extraction: windowas.com:6666
Unpacked files
SHA256 hash: 06ad5c66f33f32ab0b3a6f2d6e3fcdfe700fd71103c0f9b97f0145f1dc5409e8 (this sample)
MD5 hash: 71aab4d8dcc18cc41d2b830cae5d69db
SHA1 hash: 8897062c5dba378814b535e8675b818c07273781

SHA256 hash: 86ffd39f8c53924a25935a4e1667487c2a63c7c8313e4d4f6bb13a9ac742db3b
MD5 hash: 021ec3cc05e073e136aa1d19e199b77c
SHA1 hash: f386c2997fd05878ee3bb9638550deed6e2cf296

Malware family: ValleyRAT
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
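The indicators above are only useful once they are turned into something that can be run against an estate. The following script is an added example written for this page, not MalwareBazaar's own tooling: it collects the hashes listed for the uploaded sample and its unpacked file, the C2 the sandbox extracted (windowas.com:6666) and the IP posted in the comment (137.220.155.65), hashes local files against the known digests, and scans log lines for the network indicators. The DNS and connection log format, the regexes and the sample log lines are constructed for the example and are not from the page; adapt them to your own log sources. Note the caveat built into the scanner: a connection to port 6666 at an address not on the page is reported as a weak, port-only signal rather than a confirmed C2 hit.

```python
"""IOC sweep built from the indicators on this MalwareBazaar entry.

Added example, not MalwareBazaar's own tooling. Hashes are copied from the
page, the C2 domain and port from the sandbox extraction, and the IP from
the user comment. Log format and sample log lines are constructed (assumption).
"""
import hashlib
import re

# Hashes copied from this page (lowercase hex -> description).
KNOWN_HASHES = {
    "06ad5c66f33f32ab0b3a6f2d6e3fcdfe700fd71103c0f9b97f0145f1dc5409e8": "ValleyRAT sample protected.exe (SHA256)",
    "8897062c5dba378814b535e8675b818c07273781": "ValleyRAT sample protected.exe (SHA1)",
    "71aab4d8dcc18cc41d2b830cae5d69db": "ValleyRAT sample protected.exe (MD5)",
    "86ffd39f8c53924a25935a4e1667487c2a63c7c8313e4d4f6bb13a9ac742db3b": "ValleyRAT unpacked file (SHA256)",
    "f386c2997fd05878ee3bb9638550deed6e2cf296": "ValleyRAT unpacked file (SHA1)",
    "021ec3cc05e073e136aa1d19e199b77c": "ValleyRAT unpacked file (MD5)",
}
C2_DOMAINS = {"windowas.com"}   # from the sandbox C2 extraction on this page
C2_IPS = {"137.220.155.65"}     # from the user comment on this entry
C2_PORTS = {6666}               # from the C2 extraction; the port alone is a weak signal


def _hashers():
    return {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}


def hash_bytes(data: bytes) -> dict:
    """md5/sha1/sha256 hex digests of an in-memory blob."""
    hs = _hashers()
    for h in hs.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hs.items()}


def hash_file(path: str) -> dict:
    """Same digests for a file on disk, read in 1 MiB chunks so large files stream."""
    hs = _hashers()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hs.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hs.items()}


def lookup_hashes(digests: dict) -> list:
    """Return the page description for every digest that matches a known hash."""
    return [KNOWN_HASHES[d.lower()] for d in digests.values() if d.lower() in KNOWN_HASHES]


def domain_matches(name: str) -> bool:
    """Exact or subdomain match only: 'notwindowas.com' must not hit on 'windowas.com'."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


# Constructed log lines (not from the page): a DNS query log and a connection log.
SAMPLE_LOGS = [
    "2026-04-23T15:40:01Z dns client=10.0.0.12 query=windowas.com type=A",
    "2026-04-23T15:40:02Z dns client=10.0.0.12 query=update.windowas.com type=A",
    "2026-04-23T15:40:03Z conn src=10.0.0.12:51432 dst=137.220.155.65:6666 proto=tcp",
    "2026-04-23T15:40:04Z conn src=10.0.0.13:51433 dst=198.51.100.7:6666 proto=tcp",
    "2026-04-23T15:40:05Z conn src=10.0.0.13:51434 dst=198.51.100.8:443 proto=tcp",
    "2026-04-23T15:40:06Z dns client=10.0.0.14 query=notwindowas.com type=A",
]

DNS_RE = re.compile(r"\bquery=([A-Za-z0-9.-]+)")
CONN_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")


def scan_logs(lines) -> list:
    """Return (kind, indicator, line) for each hit.

    kind is 'c2-domain' or 'c2-ip' for a match on a page indicator and
    'c2-port-only' for a connection to port 6666 at an unlisted address,
    which is a lead for follow-up, not an alert on its own.
    """
    hits = []
    for line in lines:
        m = DNS_RE.search(line)
        if m:
            if domain_matches(m.group(1)):
                hits.append(("c2-domain", m.group(1), line))
            continue
        m = CONN_RE.search(line)
        if m:
            ip, port = m.group(1), int(m.group(2))
            if ip in C2_IPS:
                hits.append(("c2-ip", f"{ip}:{port}", line))
            elif port in C2_PORTS:
                hits.append(("c2-port-only", f"{ip}:{port}", line))
    return hits


if __name__ == "__main__":
    for kind, ioc, line in scan_logs(SAMPLE_LOGS):
        print(f"{kind:13s} {ioc:22s} {line}")
```

Run it against a directory by calling hash_file() on each file and passing the result to lookup_hashes(); a hit on the unpacked-file hash is worth more attention than one on the packed sample, since it means the payload was dropped or dumped from memory on that host. Keep the domain check as a suffix match on a dot boundary: a plain substring test would also fire on unrelated names that merely contain "windowas.com".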

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HeavensGate
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:vmdetect
Author:nex
Description:Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  ValleyRAT
  Executable exe 06ad5c66f33f32ab0b3a6f2d6e3fcdfe700fd71103c0f9b97f0145f1dc5409e8 (this sample)

Delivery method: Distributed via web download

Comments