MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06fbe6ea88df54d1d4e2e50cac0c44874c8a4e2e2e7dab623938f38fea70dcf4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 38 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06fbe6ea88df54d1d4e2e50cac0c44874c8a4e2e2e7dab623938f38fea70dcf4
SHA3-384 hash: edb49113f12901ea71de5d8f8e29d2c46de1761eb22ddacbb090ebeba88d4e34e46f1e83abfb6e8ee83a3538edea1b92
SHA1 hash: 610f306919f2da9ce9cfd92ae9d4f5ff2dbfb65c
MD5 hash: 35d7d76835e8644f8650efb4e8995af6
humanhash: cat-romeo-eighteen-south
File name:x06fbe6ea88df54d1d4e2e50cac0c44874c8a4e2e2e7d.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:22'374'912 bytes
First seen:2026-01-23 10:35:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b5195a86117f20c0c491365082d1dd4b (1 x ValleyRAT)
ssdeep 393216:ulmZTSwpmex006UOoP8EpWzxsmeulUrGhn6YrIN/MsmST:uEAD064P8EpWzxsmeuOrGhn6YrIN/MsL
Threatray 1 similar samples on MalwareBazaar
TLSH T1B437AE0BF9A541D8D0BBC13C89675712FAB1B8454B3057CB2B50A3A92F73BE49D7A390
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 4864a4c079ccd628 (1 x ValleyRAT)
Reporter abuse_ch
Tags:exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
119.28.195.39:6666

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
119.28.195.39:6666 https://threatfox.abuse.ch/ioc/1736101/

Intelligence

File Origin
# of uploads :
1
# of downloads :
189
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
x06fbe6ea88df54d1d4e2e50cac0c44874c8a4e2e2e7dab623938f38fea70dcf4.exe
Verdict:
Suspicious activity
Analysis date:
2026-01-23 10:12:22 UTC
Tags:
python arch-exec arch-doc golang
Link:
https://app.any.run/tasks/93eef2b7-6130-43f1-abbe-145aa6131f9e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/49887/
Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69734988f3cf908ba507a401
Tags:
malware
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug base64 crypto expired-cert fingerprint golang packed
Link:
https://www.filescan.io/uploads/69734ef9abc6d3ca6dec4087/reports/bd0b4809-9063-489b-99d8-1564baefe3a5/overview
Verdict:
Malicious
Labled as:
WinGo_HackTool_Fscan_AGen_R_trojan
Link:
https://www.hybrid-analysis.com/sample/06fbe6ea88df54d1d4e2e50cac0c44874c8a4e2e2e7dab623938f38fea70dcf4
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-01-21T02:31:00Z UTC
Last seen:
2026-01-23T09:51:00Z UTC
Hits:
~100
Detections:
Trojan.Win64.Agentb.sb Trojan.Win32.Shellcode.sb Trojan.Win32.Agent.sb Backdoor.Win32.Agentb.sb Backdoor.Agent.TCP.C&C Trojan.Win32.Shellcode.lbv
Link:
https://opentip.kaspersky.com/06fbe6ea88df54d1d4e2e50cac0c44874c8a4e2e2e7dab623938f38fea70dcf4/results?tab=lookup
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
evad.troj
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1856271
Signature
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries temperature or sensor information (via WMI often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1856271 Sample: x06fbe6ea88df54d1d4e2e50cac... Startdate: 23/01/2026 Architecture: WINDOWS Score: 92 39 Suricata IDS alerts for network traffic 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Yara detected ValleyRAT 2->43 45 3 other signatures 2->45 7 x06fbe6ea88df54d1d4e2e50cac0c44874c8a4e2e2e7d.exe 12 2->7         started        11 python.exe 2->11         started        process3 file4 27 C:\Users\Public\python\...\python.exe, PE32+ 7->27 dropped 29 C:\Users\Public\python\python.exe, PE32 7->29 dropped 31 C:\Users\Public\python\...\vcruntime140.dll, PE32+ 7->31 dropped 33 4 other files (none is malicious) 7->33 dropped 53 Queries temperature or sensor information (via WMI often done to detect virtual machines) 7->53 13 cmd.exe 1 7->13         started        15 conhost.exe 7->15         started        17 python.exe 1 11->17         started        signatures5 process6 process7 19 python.exe 2 18 13->19         started        23 WerFault.exe 21 17->23         started        25 python.exe 14 17->25         started        dnsIp8 35 119.28.195.39, 49723, 49731, 49740 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN China 19->35 37 223.5.5.5, 443, 49720, 49726 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC China 19->37 47 Disables UAC (registry) 19->47 49 Unusual module load detection (module proxying) 19->49 51 Disable UAC(promptonsecuredesktop) 19->51 signatures9
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/06fbe6ea88df54d1d4e2e50cac0c44874c8a4e2e2e7dab623938f38fea70dcf4
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
Executable Html Javascript in Html PDB Path PE (Portable Executable) PE File Layout SFX 7z Win 64 Exe x64
Link:
https://app.malva.re/file/35d7d76835e8644f8650efb4e8995af6
Gathering data
Verdict:
Malicious
Threat:
Trojan.Win32.Shellcode
Link:
https://tip.neiki.dev/file/06fbe6ea88df54d1d4e2e50cac0c44874c8a4e2e2e7dab623938f38fea70dcf4
Threat name:
Win64.Malware.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-01-21 08:07:17 UTC
File Type:
PE+ (Exe)
Extracted files:
133
AV detection:
11 of 38 (28.95%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a356n2ui35kndvhc4ugkydceq5giutrofz62wyrzhdzy72tq3t2a._file
Verdict:
malicious
Label(s):
valleyrat
Create hunting rule
Similar samples:
06fbe6ea88df54d1d4e2e50cac0c44874c8a4e2e2e7dab623938f38fea70dcf4
ValleyRAT
error
ValleyRAT
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion persistence ransomware trojan
Link:
https://tria.ge/reports/260123-mm1n8ah14h/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Checks whether UAC is enabled
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
UAC bypass
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/06fbe6ea88df/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/06fbe6ea88df54d1d4e2e50cac0c44874c8a4e2e2e7dab623938f38fea70dcf4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:CHM_File_Executes_JS_Via_PowerShell
Create hunting rule
Author:daniyyell
Description:Detects a Microsoft Compiled HTML Help (CHM) file that executes embedded JavaScript to launch a messagebox via PowerShell
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:Golang_Find_CSC846
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:Golang_Find_CSC846_Simple
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:Indicator_MiniDumpWriteDump
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:skip20_sqllang_hook
Create hunting rule
Author:Mathieu Tartare <mathieu.tartare@eset.com>
Description:YARA rule to detect if a sqllang.dll version is targeted by skip-2.0. Each byte pattern corresponds to a function hooked by skip-2.0. If $1_0 or $1_1 match, it is probably targeted as it corresponds to the hook responsible for bypassing the authentication.
Reference:https://www.welivesecurity.com/
Rule name:Suspicious_Golang_Binary
Create hunting rule
Author:Tim Machac
Description:Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)
Rule name:Sus_All_Windows_PE_Malware
Create hunting rule
Author:DiegoAnalytics
Description:Detects Windows PE malware of all types, avoids non-executables like .html
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:test_Malaysia
Create hunting rule
Author:rectifyq
Description:Detects file containing malaysia string
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/49887/

Comments