MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 085b5ab05e4901301f0912d7fa5220e22c7f7421db47def1484022afff34ba85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 085b5ab05e4901301f0912d7fa5220e22c7f7421db47def1484022afff34ba85
SHA3-384 hash: 04d2bf6c6447345de763190ba2cad3552b14efe1e57a1b55dfac766702347045bffe7248f2b56d04c7ebadf35a1c3e6b
SHA1 hash: 3112db7b9bac17e6282dff1a320a99f09ff6c274
MD5 hash: 8a527df7abb2b6420ffe11d389c5ca8d
humanhash: november-river-quebec-kilo
File name:8A527DF7ABB2B6420FFE11D389C5CA8D.dll
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:179'712 bytes
First seen:2026-03-15 07:50:14 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash fdc6eb8758a17a36d2a26d07a088b984 (1 x ValleyRAT)
ssdeep 3072:oAFKOIneiYz8ubhR23hxqHhYa2uUkgEXhwgiuAg0Ful5h/68rQJE:fBYu/Kq12ugkNAOFQ
TLSH T124047B417482C076DA7F1634087ADA656A3D79214FB09EFFB7D44E3E4F302C1AA31A66
TrID 38.2% (.EXE) Win64 Executable (generic) (6522/11/2)
26.4% (.EXE) Win32 Executable (generic) (4504/4/1)
11.8% (.EXE) OS/2 Executable (generic) (2029/13)
11.7% (.EXE) Generic Win/DOS Executable (2002/3)
11.7% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
Reporter abuse_ch
Tags:dll RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
103.236.63.138:6666

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
103.236.63.138:6666 https://threatfox.abuse.ch/ioc/1766826/

Intelligence

File Origin
# of uploads :
1
# of downloads :
138
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/57516/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.44314554.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69b664c393b644ca466a3e42
Tags:
n/a
Gathering data
Verdict:
Malicious
Labled as:
Fragtor.Generic
Link:
https://www.hybrid-analysis.com/sample/085b5ab05e4901301f0912d7fa5220e22c7f7421db47def1484022afff34ba85
Verdict:
Malicious
File Type:
dll x32
Detections:
Trojan.Win32.Inject.sb Trojan.Win32.DLLhijack.sb Backdoor.Win32.Xkcp.a Backdoor.Xkcp.TCP.ServerRequest Backdoor.Win32.Xkcp.chi Backdoor.Agent.TCP.C&C Trojan.Win32.RegistryStorage.sb
Link:
https://opentip.kaspersky.com/085b5ab05e4901301f0912d7fa5220e22c7f7421db47def1484022afff34ba85/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/bb465556-d696-4aa4-a888-484f80836d49
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1883942
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Unusual module load detection (module proxying)
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1883942 Sample: mefp7Grnl6.dll Startdate: 15/03/2026 Architecture: WINDOWS Score: 100 24 chi9kt2j.sched.sma.tdnsstic1.cn 2->24 26 cik07-cos.7moor-fs2.com.cdn.dnsv1.com.cn 2->26 28 cik07-cos.7moor-fs2.com 2->28 34 Suricata IDS alerts for network traffic 2->34 36 Found malware configuration 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 3 other signatures 2->40 8 loaddll32.exe 1 1 2->8         started        signatures3 process4 signatures5 42 Contains functionality to inject threads in other processes 8->42 44 Contains functionality to capture and log keystrokes 8->44 46 Contains functionality to inject code into remote processes 8->46 48 Unusual module load detection (module proxying) 8->48 11 rundll32.exe 2 8->11         started        15 rundll32.exe 1 8->15         started        17 cmd.exe 1 8->17         started        19 2 other processes 8->19 process6 dnsIp7 32 103.236.63.138, 49695, 49696, 49698 GAMELOFTLIMITED-AS-APGameloftLimitedHK China 11->32 50 Contains functionality to inject threads in other processes 11->50 52 Contains functionality to capture and log keystrokes 11->52 54 System process connects to network (likely due to code injection or exploit) 15->54 21 rundll32.exe 2 17->21         started        signatures8 process9 dnsIp10 30 chi9kt2j.sched.sma.tdnsstic1.cn 122.188.44.51, 443, 49693, 49694 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN China 21->30
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/085b5ab05e4901301f0912d7fa5220e22c7f7421db47def1484022afff34ba85
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/085b5ab05e4901301f0912d7fa5220e22c7f7421db47def1484022afff34ba85/
Verdict:
Malicious
Threat:
Family.VALLEYRAT
Link:
https://tip.neiki.dev/file/085b5ab05e4901301f0912d7fa5220e22c7f7421db47def1484022afff34ba85
Threat name:
Win32.Backdoor.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-03-11 01:23:00 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
10 of 36 (27.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bbnvvmc6jeatahyjcll7uura4iwh65bb3nd554kiiark77zuxkcq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Link:
https://tria.ge/reports/260315-jpeyrae19q/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Badlisted process makes network request
Unpacked files
SH256 hash:
085b5ab05e4901301f0912d7fa5220e22c7f7421db47def1484022afff34ba85
MD5 hash:
8a527df7abb2b6420ffe11d389c5ca8d
SHA1 hash:
3112db7b9bac17e6282dff1a320a99f09ff6c274
Link:
https://www.unpac.me/results/5dee3050-14fa-4ef5-9cf8-10c8893c16c9/
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/085b5ab05e49/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/085b5ab05e4901301f0912d7fa5220e22c7f7421db47def1484022afff34ba85

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:GenericGh0st
Create hunting rule
Author:Still
Rule name:Gh0stKCP
Create hunting rule
Author:Netresec
Description:Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference:https://netresec.com/?b=259a5af
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:Windows_Generic_Threat_4b0b73ce
Create hunting rule
Author:Elastic Security
Rule name:WinosStager
Create hunting rule
Author:YungBinary
Description:https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign
Rule name:win_winos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.winos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/57516/

Comments