MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08e9c18172518605d7d8101d06629acfdd48df2359103b8d55df7e498b79804f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 19


Intelligence 19 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 08e9c18172518605d7d8101d06629acfdd48df2359103b8d55df7e498b79804f
SHA3-384 hash: 9d0a15fe99002d878766f4ac192368f910c79dfb2578983b6a31e2946ec0e3c738ca2288b68dc5b7406b1023acf53dda
SHA1 hash: 605f2f4a957ad5d84f13d414bededed5d3944772
MD5 hash: 1d36df07e1135357885d203669b4bf34
humanhash: alabama-diet-music-magnesium
File name:1d36df07e1135357885d203669b4bf34.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:133'632 bytes
First seen:2026-01-14 19:45:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2f4c92a36f0eb35d81a44e3422e1082b (8 x ValleyRAT)
ssdeep 3072:wJvr9PP8JYCBwsioRTwQJvMB2OgtEYdZUbdFz56U1e6wN:wJv5UJYU40TwkMB2OgtEsZK9+N
Threatray 532 similar samples on MalwareBazaar
TLSH T1CBD36C4733A460F5D4A7C378C9A25A06E7B378661731A7CF13A4866A6F137D0AD3A331
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
47.237.82.191:9521

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
47.237.82.191:9521 https://threatfox.abuse.ch/ioc/1732274/

Intelligence

File Origin
# of uploads :
1
# of downloads :
165
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
ValleyFall
Details
Link:
https://research.acce.ciphertechsolutions.com/results/fa32a489-db6c-40cb-a31c-7db7e869a34d/
Malware family:
n/a
ID:
1
File name:
_08e9c18172518605d7d8101d06629acfdd48df2359103b8d55df7e498b79804f.exe
Verdict:
Malicious activity
Analysis date:
2026-01-14 19:47:07 UTC
Tags:
valleyrat rat silverfox winos
Link:
https://app.any.run/tasks/6ee11643-2db0-4f13-8115-de5402dd5909

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
WinosStager
Create hunting rule
Link:
https://www.capesandbox.com/analysis/48927/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6967f265ef906a21abcd52bf
Tags:
emotet spam
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm microsoft_visual_cc zusy
Link:
https://www.filescan.io/uploads/6967f25f32bf4f14bb10c436/reports/cd66ac47-7774-4f19-9542-2e86aa9baed3/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/08e9c18172518605d7d8101d06629acfdd48df2359103b8d55df7e498b79804f
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-01-11T13:23:00Z UTC
Last seen:
2026-01-11T13:54:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Generic Backdoor.Agent.TCP.C&C HEUR:Backdoor.Win32.Farfli.gen
Link:
https://opentip.kaspersky.com/08e9c18172518605d7d8101d06629acfdd48df2359103b8d55df7e498b79804f/results?tab=lookup
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/600dc5ba-dfa9-4aad-b531-aa024346b28d
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1850884
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/08e9c18172518605d7d8101d06629acfdd48df2359103b8d55df7e498b79804f
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/1d36df07e1135357885d203669b4bf34
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/08e9c18172518605d7d8101d06629acfdd48df2359103b8d55df7e498b79804f/
Verdict:
Malicious
Threat:
Family.VALLEYRAT
Link:
https://tip.neiki.dev/file/08e9c18172518605d7d8101d06629acfdd48df2359103b8d55df7e498b79804f
Threat name:
Win64.Backdoor.Valleyrat
Create hunting rule
Status:
Malicious
First seen:
2026-01-11 15:58:00 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
23 of 36 (63.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bdu4dalskgdalv6ycaoqmyu2z7ourxzdleidxdkv357etc3zqbhq._file
Verdict:
malicious
Label(s):
valleyrat
Create hunting rule
Similar samples:
08e9c18172518605d7d8101d06629acfdd48df2359103b8d55df7e498b79804f
ValleyRAT
0cd80013e985579e47dcfbe81c7f0cad493320cc657de594145052f84f0102bc
ValleyRAT
37fe2d07d360b2e7d66f1dcbc8aed5794528c0614c943c77214df166cb503a5d
ValleyRAT
6289a938482427ac4fb7219db139d5f2060cc8de76c12431d122739ae51ce0ed
ValleyRAT
7963914b6101338d708fb1ca341aa42ea3d7858bb145bcc37da83d804ac0f664
ValleyRAT
ac2bee2bfba8b7603ead6033f90b0ce727390e66be62c0fe7c9c8b5a4aa4fce0
ValleyRAT
error
ValleyRAT
+ 522 additional samples on MalwareBazaar
Result
Malware family:
valleyrat_s2
Create hunting rule
Score:
  10/10
Tags:
family:valleyrat_s2 backdoor
Link:
https://tria.ge/reports/260114-ygn9sadv3c/
Behaviour
Detects ValleyRAT payload
ValleyRat
Valleyrat_s2 family
Malware Config
C2 Extraction:
47.237.82.191:9521
127.0.0.1:80
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d5e9fe7a-881f-4fd8-b95c-e12f484d6f92
Unpacked files
SH256 hash:
08e9c18172518605d7d8101d06629acfdd48df2359103b8d55df7e498b79804f
MD5 hash:
1d36df07e1135357885d203669b4bf34
SHA1 hash:
605f2f4a957ad5d84f13d414bededed5d3944772
Link:
https://www.unpac.me/results/063b74a8-7622-449d-9443-4c1b451c5858/
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/08e9c1817251/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/08e9c18172518605d7d8101d06629acfdd48df2359103b8d55df7e498b79804f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Gh0stKCP
Create hunting rule
Author:Netresec
Description:Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference:https://netresec.com/?b=259a5af
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Indicator_MiniDumpWriteDump
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ValleyRAT
Create hunting rule
Author:NDA0E
Description:Detects ValleyRAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/48927/

Comments