MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 08f8a286b6cd9ab0291e3b0e5f5d2fdce22024acc167634de0ad83bcb47a5747. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
ValleyRAT
Vendor detections: 12
| SHA256 hash: | 08f8a286b6cd9ab0291e3b0e5f5d2fdce22024acc167634de0ad83bcb47a5747 |
|---|---|
| SHA3-384 hash: | 2f3c7174e983d6f17d0aa4ab424f49037e684f0ea90f2e58502abca2420ab9ea4ad7297e9922ad3ad7f114d68c123f04 |
| SHA1 hash: | d652abe1a678dab8f418fe31c47002f2a40a6a3e |
| MD5 hash: | 80cfb32b29b00d05415b4990da151da7 |
| humanhash: | maryland-whiskey-seven-paris |
| File name: | AISafeSDK64.dll |
| Download: | download sample |
| Signature | ValleyRAT |
| File size: | 4'653'056 bytes |
| First seen: | 2026-03-02 22:45:16 UTC |
| Last seen: | 2026-03-02 23:23:37 UTC |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash | 8000ea7ef9a9a4dcbab815cb57b2ccc6 (1 x ValleyRAT) |
| ssdeep | 98304:3zcsiSENObk/iHnUbdnePIbCs80H45tDyILBlMY/VSMsyXcfo+ocyRPA6s:viFsbk+gEWSi45cqwZyF+LyRPLs |
| TLSH | T1452633E4F4F86B32C89FC67572A34A8DBF953F3A8BAD85512B092819CC73B540935316 |
| TrID | 33.1% (.EXE) Win64 Executable (generic) (6522/11/2) 25.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.4% (.ICL) Windows Icons Library (generic) (2059/9) 10.3% (.EXE) OS/2 Executable (generic) (2029/13) 10.1% (.EXE) Generic Win/DOS Executable (2002/3) |
| Magika | pebin |
| Reporter | |
| Tags: | dll exe RAT ValleyRAT |
Indicators Of Compromise (IOCs)
Below is a list of indicators of compromise (IOCs) associated with this malware samples.
| IOC | ThreatFox Reference |
|---|---|
| 154.92.16.22:22311 | https://threatfox.abuse.ch/ioc/1757046/ |
Intelligence
File Origin
# of uploads :
2
# of downloads :
251
Origin country :
NLVendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
AISafeSDK64.dll
Verdict:
Malicious activity
Analysis date:
2026-03-02 22:31:26 UTC
Tags:
uac valleyrat rat silverfox winos
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Detection(s):
Verdict:
Clean
Score:
84.2%
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a file
DNS request
Launching a process
Connection attempt
Loading a system driver
Setting a prohibition to launch some applications
Sending a custom TCP request
Сreating synchronization primitives
Creating a window
Using the Windows Management Instrumentation requests
Forced shutdown of a system process
Prohibiting to launch files
Firewall traversal
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
masquerade obfuscated packed packed vmprotect
Verdict:
Malicious
Labled as:
Tedy.Generic
Verdict:
Malicious
File Type:
dll x64
Detections:
Trojan-Spy.Win32.Stealer.sb Backdoor.Xkcp.TCP.ServerRequest Trojan-Dropper.Win32.Agent.sb Trojan.Win32.Inject.sb Trojan.Win32.Agent.sb Backdoor.Win32.Xkcp.cek Trojan-Spy.Win32.KeyLogger.sba Backdoor.Win32.Agent.sb Backdoor.Agent.TCP.C&C HEUR:HackTool.Win64.UACme.gen Backdoor.Win32.Xkcp.a
Malware family:
UACMe
Verdict:
Malicious
Result
Threat name:
Metasploit
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Suricata IDS alerts for network traffic
Tries to detect debuggers (CloseHandle check)
Tries to evade analysis by execution special instruction (VM detection)
Yara detected MetasploitPayload
Behaviour
Behavior Graph:
Score:
100%
Verdict:
Malware
File Type:
PE
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Verdict:
Malicious
Threat:
Family.VALLEYRAT
Threat name:
Win64.Trojan.Etset
Status:
Malicious
First seen:
2026-03-02 09:22:00 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
23 of 38 (60.53%)
Threat level:
5/5
Detection(s):
Suspicious file
Result
Malware family:
n/a
Score:
7/10
Tags:
n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Executes dropped EXE
Unpacked files
SH256 hash:
08f8a286b6cd9ab0291e3b0e5f5d2fdce22024acc167634de0ad83bcb47a5747
MD5 hash:
80cfb32b29b00d05415b4990da151da7
SHA1 hash:
d652abe1a678dab8f418fe31c47002f2a40a6a3e
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.