MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08f8a286b6cd9ab0291e3b0e5f5d2fdce22024acc167634de0ad83bcb47a5747. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments

SHA256 hash: 08f8a286b6cd9ab0291e3b0e5f5d2fdce22024acc167634de0ad83bcb47a5747
SHA3-384 hash: 2f3c7174e983d6f17d0aa4ab424f49037e684f0ea90f2e58502abca2420ab9ea4ad7297e9922ad3ad7f114d68c123f04
SHA1 hash: d652abe1a678dab8f418fe31c47002f2a40a6a3e
MD5 hash: 80cfb32b29b00d05415b4990da151da7
humanhash: maryland-whiskey-seven-paris
File name:AISafeSDK64.dll
Download: download sample
Signature ValleyRAT
File size:4'653'056 bytes
First seen:2026-03-02 22:45:16 UTC
Last seen:2026-03-02 23:23:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8000ea7ef9a9a4dcbab815cb57b2ccc6 (1 x ValleyRAT)
ssdeep 98304:3zcsiSENObk/iHnUbdnePIbCs80H45tDyILBlMY/VSMsyXcfo+ocyRPA6s:viFsbk+gEWSi45cqwZyF+LyRPLs
TLSH T1452633E4F4F86B32C89FC67572A34A8DBF953F3A8BAD85512B092819CC73B540935316
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:dll exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
154.92.16.22:22311

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
154.92.16.22:22311 https://threatfox.abuse.ch/ioc/1757046/

Intelligence


File Origin
# of uploads :
2
# of downloads :
251
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
AISafeSDK64.dll
Verdict:
Malicious activity
Analysis date:
2026-03-02 22:31:26 UTC
Tags:
uac valleyrat rat silverfox winos

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a file
DNS request
Launching a process
Connection attempt
Loading a system driver
Setting a prohibition to launch some applications
Sending a custom TCP request
Сreating synchronization primitives
Creating a window
Using the Windows Management Instrumentation requests
Forced shutdown of a system process
Prohibiting to launch files
Firewall traversal
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade obfuscated packed packed vmprotect
Verdict:
Malicious
File Type:
dll x64
Detections:
Trojan-Spy.Win32.Stealer.sb Backdoor.Xkcp.TCP.ServerRequest Trojan-Dropper.Win32.Agent.sb Trojan.Win32.Inject.sb Trojan.Win32.Agent.sb Backdoor.Win32.Xkcp.cek Trojan-Spy.Win32.KeyLogger.sba Backdoor.Win32.Agent.sb Backdoor.Agent.TCP.C&C HEUR:HackTool.Win64.UACme.gen Backdoor.Win32.Xkcp.a
Result
Threat name:
Metasploit
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Suricata IDS alerts for network traffic
Tries to detect debuggers (CloseHandle check)
Tries to evade analysis by execution special instruction (VM detection)
Yara detected MetasploitPayload
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1877187 Sample: AISafeSDK64.dll.exe Startdate: 02/03/2026 Architecture: WINDOWS Score: 100 61 shed.dual-low.part-0012.t-0009.t-msedge.net 2->61 63 part-0012.t-0009.t-msedge.net 2->63 65 3 other IPs or domains 2->65 69 Suricata IDS alerts for network traffic 2->69 71 Multi AV Scanner detection for dropped file 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 3 other signatures 2->75 10 loaddll64.exe 1 2->10         started        signatures3 process4 signatures5 83 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 10->83 85 Tries to evade analysis by execution special instruction (VM detection) 10->85 87 Tries to detect debuggers (CloseHandle check) 10->87 89 2 other signatures 10->89 13 rundll32.exe 1 10->13         started        17 cmd.exe 1 10->17         started        19 rundll32.exe 10->19         started        21 2 other processes 10->21 process6 file7 59 C:\Users\user\AppData\Local\Temp\setup.exe, PE32+ 13->59 dropped 91 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 13->91 93 Tries to detect debuggers (CloseHandle check) 13->93 95 Hides threads from debuggers 13->95 23 cmd.exe 1 13->23         started        25 rundll32.exe 17->25         started        28 cmd.exe 19->28         started        30 cmd.exe 21->30         started        signatures8 process9 signatures10 32 setup.exe 2 23->32         started        36 conhost.exe 23->36         started        77 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 25->77 79 Tries to detect debuggers (CloseHandle check) 25->79 81 Hides threads from debuggers 25->81 38 cmd.exe 25->38         started        40 setup.exe 1 28->40         started        42 conhost.exe 28->42         started        44 conhost.exe 30->44         started        46 setup.exe 30->46         started        process11 file12 53 C:\ProgramDatabehaviorgrapholden\Run_70449622.exe, PE32+ 32->53 dropped 67 Multi AV Scanner detection for dropped file 32->67 48 setup.exe 1 38->48         started        51 conhost.exe 38->51         started        55 C:\ProgramDatabehaviorgrapholden\Run_89551879.exe, PE32+ 40->55 dropped signatures13 process14 file15 57 C:\ProgramDatabehaviorgrapholden\Run_86737970.exe, PE32+ 48->57 dropped
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Threat name:
Win64.Trojan.Etset
Status:
Malicious
First seen:
2026-03-02 09:22:00 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Executes dropped EXE
Unpacked files
SH256 hash:
08f8a286b6cd9ab0291e3b0e5f5d2fdce22024acc167634de0ad83bcb47a5747
MD5 hash:
80cfb32b29b00d05415b4990da151da7
SHA1 hash:
d652abe1a678dab8f418fe31c47002f2a40a6a3e
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments