MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 090e306f68ff5d5c0acd3697c9e8fb8e45fc942645d6ff7aeacc4fea6174e968. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT

Vendor detections: 11

SHA256 hash: 090e306f68ff5d5c0acd3697c9e8fb8e45fc942645d6ff7aeacc4fea6174e968
SHA3-384 hash: a3fcf62d267396bb1aede7e336c3dfd03a8ac7de9681abcfc63e4bc791f0bcd19c3abdc3f224470f731ac0e18535d45f
SHA1 hash: 5727fb415243210a2384263e8e5ad7c5e108749a
MD5 hash: a5541b69ae11ef1a4c030d3fd1f1a6b2
humanhash: solar-delta-butter-blossom
File name: Lets_Inst.msi
Signature: ValleyRAT
File size: 94'622'720 bytes
First seen: 2025-06-07 17:52:53 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 1572864:vSkUAKb5HdbId+SuxEQk9itrNzzhDyg+sIp+ujM1j/tjSDsg52iBew+d496DLJHT:v7UA1+Sbl61zBy+koR/tjSDRwu+dqE
TLSH: T1A528332275C68835D22F27769CB5EE1D0A767D22333305EBF7A87DAA50709C39370A52
TrID: 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
      10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
      7.8% (.MSP) Windows Installer Patch (44509/10/5)
      1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: GDHJDSYDH1
Tags: anti-vm dllHijack dropper msi SilverFox ValleyRAT


GDHJDSYDH1
Downloaded from: https://td.tozwl.cn/
C2: 1.32.250.69:6180
Family: ValleyRat

Intelligence


File Origin
# of uploads :
1
# of downloads :
98
Origin country :
US US
Vendor Threat Intelligence

Verdict: Malicious
Score: 81.4%
Tags: spawn blic hype

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context anti-vm base64 cmd evasive expired-cert fingerprint lolbin msiexec remote short-lived-cert wix
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Creates files in the system32 config directory
Creates multiple autostart registry keys
Disable UAC(promptonsecuredesktop)
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: WScript or CScript Dropper
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
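The Sigma and sandbox signatures above name behaviours rather than indicators, so the way to reuse them is to reimplement the logic against your own telemetry. The Python below is an added example, not code from MalwareBazaar or from any vendor whose rule names appear on this page. It implements three of the listed detections (base64-encoded PowerShell calling Add-/Set-MpPreference, a Run key pointing into a user-writable folder, and ping.exe against loopback used as a sleep) and runs them over constructed Sysmon-like events. The exclusion path and dropped-file folders come from the behaviour graph; the Run-key target directory for WsTaskLoad.exe is an assumption, since the page does not show where that binary was written. Note that -EncodedCommand blobs are UTF-16LE before base64, which is why a plain base64 decode of such a command line shows NUL-interleaved text and why a regex on the raw blob will miss the cmdlet name.

```python
"""Sigma-style detection logic for three behaviours the sandbox flagged on this
sample: a base64 -EncodedCommand that calls Add-/Set-MpPreference, a Run key that
points into a user-writable folder, and ping.exe against loopback used as a sleep.
Added example, not MalwareBazaar's or any vendor's code; the events below are
constructed, with paths taken from the behaviour graph where it shows them."""
import base64
import binascii
import re

# Folders the "New RUN Key Pointing to Suspicious Folder" logic keys on; they match
# where this sample dropped files (Public\Documents, ProgramData, AppData).
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "c:\\programdata\\",
                   "\\appdata\\local\\", "\\appdata\\roaming\\")

# powershell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# The alternation below covers the common prefixes and does not match -ExecutionPolicy.
ENC_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
MP_CMDLET = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b")
MP_FLAG = re.compile(r"(?i)-(?:ExclusionPath|ExclusionExtension|ExclusionProcess|DisableRealtimeMonitoring)\b")
RUN_KEY = re.compile(r"(?i)\\currentversion\\run(?:once)?\\")
PING_COUNT = re.compile(r"(?i)\s-n\s+(\d+)\b")
LOOPBACK = re.compile(r"(?i)(?:^|\s)(?:127\.0\.0\.1|localhost|::1)(?:\s|$)")


def encode_command(script):
    """Build the blob the way PowerShell expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if absent or not decodable."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def rule_encoded_mppreference(ev):
    """Sigma: Powershell Base64 Encoded MpPreference Cmdlet."""
    if ev["type"] != "process" or not ev["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    script = decode_encoded_command(ev["cmdline"])
    if script and MP_CMDLET.search(script) and MP_FLAG.search(script):
        return ("encoded_mppreference", script)
    return None


def rule_run_key_suspicious_folder(ev):
    """Sigma: New RUN Key Pointing to Suspicious Folder (Run and RunOnce)."""
    if ev["type"] != "registry" or not RUN_KEY.search(ev["key"]):
        return None
    if any(d in ev["data"].lower() for d in SUSPICIOUS_DIRS):
        return ("run_key_suspicious_folder", f"{ev['key']} -> {ev['data']}")
    return None


def rule_ping_sleep(ev):
    """Sandbox signature 'Uses ping.exe to sleep': -n <count> against loopback, about one second per echo."""
    if ev["type"] != "process" or not ev["image"].lower().endswith("ping.exe"):
        return None
    count = PING_COUNT.search(ev["cmdline"])
    if count and int(count.group(1)) > 1 and LOOPBACK.search(ev["cmdline"]):
        return ("ping_sleep", ev["cmdline"])
    return None


RULES = (rule_encoded_mppreference, rule_run_key_suspicious_folder, rule_ping_sleep)


def scan(events):
    """Apply every rule to every event; return (rule_name, detail) hits in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


# Constructed telemetry (simplified Sysmon-style fields). The exclusion path is the
# Public\Documents drop folder from the behaviour graph; the WsTaskLoad.exe directory
# is an assumption for this example, the page does not show it.
EXCLUSION_SCRIPT = "Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\Documents' -ExclusionExtension '.dll'"
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_command(EXCLUSION_SCRIPT)},
    {"type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"},  # benign
    {"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WsTaskLoad",
     "data": "C:\\Users\\Public\\Documents\\WsTaskLoad.exe"},
    {"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "data": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"},  # benign
    {"type": "process", "image": "C:\\Windows\\System32\\PING.EXE", "cmdline": "ping -n 10 127.0.0.1 > nul"},
    {"type": "process", "image": "C:\\Windows\\System32\\PING.EXE", "cmdline": "ping -n 2 update.purecodec.com"},
]

if __name__ == "__main__":
    for name, detail in scan(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

Running the block prints one hit per rule: the decoded Add-MpPreference line, the Run key pointing into C:\Users\Public\Documents, and the loopback ping. The benign PowerShell, the OneDrive Run key and the ping against a real host stay silent, which is the false-positive boundary each of these rules relies on.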
Behaviour
Behavior Graph (ID 1708990; sample Lets_Inst.msi; start date 07/06/2025; architecture WINDOWS; score 100)

Sample node: network contacts 2025.ip138.com.wswebpic.com, www10.smartname.com, 4 other IPs or domains; signatures: Antivirus detection for dropped file, Multi AV Scanner detection for dropped file, Multi AV Scanner detection for submitted file, 8 other signatures.

Process tree, with dropped files, network contacts and signatures listed under the process the graph attributes them to (port lists reproduced as shown in the graph; "..." marks paths the graph itself truncates):

msiexec.exe
  dropped: C:\Windows\Installer\MSI6F05.tmp (PE32), C:\Windows\Installer\MSI6EE5.tmp (PE32), C:\Windows\Installer\MSI6E77.tmp (PE32), 33 other malicious files
  msiexec.exe
    dropped: C:\Users\Public\Documents\wavelet_3_8.dll (PE32), C:\Users\Public\Documents\libcef.dll (PE32), C:\Users\Public\Documents\ins.ini (PE32), 12 other malicious files
    signatures: Adds a directory exclusion to Windows Defender
    WsTaskLoad.exe
      TaskLoad.exe
        network: 2025.ip138.com.wswebpic.com (138.113.128.20, ports 49723, 80; FR-INRIA-SOPHIAINRIASophia-AntipolisEU, United States); heheedz.xin (1.32.250.69, ports 49724, 49725, 49727; BCPL-SGBGPNETGlobalASNSG, Singapore)
        dropped: C:\Users\user\AppData\Roaming\...\libmini.dll (PE32), C:\Users\user\AppData\Roaming\...\fhbmini.exe (PE32), C:\Users\user\AppData\Roaming\...\dll1.dll (PE32), 32 other malicious files
        signatures: Adds extensions / path to Windows Defender exclusion list; Disables UAC (registry); Disable Windows Defender real time protection (registry); Disable UAC (promptonsecuredesktop)
        powershell.exe (Loading BitLocker PowerShell Module)
          conhost.exe
        powershell.exe
          conhost.exe
        TaskLoad.exe
    powershell.exe (Loading BitLocker PowerShell Module)
      conhost.exe
      WmiPrvSE.exe
    powershell.exe
      conhost.exe
    powershell.exe
      conhost.exe
  msiexec.exe
    dropped: C:\Users\user\AppData\Local\Temp\viewer.exe (PE32)
  msiexec.exe
msiexec.exe
  dropped: C:\Users\user\AppData\Local\...\MSI3982.tmp (PE32), C:\Users\user\AppData\Local\...\MSI38B6.tmp (PE32), C:\Users\user\AppData\Local\...\MSI3896.tmp (PE32), 4 other malicious files
fhbmini.exe
  signatures: Creates an undocumented autostart registry key; Creates multiple autostart registry keys; Adds extensions / path to Windows Defender exclusion list
  powershell.exe (Loading BitLocker PowerShell Module)
    conhost.exe
  powershell.exe
    conhost.exe
  fhbmini.exe
11 other processes
  network: 127.0.0.1
  signatures: Creates files in the system32 config directory; Changes security center settings (notifications, updates, antivirus, firewall); Reads the Security eventlog; Reads the System eventlog
  TIM.exe
    network: www10.smartname.com (15.197.204.56, ports 49729, 80; TANDEMUS, United States); update.purecodec.com (192.157.56.139, ports 49728, 49730, 80; SERVER-MANIACA, Canada)
    wscript.exe
      signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
      cmd.exe
        dropped: C:\ProgramData\libcef.dll (PE32)
        signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
        conhost.exe
        Agghosts.exe
        PING.EXE
        4 other processes
  MpCmdRun.exe
    conhost.exe
  4 other processes
    WallPaper.exe
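The network indicators on this page come from two places with different weight: the reporter states a download URL and a C2 socket (1.32.250.69:6180), while the sandbox lists every host the sample contacted in one run, including the IP behind heheedz.xin and hosts that may be third-party services rather than attacker infrastructure. The Python below is an added example, not MalwareBazaar's code, showing how to merge both into one hunting set that keeps the source of each indicator, defang it for sharing, and match it against connection records. Indicator values are the ones on this page; the connection log lines and their format are constructed for the example.

```python
"""Normalize the indicators on this page into one hunting set, defang them for
sharing, and match them against connection telemetry. Added example, not
MalwareBazaar's code. Indicator values are those the reporter comment and the
behaviour graph list; the connection log lines are constructed for the example."""
import ipaddress
import re
from urllib.parse import urlsplit

# (value, kind, source) as the page shows them. The source tag is kept on purpose:
# the reporter names a C2 socket, while the sandbox lists every host the sample
# touched, some of which may be third-party services rather than infrastructure.
PAGE_IOCS = [
    ("https://td.tozwl.cn/", "url", "reporter"),
    ("1.32.250.69:6180", "socket", "reporter"),
    ("heheedz.xin", "domain", "sandbox"),
    ("2025.ip138.com.wswebpic.com", "domain", "sandbox"),
    ("www10.smartname.com", "domain", "sandbox"),
    ("update.purecodec.com", "domain", "sandbox"),
    ("1.32.250.69", "ip", "sandbox"),
    ("138.113.128.20", "ip", "sandbox"),
    ("15.197.204.56", "ip", "sandbox"),
    ("192.157.56.139", "ip", "sandbox"),
]

# Domain -> IP pairs as resolved in the sandbox run, so an IP hit can be labelled
# with the name the sample actually asked for.
SANDBOX_RESOLUTIONS = {
    "heheedz.xin": "1.32.250.69",
    "2025.ip138.com.wswebpic.com": "138.113.128.20",
    "www10.smartname.com": "15.197.204.56",
    "update.purecodec.com": "192.157.56.139",
}
IP_TO_NAME = {ip: name for name, ip in SANDBOX_RESOLUTIONS.items()}


def defang(value):
    """hxxp(s):// and [.] so a pasted indicator is neither clickable nor auto-resolved."""
    return re.sub(r"(?i)^http", "hxxp", value).replace(".", "[.]")


def refang(value):
    return re.sub(r"(?i)^hxxp", "http", value).replace("[.]", ".")


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def normalize(value, kind):
    """Reduce an indicator to (host, port-or-None); only explicitly stated ports are kept."""
    if kind == "url":
        parts = urlsplit(value)
        return parts.hostname.lower().rstrip("."), parts.port
    if kind == "socket":
        host, port = value.rsplit(":", 1)
        return host.lower(), int(port)
    return value.lower().rstrip("."), None


def build_hunt_set(iocs):
    """Merge overlapping indicators per host: {host: {"ports": set, "sources": set, "is_ip": bool}}."""
    hunt = {}
    for value, kind, source in iocs:
        host, port = normalize(value, kind)
        entry = hunt.setdefault(host, {"ports": set(), "sources": set(), "is_ip": is_ip(host)})
        if port is not None:
            entry["ports"].add(port)
        entry["sources"].add(source)
    return hunt


# Constructed connection record format: "<timestamp> <src> -> <dst>:<dport> <proto>".
CONN_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[\w.\-]+):(?P<dport>\d+)\s+(?P<proto>\w+)$")


def match_connections(lines, hunt):
    """Return (dst, dport, verdict, sources, sandbox_name) for every record touching the hunt set.
    verdict is "exact" when the port is one the page lists for that host, otherwise "host"."""
    hits = []
    for line in lines:
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # malformed records are skipped, not fatal
        dst, dport = m["dst"].lower().rstrip("."), int(m["dport"])
        entry = hunt.get(dst)
        if entry is None:
            continue
        verdict = "exact" if dport in entry["ports"] else "host"
        hits.append((dst, dport, verdict, sorted(entry["sources"]), IP_TO_NAME.get(dst)))
    return hits


# Constructed telemetry: one hit on the reporter's C2 socket, one on the same IP at
# another port, one on a sandbox-only host, one unrelated destination, one bad line.
SAMPLE_CONNECTIONS = [
    "2025-06-07T17:55:01Z 10.0.0.5 -> 1.32.250.69:6180 tcp",
    "2025-06-07T17:55:03Z 10.0.0.5 -> 1.32.250.69:443 tcp",
    "2025-06-07T17:55:04Z 10.0.0.5 -> update.purecodec.com:80 tcp",
    "2025-06-07T17:55:09Z 10.0.0.5 -> 198.51.100.7:443 tcp",
    "not a connection record",
]

if __name__ == "__main__":
    hunt = build_hunt_set(PAGE_IOCS)
    for host, entry in sorted(hunt.items()):
        ports = ",".join(map(str, sorted(entry["ports"]))) or "-"
        print(f"{defang(host):40} ports={ports:6} sources={','.join(sorted(entry['sources']))}")
    for dst, dport, verdict, sources, name in match_connections(SAMPLE_CONNECTIONS, hunt):
        print(f"{verdict:5} {defang(dst)}:{dport} ({','.join(sources)}; sandbox name: {name})")
```

The merge is the point: the reporter gives the socket, the sandbox gives the IP behind heheedz.xin, and once combined a connection to that IP on 6180 is an exact hit while one on another port is still a host-level hit worth a look. Hosts carrying only the "sandbox" tag are contacts observed in one run, not confirmed attacker infrastructure, and should be reviewed before they go on a blocklist.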
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2025-06-07 17:47:40 UTC
File Type: Binary (Archive)
Extracted files: 44816
AV detection: 10 of 23 (43.48%)
Threat level: 5/5
Result
Malware family: n/a
Score: 6/10
Tags: discovery persistence privilege_escalation
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Loads dropped DLL
Enumerates connected drives
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: ValleyRAT
Sample: Microsoft Software Installer (MSI) msi 090e306f68ff5d5c0acd3697c9e8fb8e45fc942645d6ff7aeacc4fea6174e968 (this sample)
