MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0aeccb14399537299f4818ad8fc6afb408261df3ea184ff207fe69cd313dcead. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	0aeccb14399537299f4818ad8fc6afb408261df3ea184ff207fe69cd313dcead
SHA3-384 hash:	c801f961e143842b40e0366665b6534a1ff6cc6bd4dd0fa02584a8f284a94e3e7fc1c1e4c3fc5202d48debcebe5d0a6b
SHA1 hash:	25b4a84a7a1a578c62359624fc16981ab6c26ba7
MD5 hash:	849b7a482b1183c5f2490e3faf1f67a4
humanhash:	minnesota-december-mobile-delta
File name:	ChromceSetcup.msi
Download:	download sample
Signature	ValleyRAT Create hunting rule
File size:	81'808'896 bytes
First seen:	2025-09-23 16:08:41 UTC
Last seen:	Never
File type:	msi
MIME type:	application/x-msi
ssdeep	1572864:YwUhgbdA09z/3vOISo+IAAiCQW5CJplxIIKV92xxxRe3c2j4t:YN0A09D+o+IAApQuaK3+xRgcw4
TLSH	T17B083321B26739A4D61FA7BFE0A85FC884317DE17317D96B23387BB14AB164761B1803
TrID	80.0% (.MSI) Microsoft Windows Installer (454500/1/170) 10.7% (.MST) Windows SDK Setup Transform script (61000/1/5) 7.8% (.MSP) Windows Installer Patch (44509/10/5) 1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika	msi
Reporter	GDHJDSYDH1
Tags:	backdoor dropper injector msi SilverFox ValleyRAT

GDHJDSYDH1

C2:
103.235.46.115:443
27.124.10.61:5178

Intelligence

File Origin

# of uploads :

1

# of downloads :

100

Origin country :

US

Vendor Threat Intelligence

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68d2c34fa8481b7a76abd804

Tags:

virus spawn blic

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

cmd lolbin obfuscated remote threat wix

Link:

https://www.filescan.io/uploads/68d2c7bcc24f53840f2eff77/reports/0b488fae-822f-44cc-9f73-9e36754853d8/overview

Verdict:

Suspicious

Link:

https://www.hybrid-analysis.com/sample/0aeccb14399537299f4818ad8fc6afb408261df3ea184ff207fe69cd313dcead

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/0aeccb14399537299f4818ad8fc6afb408261df3ea184ff207fe69cd313dcead

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

File Type:

msi

First seen:

2025-09-23T13:06:00Z UTC

Last seen:

2025-09-23T13:06:00Z UTC

Hits:

~10

Detections:

Trojan.Win64.Agent.sb BSS:Trojan.Win32.Generic Trojan.Win32.Agent.xcagep Trojan.Win32.Agent.sb HEUR:Trojan.OLE2.Alien.gen

Link:

https://opentip.kaspersky.com/0aeccb14399537299f4818ad8fc6afb408261df3ea184ff207fe69cd313dcead/results?tab=lookup

Score:

100%

Verdict:

Malware

File Type:

ARCHIVE

Link:

https://malprob.io/report/0aeccb14399537299f4818ad8fc6afb408261df3ea184ff207fe69cd313dcead

Gathering data

Verdict:

Malicious

Threat:

Trojan.Win64.Agent

Link:

https://tip.neiki.dev/file/0aeccb14399537299f4818ad8fc6afb408261df3ea184ff207fe69cd313dcead

Threat name:

Win64.Trojan.Astraea

Status:

Malicious

First seen:

2025-09-23 15:57:06 UTC

File Type:

Binary (Archive)

Extracted files:

5565

AV detection:

10 of 38 (26.32%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=blwmwfbzsu3sth2idcwy7rvpwqecmhpt5ime74qh7zu42mj5z2wq._file

Result

Malware family:

n/a

Score:

6/10

Tags:

discovery persistence privilege_escalation

Link:

https://tria.ge/reports/250923-tpeyvstlx4/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Event Triggered Execution: Installer Packages

System Location Discovery: System Language Discovery

Loads dropped DLL

Enumerates connected drives

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/0bfa0abd-d67d-44c1-975d-df94c1f5fa11

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0aeccb143995/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

msi 0aeccb14399537299f4818ad8fc6afb408261df3ea184ff207fe69cd313dcead

(this sample)

zip 70ab8b20d6ad347a3cc27f49d99987dd2ea4164f6e3d7cb2e113d0a68063a1c0

anyrun

any.run

https://app.any.run/tasks/7ae48d8b-4a2a-42a9-ae2f-9b6a761eeeab

Link

https://tria.ge/250923-thfxkstsav/behavioral1

Delivery method

Distributed via web download

Dropping

SHA256 70ab8b20d6ad347a3cc27f49d99987dd2ea4164f6e3d7cb2e113d0a68063a1c0

Dropping

MD5 9948d9e8d7807d275342edc0a777cf0a

Dropping

SHA256 28da370a841f801c521f4735f5613bf4bb67d3f0a727f1b974d7178e9482256f

Dropping

MD5 a8aa086c1e1e6dba37ed0e80892a9d05

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample