MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1350611b40824f00c394577518cb1ece915386190cdb9472a5b0d0f8dcefda37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 22 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1350611b40824f00c394577518cb1ece915386190cdb9472a5b0d0f8dcefda37
SHA3-384 hash: 36d8bbbd0fea289db49f52e3864c78cdf98fb697116511f9ecfb7dc4fdb4872791c341018a3ecda8d97c30142bcb1e60
SHA1 hash: e7e3ce13ba656b7de1bdbba8c46e4effee683a15
MD5 hash: 0857f027188b7a18716cdbf069b0b8b2
humanhash: purple-lamp-juliet-twenty
File name:0857F027188B7A18716CDBF069B0B8B2.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:14'458'880 bytes
First seen:2025-05-26 14:25:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dd0981a4cdd988812b1156d80d755fb1 (1 x ValleyRAT)
ssdeep 98304:+SoiEmlG4wY1D53NH6uU6R8+H6L3Ovq7OcUqJeySJtCheYHmCkE:PV1DBsuUaH6L3FUqJe7oeSzkE
TLSH T157E66B045DA15162C8ACEAB928B57F3FC5FE2D17BE5F86E20B90BD106E77CA44F21106
TrID 42.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
22.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
14.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 23f0d89696d8f033 (2 x ValleyRAT)
Reporter abuse_ch
Tags:exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
45.204.194.199:6666

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.204.194.199:6666 https://threatfox.abuse.ch/ioc/1534751/

Intelligence

File Origin
# of uploads :
1
# of downloads :
500
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0857F027188B7A18716CDBF069B0B8B2.exe
Verdict:
Malicious activity
Analysis date:
2025-05-26 14:27:34 UTC
Tags:
payload silverfox backdoor valleyrat winos rat arch-exec auto-startup
Link:
https://app.any.run/tasks/9a68119a-a1c1-49f1-81f9-cc3905b617c9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.26341.20807.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68347cbeacf88f5815e7289e
Tags:
autorun emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Restart of the analyzed sample
Creating a process with a hidden window
Creating a file
Creating a process from a recently created file
Running batch commands
Connection attempt
Sending a custom TCP request
Launching a process
Searching for the window
Blocking the User Account Control
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Blocking the Windows Defender launch
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug fingerprint iceid keylogger microsoft_visual_cc
Link:
https://www.filescan.io/uploads/68347a13e336a33801de5afc/reports/b4a47bcd-9871-44e4-a8ce-e3e6faf594e2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1350611b40824f00c394577518cb1ece915386190cdb9472a5b0d0f8dcefda37
Malware family:
Winos
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6ef17b77-78ce-4b94-9b36-e1ecb88eb3b9
Result
Threat name:
GhostRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1699268
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Disables UAC (registry)
Drops large PE files
Found malware configuration
Found suspicious ZIP file
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Sigma detected: MSHTA Suspicious Execution 01
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Suricata IDS alerts for network traffic
Tries to detect virtualization through RDTSC time measurements
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected GhostRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1699268 Sample: XuKgS1zcP4.exe Startdate: 26/05/2025 Architecture: WINDOWS Score: 100 53 Suricata IDS alerts for network traffic 2->53 55 Found malware configuration 2->55 57 Multi AV Scanner detection for dropped file 2->57 59 11 other signatures 2->59 9 XuKgS1zcP4.exe 1 2->9         started        process3 signatures4 67 Drops large PE files 9->67 69 Tries to detect virtualization through RDTSC time measurements 9->69 12 XuKgS1zcP4.exe 1 19 9->12         started        16 cmd.exe 1 9->16         started        process5 file6 43 C:\Users\Public\Downloads\movedcs.exe, PE32 12->43 dropped 45 C:\Users\Public\DUCJuvS\shouhujincheng.exe, PE32 12->45 dropped 47 C:\Users\Public\DUCJuvS\qusdjcxzzsa.exe, PE32 12->47 dropped 49 4 other malicious files 12->49 dropped 71 Disables UAC (registry) 12->71 18 qusdjcxzzsa.exe 12->18         started        73 Uses cmd line tools excessively to alter registry or file data 16->73 21 conhost.exe 16->21         started        23 reg.exe 1 16->23         started        25 reg.exe 1 16->25         started        27 2 other processes 16->27 signatures7 process8 signatures9 61 Writes to foreign memory regions 18->61 63 Allocates memory in foreign processes 18->63 65 Injects a PE file into a foreign processes 18->65 29 Tdcxszznxsdf.exe 3 18->29         started        33 cmd.exe 1 18->33         started        35 ghn.exe 18->35         started        37 4 other processes 18->37 process10 dnsIp11 51 45.204.194.199, 49721, 49722, 49723 ITACE-AS-APItaceInternationalLimitedHK Seychelles 29->51 75 Contains functionality to inject threads in other processes 29->75 77 Contains functionality to capture and log keystrokes 29->77 79 Contains functionality to inject code into remote processes 29->79 81 Uses cmd line tools excessively to alter registry or file data 33->81 39 mshta.exe 3 15 33->39         started        41 conhost.exe 33->41         started        83 Tries to detect virtualization through RDTSC time measurements 35->83 signatures12 process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1350611b40824f00c394577518cb1ece915386190cdb9472a5b0d0f8dcefda37
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1350611b40824f00c394577518cb1ece915386190cdb9472a5b0d0f8dcefda37/
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-05-24 06:01:01 UTC
File Type:
PE (Exe)
Extracted files:
47
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cnigcg2aqjhqbq4uk52rrsy6z2ivhbqzbtnzi4vfwdiprxhp3i3q._file
Verdict:
malicious
Label(s):
winos
Create hunting rule
chinajmransomware
Create hunting rule
Similar samples:
error
ValleyRAT
Result
Malware family:
valleyrat_s2
Create hunting rule
Score:
  10/10
Tags:
family:valleyrat_s2 backdoor defense_evasion discovery evasion privilege_escalation trojan
Link:
https://tria.ge/reports/250526-rrygwa1lt4/
Behaviour
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Access Token Manipulation: Create Process with Token
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Enumerates connected drives
Checks computer location settings
Drops startup file
Executes dropped EXE
Modifies Windows Defender DisableAntiSpyware settings
UAC bypass
ValleyRat
Valleyrat_s2 family
Malware Config
C2 Extraction:
45.204.194.199:6666
Verdict:
Malicious
Tags:
processkiller
YARA:
n/a
Link:
https://app.threat.zone/submission/9e82e7c7-aa94-4df5-a768-561801e5e23c
Unpacked files
SH256 hash:
1350611b40824f00c394577518cb1ece915386190cdb9472a5b0d0f8dcefda37
MD5 hash:
0857f027188b7a18716cdbf069b0b8b2
SHA1 hash:
e7e3ce13ba656b7de1bdbba8c46e4effee683a15
Link:
https://www.unpac.me/results/0a0606b2-1201-41e5-a77e-b2de31db7213/
SH256 hash:
3515e87720ce9ee0f2a37ce09807f0071c5733aadf042e3c1037b3ad71d19016
MD5 hash:
76b5fa9590d77082dc2556347e62c816
SHA1 hash:
c12d81b38afb3dbb3fa28e17798e378cad81786b
Link:
https://www.unpac.me/results/0a0606b2-1201-41e5-a77e-b2de31db7213/
SH256 hash:
a43d7009399c05c73caa4fb775034e0df80052e1294ed1ca2c24f5e7a088eff4
MD5 hash:
44a567c5178a67f56309d4f1fb5f2353
SHA1 hash:
7896418fc7af8785c850367f74d94b6947ceaa6d
Link:
https://www.unpac.me/results/0a0606b2-1201-41e5-a77e-b2de31db7213/
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1350611b4082/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1350611b40824f00c394577518cb1ece915386190cdb9472a5b0d0f8dcefda37

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CMD_Shutdown
Create hunting rule
Author:adm1n_usa32
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Hacktools_CN_Panda_andrew
Create hunting rule
Author:Florian Roth
Description:Disclosed hacktool set - file andrew.exe - sethc.exe Debugger backdoor
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Generic_Threat_3f060b9c
Create hunting rule
Author:Elastic Security
Rule name:Windows_Generic_Threat_4b0b73ce
Create hunting rule
Author:Elastic Security
Rule name:Windows_Generic_Threat_bc6ae28d
Create hunting rule
Author:Elastic Security
Rule name:win_valley_rat_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.valley_rat.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments