MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18332eb2631bdc0d2f1c3636da1458c7bcb3b56cdff4b19b13c772983bc90bd8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT

Vendor detections: 12



SHA256 hash: 18332eb2631bdc0d2f1c3636da1458c7bcb3b56cdff4b19b13c772983bc90bd8
SHA3-384 hash: 92e4c002d4114776b26ed51a5f834329c790714887105d6c52bfd25e4300c1c9707400c0bdaf26b7e04bd6813e0127ca
SHA1 hash: c7c5c3e857a2de348113256daca3ccff4f58d974
MD5 hash: 3c5436dbec37b273893d8469416d3825
humanhash: california-illinois-sweet-carbon
File name: Lets-VPN.msi
Signature: ValleyRAT
File size: 17'295'872 bytes
First seen: 2025-05-07 12:25:32 UTC
Last seen: 2025-05-08 06:44:17 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 393216:YnI5IRdl+do/FaCtCp8Kzy8JkSCsr1yy/wZl5EH:ZIRTtFzAprz7Esr1Sl+
Threatray: 122 similar samples on MalwareBazaar
TLSH: T13D072321A787C435D21E0177A968FF6E0939BEB70B3005D7B7987C6E09B08C29679B53
TrID: 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
      10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
      7.8% (.MSP) Windows Installer Patch (44509/10/5)
      1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: smica83
Tags: 43-99-244-219 msi ValleyRAT xk2-ksdcks-org

Intelligence


File Origin
# of uploads: 2
# of downloads: 77
Origin country: HU
Vendor Threat Intelligence

Verdict: Malicious
Score: 92.5%
Tags: shellcode shell overt

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context cmd expired-cert fingerprint lolbin msiexec netsh packed remote short-lived-cert wix

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: GhostRat, ValleyRAT
Detection: malicious
Classification: spre.troj.spyw.evad
Score: 70 / 100
Signature
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Found stalling execution ending in API Sleep call
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the DNS server
Modifies the windows firewall
Performs a network lookup / discovery via ARP
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Yara detected GhostRat
Yara detected ValleyRAT
Behaviour

Behavior Graph (ID 1683242; sample Lets-VPN.msi; start date 07/05/2025; architecture WINDOWS; score 70). The graph image itself is not part of this page; its node labels are listed below.

Network contacts:
- xk2.ksdcks.org (43.99.244.219), TCP 443, local ports 49716 and 49766, LILLY-ASUS, Japan; contacted by mesedge.exe
- www.yandex.com / yandex.com (5.255.255.77), TCP 443, local port 49733, YANDEXRU, Russian Federation; contacted by LetsPRO.exe
- 23.98.101.155, TCP 443, local ports 49742 and 49760, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States; contacted by LetsPRO.exe
- 7 other IPs or domains (from the sample root) and 11 other IPs or domains (from LetsPRO.exe)

Process tree:
- Lets-VPN.msi starts msiexec.exe, cmd.exe, svchost.exe and 11 other processes
- msiexec.exe starts 1.exe, cmd.exe, mesedge.exe and a second msiexec.exe
- cmd.exe (started by the sample) starts cmd.exe and conhost.exe; the child cmd.exe starts powershell.exe and 2 other processes (signatures: uses netsh to modify the Windows network and firewall settings, modifies the windows firewall, adds a directory exclusion to Windows Defender)
- svchost.exe starts MpCmdRun.exe (signature: changes security center settings); MpCmdRun.exe starts conhost.exe
- the 11 other processes started by the sample include drvinst.exe and 11 further processes (signature: modifies the DNS server)
- 1.exe starts LetsPRO.exe, cmd.exe, powershell.exe and 8 other processes (signature: sample is not signed and drops a device driver); its cmd.exe child runs ipconfig and ARP lookups plus 2 other processes; its powershell.exe child loads the BitLocker PowerShell module and starts conhost.exe
- cmd.exe (started by msiexec.exe) starts cmd.exe and conhost.exe; that cmd.exe starts two netsh.exe instances, conhost.exe and 25 other processes; one netsh.exe performs the WMI queries (Win32_NetworkAdapter, Win32_DiskDrive, Win32_LogicalDisk) and the other starts WmiPrvSE.exe
- LetsPRO.exe starts a second LetsPRO.exe, which loads the BitLocker PowerShell module and starts three cmd.exe instances running ARP.EXE, ipconfig.exe and ROUTE.EXE (each with a conhost.exe)

Dropped files:
- by msiexec.exe: C:\Program Files (x86)behaviorgraphooggle\mesedge.exe (PE32), C:\Program Files (x86)behaviorgraphooggle\1.exe (PE32), C:\Program Files (x86)\ddffffaSD.bat (DOS), and 10 other files (none is malicious)
- by 1.exe: C:\Program Files (x86)\...\tap0901.sys (PE32+), C:\Program Files (x86)\...\LetsPRO.exe (PE32), C:\Program Files (x86)\...\LetsPRO.exe.config (XML), and 218 other files (1 malicious)
- by drvinst.exe: C:\Windows\System32\...\tap0901.sys (copy) (PE32+), C:\Windows\System32\...\SET4FA1.tmp (PE32+)
- by other processes: C:\Windows\System32\...\tap0901.sys (copy) (PE32+), C:\Windows\System32\drivers\SET552D.tmp (PE32+), C:\Users\user\AppData\...\tap0901.sys (copy) (PE32+), C:\Users\user\AppData\Local\...\SET4C75.tmp (PE32+)

Signatures attached to the root node: Suricata IDS alerts for network traffic, malicious sample detected (through community Yara rule), Yara detected ValleyRAT, and 9 other signatures (listed under Signature above).
Result
Malware family: donutloader
Score: 10/10
Tags: family:donutloader defense_evasion discovery execution loader persistence privilege_escalation upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Gathers network information
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Checks installed software on the system
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
UPX packed file
Adds Run key to start application
Enumerates connected drives
Modifies Windows Firewall
Network Service Discovery
Drops file in Drivers directory
Detects DonutLoader
DonutLoader
Donutloader family
Malware family: ValleyRAT
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Detect_LATAM_MSI_Banker

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: maldoc_OLE_file_magic_number
Author: Didier Stevens (https://DidierStevens.com)

Rule name: suspicious_msi_file
Author: Johnk3r
Description: Detects common strings, DLL and API in Banker_BR

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments