MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2052aaf8fbc964dc9c4d78da7023d1bbe01eb873f44d5d40fb4b59b95c420c2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT

Vendor detections: 8


SHA256 hash: 2052aaf8fbc964dc9c4d78da7023d1bbe01eb873f44d5d40fb4b59b95c420c2e
SHA3-384 hash: 308c7b9720fb5669b3d78b5e2ddff60e5379981a8d95640d1d8d1583b22b1b7300ce23dc8fc05c9a98a775903bc89d4f
SHA1 hash: afaa9b8baef0925ce324c80ab8a012303319bdfc
MD5 hash: ca69691102b38ea5a46a0c00d17ede40
humanhash: oxygen-florida-monkey-juliet
File name: DeepLSetup.zip
Signature: ValleyRAT
File size: 52'138'976 bytes
First seen: 2025-08-13 05:53:38 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 1572864:TlmVGXSNhGdVXTueLzACFuSDAVqLh/DGh6C:TMGCnGbueb4kvKUC
TLSH: T10BB7339D34841352E083DE366E7FE8C13F48B1624F1A76817227891BBED07FD65A2687
Magika: zip
Reporter: GDHJDSYDH1
Tags: backdoor dllHijack file-pumped SilverFox ValleyRAT zip

Intelligence


File Origin
# of uploads: 1
# of downloads: 103
Origin country: US
File Archive Information

This file archive contains 4 file(s), sorted by their relevance:

File name: Thunderbird_v78.0.1.exe
File size: 49'865'736 bytes
SHA256 hash: db39f947ea16341d435e3878c77f36fc1c61e0b72f754140d816ee28f2209a8a
MD5 hash: 8b3475ac92f4ef3b01c30dace4b03b5f
MIME type: application/x-dosexec
Signature: ValleyRAT

File name: EnumW.dll
Pumped file: This file is pumped. MalwareBazaar has de-pumped it.
File size: 241'715'600 bytes
SHA256 hash: c9dc4ee7dd00afc58c58006da15e4f1b1a822dd46293650287eed97b014b1c6c
MD5 hash: 5214d054eb644d2e5b5ff8d3a4a1b8fd
De-pumped file size: 241'702'400 bytes (vs. original size of 241'715'600 bytes)
De-pumped SHA256 hash: 6ce8453d0fafe1d49da36c291d87b1cd776e142175f365de05bb9af0715db0b0
De-pumped MD5 hash: ed5337cc5aa97b0737d86aa2a13868e2
MIME type: application/x-dosexec
Signature: ValleyRAT

File name: DeepLSetup.exe
File size: 4'436'760 bytes
SHA256 hash: c0824599dec4170e272c800eb24f1cadc582d3f3dd6f351afa52b95dd4e81967
MD5 hash: e88464c70fa1e6af13f656c9523d020a
MIME type: application/x-dosexec
Signature: ValleyRAT

File name: Uninstall AdsPower Global.exe
File size: 297'176 bytes
SHA256 hash: b31832956d0be066bfb197055d188f20ada25f46e8e2e8db0b2df96ab8d78121
MD5 hash: 5b48de891d3444317aa642119e032adb
MIME type: application/x-dosexec
Signature: ValleyRAT
Vendor Threat Intelligence
Verdict: Malicious
Score: 81.4%
Tags: virus
Verdict: Malicious
Threat: Win64.Certificate.Invalid
Threat name: Binary.Trojan.Generic
Status: Suspicious
First seen: 2025-08-13 05:54:28 UTC
File Type: Binary (Archive)
Extracted files: 562
AV detection: 5 of 24 (20.83%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: defense_evasion discovery persistence privilege_escalation spyware stealer trojan upx
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Drops file in Program Files directory
Checks installed software on the system
Network Service Discovery
Checks computer location settings
Drops startup file
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: botnet_plaintext_c2
Author: cip
Description: Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name: PK_PUMP_AND_DUMP
Author: Will Metcalf @node5
Description: Walks Zip Central Directory filename entries looking for an abused extension, then checks for a file that's at least 25M, and then checks how much the uncompressed size is vs. the compressed size.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP).

File information


The table below shows additional information about this malware sample such as delivery method and external references.

ValleyRAT
zip 2052aaf8fbc964dc9c4d78da7023d1bbe01eb873f44d5d40fb4b59b95c420c2e (this sample)
Delivery method: Distributed via drive-by