MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 233c2a594ffa1e444ba1835a06e4a332610b52cfbe27c99bc8f211430188c015. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 233c2a594ffa1e444ba1835a06e4a332610b52cfbe27c99bc8f211430188c015
SHA3-384 hash: b487c549f80b887c15427e4dc332cb32b81c3b3f825ee9e372864eee0d1bc4113bf69912dabd2a48d5b0c8bca9f2f5a0
SHA1 hash: 5d8cfeb5fa7a5a16c5368c781eecf4c0e204edd7
MD5 hash: f84ca31ce06e46703cd1a0fe969409df
humanhash: march-equal-eighteen-don
File name:letsvpn.msi
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:21'167'616 bytes
First seen:2025-08-22 23:41:37 UTC
Last seen:2025-08-23 18:00:25 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 393216:u8yd2t9zr8t8GFMhpppPi7P26RzIcdwQuiQDlwg0S+B7Pnnzmqyh:uxsYS+MBpgP2k0EwQul+dCqG
Threatray 62 similar samples on MalwareBazaar
TLSH T1CC271320759DC232F66F05B19929DA2AE53C7DE30B7004EB93E4F95A6A314C25739F83
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter aachum
Tags:CHN donutloader msi SilverFox ValleyRAT VoidArachne winos


Avatar
iamaachum
https://hckuailian.com.cn/ => https://userdowm.com/letsvpn => https://8.148.81.2:57896/letsvpn/letsvpn.msi

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
156.239.14.198:8863 https://threatfox.abuse.ch/ioc/1572870/

Intelligence

File Origin
# of uploads :
3
# of downloads :
57
Origin country :
ES ES
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/23106/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a9007ce9d9dbcfd96d2a9c
Tags:
shellcode dropper farfli virus
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
base64 cmd lolbin msiexec threat
Link:
https://www.filescan.io/uploads/68a900394a87ed796768be9e/reports/b86ceec3-0eb4-4465-a413-c79506153181/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/233c2a594ffa1e444ba1835a06e4a332610b52cfbe27c99bc8f211430188c015
Verdict:
Malicious
File Type:
msi
First seen:
2025-08-18T19:49:00Z UTC
Last seen:
2025-08-18T19:49:00Z UTC
Hits:
~10
Detections:
Trojan.Win64.DonutInjector.sb Trojan.Win64.Donut.sb Trojan.Win32.Shellcode.sb Trojan.Win32.Inject.sb Trojan.Win32.Agentc.bp Backdoor.Win32.Xkcp.a Backdoor.Agent.TCP.C&C
Link:
https://opentip.kaspersky.com/233c2a594ffa1e444ba1835a06e4a332610b52cfbe27c99bc8f211430188c015/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1763304
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
33%
Verdict:
Susipicious
File Type:
ARCHIVE
Link:
https://malprob.io/report/233c2a594ffa1e444ba1835a06e4a332610b52cfbe27c99bc8f211430188c015
Verdict:
Malware
YARA:
7 match(es)
Tags:
.Net CAB:COMPRESSION:MSZIP DeObfuscated Executable Managed .NET Office Document PDB Path PE (Portable Executable) PE File Layout PowerShell SOS: 0.00 SOS: 0.01 SOS: 0.04 SOS: 0.06 SOS: 0.11 SOS: 0.13 SOS: 0.14 SOS: 0.15 SOS: 0.16 SOS: 0.17 SOS: 0.18 SOS: 0.19 SOS: 0.20 SOS: 0.21 SOS: 0.22 SOS: 0.23 SOS: 0.24 SOS: 0.25 SOS: 0.26 SOS: 0.27 SOS: 0.28 SOS: 0.29 SOS: 0.30 SOS: 0.31 SOS: 0.32 SOS: 0.34 SOS: 0.35 SOS: 0.38 SOS: 0.40 SOS: 0.41 SOS: 0.43 SOS: 0.47 SOS: 0.52 SOS: 0.68 SOS: 0.73 SVG
Link:
https://app.malva.re/file/f84ca31ce06e46703cd1a0fe969409df
Gathering data
Verdict:
Malicious
Threat:
Trojan.Win32.Donut
Link:
https://tip.neiki.dev/file/233c2a594ffa1e444ba1835a06e4a332610b52cfbe27c99bc8f211430188c015
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2025-08-19 00:51:39 UTC
File Type:
Binary (Archive)
Extracted files:
831
AV detection:
14 of 38 (36.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=em6cuwkp7ipeis5bqnnanzfdgjqqwuwpxyt4tg6i6iiugamiyakq._file
Verdict:
malicious
Label(s):
donut_injector
Create hunting rule
Similar samples:
2896e00c273b4e820a8f41636166f6215cfee575430a06445fa58cd65983d256
ValleyRAT
2b18b1aa768ad59bee0b615399777edaae15f3834e62dd27dcd159d7a8604526
ValleyRAT
9e1b6b07c4e770a811fe6922c7f7cb56273c28cf37379ccba8ddaf632b87f401
ValleyRAT
error
ValleyRAT
fe931e1618250eb9ec266f276c9e50fab31028cc8e567ea9ce106fa24be1fda4
ValleyRAT
+ 52 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery persistence privilege_escalation
Link:
https://tria.ge/reports/250822-3qb32aen3z/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Loads dropped DLL
Enumerates connected drives
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ef25668a-a425-437f-ac13-ab8ccd465790
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/233c2a594ffa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/233c2a594ffa1e444ba1835a06e4a332610b52cfbe27c99bc8f211430188c015

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_MSI_LATAM_Banker_From_LatAm
Create hunting rule
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ValleyRAT

Microsoft Software Installer (MSI) msi 233c2a594ffa1e444ba1835a06e4a332610b52cfbe27c99bc8f211430188c015

(this sample)

  
Link
https://tria.ge/250822-3khzdsem8z/behavioral2
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/23106/

Comments