MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27aaa78d661532a8c2702640a43496f1fa3f19b3af31d2f3d8110860ff2a9a01. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 27aaa78d661532a8c2702640a43496f1fa3f19b3af31d2f3d8110860ff2a9a01
SHA3-384 hash: e0194ddf13ab31959480b20ff4db866ea138e913e2476d1e4336a31876c451659190f820d7288a1d3b4616154a4562cc
SHA1 hash: d6c429733e1f23b522b908aeb8a47d644f27d3b3
MD5 hash: 15d3e848e744aa25b6edbaefdf57bf3f
humanhash: foxtrot-cat-spaghetti-violet
File name:15D3E848E744AA25B6EDBAEFDF57BF3F.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:77'302'708 bytes
First seen:2025-01-02 16:25:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b5a014d7eeb4c2042897567e1288a095 (21 x HijackLoader, 14 x ValleyRAT, 12 x LummaStealer)
ssdeep 1572864:9X0PbA0443v1abVn91uAsrTKaCSMehPEHz7FMosCyx7ry1PVsyw80Zbn9CIrQme:eTAVmaJjsrTKpSMehc7FMohyx7ry19PX
Threatray 278 similar samples on MalwareBazaar
TLSH T1DC0833C9B708BB77C410DFB2AADCFB8B21F6D91015159D5E5AA14C47ACDE306036A2CB
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 01e4f2dcd4d4d400 (5 x ValleyRAT)
Reporter abuse_ch
Tags:exe SilverFox ValleyRAT winos


Avatar
abuse_ch
ValleyRAT C2:
156.251.17.243:17093

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
156.251.17.243:17093 https://threatfox.abuse.ch/ioc/1377275/

Intelligence

File Origin
# of uploads :
1
# of downloads :
747
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
15D3E848E744AA25B6EDBAEFDF57BF3F.exe
Verdict:
Malicious activity
Analysis date:
2025-01-02 16:27:02 UTC
Tags:
silverfox backdoor
Link:
https://app.any.run/tasks/f79d1d29-19ac-46c0-9334-50336cd97d86

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6776be221ada7077982558ad
Tags:
emotet shell sage blic
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context fingerprint installer lolbin microsoft_visual_cc overlay packed packer_detected update
Link:
https://www.filescan.io/uploads/6776be200a45a868c018a22e/reports/f1855313-75c5-441f-b600-fae3233c0ee3/overview
Verdict:
Malicious
Labled as:
Trojan/Generic
Link:
https://www.hybrid-analysis.com/sample/27aaa78d661532a8c2702640a43496f1fa3f19b3af31d2f3d8110860ff2a9a01
Result
Verdict:
MALICIOUS
Result
Threat name:
GhostRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1583412
Signature
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Found malware configuration
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Program Location with Network Connections
Suricata IDS alerts for network traffic
Yara detected GhostRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1583412 Sample: 8R2YjBA8nI.exe Startdate: 02/01/2025 Architecture: WINDOWS Score: 100 65 Suricata IDS alerts for network traffic 2->65 67 Found malware configuration 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 7 other signatures 2->71 9 8R2YjBA8nI.exe 10 2->9         started        process3 file4 51 C:\Users\Public\Bilite\Axialis\Update.exe, PE32 9->51 dropped 53 C:\Users\Public\...\ldplayer9_ld_6000_ld.exe, PE32 9->53 dropped 55 C:\Users\Public\Bilite\Axialis\Update.dll, PE32 9->55 dropped 12 cmd.exe 1 9->12         started        process5 signatures6 73 Bypasses PowerShell execution policy 12->73 15 Update.exe 3 8 12->15         started        20 conhost.exe 12->20         started        process7 dnsIp8 57 156.251.17.243, 17093, 18852, 49890 POWERLINE-AS-APPOWERLINEDATACENTERHK Seychelles 15->57 45 C:\Users\user\AppData\Local\updated.ps1, ASCII 15->45 dropped 47 C:\Users\user\AppData\Local\Temp\backup.exe, PE32 15->47 dropped 49 C:\Users\user\AppData\Local\Temp\backup.dll, PE32 15->49 dropped 59 Contains functionality to inject threads in other processes 15->59 61 Contains functionality to capture and log keystrokes 15->61 63 Contains functionality to inject code into remote processes 15->63 22 cmd.exe 1 15->22         started        24 cmd.exe 1 15->24         started        26 cmd.exe 1 15->26         started        file9 signatures10 process11 process12 28 powershell.exe 1 23 22->28         started        31 conhost.exe 22->31         started        33 powershell.exe 37 24->33         started        35 conhost.exe 24->35         started        37 conhost.exe 26->37         started        39 tasklist.exe 1 26->39         started        41 timeout.exe 1 26->41         started        43 10 other processes 26->43 signatures13 75 Loading BitLocker PowerShell Module 33->75
Score:
92%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/27aaa78d661532a8c2702640a43496f1fa3f19b3af31d2f3d8110860ff2a9a01
Gathering data
Threat name:
Win32.Ransomware.Generic
Create hunting rule
Status:
Malicious
First seen:
2025-01-01 23:12:00 UTC
File Type:
PE (Exe)
Extracted files:
421
AV detection:
13 of 38 (34.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e6vkpdlgcuzkrqtqezakinew6h5d6gntv4y5f46yceegb7zktiaq._file
Verdict:
malicious
Label(s):
winos
Create hunting rule
Similar samples:
3e5045e0af927fed92760e84a4300a7803632d7d8da0fcd5126700bfa4a79029
ValleyRAT
584945fbd2076bc151184065a72373f87405136be7b0131d36ded7d986b968fc
ValleyRAT
5d58bde372ddc0e1515be4ce41246f302e7e4c9962e3296af49aabdec74bee2c
ValleyRAT
623897df28c316d90bb0946128ee6a4a9fe9776307787f1de12c3b078b338778
ValleyRAT
6c547f7a7e7964a03945cef9bd53e792256e2beb24e15be780714ae349c8a81b
ValleyRAT
9b1f4d88a2d0db1954030c38bbaac8f7f7a37575536f4124ebfe074936f14b98
ValleyRAT
error
ValleyRAT
+ 268 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250102-txhpqa1khj/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Enumerates processes with tasklist
Command and Scripting Interpreter: PowerShell
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Tags:
Win.Malware.Lazy-10039964-0
YARA:
n/a
Link:
https://app.threat.zone/submission/24848411-a875-4f42-a553-f7abec83b49c
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetDiskFreeSpaceExW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetSystemDirectoryW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::FindFirstFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments