MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28da370a841f801c521f4735f5613bf4bb67d3f0a727f1b974d7178e9482256f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT

Vendor detections: 9

SHA256 hash: 28da370a841f801c521f4735f5613bf4bb67d3f0a727f1b974d7178e9482256f
SHA3-384 hash: b020e4310f6d9d69c0ba83f5403e447820eaef76e8dc74c4de945be2e9aaa564c7999ce7a84bf28c24144a7ee2d789f4
SHA1 hash: ed78ba159679c2303c22096afc856ff8d400ba46
MD5 hash: a8aa086c1e1e6dba37ed0e80892a9d05
humanhash: six-indigo-earth-iowa
File name: znmxsnd1748255140.zip
Signature: ValleyRAT
File size: 3'213'750 bytes
First seen: 2025-09-23 16:29:18 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 49152:2ARzQZfmnNZkg6c4BPKBobyFYva5tNARmUAJ70O3vUWJUbRpUi4zE52ngmEI:vRzQoUnfBiHoavNky0+vdObDUi4LngVI
TLSH: T1C5E51185B4601B46E5914F3B6E3FF286678D23180A1E3920777B4A6AFE917ED21C40DF
Magika: zip
Reporter: GDHJDSYDH1
Tags: backdoor dllHijack file-pumped SilverFox ValleyRAT zip

Intelligence

File Origin
# of uploads: 1
# of downloads: 113
Origin country: US
File Archive Information

This file archive contains 8 file(s), sorted by their relevance:

File name: MSVCP140.dll
File size: 627'992 bytes
SHA256 hash: 99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd
MD5 hash: c1b066f9e3e2f3a6785161a8c7e0346a
MIME type: application/x-dosexec
Signature: ValleyRAT

File name: vcruntime140_1.dll
File size: 49'744 bytes
SHA256 hash: 6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e
MD5 hash: eb49c1d33b41eb49dfed58aafa9b9a8f
MIME type: application/x-dosexec
Signature: ValleyRAT

File name: tier0.dll
File size: 415'328 bytes
SHA256 hash: 0c1f82e647de026ee30aa1f2948e5cdba680ffa62fe1ca17fd6a5f2cf6ba2df5
MD5 hash: 4e2a7adfddee50035407bb43659f305f
MIME type: application/x-dosexec
Signature: ValleyRAT

File name: vstdlib.dll
Pumped file: This file is pumped. MalwareBazaar has de-pumped it.
File size: 246'290'832 bytes
SHA256 hash: 4126e5bbddac8b622bd13c118df02a900c356fa0f6a1250ac7ee0b26baa1e935
MD5 hash: 82063b54ddef802d0509484cab65cd77
De-pumped file size: 246'283'776 bytes (vs. original size of 246'290'832 bytes)
De-pumped SHA256 hash: cc58859c19e3dbd3bbad35aa895a3f1fcd950cd9b9083bae593b774a1d77e293
De-pumped MD5 hash: d7745dfe38e9abf2f2800a379f80a69a
MIME type: application/x-dosexec
Signature: ValleyRAT

File name: VCRUNTIME140.dll
File size: 119'376 bytes
SHA256 hash: a06c9ea4f815dac75d2c99684d433fbfc782010fae887837a03f085a29a217e8
MD5 hash: e9b690fbe5c4b96871214379659dd928
MIME type: application/x-dosexec
Signature: ValleyRAT

File name: emjio.tmp
File size: 311'681 bytes
SHA256 hash: fc4b5ece8716cd95ba8e2b064df057246da18a83e863283b998fbb7d5e3999da
MD5 hash: 9b0ad8919db1cfc7378ad1a83b8a7f89
MIME type: image/jpeg
Signature: ValleyRAT

File name: qdata.tmp
File size: 72'745 bytes
SHA256 hash: c250783846d5de0379e2da6286f554f516f2a3b7ce585c44036d2739be5d396e
MD5 hash: 9c50512b7c67f7fa37510d68c5525191
MIME type: image/jpeg
Signature: ValleyRAT

File name: edr09.exe
File size: 3'630'176 bytes
SHA256 hash: aa4bd50796313744a38bd02d0f9a911efc4e71a2bf9bdcd4293e0686f8091c22
MD5 hash: f3cf529a24ad407054e2a8359484f0bb
MIME type: application/x-dosexec
Signature: ValleyRAT
Vendor Threat Intelligence

Verdict: Malicious
Score: 81.4%
Tags: shellcode virus

Result
Verdict: Malicious
File Type: ZIP File - Malicious
Behaviour: SuspiciousEmbeddedObjects detected
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict: Malware
YARA: 3 match(es)
Tags: CVE-2019-13232 CVE-2019-9674 CVE-2022-29225 CVE-2022-36114 CVE-2023-46104 CVE-2024-0450 Executable Malicious PDB Path PE (Portable Executable) PE File Layout PE Memory-Mapped (Dump) Zip Archive Zip Bomb

Verdict: Malicious
Threat: Binary.Exploit.DonutMarte

Threat name: Binary.Trojan.Generic
Status: Suspicious
First seen: 2025-09-23 16:24:12 UTC
File Type: Binary (Archive)
Extracted files: 14
AV detection: 10 of 38 (26.32%)

Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Check_OutputDebugStringA_iat

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: dependsonpythonailib
Author: Tim Brown
Description: Hunts for dependencies on Python AI libraries

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base63 encoded powershell script.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PK_PUMP_AND_DUMP
Author: Will Metcalf @node5
Description: Walks Zip Central Directory filename entries looking for abused extension then checks for a file that's at least 25M and then checks to see how much uncompressed size is vs compressed size

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: ValleyRAT
File type: zip
SHA256 hash: 28da370a841f801c521f4735f5613bf4bb67d3f0a727f1b974d7178e9482256f (this sample)
