MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29f005bdc2dbd50d1a4ae37b9809f481348186deb15cb3b1cb513e8f51af0bf9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 17


Intelligence 17 IOCs 1 YARA 21 File information Comments

SHA256 hash: 29f005bdc2dbd50d1a4ae37b9809f481348186deb15cb3b1cb513e8f51af0bf9
SHA3-384 hash: 1a874c4e1dca528fbba2cb2efa12a40bef6bda0acf1df544b6aad54f586cb60b106c4d067f97272a26ecd11154cc671f
SHA1 hash: 282d66eb369bcc8436585feb888d0ad18f4dcf8f
MD5 hash: 3a7ca2949caf97fa7a235cff7956aba1
humanhash: nuts-connecticut-alanine-coffee
File name:29f005bdc2dbd50d1a4ae37b9809f481348186deb15cb.exe
Download: download sample
Signature ValleyRAT
File size:19'425'792 bytes
First seen:2025-12-28 23:30:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f0d3388e07c55eef6c71a98c9a5477d5 (1 x ValleyRAT)
ssdeep 196608:V60W5/Z5tuLhkI0tzC/XLWim70G1EQteCqvlqUv:V6TZ5t6t0tzCCtt1reC2lqUv
TLSH T13417DF952D078791DC4DB6FC38AC91222AD86C5F0F7141A63FE3F959CB7D0826AA6C13
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon f08f898c8e8a8fb0 (37 x SnakeKeylogger, 19 x AgentTesla, 17 x AveMariaRAT)
Reporter abuse_ch
Tags:exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
102.134.35.84:3322

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
102.134.35.84:3322 https://threatfox.abuse.ch/ioc/1687864/

Intelligence


File Origin
# of uploads :
1
# of downloads :
138
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
29f005bdc2dbd50d1a4ae37b9809f481348186deb15cb3b1cb513e8f51af0bf9.exe
Verdict:
Malicious activity
Analysis date:
2025-12-28 23:07:41 UTC
Tags:
auto-startup valleyrat silverfox rat winos blackmoon

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Tags:
virus
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug evasive explorer fingerprint installer-heuristic lolbin microsoft_visual_cc overlay
Verdict:
Malicious
Labled as:
Agent.BO potentially unwanted application
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-27T04:54:00Z UTC
Last seen:
2025-12-30T18:15:00Z UTC
Hits:
~10
Detections:
Backdoor.Win32.WOC.sb HEUR:Trojan-Spy.Win64.AntiAV.gen HEUR:Trojan.Win32.Agent.gen HEUR:Backdoor.Win32.Farfli.gen Trojan-Spy.Win32.Stealer.sb Trojan-Dropper.Win32.Dapato.sb Trojan.Win32.Inject.sb Backdoor.Win32.Poison.sb Trojan-Spy.Win32.KeyLogger.sba PDM:Trojan.Win32.Generic HEUR:Trojan.Win32.Sdum.gen HEUR:Backdoor.Win32.WOC.gen Backdoor.Win32.Xkcp.a
Result
Threat name:
GhostRat, ValleyRAT
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Disables UAC (registry)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Suricata IDS alerts for network traffic
Tries to detect virtualization through RDTSC time measurements
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected GhostRat
Yara detected ValleyRAT
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1840973 Sample: 29f005bdc2dbd50d1a4ae37b980... Startdate: 29/12/2025 Architecture: WINDOWS Score: 100 70 shed.dual-low.part-0010.t-0009.t-msedge.net 2->70 72 part-0010.t-0009.t-msedge.net 2->72 74 2 other IPs or domains 2->74 86 Suricata IDS alerts for network traffic 2->86 88 Found malware configuration 2->88 90 Malicious sample detected (through community Yara rule) 2->90 92 11 other signatures 2->92 8 29f005bdc2dbd50d1a4ae37b9809f481348186deb15cb.exe 1 24 2->8         started        12 explorer.exe 2->12         started        14 explorer.exe 2->14         started        16 2 other processes 2->16 signatures3 process4 file5 62 C:\Users\user\AppData\Roaming\Rar.exe, PE32 8->62 dropped 64 C:\Program Files\PCtnRGBk\XgQiDazX\jzr.exe, PE32 8->64 dropped 66 C:\Program Files\PCtnRGBk\...\XgQiDazXw.exe, PE32 8->66 dropped 68 2 other malicious files 8->68 dropped 96 Disables UAC (registry) 8->96 18 XgQiDazXw.exe 8->18         started        21 Rar.exe 4 8->21         started        24 Rar.exe 2 8->24         started        26 XgQiDazXg.exe 12->26         started        28 XgQiDazXg.exe 12->28         started        30 XgQiDazXg.exe 14->30         started        32 XgQiDazXg.exe 14->32         started        34 explorer.exe 1 16->34         started        36 explorer.exe 16->36         started        signatures6 process7 file8 80 Writes to foreign memory regions 18->80 82 Allocates memory in foreign processes 18->82 84 Injects a PE file into a foreign processes 18->84 38 cmd.exe 10 1 18->38         started        42 jzr.exe 2 1 18->42         started        44 jzr.exe 18->44         started        52 3 other processes 18->52 58 C:\Program Files\PCtnRGBk\...\ImageMagik.dll, PE32 21->58 dropped 60 C:\Program Files\PCtnRGBk\...\HWSignature.dll, PE32 21->60 dropped 46 conhost.exe 21->46         started        48 conhost.exe 24->48         started        50 cmd.exe 26->50         started        54 5 other processes 26->54 56 6 other processes 30->56 signatures9 process10 dnsIp11 76 102.134.35.84, 3322, 49696, 49700 sun-asnSC South Africa 38->76 78 103.119.15.183, 3322, 49695, 49701 CLOUDIE-AS-APCloudieLimitedHK China 38->78 94 Unusual module load detection (module proxying) 38->94 signatures12
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name:
Win32.Backdoor.Valleyrat
Status:
Suspicious
First seen:
2025-12-27 09:40:30 UTC
File Type:
PE (Exe)
Extracted files:
86
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
valleyrat krbanker
Similar samples:
Result
Malware family:
valleyrat_s2
Score:
  10/10
Tags:
family:blackmoon family:valleyrat_s2 backdoor banker defense_evasion discovery evasion trojan
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Enumerates connected drives
Drops startup file
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Blackmoon family
Blackmoon, KrBanker
Detect Blackmoon payload
Detects ValleyRAT payload
Modifies Windows Defender DisableAntiSpyware settings
UAC bypass
ValleyRat
Valleyrat_s2 family
Malware Config
C2 Extraction:
102.134.35.84:3322
103.119.15.183:3322
Verdict:
Malicious
Tags:
Win.Virus.Expiro-10015928-0
YARA:
n/a
Unpacked files
SH256 hash:
29f005bdc2dbd50d1a4ae37b9809f481348186deb15cb3b1cb513e8f51af0bf9
MD5 hash:
3a7ca2949caf97fa7a235cff7956aba1
SHA1 hash:
282d66eb369bcc8436585feb888d0ad18f4dcf8f
SH256 hash:
fb4de66b485ad117ce2136a169ca2fa4153434ba7b5b80171bfc85b47dd9f04b
MD5 hash:
e3adbdb60dd7fe756cdff503e46808ac
SHA1 hash:
71eab410cca34637cd376834d58d7616e786a514
SH256 hash:
d3fe1efa5b523846f1340f777d41c9149d3c9ebb6cee0fe5f4e2fe5256ac52a7
MD5 hash:
564b03d28ec2a8135086ea29b76e4c98
SHA1 hash:
54aae4a3547700bf1403acd3e9c660fe33aea2aa
SH256 hash:
88c50043d957ab1d874bf63f7ab6cbc8212523aafa42427b5517db14b132ed92
MD5 hash:
175e9a41f977673d4c8f8c839851dde9
SHA1 hash:
e8a9744bacdb22b4769ad5054292ec8910128ea2
SH256 hash:
367755d30428a36942a503f0695ad2dab4a23db82841a603a7460ed6a81a1d47
MD5 hash:
e00aed4e2dcc761f8816b433e59135bb
SHA1 hash:
e5be7529d1a6ab1b615f35232a5981c789d29079
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BlackMoon
Author:NDA0E
Description:Detects BlackMoon
Rule name:blackmoon_payload_v1
Author:RandomMalware
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:GenericGh0st
Author:Still
Rule name:Gh0stKCP
Author:Netresec
Description:Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference:https://netresec.com/?b=259a5af
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name:MALWARE_Win_BlackMoon
Author:ditekSHen
Description:Detects executables using BlackMoon RunTime
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:vmdetect
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_4b0b73ce
Author:Elastic Security
Rule name:Windows_Trojan_DustyWarehouse_a6cfc9f7
Author:Elastic Security
Rule name:Windows_Trojan_Winos_464b8a2e
Author:Elastic Security
Rule name:win_valley_rat_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.valley_rat.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments