MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2bf34084c3f30c08e816e8e28033f3d59d62dfdbc586673f177396d379dce8d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2bf34084c3f30c08e816e8e28033f3d59d62dfdbc586673f177396d379dce8d2
SHA3-384 hash: baa35347c14229c97d363515fa74515c7a70983786380f0a63d1a27bb2681414a102d3d700a9ce628fb07ffaf3369603
SHA1 hash: c541200b59689138cf553b37ea1cc9eaec4ea6d5
MD5 hash: 7d43f9fb43381fc2e4cdea159cb5ed91
humanhash: cola-idaho-timing-sad
File name:2bf34084c3f30c08e816e8e28033f3d59d62dfdbc5866.dll
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:111'616 bytes
First seen:2025-11-19 16:35:10 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 3737cfbfd92e8dd910c1a7d9839c8e78 (1 x ValleyRAT)
ssdeep 1536:QHNGvNmssQz2PwfCmAAMd40qquesuYCnqdEswhljdFysWIlcd7yWhfhxYrfL:ZPy4fC7K0qquesuY8hlhw+wfhxYrL
TLSH T1F8B38B10B5C1C071D4BE193E4534EA661B6E7970DE619E9F63A803BA1FB81C0EE39D27
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10522/11/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:dll RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
20.6.131.45:443

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
20.6.131.45:443 https://threatfox.abuse.ch/ioc/1646749/

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38692/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=691df1d627c5936d7d0dcb9a
Tags:
dropper remo
Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug microsoft_visual_cc
Link:
https://www.filescan.io/uploads/691df1d31c15a0621ceacfbd/reports/6d2bd1b0-b1ac-423f-b8a4-4b96b319e3ca/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/2bf34084c3f30c08e816e8e28033f3d59d62dfdbc586673f177396d379dce8d2
Verdict:
Malicious
File Type:
dll x32
First seen:
2025-11-18T04:22:00Z UTC
Last seen:
2025-11-21T01:30:00Z UTC
Hits:
~10
Detections:
Backdoor.Win32.Xkcp.a Backdoor.Agent.TCP.C&C Trojan.Win32.Agent.sb Backdoor.Win32.Xkcp.blh Trojan-Spy.Win32.Stealer.sb Trojan-Spy.Win32.KeyLogger.sba PDM:Trojan.Win32.Generic Backdoor.Xkcp.TCP.ServerRequest
Link:
https://opentip.kaspersky.com/2bf34084c3f30c08e816e8e28033f3d59d62dfdbc586673f177396d379dce8d2/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4db654dd-afaf-4c53-a2ab-18386c95f718
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1817061
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1817061 Sample: 2bf34084c3f30c08e816e8e2803... Startdate: 19/11/2025 Architecture: WINDOWS Score: 100 30 ak1.xingxings2.cc 2->30 40 Suricata IDS alerts for network traffic 2->40 42 Found malware configuration 2->42 44 Antivirus detection for URL or domain 2->44 46 5 other signatures 2->46 8 loaddll32.exe 1 2->8         started        10 reg.exe 1 1 2->10         started        12 khrOXJ.exe 2->12         started        14 khrOXJ.exe 2->14         started        signatures3 process4 process5 16 rundll32.exe 8->16         started        19 rundll32.exe 1 8->19         started        22 cmd.exe 1 8->22         started        26 2 other processes 8->26 24 conhost.exe 10->24         started        dnsIp6 34 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 16->34 36 Potentially malicious time measurement code found 16->36 32 ak1.xingxings2.cc 20.6.131.45, 442, 443, 49690 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 19->32 38 System process connects to network (likely due to code injection or exploit) 19->38 28 rundll32.exe 22->28         started        signatures7 process8
Score:
91%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2bf34084c3f30c08e816e8e28033f3d59d62dfdbc586673f177396d379dce8d2
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/7d43f9fb43381fc2e4cdea159cb5ed91
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2bf34084c3f30c08e816e8e28033f3d59d62dfdbc586673f177396d379dce8d2/
Verdict:
Malicious
Threat:
Trojan-Spy.Win32.KeyLogger
Link:
https://tip.neiki.dev/file/2bf34084c3f30c08e816e8e28033f3d59d62dfdbc586673f177396d379dce8d2
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fpzubbgd6mgar2aw5driam7t2wowfx63ywdgopyxoolng6o45dja._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/251119-t3x2lacv7f/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Unpacked files
SH256 hash:
2bf34084c3f30c08e816e8e28033f3d59d62dfdbc586673f177396d379dce8d2
MD5 hash:
7d43f9fb43381fc2e4cdea159cb5ed91
SHA1 hash:
c541200b59689138cf553b37ea1cc9eaec4ea6d5
Link:
https://www.unpac.me/results/2a745018-7e9b-4c6b-afab-2743e5217db4/
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2bf34084c3f3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2bf34084c3f30c08e816e8e28033f3d59d62dfdbc586673f177396d379dce8d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:Check_Debugger
Create hunting rule
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:GenericGh0st
Create hunting rule
Author:Still
Rule name:Gh0stKCP
Create hunting rule
Author:Netresec
Description:Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference:https://netresec.com/?b=259a5af
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Winos_464b8a2e
Create hunting rule
Author:Elastic Security
Rule name:win_valley_rat_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.valley_rat.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/38692/

Comments