MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2de4842e5b335d0f59073cc0e26c8900498d3daddf2b809e6abbf795a75311ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2de4842e5b335d0f59073cc0e26c8900498d3daddf2b809e6abbf795a75311ca
SHA3-384 hash: f59806190a48e5cef1261299f9d7894357207b35611d1c908a408c5dad037cfd4f8181022126894b8e9c7aad60fc8309
SHA1 hash: 8c0b2c8c86480a4b78068cb4e2ff5a6050b1db8d
MD5 hash: 0fb29386b2915176eb666e5fa4a6957f
humanhash: happy-orange-sad-nineteen
File name:1M_Multi_Asset_Investment_Portfolio_IB_Grade_v2.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:2'704'326 bytes
First seen:2026-01-07 12:27:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e8ac1646024d52d1534a88da2e8037cd (10 x HijackLoader, 9 x OffLoader, 8 x ValleyRAT)
ssdeep 49152:nDXrgVWFOpOJcSyS21SHk5I6IQDW20ZuRpYt4m8At3w:nDbVFwO+AE/j/+u76l8At3w
TLSH T16AC5D013B5EAF73ED4254A352D629B61043B6EE1F41A8E639EE4390CCE390501D3EE76
TrID 62.3% (.EXE) Inno Setup installer (107240/4/30)
24.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
6.1% (.EXE) Win64 Executable (generic) (10522/11/4)
2.6% (.EXE) Win32 Executable (generic) (4504/4/1)
1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon 74e0c4ccf4f4dcc4 (7 x ValleyRAT, 2 x CobaltStrike)
Reporter smica83
Tags:exe ValleyRAT

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
47.237.162.153:1123 https://threatfox.abuse.ch/ioc/1692604/

Intelligence

File Origin
# of uploads :
1
# of downloads :
147
Origin country :
HU HU
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/592379ee-40ac-41c6-b255-85aebe65c996/
Malware family:
n/a
ID:
1
File name:
1M_Multi_Asset_Investment_Portfolio_IB_Grade_v2.exe
Verdict:
Malicious activity
Analysis date:
2026-01-07 12:29:59 UTC
Tags:
payload
Link:
https://app.any.run/tasks/332b30c7-a89d-41c5-a33a-65bc7cc99e30

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48040/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=695e51299922425f92fe411f
Tags:
emotet shell virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Moving a file to the Windows subdirectory
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Connection attempt
Launching the default Windows debugger (dwwin.exe)
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context embarcadero_delphi fingerprint inno installer installer installer-heuristic overlay packed
Link:
https://www.filescan.io/uploads/695e51252227b0904b118459/reports/124cb896-98c5-4fb6-a87d-01009baf9f25/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/2de4842e5b335d0f59073cc0e26c8900498d3daddf2b809e6abbf795a75311ca
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-06T16:20:00Z UTC
Last seen:
2026-01-09T08:40:00Z UTC
Hits:
~10
Detections:
Backdoor.Win32.Agent.myxcml Backdoor.Agent.TCP.C&C Backdoor.Win32.Xkcp.a
Link:
https://opentip.kaspersky.com/2de4842e5b335d0f59073cc0e26c8900498d3daddf2b809e6abbf795a75311ca/results?tab=lookup
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1265432b-a63d-47fa-b981-b7868e9a7b37
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1845983
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Unusual module load detection (module proxying)
Uses Register-ScheduledTask to add task schedules
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1845983 Sample: 1M_Multi_Asset_Investment_P... Startdate: 07/01/2026 Architecture: WINDOWS Score: 100 66 us1.roaming1.live.com.akadns.net 2->66 68 shed.dual-low.part-0013.t-0009.t-msedge.net 2->68 70 9 other IPs or domains 2->70 86 Suricata IDS alerts for network traffic 2->86 88 Found malware configuration 2->88 90 Multi AV Scanner detection for submitted file 2->90 92 4 other signatures 2->92 11 1M_Multi_Asset_Investment_Portfolio_IB_Grade_v2.exe 2 2->11         started        14 WUDFHost.exe 2->14         started        signatures3 process4 file5 64 1M_Multi_Asset_Inv...lio_IB_Grade_v2.tmp, PE32 11->64 dropped 17 1M_Multi_Asset_Investment_Portfolio_IB_Grade_v2.tmp 10 10 11->17         started        106 Drops executables to the windows directory (C:\Windows) and starts them 14->106 21 WUDFHost.exe 14->21         started        signatures6 process7 file8 56 C:\Windows\en-US\...\WUDFHost.exe (copy), PE32+ 17->56 dropped 58 C:\Windows\en-US\WUDFHost.exe (copy), PE32 17->58 dropped 60 C:\Windows\en-US\is-1056N.tmp, PE32 17->60 dropped 62 4 other files (none is malicious) 17->62 dropped 78 Drops executables to the windows directory (C:\Windows) and starts them 17->78 23 WUDFHost.exe 17->23         started        25 POWERPNT.EXE 220 69 17->25         started        80 Suspicious powershell command line found 21->80 82 Adds a directory exclusion to Windows Defender 21->82 84 PowerShell case anomaly found 21->84 28 powershell.exe 21->28         started        31 powershell.exe 21->31         started        33 WerFault.exe 21->33         started        signatures9 process10 dnsIp11 35 WUDFHost.exe 2 23->35         started        74 part-0013.t-0009.t-msedge.net 13.107.246.41, 443, 49695 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 25->74 76 mira-ofc.tm-4.office.com 52.110.7.18, 443, 49692 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 25->76 39 ai.exe 25->39         started        102 Loading BitLocker PowerShell Module 28->102 41 conhost.exe 28->41         started        43 conhost.exe 31->43         started        signatures12 process13 dnsIp14 72 47.237.162.153, 1123, 49717, 49720 CHARTER-20115US United States 35->72 94 Suspicious powershell command line found 35->94 96 Adds a directory exclusion to Windows Defender 35->96 98 PowerShell case anomaly found 35->98 100 2 other signatures 35->100 45 powershell.exe 23 35->45         started        48 powershell.exe 35->48         started        50 WerFault.exe 35->50         started        signatures15 process16 signatures17 104 Loading BitLocker PowerShell Module 45->104 52 conhost.exe 45->52         started        54 conhost.exe 48->54         started        process18
Score:
81%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2de4842e5b335d0f59073cc0e26c8900498d3daddf2b809e6abbf795a75311ca
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/0fb29386b2915176eb666e5fa4a6957f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2de4842e5b335d0f59073cc0e26c8900498d3daddf2b809e6abbf795a75311ca/
Verdict:
Malicious
Threat:
Family.VALLEYRAT_S2
Link:
https://tip.neiki.dev/file/2de4842e5b335d0f59073cc0e26c8900498d3daddf2b809e6abbf795a75311ca
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fxsiils3gnoq6wihhtaoe3ejabey2pnn34vybhtkxp3zlj2tchfa._file
Result
Malware family:
valleyrat_s2
Create hunting rule
Score:
  10/10
Tags:
family:valleyrat_s2 backdoor discovery execution installer
Link:
https://tria.ge/reports/260107-pmwrdadz5c/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
ValleyRat
Valleyrat_s2 family
Malware Config
C2 Extraction:
47.237.162.153:1123
127.0.0.1:80
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/80971bde-fe30-4638-b51b-617582cf41c2
Unpacked files
SH256 hash:
2de4842e5b335d0f59073cc0e26c8900498d3daddf2b809e6abbf795a75311ca
MD5 hash:
0fb29386b2915176eb666e5fa4a6957f
SHA1 hash:
8c0b2c8c86480a4b78068cb4e2ff5a6050b1db8d
Link:
https://www.unpac.me/results/78a410f3-1e80-4f93-8479-98007f2f83c4/
SH256 hash:
1607b73df434d0f85dffafeb348077882b95ed74e749305f57473ba206ef026f
MD5 hash:
e134ee0d3c6eecfb976f893a9556afca
SHA1 hash:
6587f9290f48cb006abd4109a0d871bdec1912e5
Link:
https://www.unpac.me/results/78a410f3-1e80-4f93-8479-98007f2f83c4/
SH256 hash:
68d7f215d1d4b4274592bd681434fdf448fcc79eaa3ca359c534bba9e543eae0
MD5 hash:
cbfd6146c096006ff58eec5c49cd94ef
SHA1 hash:
9cd147d28e0ea6db3111613b6474db4111982c63
Link:
https://www.unpac.me/results/78a410f3-1e80-4f93-8479-98007f2f83c4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2de4842e5b335d0f59073cc0e26c8900498d3daddf2b809e6abbf795a75311ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Gh0stKCP
Create hunting rule
Author:Netresec
Description:Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference:https://netresec.com/?b=259a5af
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Shellcode_Rdi_edc62a10
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/48040/

Comments