MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ec48bb380b2b245432c9d312e3272325c66911123f1b12c1b06504729b526b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ec48bb380b2b245432c9d312e3272325c66911123f1b12c1b06504729b526b1
SHA3-384 hash: f4444d4199f62d2280ed987cc920e27c4a25f94ef483891aad97cab468c7ac94b77a6d0718c2729431809827a7e29749
SHA1 hash: 55074bdd7f9f18e3b7748eb2008910c345f8b50b
MD5 hash: 5968e5dd6b135aeacb437af92a2b2b5b
humanhash: blossom-november-william-alabama
File name:kuaiVpn-t.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:15'855'031 bytes
First seen:2025-06-07 15:06:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'471 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 393216:WCKosP069V/kTXVUr7iyujdyXifodciQ3KLy6pmQA7gDoaf:WChR69RakuyujYXOV1KLy97Haf
TLSH T129F63351AFE242E8F3497CBB4EE72DB99E55ABDF1AA02C817D0E74680F245544CC8732
TrID 76.2% (.EXE) Inno Setup installer (107240/4/30)
10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon d0e0f86cf4dcdccc (4 x ValleyRAT, 1 x AsyncRAT, 1 x VenomRAT)
Reporter aachum
Tags:exe ValleyRAT winos


Avatar
iamaachum
https://www.letsaxvpn.com/

Intelligence

File Origin
# of uploads :
1
# of downloads :
436
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
kuaiVpn-t.exe
Verdict:
Malicious activity
Analysis date:
2025-06-07 15:07:35 UTC
Tags:
valleyrat winos rat silverfox
Link:
https://app.any.run/tasks/0e87ac77-f92f-46d8-9ace-c84f4c43bd80

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/7911/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=684455ed07b5e8c1cfe567aa
Tags:
emotet shell micro sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Restart of the analyzed sample
Creating a process with a hidden window
Searching for the window
Searching for synchronization primitives
Creating a file
Moving a recently created file
Creating a file in the %AppData% directory
Moving a file to the %AppData% directory
Running batch commands
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Launching a process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
borland_delphi fingerprint installer invalid-signature overlay overlay packed packed packer_detected signed
Link:
https://www.filescan.io/uploads/684455a6fd02ed5e059d46bd/reports/242a8254-2fe6-4778-bd47-2eafc9819a2c/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/2ec48bb380b2b245432c9d312e3272325c66911123f1b12c1b06504729b526b1
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/db120144-3c39-4b89-bbca-df9812d19456
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1708949
Signature
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Detected potential unwanted application
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the DNS server
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via ARP
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample is not signed and drops a device driver
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Uses threadpools to delay analysis
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1708949 Sample: kuaiVpn-t.exe Startdate: 07/06/2025 Architecture: WINDOWS Score: 76 151 yandex.com 2->151 153 www.yandex.com 2->153 155 6 other IPs or domains 2->155 175 Suricata IDS alerts for network traffic 2->175 177 Malicious sample detected (through community Yara rule) 2->177 179 Multi AV Scanner detection for submitted file 2->179 181 8 other signatures 2->181 15 kuaiVpn-t.exe 2 2->15         started        18 svchost.exe 2->18         started        21 sppsvc.exe 2->21         started        23 11 other processes 2->23 signatures3 process4 file5 147 C:\Users\user\AppData\Local\...\kuaiVpn-t.tmp, PE32 15->147 dropped 25 kuaiVpn-t.tmp 3 6 15->25         started        163 Changes security center settings (notifications, updates, antivirus, firewall) 18->163 28 MpCmdRun.exe 18->28         started        165 Uses threadpools to delay analysis 21->165 167 Modifies the DNS server 23->167 30 drvinst.exe 23->30         started        32 drvinst.exe 23->32         started        34 LetsPRO.exe 23->34         started        signatures6 process7 file8 117 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 25->117 dropped 119 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 25->119 dropped 121 C:\Users\user\AppData\Local\...\_RegDLL.tmp, PE32 25->121 dropped 36 kuaiVpn-t.exe 2 25->36         started        39 conhost.exe 28->39         started        123 C:\Windows\System32\...\tap0901.sys (copy), PE32+ 30->123 dropped 125 C:\Windows\System32\...\SETE000.tmp, PE32+ 30->125 dropped 127 C:\Windows\System32\...\tap0901.sys (copy), PE32+ 32->127 dropped 129 C:\Windows\System32\drivers\SETE81D.tmp, PE32+ 32->129 dropped process9 file10 115 C:\Users\user\AppData\Local\...\kuaiVpn-t.tmp, PE32 36->115 dropped 41 kuaiVpn-t.tmp 22 10 36->41         started        process11 file12 131 C:\Users\user\AppData\...\LWTQ_999.exe (copy), PE32 41->131 dropped 133 C:\Users\user\AppData\Roaming\is-SLR51.tmp, PE32 41->133 dropped 135 C:\Users\user\AppData\Roaming\is-K1LM5.tmp, PE32 41->135 dropped 137 6 other files (none is malicious) 41->137 dropped 44 cmd.exe 1 41->44         started        47 cmd.exe 1 41->47         started        process13 signatures14 185 Uses netsh to modify the Windows network and firewall settings 44->185 187 Uses ipconfig to lookup or modify the Windows network settings 44->187 189 Performs a network lookup / discovery via ARP 44->189 49 LWTQ_999.exe 10 287 44->49         started        53 conhost.exe 44->53         started        55 Hg0R.exe 2 47->55         started        57 conhost.exe 47->57         started        process15 file16 105 C:\Program Files (x86)\...\tap0901.sys, PE32+ 49->105 dropped 107 C:\Program Files (x86)\...\LetsPRO.exe, PE32 49->107 dropped 109 C:\Program Files (x86)\...\LetsPRO.exe.config, XML 49->109 dropped 113 218 other files (1 malicious) 49->113 dropped 169 Bypasses PowerShell execution policy 49->169 171 Modifies the windows firewall 49->171 173 Sample is not signed and drops a device driver 49->173 59 LetsPRO.exe 49->59         started        61 powershell.exe 49->61         started        64 tapinstall.exe 49->64         started        69 8 other processes 49->69 111 C:\Users\user\AppData\Local\Temp\...\Hg0R.tmp, PE32 55->111 dropped 67 Hg0R.tmp 3 6 55->67         started        signatures17 process18 file19 71 LetsPRO.exe 59->71         started        191 Loading BitLocker PowerShell Module 61->191 75 conhost.exe 61->75         started        95 C:\Users\user\AppData\...\tap0901.sys (copy), PE32+ 64->95 dropped 97 C:\Users\user\AppData\Local\...\SETDE0C.tmp, PE32+ 64->97 dropped 77 conhost.exe 64->77         started        99 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 67->99 dropped 101 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 67->101 dropped 103 C:\Users\user\AppData\Local\...\_RegDLL.tmp, PE32 67->103 dropped 79 Hg0R.exe 67->79         started        82 conhost.exe 69->82         started        84 conhost.exe 69->84         started        86 conhost.exe 69->86         started        88 9 other processes 69->88 signatures20 process21 dnsIp22 157 yandex.com 5.255.255.77, 443, 49734 YANDEXRU Russian Federation 71->157 159 23.98.101.155, 443, 49741, 49753 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 71->159 161 11 other IPs or domains 71->161 183 Loading BitLocker PowerShell Module 71->183 149 C:\Users\user\AppData\Local\Temp\...\Hg0R.tmp, PE32 79->149 dropped 90 Hg0R.tmp 79->90         started        file23 signatures24 process25 file26 139 C:\Users\user\AppData\...\is-V2TVD.tmp, PE32+ 90->139 dropped 141 C:\...\WinUpdate-Client-Auth_v8.p12 (copy), PE32+ 90->141 dropped 143 C:\Users\user\AppData\...\unins001.exe (copy), PE32 90->143 dropped 145 4 other files (none is malicious) 90->145 dropped 93 regsvr32.exe 90->93         started        process27
Score:
28%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/2ec48bb380b2b245432c9d312e3272325c66911123f1b12c1b06504729b526b1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2ec48bb380b2b245432c9d312e3272325c66911123f1b12c1b06504729b526b1/
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-06-07 15:07:18 UTC
File Type:
PE (Exe)
Extracted files:
793
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f3cixm4awkzekqzmtuys4mtsgjogneirepy3cla3azieoknve2yq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution persistence privilege_escalation
Link:
https://tria.ge/reports/250607-shffdaszbv/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Gathers network information
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Network Service Discovery
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Drops file in Drivers directory
Modifies Windows Firewall
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/63a5e9e3-a8ec-43b3-9102-ecfa6ee14d49
Unpacked files
SH256 hash:
2ec48bb380b2b245432c9d312e3272325c66911123f1b12c1b06504729b526b1
MD5 hash:
5968e5dd6b135aeacb437af92a2b2b5b
SHA1 hash:
55074bdd7f9f18e3b7748eb2008910c345f8b50b
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
d821a623080f015d75a32ae0ecd66f9dddb8c45ad2859348e250343f4d5fc3c1
MD5 hash:
2e6ae448938f1eb46eace240c3578ab8
SHA1 hash:
82f72b4f4e8b5b3783857a0d8f5074c1a06fb16a
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
94059e3b70e177bfee21811703b41c8784dc96270301e59ac11387369aea4589
MD5 hash:
ffd0594720584ae3112b6aa62847ef6e
SHA1 hash:
617c961f14a780e7c87b1803b4b38aadd834d84a
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
a4c86fc4836ac728d7bd96e7915090fd59521a9e74f1d06ef8e5a47c8695fd81
MD5 hash:
4ff75f505fddcc6a9ae62216446205d9
SHA1 hash:
efe32d504ce72f32e92dcf01aa2752b04d81a342
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
4dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2
MD5 hash:
0ee914c6f0bb93996c75941e1ad629c6
SHA1 hash:
12e2cb05506ee3e82046c41510f39a258a5e5549
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6
MD5 hash:
192639861e3dc2dc5c08bb8f8c7260d5
SHA1 hash:
58d30e460609e22fa0098bc27d928b689ef9af78
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912
MD5 hash:
b7d61f3f56abf7b7ff0d4e7da3ad783d
SHA1 hash:
15ab5219c0e77fd9652bc62ff390b8e6846c8e3e
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
dfb3bb98cfe620841fbf2a15aa67c1614d4746a2ea0e5925211de1fee7138b38
MD5 hash:
bf2bbecd323865428aa9c919c81def68
SHA1 hash:
b74c6ef70d5ec4f28eaa706e55aaf852059b6077
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
d699dc146fcc9aee342555f28941a7a9613eb36183c64d51198d236bf87f7d1d
MD5 hash:
914a3e3ef22aaa0188830eec4dedbed3
SHA1 hash:
4f2fec8f9e4237778adaede2031ff6b542aae857
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
a1268e37fd8573696e7a5ac72245f9e68d03da58e233aa8459ade1ebaceb5e9e
MD5 hash:
272e07f476c7e1c5aca60830b56e0a34
SHA1 hash:
7fa680d08bdf89cb239cb0477bd2670bc551dd21
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
31f5be8f8c915b9380f9313c7207d443ed9457ebe85082b24351bf0dba2de3d4
MD5 hash:
b9a679b3b6e628877a583c69d1494eb8
SHA1 hash:
ba15003edf48bac6ca355278462ce35d6cef1504
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
9928c168b3df8088952f0a22041488d8259dc3860b840277f0c13e4d34662bba
MD5 hash:
c1538d2dea45f600ea94366a6953bb6a
SHA1 hash:
8447ba4ac05d5bc1370b58326f0040510edc883c
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
Parent samples :
2431ef60a5f5c610cdab7ab95de6a8d58a4a216042aa3150571d105e5c4b7917
1d8a948214daf64f3b0b9b894ee8b18dbf9164e54238d8ef88f9372cd03ce3ce
2ec48bb380b2b245432c9d312e3272325c66911123f1b12c1b06504729b526b1
38ff8d6e05742766864764c2c8c7d5752f3653d504449dd8d0d089f0f63032a3
266632523da6b47b23e9071cae0dde0b0a612d947495c4fb62b61800b397bbfa
41f12ece23a813b74dbaf3c5ad30b8672d33cd416d146854cc095bdea191db54
86943869650c77b3a4ac1c1124d197cb92303758d496ba9a4eaa333da53da06d
a970cc51051fd6923b98acc862e68a201610d54638a6523d6a7b271ae9ec05bc
df38776644c675f864709f6f508018e95b39a44d3719c3b320c9cfe206678ebf
2f99f89baa3385d879e5d687874e8595c0ba23f1540fa406c045208af10837e3
SH256 hash:
867e02930955c7b46f056f75103b3f319201f9e17fbf5b43e232339b31aabf23
MD5 hash:
8c7f419509838cba5f21f39354093e2e
SHA1 hash:
7f36028d846d1cfd32431acde5d54347e0751740
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
6ce84b76065b3be4681f8b426bd205b6136b0a86645adb648bcaaf591091a5c4
MD5 hash:
5ca51114b792fc913e1f02f7eee38da7
SHA1 hash:
03ee7ba91620551c7405c7b793274a60c1299baa
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
b55d1e505df751c0a1124fdb603ef0930fff877c444aeb9e032eacfa4d418c16
MD5 hash:
0d5f7e68fa09525e167e03c75eac729a
SHA1 hash:
1f9ba859c2e13ec607fcda992f482566ad4fea92
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
869c7e2c335ac0b4ea8c10ea6b06d46e15cf7e5ddadbc1601b8650382822284c
MD5 hash:
55355b036ab87e8fc8668c903023946e
SHA1 hash:
7e53ae7041706b7d0915f6dd6aba93a53d7a6b7c
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
cc750b2713707819a9040ee4f606ebc3cd1c62ba8280b96dde425c3a356bff00
MD5 hash:
8c0b729c5f2e3a6b3ff67d9e654623c1
SHA1 hash:
d77aaeb6bc94bc71d9f16c67187c695886bca8b5
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
0773e5eb4d9937c29af68f7b44ade7427d1fd682b2242b4cb29daaf8b0e3f56e
MD5 hash:
74f339d5d47aedacd574ea8e43c78eef
SHA1 hash:
9ce203e22c170217a726531b81b3b1119320f5e2
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
66aaef421a6e5600c9a55df8c2408ba6ac393a18481763234062b5b4d6219463
MD5 hash:
7be1e3cf7ce2218c91f8ea5329855106
SHA1 hash:
19e11bd58759d161d6b63c3166c9783cbe25ea53
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
51accaea47c925c746289dcc2c2468000e52d35014d5beec0d4527ba5edb8f32
MD5 hash:
2ab0f22398c97c110ebcec4a16696754
SHA1 hash:
0b3c5f61dd906154849e3641abef80b703f5a524
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
421f535f975206581a319388cf5c4446b13d38fb577cd8d0949cee95d0355bcd
MD5 hash:
61ce4d7a9ce800ae1a2640eb354d8699
SHA1 hash:
e598725c90a17576c348aeb091f62ed8254eca05
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
df37bae8908a3ff8c81f24fe8af7cbed5e7866c06c9d0501e5622cf92f24f2b4
MD5 hash:
4ca0f090fdcfe7f69e76c74ed4061c5f
SHA1 hash:
3f6b2ade15bd17e3788f28a4234579fb29145cb4
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
0fb3e6ce76adb9382505786ca72e54795610ae0945aa2188f1aaa1e2434bc758
MD5 hash:
d11586531b1ad873c75414af8f522b12
SHA1 hash:
e9ffada993abfc3c137b29116b2b0fe825fd5b89
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
2fd76a0b108dae5a8c7f2d3ddb211578708a7fb290f04ab21aa5590afc08bff5
MD5 hash:
52db06f93ceb63971cc6a57f47b2ca08
SHA1 hash:
d7f2fba5bd65626fc277b4119486a9981698f72e
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
8751f05a3fe9f47769688dffbb1a693a4ed294fb926c48977403a33335e8aa16
MD5 hash:
ae161bb3c83ab4b8734180bced6d2f2d
SHA1 hash:
8761f19a2bd2b79f977f60cab4be6eb6cdbeb340
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
e66ecc070ca8d11695e4419a237c8772db52ae379cc25fa8f2d730cd18a1634a
MD5 hash:
c76c74988b910e15a33600329e10d5f7
SHA1 hash:
6062928b46a7a9bbb48460884cd43cfa961e11a3
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
24baf40aaa25034bec86ecf320346f9ff78ce193e0183a9dde30cd88f0aaee0a
MD5 hash:
f28c6dab4323451de706e09f1ae88a1a
SHA1 hash:
93ff9c39dad928a7ba058876e16dab27a97e389e
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
2dcfc29720137e3202d10f58fe12e82550302b6afea08180afc86791e3fc0c44
MD5 hash:
f4398fe43e52a4a4fcae21d461b43372
SHA1 hash:
92a5d557dfa367aff9ee7a1042da259d7da670d9
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
75947d11b416413e79da6ab5f44dcb54b1dc48eebfde6c85610bb8b3d6134004
MD5 hash:
674a8ba78b28a220503c8f98e281fd1d
SHA1 hash:
14fdc05872adf4c6871e07ebcdd470088b987149
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
1ccb3d44ace876f746329fe7fcf2856023e73e55af3d9e903b23a5a25af12c8b
MD5 hash:
7290c34bb20cc24a484db06ae4397f99
SHA1 hash:
0d8277cef404251a8850f463001f4ba57202c6b0
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
3ab9cead7cef63380c067a2dbbab74cf235eae7d0062d6b87bdd54dd3d47d29d
MD5 hash:
c4fd23daaa6cbd1f874a6de29249e265
SHA1 hash:
ca60063bb6116d2d64c8b341a5d629f1b2343309
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
28313d126e02792fb92178bcb85ceb076512f8f5fcad08fa020433c3fc8f62d6
MD5 hash:
d723b270a44704b397a3105227473736
SHA1 hash:
0f9a2e4ebce6b7b5116a331a7f0d12cb1b9cd521
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
c89f066f65528371744e7b11dc5d6ae8d60412f9eedb0ea3b16da34d2b49a0a1
MD5 hash:
3292894be0809414901c1ab760927c9f
SHA1 hash:
de7d403e2b6714ff789442bb0fb3d5568fdaabd3
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
341e481706ec61e991373e0fbd3ed224f74b9b91c3f1d122d0e802f7145fedb1
MD5 hash:
27139c2eaab131627031a142b6eb8fee
SHA1 hash:
3ff180e3709f7b4c70c922dab1ad9544308e132b
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
de86d770cbcf733688daf90f6a7845cc937bd4e0bacc36bcb092ac5552d153c0
MD5 hash:
1a129494d9fa3d82eda1935ae5952bbf
SHA1 hash:
b7523c2d680f2dbca67eca4ba56b2a768b558a63
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
8efb2d14b79c25ede58b2440c533c0469287b8d05e21fc087fa7ceeab35e08db
MD5 hash:
f727238aac4966b90b592873a6675d95
SHA1 hash:
0c05d1ec5aacf7bcecdd9a873b08026e866a262c
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
d186980882573174279c26db7f9f572fd6e0c4456ddb283ef5a4a81da8f3dc2e
MD5 hash:
bb0404fe0c1d40bee14e1efe425efe1c
SHA1 hash:
4d6c5710172e2cad9f3bacead9e139703404599b
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
186953cd630228fbf2dae45609aec84603a7486aa3a801a9a338af9731604a32
MD5 hash:
ecdac8c162642e014ef49f6aa261ad33
SHA1 hash:
d90018d030b2f42f2583f6d1585d77734e4d76a2
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
68d9703cf227e18786c59097b2b161fcca02fdc8fc71e146e114d1e2989c3825
MD5 hash:
9e781243e74d737371a9ab43dbd82c7a
SHA1 hash:
2076cd04f90d0d99e093dd76ab30f60415f637ca
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
9c99142bf158b0504bc6b0f2a90f3e20c5951c3bbb03afaa0a245524f8609fdb
MD5 hash:
2bb3a5d9d0e2f3dbdb0a9db6222df2a2
SHA1 hash:
ef1543080b4195363d8e7dca65f278d8bfa7e41a
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
dbf9db5b408e4148de3a16421778eda94817263e9e6394ced4b150675d47f79e
MD5 hash:
b852f474ef9218f45098ace770f8e03d
SHA1 hash:
0d1dc2458b1f565ba3ad67521e387794d6dbd5dc
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
03a936a32fc810e591ee016ce4d693f74554b29fb3b837dd317116b49ca2cdd7
MD5 hash:
ad9c1cbd94dbe6491ddbcc8a4357bd02
SHA1 hash:
1e3f2624163be873160a321777a360aebaae16a6
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
bb3097be7078f95db4b5f8eca6f096227d4e5bed36ff423cbf1614fa6d6c163f
MD5 hash:
5dd3dee266ec6cbbaaa98cd90d3daf27
SHA1 hash:
e4d1f116c9c7e27039e9a3a7fbfade088b348542
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
10397f8ef2b6d2561a6b66f45b7c39c7dee1bafeb2a7901c7d826cc4b9ee783f
MD5 hash:
99abd532a48a95b0dd97da12d85b6145
SHA1 hash:
3e6ec6080215ffed9fc75e37837a751750a2a90a
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
250ba009864179cf3938c44c3996a0214138a21e557fb4752b1265b2276de8db
MD5 hash:
29aca8d4890037d4c36b2c9a5b908edf
SHA1 hash:
e13ba2fec82ea7f947cfa4b64a8998c74bdb2be4
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
e9dfb48631d420f82dcbdb3ad8b3ea5a1e8530133dc0e53c153a56e83396dcae
MD5 hash:
c40bb25883d8802a3a6a27ecb003bc13
SHA1 hash:
2a145d4ebd6e590a2e2b87ddb459c8b36644da13
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
61cb331483c8bf172c7c78eebb0659700402c91c04c334bdada6745bcf7c317d
MD5 hash:
da8c9b6d2380128ea101c137fec032bc
SHA1 hash:
e25eb1cb8a7dd88d3371eddbb6132c25a90be415
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
a66e04ac02cc716a6b803bbf9392ef30350f11e37fc6ecb73675b679dd6e4ccb
MD5 hash:
a1aef10d7c301e4c682b799a7505fa83
SHA1 hash:
d8373b4d571d928218d4c9b9d7f50aa4df1fd81c
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
98521e259e5be4e96a6f4060a8bfa732316629da5409bc0262ce0ee412ef4876
MD5 hash:
57d5105ad4304c17acbc7a056ed854fe
SHA1 hash:
60fc4e5ef8ed785b881183165eea3eed62947487
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
f6850dac70f91a49aa17ce01ab745374daff1e97fdd8429081d49f48e1a11b1e
MD5 hash:
7d221893b9a3c2c8f56d509e3a11a779
SHA1 hash:
36ed9bae1965a3bd78448c5f31fba0e36dfc788b
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
1b4a31d943d1cdf61374c5f1144d987fb592b6fe07634904b686337c402443c5
MD5 hash:
dcd13ca6580abcbce9d784e4c8b7baf6
SHA1 hash:
8525809d4f44f688eb1c9a6c91cd16a807147824
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
1aa08bbc0d85705059ec93b377e65ed7621d753b9c72287adec70f34d4748250
MD5 hash:
0c993e9e4f7730dbf766b4c3ccfa6fe0
SHA1 hash:
8cee7f00a3be84e50fdb75f4d7cdfe19d8f71c65
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
3fca1c2976a99d3c5360e9c23e56945e88fe308982e08b974133238a8d19197a
MD5 hash:
83200c33c863a600dffe0121fb088be7
SHA1 hash:
20232a807d6d7fdfab3dee5b50edbd9d1371ea00
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
df146439dabf50af9ec29cdbabcf0308eb3b6889090282dc5da5cd4c5a092851
MD5 hash:
88365149f581ab45b8e7069a9ded8f84
SHA1 hash:
031ff0b7e79acf3a5b2672af300baf2fa2a3fdfd
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
a89de7b1912796b438a57cf8c55253dafe969a6b7ffca11c8746a5ca0a90701e
MD5 hash:
291bbc4128fdbdbbb936664f855198b7
SHA1 hash:
9f172721d5f6369833457463fdbe1d0d8fcc6407
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
f6b0218f34cf89f7e085c6583d6547e85388e090e5f9a4d17d7814f264fe6f39
MD5 hash:
e064afd521d474e661a94303bf6cc73e
SHA1 hash:
c21937438cb35da6d317e8a682a4e3b250de6411
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
f1229345db1f7cf3c21f3cbc23c0386f94d8684aa1df53f8e582885682782bec
MD5 hash:
3f23561a65159d080bda4946ae485e45
SHA1 hash:
1c8959a750ad6058004ec6904d407d6d2296a5d3
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
51bcb05b3683925a1cd24f8736ba8b37b35be4e4744d6780ef2f2e15c84526b3
MD5 hash:
2c91a4b1460a6fd711ce9ff2197e161c
SHA1 hash:
fc3ccbfd8f48ef89e07d4fd17fb596473594ed06
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
2997a69a5fafd14f06fef0209ff6d401514931726392767720240bebbb715e66
MD5 hash:
5965914eb0a3f60ff4644c0a7b03c0ac
SHA1 hash:
9977bff0bed6207a8e385562022f6f4cfef7ba97
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
1a623db73e79276b0ad3d2455e7edc3ab8952d4169eb3dbb8a5e2dba9db5d6c0
MD5 hash:
137388fc71b167712ef759277a3779c1
SHA1 hash:
de07b9e5cf067fdd7ccd0e9a44b3bf2c466f5185
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
7bef8b7fef823154ab234c36ef1276a93edc131375e870a0fdb0643daec08d93
MD5 hash:
77d97d2588b6a66c15fac9336513c324
SHA1 hash:
59f71fe70e5b3048fbb6fe6b08515388c37c24c3
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
33655cfc898b404d3ebec588170bba8129690ea24c69017d3c79a3b752f66137
MD5 hash:
731d978add96e14f34af3decff8e0a6d
SHA1 hash:
f7d69618e685c7ed9b94e02af08bbff82362aec9
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
de919b194118e02b8142c3e04dc64b3af66c8ce30747c8f0dd98856d6e3ab9d5
MD5 hash:
212dcaa8fe2f1b73790c4d8376531c5a
SHA1 hash:
62af026c0c45561574a836fc3ca0075e6647f4e9
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
d28d191c3cc8a94562596f7bc4f2e2f6104fd3b6de55a3170d283c730998321f
MD5 hash:
ad4d0251860b77641c21f425d137b6a0
SHA1 hash:
79512ddb574ad45a16fc286015b7c348afe838ed
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
631403b64c713b78211dbc4bfa385f2e908798299ae1af1cf913fbc2836717e8
MD5 hash:
4b3ff081a6ca2f2a0287d903f5d93f80
SHA1 hash:
103a4395f7a2c4226adc70a6c88cbaec697dc7c0
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
c6547cad13a9e664fdbd634e6b2f1ad5da2f478c55812e0d6ce7ea63d9ea2438
MD5 hash:
74b67a114c8b98763bf3598fd3f0f866
SHA1 hash:
7b5596cc656e010c065274b08dcc578e3172cb60
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
499cad64cfefa6a9a6311c2278b62280978da027915516f2ca9d346556c254ab
MD5 hash:
ac00e3dce46dc817a5cff6aea0a832fb
SHA1 hash:
94aca30ace3ef5de69ef5de246e8f071b71b1356
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
be16d630d658a5b0cf6562c6d682c67c825658b601e3026f4d07ad4bd9ed50ab
MD5 hash:
2442f972874f392058f1a75152926631
SHA1 hash:
6876d5b68fe2dc77ab3f5f65842f582629a16961
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
d63c912d8923ff50932ee4ddd44c66e50fe3059f34731f5c07cd532c17b588a6
MD5 hash:
781acd9e4ac8e02b253d55078d569cfe
SHA1 hash:
92b3c76c9df9986d7c03ef58ac94ba037982fc97
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
70333a2723e6b7b93114749a6cb0cbd3ee5d69bfdccdcf1330eadca4df26a68e
MD5 hash:
ed14048fc83edc332eadad9ddc42b6a3
SHA1 hash:
c0a7c8a43106629931f6971300711d47d1e0de6b
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
9a70bfcc63443345ed9df805540638ce7726c894597bc10c4acb850e59905d5b
MD5 hash:
4d8e2cad10047b4bfe8bb92e025fa1d0
SHA1 hash:
449d7204491a2564c36f648d1ed58ca7be1fc3aa
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
3e8612f77247808d091a5caaaa7edbe92c0844b6a3de8c02cce4d2b1b80b5cc1
MD5 hash:
a0cf15d87555899a2ffff35fb0a9dbab
SHA1 hash:
777b622c650c2d3d358fd2ac47306cb37eb30df7
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
846944b6af06a43d5bac3fa5b2335e952db19b363c0149f72415b9172cbf1f41
MD5 hash:
8f4c87afed0f7d2576cf4315e57e3aea
SHA1 hash:
4ce5562b5af2b99af665be8ba20b7ddc813c892a
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
Parent samples :
2ec48bb380b2b245432c9d312e3272325c66911123f1b12c1b06504729b526b1
38ff8d6e05742766864764c2c8c7d5752f3653d504449dd8d0d089f0f63032a3
266632523da6b47b23e9071cae0dde0b0a612d947495c4fb62b61800b397bbfa
a970cc51051fd6923b98acc862e68a201610d54638a6523d6a7b271ae9ec05bc
df38776644c675f864709f6f508018e95b39a44d3719c3b320c9cfe206678ebf
SH256 hash:
a992f0f721f63c23a58eaefbcf8fcb54adca208f0f3c8d2307bebe9a4a7193f1
MD5 hash:
21a2a253b0cfa00523ac9392909e46da
SHA1 hash:
fb7dcc179bae5a81ec623dfae569c3dc96f8b784
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
SH256 hash:
b2d7cdf37b2da7755db0ffdac8b524c9e57ac6ef7416d17179f7d2b9ae7a57c8
MD5 hash:
3ec6a6153a4a559c46716a2412130b87
SHA1 hash:
10d0a6091d17b2e0eb48bcdd064a1a32fab07892
Link:
https://www.unpac.me/results/cba0991a-8c39-4b25-8fbd-c839869a97f0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2ec48bb380b2b245432c9d312e3272325c66911123f1b12c1b06504729b526b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ScanStringsInsocks5systemz
Create hunting rule
Author:Byambaa@pubcert.mn
Description:Scans presence of the found strings using the in-house brute force method
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ValleyRAT

Executable exe 2ec48bb380b2b245432c9d312e3272325c66911123f1b12c1b06504729b526b1

(this sample)

ValleyRAT

Executable exe 104085338277a88eabe79aa3da83fd6e5adb5cfcea14d8f6947e119ee9347ea2

  
Link
https://tria.ge/250607-r61ksaxmy8/behavioral1
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/7911/
  
Dropping
SHA256 104085338277a88eabe79aa3da83fd6e5adb5cfcea14d8f6947e119ee9347ea2
  
Dropping
MD5 76b14fef9dd58f8ac2494fd596607058

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessA
advapi32.dll::OpenProcessToken
kernel32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryA
kernel32.dll::CreateFileA
kernel32.dll::DeleteFileA
kernel32.dll::GetWindowsDirectoryA
kernel32.dll::GetFileAttributesA
kernel32.dll::RemoveDirectoryA
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments