MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 326ec709d9d42bdd49f421488f957ba6fdcc5f3ec82615dda7a6555d0e8c8578. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 18

SHA256 hash: 326ec709d9d42bdd49f421488f957ba6fdcc5f3ec82615dda7a6555d0e8c8578
SHA3-384 hash: e7b4a2a9fe784f574d936bc950bd29a36922c6a090aa81034d1980cdfb3287202634b055162e608bcfb31dd434252723
SHA1 hash: f57c1073e202a9a0ebebda3e39ec91cfcf06504b
MD5 hash: b5f3398aea0a5120d48ef422cd7ee0bc
humanhash: jersey-beer-lamp-lamp
File name: 326ec709d9d42bdd49f421488f957ba6fdcc5f3ec8261.exe
Signature ValleyRAT
File size: 2'495'111 bytes
First seen: 2026-03-16 04:50:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 7e0a0e8f80bbd1a9c0078e57256f1c3d (7 x ValleyRAT, 5 x GCleaner, 4 x CoinMiner)
ssdeep 49152:FgqKIXzRJryYj0A53S1ML3OiSWxoZHeYetS9iwxVfRHKEbk/:FzDlj0AG8+isHeYetS99HDbO
Threatray 261 similar samples on MalwareBazaar
TLSH T138B51259D6A808F8D073A2B88A635A03E7777C5A1371D78F03A479622F773915D3EB02
TrID 37.0% (.EXE) Win64 Executable (generic) (6522/11/2)
28.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.5% (.EXE) OS/2 Executable (generic) (2029/13)
11.3% (.EXE) Generic Win/DOS Executable (2002/3)
11.3% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe RAT ValleyRAT


abuse_ch
ValleyRAT C2:
143.92.32.132:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                 ThreatFox Reference
143.92.32.132:80    https://threatfox.abuse.ch/ioc/1767819/

Intelligence


File Origin
# of uploads: 1
# of downloads: 226
Origin country: NL
Vendor Threat Intelligence
Malware configuration found for: Archives (SFX commands and extracted archive contents)
Malware family: n/a
ID: 1
File name: 326ec709d9d42bdd49f421488f957ba6fdcc5f3ec82615dda7a6555d0e8c8578.exe
Verdict: Malicious activity
Analysis date: 2026-03-16 04:38:15 UTC
Tags: silverfox backdoor valleyrat rat winos donutloader loader evasion arch-exec

Note: ANY.RUN is an interactive sandbox; its verdict reflects all user actions in the session rather than only the uploaded sample.
Verdict: Malicious
Score: 99.9%
Tags: emotet nemty

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the Program Files directory
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Moving a recently created file
Launching a process
Loading a suspicious library
Running batch commands
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context anti-debug anti-vm donut exploit explorer fingerprint fingerprint installer installer installer-heuristic lolbin microsoft_visual_cc msiexec overlay packed packed rozena runonce sfx unsafe valleyrat

Verdict: Malicious
File Type: exe x64
Detections: Trojan.Win64.Agentb.sb Trojan.Win32.Shellcode.sb Trojan.Win32.Shellcode.nsi Backdoor.Win32.Agentb.sb Backdoor.Agent.TCP.C&C UDS:DangerousObject.Multi.Generic
Result
Threat name: DonutLoader, ValleyRAT
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Ping/Del Command Combination
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DonutLoader
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Behavior Graph ID: 1884058 | Sample: 326ec709d9d42bdd49f421488f9... | Start date: 16/03/2026 | Architecture: WINDOWS | Score: 100

Start node: contacted zodia-custody-test.co, inst.olpotl.cn and 5 other IPs or domains. Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures.

Process tree (node IDs from the graph in brackets):

326ec709d9d42bdd49f421488f957ba6fdcc5f3ec8261.exe [10]
  dropped: C:\Program Files\mysetup.exe (PE32); C:\Program Files\FastOrange.exe (PE32)
  signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
  +-- mysetup.exe [17]
  |     dropped: C:\Users\user\AppData\Local\...\mysetup.tmp (PE32)
  |     +-- mysetup.tmp [29]
  |           dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\ProgramData\...\vcruntime140.dll (copy, PE32); C:\ProgramData\...\msvcp140.dll (copy, PE32); 6 other malicious files
  |           signatures: Multi AV Scanner detection for dropped file
  |           +-- regsvr32.exe [37]
  |                 dropped: C:\ProgramData\...behaviorgraphuard.dll (PE32; file name garbled in the source); C:\ProgramData\...\DataReport.dll (PE32)
  |                 +-- cmd.exe [40]  (signature: Uses ping.exe to sleep)
  |                 +-- conhost.exe [43]
  +-- PING.EXE [20]  (network: 127.0.0.1)
  +-- FastOrange.exe [23]
  |     network: appinstall.uajrl.cn 178.128.50.163:443 (DIGITALOCEAN-ASN, Netherlands; local ports 49714, 49719); cdn.bitiful.qtlcdn.com 117.91.199.23:443 (CHINATELECOM Jiangsu Yangzhou IDC, China; local ports 49715, 49720)
  |     +-- dfsvc.exe [33]
  +-- conhost.exe [25]

WindowsTasker.exe [14]
  network: zodia-custody-test.co 143.92.32.132 (BCPL-SG BGPNET Global ASN, Singapore; local ports 49724, 49728, 49732); myexternalip.com 34.160.111.145 (ATGS-MMD-AS, United States; local ports 49729, 49733, 49735)
  signatures: Found evasive API chain (may stop execution after checking mutex); Contains functionality to inject threads in other processes; Contains functionality to capture and log keystrokes; 3 other signatures
  +-- schtasks.exe [27]
        +-- conhost.exe [35]
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Threat name: Win64.Trojan.Egairtigado
Status: Malicious
First seen: 2026-03-15 18:00:02 UTC
File Type: PE+ (Exe)
Extracted files: 69
AV detection: 13 of 24 (54.17%)
Threat level: 5/5

Result
Malware family: valleyrat_s2
Score: 10/10
Tags: family:valleyrat_s2 backdoor discovery installer
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Enumerates connected drives
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
ValleyRat
Valleyrat_s2 family
Unpacked files
SHA256 hash: 326ec709d9d42bdd49f421488f957ba6fdcc5f3ec82615dda7a6555d0e8c8578
MD5 hash: b5f3398aea0a5120d48ef422cd7ee0bc
SHA1 hash: f57c1073e202a9a0ebebda3e39ec91cfcf06504b

SHA256 hash: 5c17c60f5fb07693cd03dbb2d3e3331afb6e95235df7f99a8c43b5183e657be8
MD5 hash: 4adb5f40b496ecd7d3aa2b78d2f57ef7
SHA1 hash: 54674e04c580b93d3e1e027a8e0c601b1b4e1ff3

SHA256 hash: ccb6f246b0f5058e69782a91fe8dd45379c8918877594966a021f0014be2c7d1
MD5 hash: 9b4e5046097cd4d900a21719e5540803
SHA1 hash: aa800b76eb6ecdc5a2de0153eaa0a79010bfe83a

Malware family: ValleyRAT
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps they create. Only results from TLP:CLEAR rules are displayed. Note that many of the rules listed below are generic (hash-constant, anti-debugging, PEB-parsing and shellcode-API-hash detectors) and match a wide range of unrelated binaries; the Gh0st/Winos-related rules (GenericGh0st, Gh0stKCP, WinosStager) are the matches that actually bear on the ValleyRAT classification, while hits from rules written for other families (VECT_Ransomware, telebot_framework) should not be read as attribution to those families.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: GenericGh0st
Author: Still

Rule name: Gh0stKCP
Author: Netresec
Description: Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference: https://netresec.com/?b=259a5af

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: meth_peb_parsing
Author: Willi Ballenthin

Rule name: pe_detect_tls_callbacks

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: telebot_framework
Author: vietdx.mb

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: VECT_Ransomware
Author: Mustafa Bakhit
Description: Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name: Windows_Generic_Threat_4b0b73ce
Author: Elastic Security

Rule name: WinosStager
Author: YungBinary
Description: https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign
