MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 329cd3b3371df5d62e897b9465f8cb1230622ee48007f6faf0c5e53b518e4d4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 13



SHA256 hash: 329cd3b3371df5d62e897b9465f8cb1230622ee48007f6faf0c5e53b518e4d4b
SHA3-384 hash: cbb7eab675d35eb3e8ef8fca3c4fc38f6d224d4eaac0d2e8a6f7489af0fa5120f1ec8ce755cb549eebaa2bd2fb1f95e5
SHA1 hash: 784b5fd7ccce4c68751cfa3a9e091f338a470b27
MD5 hash: 6125eafaa4c3aa5b5d434c5e16b3535f
humanhash: sink-aspen-beer-delta
File name: 2025????????????.exe
Download: download sample
Signature: ValleyRAT
File size: 8'462'336 bytes
First seen: 2025-05-08 18:50:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8ef231457cec8bb61624cdad14564e92 (1 x ValleyRAT)
ssdeep: 98304:LqKLvhedPZIqKLvhedPZIqKLvhedPZIqKLvhedPZIqKLvhedPZIqKLvhedPZ:mLdZLdZLdZLdZLdJLd
TLSH: T1C086F21E0E7E7D16C00549F1B68C6B586639FD3A902D4A7E76BCB4A018BD377722227C
TrID: 40.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      16.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      12.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      11.0% (.EXE) Win32 Executable (generic) (4504/4/1)
      5.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
dhash icon: 9c8aa4a4a0aca4c4 (1 x ValleyRAT)
Reporter: abuse_ch
Tags: exe RAT ValleyRAT


abuse_ch
ValleyRAT C2:
103.12.149.123:8080

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 103.12.149.123:8080
ThreatFox Reference: https://threatfox.abuse.ch/ioc/1518470/

Intelligence


File Origin
# of uploads: 1
# of downloads: 576
Origin country: NL

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: e39a66a4-db1b-40cc-9214-9c80e2fc3bf5
Verdict: Malicious activity
Analysis date: 2025-05-08 19:19:06 UTC
Tags: amsi-bypass payload silverfox backdoor valleyrat winos rat

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Verdict: Malicious
Score: 94.9%
Tags: obfuscate emotet shell sage

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Enabling the 'hidden' option for analyzed file
  Launching a process
  Using the Windows Management Instrumentation requests
  Connection attempt
  Sending an HTTP GET request
  Creating a file
  Sending a custom TCP request
  Creating synchronization primitives
  Creating a window
  Enabling autorun by creating a file

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: microsoft_visual_cc packed packed packer_detected

Result
Threat name: GhostRat
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
  C2 URLs / IPs found in malware configuration
  Contains functionality to capture and log keystrokes
  Contains functionality to detect sleep reduction / modifications
  Contains functionality to inject code into remote processes
  Contains functionality to inject threads in other processes
  Detected unpacking (creates a PE file in dynamic memory)
  Found malware configuration
  Joe Sandbox ML detected suspicious sample
  Loading BitLocker PowerShell Module
  Multi AV Scanner detection for submitted file
  Sigma detected: Suspicious Double Extension File Execution
  Suricata IDS alerts for network traffic
  Suspicious powershell command line found
  Yara detected GhostRat
Behaviour:
Behavior Graph (ID: 1684779; Sample: 2025____________.exe; Startdate: 08/05/2025; Architecture: WINDOWS; Score: 100). The graph image is not reproduced; the process tree and labels recovered from it are:
  Sample: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 4 other signatures
    2025____________.exe (started): connects to 103.12.149.123 (ports 49720, 49721, 49723; SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong, Hong Kong) and 43.248.173.152 (ports 49719, 49722, 80; JIC-AS-APJSLINKINTERNATIONALCORPORATIONHK, Hong Kong); Detected unpacking (creates a PE file in dynamic memory); Suspicious powershell command line found; Contains functionality to inject threads in other processes; 3 other signatures
      powershell.exe (started): Loading BitLocker PowerShell Module
        conhost.exe (started)
    cmd.exe (started)
      2025____________.exe (started): Suspicious powershell command line found
        powershell.exe (started): Loading BitLocker PowerShell Module
          conhost.exe (started)
      conhost.exe (started)

Threat name: Win32.Trojan.Egairtigado
Status: Malicious
First seen: 2025-05-08 18:35:42 UTC
File Type: PE (Exe)
Extracted files: 44
AV detection: 23 of 37 (62.16%)
Threat level: 5/5
Verdict: malicious
Label(s):
Similar samples:

Result
Malware family: n/a
Score: 6/10
Tags: discovery execution
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
  System Location Discovery: System Language Discovery
  Command and Scripting Interpreter: PowerShell
  Enumerates connected drives
Unpacked files
SHA256 hash: 329cd3b3371df5d62e897b9465f8cb1230622ee48007f6faf0c5e53b518e4d4b
MD5 hash: 6125eafaa4c3aa5b5d434c5e16b3535f
SHA1 hash: 784b5fd7ccce4c68751cfa3a9e091f338a470b27
Malware family: ValleyRAT
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: meth_peb_parsing
Author: Willi Ballenthin

Rule name: pe_no_import_table
Description: Detect pe file that no import table

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Windows_Generic_Threat_4b0b73ce
Author: Elastic Security

Rule name: win_valley_rat_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.valley_rat.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
CHECK_AUTHENTICODE: Missing Authenticode (severity: high)
CHECK_NX: Missing Non-Executable Memory Protection (severity: critical)
CHECK_PIE: Missing Position-Independent Executable (PIE) Protection (severity: high)

Reviews
WIN32_PROCESS_API: Can Create Process and Threads (evidence: KERNEL32.dll::CreateProcessW, KERNEL32.dll::CloseHandle, WININET.dll::InternetCloseHandle)
WIN_BASE_API: Uses Win Base API (evidence: KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetStartupInfoA)
WIN_BASE_IO_API: Can Create Files (evidence: KERNEL32.dll::CreateFileA, KERNEL32.dll::CreateFileMappingA)

Comments