MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 352dd4b560292372b0cae1f8c30be8dcb47ec0cf93ae946e23cc8a3b2c0b0f65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT

Vendor detections: 5

Intelligence 5 IOCs YARA 10 File information Comments

SHA256 hash:	352dd4b560292372b0cae1f8c30be8dcb47ec0cf93ae946e23cc8a3b2c0b0f65
SHA3-384 hash:	9acb8d7cacf964e10f8779c8f22f7898199ca9885a1cde5c0e6de20be4cba405ef0126b54d6d898919aabdb7b7f49a95
SHA1 hash:	e5254d9e0c4499f896a0cd3f5b31d3b3f8cc0e03
MD5 hash:	8d2b9ef3afb94897ff2066a8b154f934
humanhash:	idaho-november-alanine-beer
File name:	plsamc2228834359.zip
Download:	download sample
Signature	ValleyRAT Create hunting rule
File size:	2'478'072 bytes
First seen:	2025-06-07 15:42:28 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	49152:RhJQmCVT34BdUAJ70lsNtmvtzo/vaW3+Y56eBzu+jfcuw:LJsVToqy0GNtvvDOYUeBzmuw
TLSH	T155B5009875952B82E5E05A3F1D3FF2D2A7982B010A4C3051373B1A1ABED17FC65E42DB
Magika	zip
Reporter	GDHJDSYDH1
Tags:	backdoor dllHijack file-pumped SilverFox ValleyRAT zip

Intelligence

File Origin

# of uploads :

# of downloads :

283

Origin country :

File Archive Information

This file archive contains 8 file(s), sorted by their relevance:

File name:	MSVCP140.dll
File size:	627'992 bytes
SHA256 hash:	99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd
MD5 hash:	c1b066f9e3e2f3a6785161a8c7e0346a
MIME type:	application/x-dosexec
Signature	ValleyRAT

File name:	vcruntime140_1.dll
File size:	49'744 bytes
SHA256 hash:	6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e
MD5 hash:	eb49c1d33b41eb49dfed58aafa9b9a8f
MIME type:	application/x-dosexec
Signature	ValleyRAT

File name:	tier0.dll
File size:	415'328 bytes
SHA256 hash:	0c1f82e647de026ee30aa1f2948e5cdba680ffa62fe1ca17fd6a5f2cf6ba2df5
MD5 hash:	4e2a7adfddee50035407bb43659f305f
MIME type:	application/x-dosexec
Signature	ValleyRAT

File name:	vstdlib.dll
Pumped file	This file is pumped. MalwareBazaar has de-pumped it.
File size:	253'502'416 bytes
SHA256 hash:	47af35b22e6b8acf1bb4affd93f53dffd8ccde280112f4e6be57b48248e37cd4
MD5 hash:	5e0655687a378442d917951160b06a8e
De-pumped file size:	253'494'272 bytes (Vs. original size of 253'502'416 bytes)
De-pumped SHA256 hash:	8f0ce13e9deab5c65aea91ce139673debc86af8c1a04a3be6a8617d1e22929ea
De-pumped MD5 hash:	e6b0b267fee90d23762fa0c22a3a9b50
MIME type:	application/x-dosexec
Signature	ValleyRAT

File name:	749ju.exe
File size:	288'352 bytes
SHA256 hash:	c82be304c3d63be9d6404ef1a27a853e056604234dcab664f111f6de82acf8b2
MD5 hash:	af0b85f90d990c5528c2787bb6008ae5
MIME type:	application/x-dosexec
Signature	ValleyRAT

File name:	VCRUNTIME140.dll
File size:	119'376 bytes
SHA256 hash:	a06c9ea4f815dac75d2c99684d433fbfc782010fae887837a03f085a29a217e8
MD5 hash:	e9b690fbe5c4b96871214379659dd928
MIME type:	application/x-dosexec
Signature	ValleyRAT

File name:	emjio.tmp
File size:	416'381 bytes
SHA256 hash:	6b336f99ceb51600f437354de705f4eaef255bc87aa56dfac3c63ac98361d26a
MD5 hash:	65de6d9d21b1bde4024b596f0a8568b0
MIME type:	image/jpeg
Signature	ValleyRAT

File name:	qdata.tmp
File size:	489'528 bytes
SHA256 hash:	791c37b599f2383362a6815d276eac05593e281030cff435c654e6058442eda3
MD5 hash:	76f2b16af4218db4e3fd4b223f30190c
MIME type:	image/jpeg
Signature	ValleyRAT

Vendor Threat Intelligence

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=684134908bd5d68a12e5660c

Tags:

n/a

Result

Verdict:

Malicious

File Type:

ZIP File - Malicious

Link:

https://app.docguard.net/352dd4b560292372b0cae1f8c30be8dcb47ec0cf93ae946e23cc8a3b2c0b0f65/results/dashboard

Behaviour

SuspiciousEmbeddedObjects detected

Gathering data

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/352dd4b560292372b0cae1f8c30be8dcb47ec0cf93ae946e23cc8a3b2c0b0f65

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/352dd4b560292372b0cae1f8c30be8dcb47ec0cf93ae946e23cc8a3b2c0b0f65

Score:

13%

Verdict:

Benign

File Type:

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Indicator_MiniDumpUsage Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PK_PUMP_AND_DUMP Create hunting rule
Author:	Will Metcalf @node5
Description:	Walks Zip Central Directory filename entries looking for abused extension then checks for a file that's at least 25M and then check to see how much uncompressed size is vs compressed size

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)