MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b3b2c417b75c2fd8886f81031537200c05cf01d29f28b4ae95117206a8d5071. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 6 File information Comments

SHA256 hash:	3b3b2c417b75c2fd8886f81031537200c05cf01d29f28b4ae95117206a8d5071
SHA3-384 hash:	010168e02cea1ff1c8eb3391ab90b7f465e0d21ea0738a0801235a49d45e4efae6e7526df24e7a2181e2f413a1ae3df5
SHA1 hash:	9c68bac2fa375682d913b79f85a0bed0a41ab98c
MD5 hash:	2f6e6f7fb18033435748339991ff3801
humanhash:	helium-winner-johnny-floor
File name:	2f6e6f7fb18033435748339991ff3801.exe
Download:	download sample
Signature	ValleyRAT Create hunting rule
File size:	3'125'248 bytes
First seen:	2025-08-19 00:40:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0034aebbc3c3bf80b48e332b8f34a6fa (2 x ValleyRAT)
ssdeep	49152:U0ePpNuji6CBBNrJ/etcu32qMbld0MUUiV1:UpPpNuji6Oc2qid0MUUiV1
Threatray	150 similar samples on MalwareBazaar
TLSH	T19AE51983AACB4DF6C9C2677855D393316378BD468B2A5F1B6708F6312D736C1AE1A700
TrID	42.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 22.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 14.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	74e0c4ccecf4ccd4 (4 x ValleyRAT, 1 x CobaltStrike)
Reporter	abuse_ch
Tags:	exe RAT ValleyRAT

abuse_ch

ValleyRAT C2:
203.91.74.11:6666

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
203.91.74.11:6666	https://threatfox.abuse.ch/ioc/1569776/

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2f6e6f7fb18033435748339991ff3801.exe

Verdict:

Malicious activity

Analysis date:

2025-08-19 00:40:39 UTC

Tags:

auto-reg

Link:

https://app.any.run/tasks/3143c9bd-b4f1-432d-9cdb-65f62bec28d7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/22011/

Detection(s):

Win.Malware.Malwarex-10056465-0

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68a3c81ec2f5296a1a2839ea

Tags:

shellcode dropper virus

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Сreating synchronization primitives

Launching a process

Creating a process from a recently created file

Searching for synchronization primitives

Sending a custom TCP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict:

Malicious

Labled as:

Mint.Zard.Generic

Link:

https://www.hybrid-analysis.com/sample/3b3b2c417b75c2fd8886f81031537200c05cf01d29f28b4ae95117206a8d5071

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/101805a8-b4ad-4500-befc-91c30ef5a087

Result

Threat name:

ValleyRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1759732

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Detected unpacking (creates a PE file in dynamic memory)

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking mutex)

Found malware configuration

Found stalling execution ending in API Sleep call

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: System File Execution Location Anomaly

Suricata IDS alerts for network traffic

Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)

Yara detected ValleyRAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3b3b2c417b75c2fd8886f81031537200c05cf01d29f28b4ae95117206a8d5071

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/2f6e6f7fb18033435748339991ff3801

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3b3b2c417b75c2fd8886f81031537200c05cf01d29f28b4ae95117206a8d5071/

Verdict:

Malicious

Threat:

Family.VALLEYRAT_S2

Link:

https://tip.neiki.dev/file/3b3b2c417b75c2fd8886f81031537200c05cf01d29f28b4ae95117206a8d5071

Threat name:

Win32.Trojan.MintZard

Status:

Malicious

First seen:

2025-08-15 20:13:18 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hm5syql3oxbp3ceg7aidcu3sadafz4a5fhziwsxjkelsa2unkbyq._file

Verdict:

malicious

Label(s):

valleyrat

ValleyRAT

383b0abb5274e9c87f8d42b0dfca92d82ea28ac940d55d25787a0c3394df6a93

ValleyRAT

3b3b2c417b75c2fd8886f81031537200c05cf01d29f28b4ae95117206a8d5071

ValleyRAT

41fd73e1d67148bc64e18697f82af08a496908a6ae4553f6219ac758df8427f7

ValleyRAT

55a47a47c9f85671ee4baa818b11be4da2f4f259254f6722d20270f263373b60

ValleyRAT

d78359314732275ef2f721397cc512579dcef1c5216b419db69b07992033f131

ValleyRAT

e60400f9da142b7bb4e83bfa2d964e3ed937dd350d2c6881c21daa826757bac3

ValleyRAT

error

ValleyRAT

+ 140 additional samples on MalwareBazaar

Result

Malware family:

valleyrat_s2

Score:

10/10

Tags:

family:valleyrat_s2 backdoor discovery persistence ransomware

Link:

https://tria.ge/reports/250819-a1l2rsyxbs/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Uses Volume Shadow Copy WMI provider

Uses Volume Shadow Copy service COM API

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Enumerates connected drives

Checks computer location settings

Executes dropped EXE

ValleyRat

Valleyrat_s2 family

Malware Config

C2 Extraction:

203.91.74.11:6666
203.91.74.11:8888
203.91.74.11:80

Verdict:

Malicious

Tags:

exploit

YARA:

cve_2014_6352

Link:

https://app.threat.zone/submission/5a07a4b2-6e8b-4161-8bd2-56981b7a44e7

Unpacked files

SH256 hash:

3b3b2c417b75c2fd8886f81031537200c05cf01d29f28b4ae95117206a8d5071

MD5 hash:

2f6e6f7fb18033435748339991ff3801

SHA1 hash:

9c68bac2fa375682d913b79f85a0bed0a41ab98c

Link:

https://www.unpac.me/results/2555680b-fbcf-4b4f-9ccf-f8a9d43427ca/

Malware family:

ValleyRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3b3b2c417b75/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3b3b2c417b75c2fd8886f81031537200c05cf01d29f28b4ae95117206a8d5071

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/22011/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
MULTIMEDIA_API	Can Play Multimedia	WINMM.dll::midiOutPrepareHeader WINMM.dll::midiOutReset WINMM.dll::midiOutUnprepareHeader WINMM.dll::midiStreamClose WINMM.dll::midiStreamOpen WINMM.dll::midiStreamOut
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteA
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessA KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetVolumeInformationA KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WinExec KERNEL32.dll::SetStdHandle
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileA KERNEL32.dll::GetWindowsDirectoryA KERNEL32.dll::GetSystemDirectoryA KERNEL32.dll::GetFileAttributesA KERNEL32.dll::FindFirstFileA KERNEL32.dll::GetTempPathA
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyA ADVAPI32.dll::RegCreateKeyExA ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegQueryValueA ADVAPI32.dll::RegSetValueExA
WIN_USER_API	Performs GUI Actions	USER32.dll::AppendMenuA USER32.dll::CreateMenu USER32.dll::EmptyClipboard USER32.dll::OpenClipboard USER32.dll::PeekMessageA USER32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample