MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e5045e0af927fed92760e84a4300a7803632d7d8da0fcd5126700bfa4a79029. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e5045e0af927fed92760e84a4300a7803632d7d8da0fcd5126700bfa4a79029
SHA3-384 hash: aa09ec5801bd1b6f3536faca59717898cf20c347078e556520e82b23c68e8f21839ae65a6b48fb797708d8761cd2de06
SHA1 hash: 4cb4abb9f2084cc447958d3e5605825b6f4474c7
MD5 hash: 70a43f05ebbb4c0f0c09315778b5204c
humanhash: indigo-mexico-don-kentucky
File name:70A43F05EBBB4C0F0C09315778B5204C.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:47'523'239 bytes
First seen:2024-12-28 23:35:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b5a014d7eeb4c2042897567e1288a095 (21 x HijackLoader, 14 x ValleyRAT, 12 x LummaStealer)
ssdeep 786432:XAGhPZ/2u+jAcPiy3GrySHDNuf2DXAXG3pdHTi7mO6cW5o7iqK/lbOu+NqmXWAt:/PZ+pPiywyUDNDDSG3pY756NomD/ll+V
TLSH T196A733B970B51A36EEAE5F3BF509A42F90F1FBF6444DDA8223801E90FE056E580D2745
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe SilverFox ValleyRAT winos


Avatar
abuse_ch
ValleyRAT C2:
8.218.163.85:9091

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
8.218.163.85:9091 https://threatfox.abuse.ch/ioc/1369108/

Intelligence

File Origin
# of uploads :
1
# of downloads :
641
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
70A43F05EBBB4C0F0C09315778B5204C.exe
Verdict:
Malicious activity
Analysis date:
2024-12-28 23:38:49 UTC
Tags:
silverfox backdoor
Link:
https://app.any.run/tasks/85fc6370-12ac-4d71-8030-a4276e862ed5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67708b6a1bb06b8884790f3c
Tags:
dropper emotet shell sage
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context fingerprint installer microsoft_visual_cc overlay packed packer_detected
Link:
https://www.filescan.io/uploads/67708b76d986a2005f8dcb2c/reports/9e6d64aa-a6e6-4f99-bf0f-8da4240a675b/overview
Verdict:
Malicious
Labled as:
Trojan_Win32_Wacatac_B_ml
Link:
https://www.hybrid-analysis.com/sample/3e5045e0af927fed92760e84a4300a7803632d7d8da0fcd5126700bfa4a79029
Result
Verdict:
MALICIOUS
Result
Threat name:
GhostRat
Create hunting rule
Detection:
malicious
Classification:
evad.troj
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1581797
Signature
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Program Location with Network Connections
Suricata IDS alerts for network traffic
Yara detected GhostRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1581797 Sample: V2clgnyM2J.exe Startdate: 29/12/2024 Architecture: WINDOWS Score: 96 60 Suricata IDS alerts for network traffic 2->60 62 Multi AV Scanner detection for dropped file 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 5 other signatures 2->66 9 V2clgnyM2J.exe 10 2->9         started        process3 file4 50 C:\Users\Public\Bilite\chiomsStup.exe, PE32 9->50 dropped 52 C:\Users\Public\Bilite\Axialis\libcurl.dll, PE32 9->52 dropped 54 C:\Users\Public\Bilite\...\RuntimeBrokers.exe, PE32 9->54 dropped 12 cmd.exe 1 9->12         started        process5 signatures6 68 Bypasses PowerShell execution policy 12->68 15 RuntimeBrokers.exe 3 18 12->15         started        19 conhost.exe 12->19         started        process7 dnsIp8 56 8.218.163.85, 18852, 49756, 49757 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 15->56 44 C:\Users\user\AppData\Local\Temp\backup.exe, PE32 15->44 dropped 46 C:\Users\user\AppData\Local\Temp\backup.dll, PE32 15->46 dropped 48 C:\Users\user\AppData\Local\updated.ps1, ASCII 15->48 dropped 21 cmd.exe 1 15->21         started        23 cmd.exe 1 15->23         started        25 cmd.exe 1 15->25         started        file9 process10 process11 27 conhost.exe 21->27         started        29 tasklist.exe 1 21->29         started        31 timeout.exe 1 21->31         started        42 35 other processes 21->42 33 powershell.exe 1 23 23->33         started        36 conhost.exe 23->36         started        38 powershell.exe 39 25->38         started        40 conhost.exe 25->40         started        signatures12 58 Loading BitLocker PowerShell Module 38->58
Score:
91%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3e5045e0af927fed92760e84a4300a7803632d7d8da0fcd5126700bfa4a79029
Gathering data
Threat name:
Win32.Ransomware.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-12-27 13:27:00 UTC
File Type:
PE (Exe)
Extracted files:
210
AV detection:
20 of 37 (54.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hzielyfpsj763etwb2ckimakpabwgll5rwqpzvism4al7jfhsauq._file
Verdict:
malicious
Label(s):
winos
Create hunting rule
Similar samples:
error
ValleyRAT
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery execution
Link:
https://tria.ge/reports/241228-3lkjlsvrgr/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Enumerates processes with tasklist
Command and Scripting Interpreter: PowerShell
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Tags:
Win.Malware.Lazy-10039964-0
YARA:
n/a
Link:
https://app.threat.zone/submission/44d72cf8-f8fc-4f80-8daa-7797f1e0fecb
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3e5045e0af927fed92760e84a4300a7803632d7d8da0fcd5126700bfa4a79029

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetDiskFreeSpaceExW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetSystemDirectoryW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::FindFirstFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments