MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ef95a0b2bc2a22bfae3383b20a5c6bd49f7784d55e66b10b379b471b2e7e6f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 17



SHA256 hash: 3ef95a0b2bc2a22bfae3383b20a5c6bd49f7784d55e66b10b379b471b2e7e6f8
SHA3-384 hash: 382820bac27f48f1083047b03896eafa6da5cdf4ea28172b54060dabb956cbd4524a4076b9944536b416f35715ae665c
SHA1 hash: a521cddfa5cad6431da500358e60e0d448953b97
MD5 hash: 7d16def42e7672dcd0e078bb8c2a68c6
humanhash: winner-two-fifteen-fillet
File name: 3ef95a0b2bc2a22bfae3383b20a5c6bd49f7784d55e66.exe
Signature: ValleyRAT
File size: 4'651'629 bytes
First seen: 2026-02-10 00:01:12 UTC
Last seen: 2026-02-10 15:55:13 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 7e0a0e8f80bbd1a9c0078e57256f1c3d (7 x ValleyRAT, 5 x GCleaner, 4 x CoinMiner)
ssdeep 98304:FzKX8hAW2impY8vTeN8HJyHjDeP2/3d4sZ5:FzKoAW2iQY86N8HAHy2/N3
TLSH T175262386D59809F8E077EEB48E794D06D37F3C6A5750A28B53D4B5921FB32A14C3BB02
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags: exe RAT ValleyRAT


abuse_ch
ValleyRAT C2:
143.92.32.132:443

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
143.92.32.132:443 | https://threatfox.abuse.ch/ioc/1744155/

Intelligence


File Origin
# of uploads: 2
# of downloads: 181
Origin country: NL
Vendor Threat Intelligence
Malware configuration found for:
Archives
Details
Archives
SFX commands and extracted archive contents
Malware family:
n/a
ID:
1
File name:
3ef95a0b2bc2a22bfae3383b20a5c6bd49f7784d55e66b10b379b471b2e7e6f8.exe
Verdict:
Malicious activity
Analysis date:
2026-02-09 22:18:52 UTC
Tags:
silverfox backdoor donutloader loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
vmdetect emotet nemty
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context alien anti-debug anti-vm anti-vm base64 donut evasive expired-cert exploit explorer fingerprint fingerprint fingerprint installer installer installer-heuristic lolbin microsoft_visual_cc overlay packed rozena sfx unsafe
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-02-09T04:25:00Z UTC
Last seen:
2026-02-10T03:55:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.Shellcode.mjq Backdoor.Win32.Agentb.sb Backdoor.Agent.TCP.C&C UDS:DangerousObject.Multi.Generic Backdoor.Win32.Agent.a Trojan.Win64.Agentb.sb Trojan.Win32.Shellcode.sb
Result
Threat name:
DonutLoader, ValleyRAT
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Detected unpacking (creates a PE file in dynamic memory)
Drops large PE files
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Ping/Del Command Combination
Unusual module load detection (module proxying)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DonutLoader
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Behavior Graph ID: 1866421 (Sample: 3ef95a0b2bc2a22bfae3383b20a..., Startdate: 10/02/2026, Architecture: WINDOWS, Score: 100) [behavior graph image not rendered]
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Threat name:
Win64.Trojan.Egairtigado
Status:
Malicious
First seen:
2026-02-09 07:33:45 UTC
File Type:
PE+ (Exe)
Extracted files:
73
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Result
Malware family:
valleyrat_s2
Score:
  10/10
Tags:
family:valleyrat_s2 backdoor discovery installer
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Enumerates connected drives
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
ValleyRat
Valleyrat_s2 family
Unpacked files
SHA256 hash:
3ef95a0b2bc2a22bfae3383b20a5c6bd49f7784d55e66b10b379b471b2e7e6f8
MD5 hash:
7d16def42e7672dcd0e078bb8c2a68c6
SHA1 hash:
a521cddfa5cad6431da500358e60e0d448953b97
SHA256 hash:
9ff455ac522cb4597f94df5121a1534726bc9eaf151f18990e3c3049071d41d5
MD5 hash:
d62d49a886654710bcc3fd2b8e27a77a
SHA1 hash:
b9d46d75283041b04749ec9878e430fa85cbc88d
Detections:
win_squidloader_auto
SHA256 hash:
bd843f7c165a6251455639d01b6ae85f20c7aec2a8ca5d4ab521880d6813735e
MD5 hash:
145898cb5af2ca809c95e23b45fed65e
SHA1 hash:
0d33795c0d669182c2eab357c05c741eff8977c4
SHA256 hash:
f73b507cdfd9df9d1eb3f945bede71fe67fe31c4694fad4fee498cebc8d201a9
MD5 hash:
d08c17dc902923e6ad46b9146adb873e
SHA1 hash:
077a3a3dc73b7c17de3891c286f72a6a12cf8c15
Detections:
win_squidloader_auto
Malware family:
ValleyRAT
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: GenericGh0st
Author: Still
Rule name: Gh0stKCP
Author: Netresec
Description: Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference: https://netresec.com/?b=259a5af
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: meth_peb_parsing
Author: Willi Ballenthin
Rule name: pe_detect_tls_callbacks
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: telebot_framework
Author: vietdx.mb
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Windows_Generic_Threat_4b0b73ce
Author: Elastic Security
Rule name: WinosStager
Author: YungBinary
Description: https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments