MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f210a1b33e11acd7c2cd189312bb541d0e7b1f0bbd7564e8f3bb02025680f80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 26 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f210a1b33e11acd7c2cd189312bb541d0e7b1f0bbd7564e8f3bb02025680f80
SHA3-384 hash: 7108b2e54c847d88d6e42b22c9d50800883d53c67a4f36bd719525fdd10cf47a0a4ea627715700d564530e548f1e2ab4
SHA1 hash: c5584588af5181e7b08b79ddc8b3a8efe8687c70
MD5 hash: a62eeed7baaed1ba4e4e744b4f0f25a8
humanhash: artist-undress-alanine-undress
File name:A62EEED7BAAED1BA4E4E744B4F0F25A8.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:2'307'584 bytes
First seen:2025-10-07 18:40:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1aae8bf580c846f39c71c05898e57e88 (214 x LummaStealer, 70 x SalatStealer, 18 x ValleyRAT)
ssdeep 24576:LHQNF8f3qgQvLV/P/LuebehrDs9IAnCdEDNCIDxP9ry2eQfe6ENj9Rl7/HDq/Qfd:LWDDH8qJx/ENj9j8XLh9is
Threatray 1'748 similar samples on MalwareBazaar
TLSH T1B4B56B30FC87A9F2E40A6934458762AF2F246D0B0F318BCBE7447B7AE5772914937259
TrID 38.7% (.EXE) InstallShield setup (43053/19/16)
28.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.4% (.EXE) Win64 Executable (generic) (10522/11/4)
5.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter abuse_ch
Tags:exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
156.247.41.70:6666

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
156.247.41.70:6666 https://threatfox.abuse.ch/ioc/1608885/

Intelligence

File Origin
# of uploads :
1
# of downloads :
119
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
A62EEED7BAAED1BA4E4E744B4F0F25A8.exe
Verdict:
No threats detected
Analysis date:
2025-10-07 18:50:29 UTC
Tags:
api-base64 golang
Link:
https://app.any.run/tasks/a324aef7-0ada-4d30-abd6-15120d168b8e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/31028/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e55eab277c2bd8bc5d8a26
Tags:
autorun emotet spoof
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Сreating synchronization primitives
Launching the process to change the firewall settings
Launching a service
Connection attempt
Sending a custom TCP request
Creating a window
Firewall traversal
Enabling autorun for a service
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm base64 crypt fingerprint golang obfuscated
Link:
https://www.filescan.io/uploads/68e55fbc5a3bccf09ebbf3cd/reports/377f18bd-8183-4908-b599-8c04497922cd/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/3f210a1b33e11acd7c2cd189312bb541d0e7b1f0bbd7564e8f3bb02025680f80
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-05T00:48:00Z UTC
Last seen:
2025-10-08T00:50:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/3f210a1b33e11acd7c2cd189312bb541d0e7b1f0bbd7564e8f3bb02025680f80/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/03fd6b2d-d3bc-4de3-a996-ae931c80a552
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1790899
Signature
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Uses netsh to modify the Windows network and firewall settings
Yara detected EXE embedded in BAT file
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1790899 Sample: BwYEIbSPSg.exe Startdate: 07/10/2025 Architecture: WINDOWS Score: 100 35 Suricata IDS alerts for network traffic 2->35 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 5 other signatures 2->41 8 BwYEIbSPSg.exe 3 3 2->8         started        13 cmd.exe 1 2->13         started        process3 dnsIp4 33 156.247.41.70, 49682, 49683, 49693 PEGTECHINCUS Seychelles 8->33 31 C:\Users\user\Desktop\System.dll, PE32 8->31 dropped 43 Detected unpacking (creates a PE file in dynamic memory) 8->43 45 Contains functionality to inject threads in other processes 8->45 47 Contains functionality to inject code into remote processes 8->47 49 2 other signatures 8->49 15 netsh.exe 2 8->15         started        17 conhost.exe 8->17         started        19 BwYEIbSPSg.exe 1 13->19         started        21 conhost.exe 13->21         started        file5 signatures6 process7 process8 23 conhost.exe 15->23         started        25 netsh.exe 2 19->25         started        27 conhost.exe 19->27         started        process9 29 conhost.exe 25->29         started       
Score:
90%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3f210a1b33e11acd7c2cd189312bb541d0e7b1f0bbd7564e8f3bb02025680f80
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Base64 Block Base64 Payload Contains Base64 Block Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/a62eeed7baaed1ba4e4e744b4f0f25a8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3f210a1b33e11acd7c2cd189312bb541d0e7b1f0bbd7564e8f3bb02025680f80/
Verdict:
Malicious
Threat:
Family.DONUTLOADER
Link:
https://tip.neiki.dev/file/3f210a1b33e11acd7c2cd189312bb541d0e7b1f0bbd7564e8f3bb02025680f80
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h4qqugzt4enm27bm2getck5vihiopmpqxplvmtuphoycajlib6aa._file
Verdict:
malicious
Label(s):
donut_injector
Create hunting rule
valleyrat
Create hunting rule
Similar samples:
2e575672428aaaaefad64f5535cb2416c962db8a8ae060303ef765eec38ba2d2
ValleyRAT
64f099327947fe21c770ada4c870a1d25304cda4f028973d7098b3f831771ceb
ValleyRAT
67c39f2e56dc93e4b6f16b4658366462f8f90acad03792b2f5c1797bd9f89702
ValleyRAT
7bd055075eb686d64a347bbae78cc07f6e2937918cdd4136987ad1177906236e
ValleyRAT
9501bd6236e2e36cd2afbcf4126b44f7aff1f0b51d675ba3c26587ba02c108ce
ValleyRAT
aecd15cf284e8c4ba6d92a3cc082d27b24465513cdc0deb1c4ccb338ef072619
ValleyRAT
c4157fdbcc337db176dffca2d6d9adc22468302ac50ea968529e837a47d8ac5b
ValleyRAT
error
ValleyRAT
+ 1'738 additional samples on MalwareBazaar
Result
Malware family:
donutloader
Create hunting rule
Score:
  10/10
Tags:
family:donutloader defense_evasion discovery loader persistence privilege_escalation
Link:
https://tria.ge/reports/251007-xdqg1axtaw/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Enumerates connected drives
Loads dropped DLL
Modifies Windows Firewall
Detects DonutLoader
DonutLoader
Donutloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/046e25e6-3ca4-42e2-baab-e316f98fd291
Unpacked files
SH256 hash:
3f210a1b33e11acd7c2cd189312bb541d0e7b1f0bbd7564e8f3bb02025680f80
MD5 hash:
a62eeed7baaed1ba4e4e744b4f0f25a8
SHA1 hash:
c5584588af5181e7b08b79ddc8b3a8efe8687c70
Link:
https://www.unpac.me/results/25f9d173-a88b-4bf0-90d7-3634a55816c4/
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3f210a1b33e1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3f210a1b33e11acd7c2cd189312bb541d0e7b1f0bbd7564e8f3bb02025680f80

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:Gh0stKCP
Create hunting rule
Author:Netresec
Description:Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference:https://netresec.com/?b=259a5af
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Generic_Threat_4b0b73ce
Create hunting rule
Author:Elastic Security
Rule name:win_valley_rat_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.valley_rat.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/31028/

Comments