MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f78ec4bd0a0ccff1c5e0fda4f47531abb343a9835682c40f538bebab5b770e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f78ec4bd0a0ccff1c5e0fda4f47531abb343a9835682c40f538bebab5b770e8
SHA3-384 hash: ce646a7c2d5a94f9f20f38700b59b817ee73a2fff1574e9c54836e337a545c9cf399a446897278ac3bbb00235e7f5d0e
SHA1 hash: bf943652ddfef722be10f4cc129e2fe3d3004bc8
MD5 hash: 515915ad759965dce79ed17c142b03de
humanhash: oklahoma-summer-burger-georgia
File name:515915ad759965dce79ed17c142b03de.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:42'884'128 bytes
First seen:2025-08-05 19:50:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash efd455830ba918de67076b7c65d86586 (84 x Gh0stRAT, 22 x ValleyRAT, 6 x OffLoader)
ssdeep 786432:Jyrr7YeuTiFNr1PoDfyJ5qIX4msztFboMxVeaZ7ZsTJgl:u22NBPIIX4mqL5IaZ7ZsTJgl
TLSH T138973367618B613FF8794D3419B2E217163B6E30A5134C6A8BECB64CCE351D11E3FA26
TrID 62.3% (.EXE) Inno Setup installer (107240/4/30)
24.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
6.1% (.EXE) Win64 Executable (generic) (10522/11/4)
2.6% (.EXE) Win32 Executable (generic) (4504/4/1)
1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon f0f0e0d4e0f0e871 (1 x ValleyRAT)
Reporter abuse_ch
Tags:exe RAT signed ValleyRAT

Code Signing Certificate

Organisation:咸宁创翼互联网科技有限公司
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha384WithRSAEncryption
Valid from:2025-07-17T00:00:00Z
Valid to:2025-08-13T23:59:59Z
Serial number: 0d62a5672bbbce5a3b7441f3a33426b3
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 908e1fc0b6f557c0d3e2be625a699019cf92eebbd1b02ac9c2fd4c14d06ec7b5
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
ValleyRAT C2:
18.167.247.26:443

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
18.167.247.26:443 https://threatfox.abuse.ch/ioc/1564594/

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
515915ad759965dce79ed17c142b03de.exe
Verdict:
Malicious activity
Analysis date:
2025-08-05 20:10:15 UTC
Tags:
inno installer delphi
Link:
https://app.any.run/tasks/a3fb2eaf-100c-430a-8ecc-d3f12e5799db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689260d811d7f9b979e5bf72
Tags:
dropper kryptik virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context alien crypt embarcadero_delphi fingerprint installer obfuscated overlay signed
Link:
https://www.filescan.io/uploads/689260ce2fbe0788fb1a30c3/reports/490c9daa-e76c-41d6-8b74-4e694f1e5067/overview
Verdict:
Malicious
Labled as:
Trojan.Alien.aiuu
Link:
https://www.hybrid-analysis.com/sample/3f78ec4bd0a0ccff1c5e0fda4f47531abb343a9835682c40f538bebab5b770e8
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
66 / 100
Link:
https://www.joesandbox.com/analysis/1750837
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Uses Register-ScheduledTask to add task schedules
Writes to foreign memory regions
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1750837 Sample: MNubust4SQ.exe Startdate: 05/08/2025 Architecture: WINDOWS Score: 66 74 ks2.ksdcks3.org 2->74 76 safew.org 2->76 78 6 other IPs or domains 2->78 88 Suricata IDS alerts for network traffic 2->88 90 Found malware configuration 2->90 92 Multi AV Scanner detection for submitted file 2->92 94 8 other signatures 2->94 11 MNubust4SQ.exe 2 2->11         started        14 mesedg.exe 2->14         started        17 explorer.exe 2->17         started        signatures3 process4 dnsIp5 62 C:\Users\user\AppData\...\MNubust4SQ.tmp, PE32 11->62 dropped 20 MNubust4SQ.tmp 25 18 11->20         started        108 Injects code into the Windows Explorer (explorer.exe) 14->108 110 Writes to foreign memory regions 14->110 112 Allocates memory in foreign processes 14->112 114 Creates a thread in another existing process (thread injection) 14->114 72 ax-0003.ax-msedge.net 150.171.27.12, 443, 49692 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 17->72 116 System process connects to network (likely due to code injection or exploit) 17->116 118 Query firmware table information (likely to detect VMs) 17->118 file6 signatures7 process8 file9 52 C:\Program Files (x86)\...\mesedg.exe (copy), PE32+ 20->52 dropped 54 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 20->54 dropped 56 C:\...\unins000.exe (copy), PE32 20->56 dropped 58 14 other files (none is malicious) 20->58 dropped 23 mesedg.exe 20->23         started        25 safew.exe 2 20->25         started        process10 file11 28 mesedg.exe 23->28         started        60 C:\Users\user\AppData\Local\...\safew.tmp, PE32 25->60 dropped 31 safew.tmp 30 17 25->31         started        process12 file13 100 Suspicious powershell command line found 28->100 102 Injects code into the Windows Explorer (explorer.exe) 28->102 104 Writes to foreign memory regions 28->104 106 4 other signatures 28->106 34 explorer.exe 28->34 injected 38 powershell.exe 37 28->38         started        40 powershell.exe 23 28->40         started        64 C:\Users\user\AppData\...\unins000.exe (copy), PE32 31->64 dropped 66 C:\Users\user\AppData\...\is-6PK26.tmp, PE32 31->66 dropped 68 C:\Users\user\...\d3dcompiler_47.dll (copy), PE32 31->68 dropped 70 6 other files (none is malicious) 31->70 dropped 42 SafeW.exe 31->42         started        44 SafeW.exe 31->44         started        signatures14 process15 dnsIp16 80 ks2.ksdcks3.org 18.167.247.26, 443, 49691 AMAZON-02US United States 34->80 96 System process connects to network (likely due to code injection or exploit) 34->96 46 WerFault.exe 34->46         started        98 Loading BitLocker PowerShell Module 38->98 48 conhost.exe 38->48         started        50 conhost.exe 40->50         started        82 47.106.23.36, 49704, 49711, 49712 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd China 42->82 84 gitlab.com 172.65.251.78, 443, 49737, 49749 CLOUDFLARENETUS United States 42->84 86 2 other IPs or domains 42->86 signatures17 process18
Score:
34%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/3f78ec4bd0a0ccff1c5e0fda4f47531abb343a9835682c40f538bebab5b770e8
Gathering data
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2025-07-31 19:32:05 UTC
File Type:
PE (Exe)
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=h54oys6qudgp6hc6b7ne6r2tdk5tiouygvucyqhvhc7lvnnxodua._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/250805-yk69rsgj6x/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Executes dropped EXE
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d87b875b-a1d2-447b-83a1-19178971adcd
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3f78ec4bd0a0ccff1c5e0fda4f47531abb343a9835682c40f538bebab5b770e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User Authorizationadvapi32.dll::AllocateAndInitializeSid
advapi32.dll::ConvertSidToStringSidW
advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
advapi32.dll::EqualSid
advapi32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
advapi32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessW
advapi32.dll::OpenProcessToken
advapi32.dll::OpenThreadToken
kernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::LoadLibraryExW
kernel32.dll::LoadLibraryW
kernel32.dll::GetDriveTypeW
kernel32.dll::GetVolumeInformationW
kernel32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryW
kernel32.dll::CreateFileW
kernel32.dll::DeleteFileW
kernel32.dll::GetWindowsDirectoryW
kernel32.dll::GetSystemDirectoryW
kernel32.dll::GetFileAttributesW
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExW
advapi32.dll::RegQueryValueExW
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageW
user32.dll::CreateWindowExW

Comments