MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4197da71fd45adddd77c5510107c7b0cb8a038a06cc3a849bdd4960fc5a4dcb3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4197da71fd45adddd77c5510107c7b0cb8a038a06cc3a849bdd4960fc5a4dcb3
SHA3-384 hash: 2bec0d4a6718220ca85186f8b62a9ae8491201d5b323daaaa12315c1c0e9e6b15a299d1d57f4f2e4d086964124ecee9a
SHA1 hash: 752dc7750d3434859e0f77a541911e9d77b8a33d
MD5 hash: f94a1130cd6d809ba16f2bb73cc5bff5
humanhash: quebec-william-solar-zebra
File name:kuaiVPN.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:38'639'888 bytes
First seen:2025-07-13 17:11:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4d363d3b473a6c355539abd95921390d (4 x ValleyRAT, 3 x FatalRAT, 1 x YoungLotus)
ssdeep 786432:sXwDJhY/TEBp+wnxtzfwU1czxnStN43c9zbUon0zXrZfsbk5amXvk:sgDblpVxpJcVnSvcc9cTbNfsbuav
Threatray 180 similar samples on MalwareBazaar
TLSH T14E871231B642C03AD56A00B15A3DAEAA553CBE660B7514C777DC3E6E0FB05C21B36E27
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 6ded69c7b130b2c0 (12 x CryptBot, 8 x ValleyRAT, 4 x NetSupport)
Reporter aachum
Tags:82-29-54-36 CHN exe signed SilverFox ValleyRAT VoidArachne winos Xiangyang-Dianjue-Trading-Store-Sole-Proprietorship

Code Signing Certificate

Organisation:Xiangyang Dianjue Trading Store (Sole Proprietorship)
Issuer:Certum Code Signing 2021 CA
Algorithm:sha256WithRSAEncryption
Valid from:2025-03-03T14:04:18Z
Valid to:2026-03-03T14:04:17Z
Serial number: 4c4c9f16877c6c8508a12bdd7c94607d
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 7b3341df0b62744d1912e8b593a3dc6971f36e2bab87ae7c3d49412a99f7adf2
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
iamaachum
https://www.kuailianguanwangvpn.com/ => https://kuaipmevpn.com/kuaiVPN.zip

Intelligence

File Origin
# of uploads :
1
# of downloads :
34
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
kuaiVPN.exe
Verdict:
No threats detected
Analysis date:
2025-07-13 17:01:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e41c9afa-ec38-4aca-8c47-739fc8e9d329

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
98.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6873e900c9eb97473768b87d
Tags:
shellcode dropper virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
Creating a file in the %temp% directory
Loading a suspicious library
Creating a file
Sending a custom TCP request
Verdict:
Malicious
Labled as:
Multiple_detections
Link:
https://www.hybrid-analysis.com/sample/4197da71fd45adddd77c5510107c7b0cb8a038a06cc3a849bdd4960fc5a4dcb3
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
58 / 100
Link:
https://www.joesandbox.com/analysis/1735338
Signature
AI detected suspicious PE digital signature
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Detected unpacking (creates a PE file in dynamic memory)
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1735338 Sample: kuaiVPN.exe Startdate: 13/07/2025 Architecture: WINDOWS Score: 58 118 nit.crash1ytics.com 2->118 120 nal.fqoqehwib.com 2->120 122 chr.alipayassets.com 2->122 130 Found malware configuration 2->130 132 Multi AV Scanner detection for submitted file 2->132 134 Yara detected ValleyRAT 2->134 136 3 other signatures 2->136 13 msiexec.exe 86 42 2->13         started        16 wechatdata.exe 2->16         started        19 svchost.exe 2->19         started        21 8 other processes 2->21 signatures3 process4 file5 102 C:\ProgramData\wechatweb\wechatdata.exe, PE32 13->102 dropped 104 C:\ProgramData\appdata\latest.exe, PE32 13->104 dropped 106 C:\ProgramData\appdata\appdat.exe, PE32 13->106 dropped 114 7 other files (none is malicious) 13->114 dropped 23 msiexec.exe 1 13->23         started        25 msiexec.exe 13->25         started        126 Detected unpacking (creates a PE file in dynamic memory) 16->126 27 wechatdata.exe 16->27         started        29 WerFault.exe 16->29         started        128 Changes security center settings (notifications, updates, antivirus, firewall) 19->128 31 MpCmdRun.exe 19->31         started        108 C:\Users\user\AppData\Local\...\shi3F3A.tmp, PE32+ 21->108 dropped 110 C:\Users\user\AppData\Local\...\MSI779A.tmp, PE32 21->110 dropped 112 C:\Users\user\AppData\Local\...\MSI777A.tmp, PE32 21->112 dropped 116 10 other files (none is malicious) 21->116 dropped 33 kuaiVPN.exe 1 21->33         started        35 WerFault.exe 21->35         started        37 WerFault.exe 21->37         started        39 3 other processes 21->39 signatures6 process7 process8 41 cmd.exe 1 23->41         started        43 wechatdata.exe 27->43         started        45 conhost.exe 31->45         started        47 msiexec.exe 33->47         started        49 Conhost.exe 33->49         started        process9 51 cmd.exe 1 41->51         started        53 conhost.exe 41->53         started        process10 55 latest.exe 10 286 51->55         started        59 appdat.exe 1 51->59         started        61 conhost.exe 51->61         started        file11 94 C:\...\AddWindowsSecurityExclusion.ps1, ASCII 55->94 dropped 96 C:\Users\user\AppData\Local\...\nsProcess.dll, PE32 55->96 dropped 98 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 55->98 dropped 100 217 other files (none is malicious) 55->100 dropped 138 Bypasses PowerShell execution policy 55->138 63 powershell.exe 55->63         started        66 tapinstall.exe 55->66         started        69 tapinstall.exe 55->69         started        140 Contains functionality to inject threads in other processes 59->140 142 Contains functionality to capture and log keystrokes 59->142 144 Contains functionality to inject code into remote processes 59->144 71 appdat.exe 59->71         started        74 WerFault.exe 59->74         started        signatures12 process13 dnsIp14 146 Loading BitLocker PowerShell Module 63->146 76 conhost.exe 63->76         started        90 C:\Users\user\AppData\...\tap0901.sys (copy), PE32+ 66->90 dropped 92 C:\Users\user\AppData\Local\...\SET777D.tmp, PE32+ 66->92 dropped 78 conhost.exe 66->78         started        80 conhost.exe 69->80         started        124 82.29.54.36, 6789 NTLGB United Kingdom 71->124 148 Disables UAC (registry) 71->148 150 Disable UAC(promptonsecuredesktop) 71->150 82 appdat.exe 71->82         started        84 WerFault.exe 71->84         started        86 WerFault.exe 71->86         started        file15 signatures16 process17 process18 88 appdat.exe 82->88         started       
Score:
69%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/4197da71fd45adddd77c5510107c7b0cb8a038a06cc3a849bdd4960fc5a4dcb3
Gathering data
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-07-11 11:17:19 UTC
File Type:
PE (Exe)
Extracted files:
2723
AV detection:
9 of 24 (37.50%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=igl5u4p5iww53v34kuiba7d3bs4kaofantb2qsn52sla7rne3szq._file
Verdict:
malicious
Label(s):
winos
Create hunting rule
Similar samples:
30f1434c85fcbfb70b8c294460ee2f7368f4ff1aebfb85e06aac5ed3d5046c47
ValleyRAT
4197da71fd45adddd77c5510107c7b0cb8a038a06cc3a849bdd4960fc5a4dcb3
ValleyRAT
70dc1b89b608524c98f02a2bd8a0cf162d662841f30b6e622c8fea77dbaae148
ValleyRAT
8a4351200638f68995aaaef923393851321e4064508e9aed734224617cc5d69d
ValleyRAT
aa50da2a49089316258540ca5606b7daa77cc9b93a406bff136166882261182e
ValleyRAT
e38e23432813e4eb1ddec51456d1a9bb6f3a3a99cd68e3a130a1622e9d53c54d
ValleyRAT
error
ValleyRAT
+ 170 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery
Link:
https://tria.ge/reports/250713-vq1sdsdl8x/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Loads dropped DLL
Enumerates connected drives
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/90b57454-dc7d-4db0-a6c4-983b9b0422b2
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4197da71fd45adddd77c5510107c7b0cb8a038a06cc3a849bdd4960fc5a4dcb3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Sandworm_ArguePatch_Apr_2022_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:cobalt_strike_beacon_detected
Create hunting rule
Author:0x0d4y
Description:This rule detects cobalt strike beacons.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RedOctoberPluginCollectInfo
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ValleyRAT

Executable exe 4197da71fd45adddd77c5510107c7b0cb8a038a06cc3a849bdd4960fc5a4dcb3

(this sample)

  
Link
https://tria.ge/250713-vf7sysswgt/behavioral1
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleTextAttribute
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleScreenBufferInfo
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CopyFileExW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW

Comments