MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 427b7f56dc616fb14f432da94ec3e4e855a0e674cd7357f7420c52c3f836411f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 427b7f56dc616fb14f432da94ec3e4e855a0e674cd7357f7420c52c3f836411f
SHA3-384 hash: 4d2bd3138a62a00e728e53b6d976ee5397415f2ed15722318498371db6cfe37f022a3ee708d6bc9809d7b8773764d7c9
SHA1 hash: 2624b46855f3715ffc9a0bd87c0c715ed5042951
MD5 hash: 995db7636b76cf33c20865fee42dc273
humanhash: kitten-arkansas-lima-freddie
File name:995DB7636B76CF33C20865FEE42DC273.dll
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:111'616 bytes
First seen:2025-07-27 19:40:17 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 9a3792aff0565a5387303270c11c4e6e (4 x ValleyRAT)
ssdeep 1536:TLzXF9S71HAfYoMv/BfPqSynD4cz/s6oN+BeOnEtKX6tkyn05K8GYX5zt:XbF471RPqSynEczkUfEtMtXX5zt
Threatray 562 similar samples on MalwareBazaar
TLSH T1A0B38C217660C832D0DB253D586AC7725A7FB83197B854CBF7A40ABD5FB02D06E3934A
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:dll RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
1.94.198.111:8888

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
1.94.198.111:8888 https://threatfox.abuse.ch/ioc/1561253/

Intelligence

File Origin
# of uploads :
1
# of downloads :
62
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/17228/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688680e70b4775fb21324009
Tags:
emotet farfli
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
farfli microsoft_visual_cc obfuscated zusy
Link:
https://www.filescan.io/uploads/688680bd42dbe1175d42a814/reports/d8eb8bf2-4fb3-465f-b8c2-434c2b7f793e/overview
Verdict:
Malicious
Labled as:
Trojan.Farfli
Link:
https://www.hybrid-analysis.com/sample/427b7f56dc616fb14f432da94ec3e4e855a0e674cd7357f7420c52c3f836411f
Malware family:
Winos
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/92dc08fe-f792-4af6-b6f2-0ef729b8da89
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1745198
Signature
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1745198 Sample: 7D9MA0hJED.dll Startdate: 27/07/2025 Architecture: WINDOWS Score: 100 30 Suricata IDS alerts for network traffic 2->30 32 Found malware configuration 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 2 other signatures 2->36 8 loaddll32.exe 1 2->8         started        process3 process4 10 rundll32.exe 8->10         started        13 rundll32.exe 8->13         started        15 rundll32.exe 3 8->15         started        18 5 other processes 8->18 dnsIp5 38 Found evasive API chain (may stop execution after checking mutex) 10->38 40 Contains functionality to inject threads in other processes 10->40 42 Contains functionality to capture and log keystrokes 10->42 44 Contains functionality to inject code into remote processes 10->44 20 WerFault.exe 18 10->20         started        46 System process connects to network (likely due to code injection or exploit) 13->46 28 1.94.198.111, 49695, 49699, 49702 CHINA169-BJChinaUnicomBeijingProvinceNetworkCN China 15->28 22 rundll32.exe 18->22         started        24 WerFault.exe 4 16 18->24         started        signatures6 process7 process8 26 WerFault.exe 20 16 22->26         started       
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/427b7f56dc616fb14f432da94ec3e4e855a0e674cd7357f7420c52c3f836411f
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/995db7636b76cf33c20865fee42dc273
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/427b7f56dc616fb14f432da94ec3e4e855a0e674cd7357f7420c52c3f836411f/
Verdict:
Malicious
Threat:
Backdoor.Win32.Xkcp
Link:
https://tip.neiki.dev/file/427b7f56dc616fb14f432da94ec3e4e855a0e674cd7357f7420c52c3f836411f
Threat name:
Win32.Trojan.FatalRAT
Create hunting rule
Status:
Malicious
First seen:
2025-07-25 12:54:00 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ij5x6vw4mfx3ct2dfwuu5q7e5bk2bztuzvzvp52cbrjmh6bwiepq._file
Verdict:
malicious
Label(s):
winos
Create hunting rule
Similar samples:
498a29a707112e1a95b867015e4efaf71f2e1ce41260e78573101f18886d4900
ValleyRAT
4c2ad96913b0de2746c7cb2257fed000cf9326673d204adb71aa00f7037e936f
ValleyRAT
4fce44f0c9eb6df41e0d3c4852f83843ba72a81ed12b442610e3472871994bcb
ValleyRAT
6c0edcc6278bfe22ceda9e478810f6854073b0ef13ef809d5e734ab1829275ac
ValleyRAT
7de5f5f6f3b17c99c97b37c3be788952ce01b7d2437e2139b344318af580d023
ValleyRAT
bd462515ea9ffe66fc27d9baa0fcc4bf733385829c2fc5676129aaeeb2e0af88
ValleyRAT
c0fec7656d60de54985a2a4a65811afcf61cac1fb50725cbb80eed3dd76077df
ValleyRAT
error
ValleyRAT
+ 552 additional samples on MalwareBazaar
Result
Malware family:
valleyrat_s2
Create hunting rule
Score:
  10/10
Tags:
family:valleyrat_s2 discovery
Link:
https://tria.ge/reports/250727-ydq9zael4t/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Malware Config
C2 Extraction:
1.94.198.111:8888
127.0.0.1:80
Unpacked files
SH256 hash:
427b7f56dc616fb14f432da94ec3e4e855a0e674cd7357f7420c52c3f836411f
MD5 hash:
995db7636b76cf33c20865fee42dc273
SHA1 hash:
2624b46855f3715ffc9a0bd87c0c715ed5042951
Detections:
win_valley_rat_auto
Create hunting rule
Link:
https://www.unpac.me/results/a62dff0e-885a-4468-b9eb-e2d1cc9ee280/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/427b7f56dc616fb14f432da94ec3e4e855a0e674cd7357f7420c52c3f836411f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Generic_Threat_4b0b73ce
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Winos_464b8a2e
Create hunting rule
Author:Elastic Security
Rule name:win_valley_rat_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.valley_rat.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/17228/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeGetTime
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
KERNEL32.dll::VirtualAllocEx
KERNEL32.dll::WriteProcessMemory
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::WSACloseEvent
WS2_32.dll::WSACreateEvent
WS2_32.dll::WSAEnumNetworkEvents
WS2_32.dll::WSAEventSelect
WS2_32.dll::WSAIoctl
WS2_32.dll::WSAResetEvent
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageW

Comments