MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43130df9d6c99e0d01470a57e0a21215a9afbb1c9b191e1b86fcb046316de6d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43130df9d6c99e0d01470a57e0a21215a9afbb1c9b191e1b86fcb046316de6d1
SHA3-384 hash: e5ff83432856cd0242cd7cb79343bc0099992262cbf3a9702d7656b52da4d89111ea905b10bbd5b6b49a9fa7fc5c81a5
SHA1 hash: 98079ea87d017add7dc8f17ff96d81065316220e
MD5 hash: 7678ba7092c658fb4ad3908852277184
humanhash: cola-hot-chicken-uniform
File name:7678ba7092c658fb4ad3908852277184.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:24'925'704 bytes
First seen:2025-07-14 01:55:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4d363d3b473a6c355539abd95921390d (4 x ValleyRAT, 3 x FatalRAT, 1 x YoungLotus)
ssdeep 393216:wEXg3pA8BmqtQLjoHWahnc3X8oC5xxb+jDcIYQS0uzsTRfnSGPrbI0lwFfSV6I5c:jX+pAokcHtcHaqvDjSDsT5nS+k0MqYI+
TLSH T17D471231B14AC43ADA6201B11A2C9FDF5128BF261BB514D7B3DC2E6E0BB45D21736E27
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 6ded69c7b130b2c0 (12 x CryptBot, 8 x ValleyRAT, 4 x NetSupport)
Reporter abuse_ch
Tags:exe RAT signed ValleyRAT

Code Signing Certificate

Organisation:Xiangyang Dianjue Trading Store (Sole Proprietorship)
Issuer:Certum Code Signing 2021 CA
Algorithm:sha256WithRSAEncryption
Valid from:2025-03-03T14:04:18Z
Valid to:2026-03-03T14:04:17Z
Serial number: 4c4c9f16877c6c8508a12bdd7c94607d
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 7b3341df0b62744d1912e8b593a3dc6971f36e2bab87ae7c3d49412a99f7adf2
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
ValleyRAT C2:
143.92.43.168:6688

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
143.92.43.168:6688 https://threatfox.abuse.ch/ioc/1556537/

Intelligence

File Origin
# of uploads :
1
# of downloads :
35
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7678ba7092c658fb4ad3908852277184.exe
Verdict:
Malicious activity
Analysis date:
2025-07-14 01:57:13 UTC
Tags:
advancedinstaller
Link:
https://app.any.run/tasks/a4be1c25-129f-416c-a28b-6cdd24766080

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/14144/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6874639f900df8e7f86a7e0e
Tags:
shellcode dropper virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Loading a suspicious library
Creating a file
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm base64 expired-cert fingerprint lolbin microsoft_visual_cc msiexec overlay runonce signed
Link:
https://www.filescan.io/uploads/6874639a1bf7248a928a76c2/reports/acf796bc-c407-4759-860c-5163b3c517bc/overview
Verdict:
Malicious
Labled as:
Trojan_Win32_DLLhijack_xge
Link:
https://www.hybrid-analysis.com/sample/43130df9d6c99e0d01470a57e0a21215a9afbb1c9b191e1b86fcb046316de6d1
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1735593
Signature
AI detected suspicious PE digital signature
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to modify Windows User Account Control (UAC) settings
Detected unpacking (creates a PE file in dynamic memory)
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1735593 Sample: 1Sqi5Dfr25.exe Startdate: 14/07/2025 Architecture: WINDOWS Score: 64 102 msg.video.dns.iqiyi.com 2->102 104 msg.iqiyi.com 2->104 106 2 other IPs or domains 2->106 130 Suricata IDS alerts for network traffic 2->130 132 Found malware configuration 2->132 134 Multi AV Scanner detection for dropped file 2->134 136 5 other signatures 2->136 12 msiexec.exe 88 35 2->12         started        15 1Sqi5Dfr25.exe 84 2->15         started        17 svchost.exe 2->17         started        20 22 other processes 2->20 signatures3 process4 dnsIp5 80 webserver.exe (copy), PE32 12->80 dropped 82 libcurl.dll (copy), PE32 12->82 dropped 84 libcef.dll (copy), PE32 12->84 dropped 92 7 other malicious files 12->92 dropped 23 msiexec.exe 1 12->23         started        25 msiexec.exe 12->25         started        86 C:\Users\user\AppData\...\webserver.exe, PE32 15->86 dropped 88 C:\Users\user\AppData\Roaming\...\libcurl.dll, PE32 15->88 dropped 90 C:\Users\user\AppData\Roaming\...\libcef.dll, PE32 15->90 dropped 94 16 other malicious files 15->94 dropped 27 1Sqi5Dfr25.exe 1 15->27         started        126 Changes security center settings (notifications, updates, antivirus, firewall) 17->126 29 MpCmdRun.exe 17->29         started        108 192.168.2.4, 138, 443, 49540 unknown unknown 20->108 110 127.0.0.1 unknown unknown 20->110 128 Detected unpacking (creates a PE file in dynamic memory) 20->128 31 chrome.exe 20->31         started        34 webserver.exe 20->34         started        36 webserver.exe 20->36         started        38 WerFault.exe 20->38         started        file6 signatures7 process8 dnsIp9 40 cmd.exe 1 23->40         started        42 msiexec.exe 27->42         started        44 conhost.exe 29->44         started        116 google.com 142.251.16.138, 443, 49785, 49799 GOOGLEUS United States 31->116 118 172.217.14.97, 443, 49783 GOOGLEUS United States 31->118 120 13 other IPs or domains 31->120 46 webserver.exe 34->46         started        48 webserver.exe 36->48         started        process10 process11 50 cmd.exe 1 40->50         started        52 conhost.exe 40->52         started        process12 54 appdata.exe 1 50->54         started        57 ChromeSetup.exe 7 50->57         started        60 conhost.exe 50->60         started        file13 138 Contains functionality to inject threads in other processes 54->138 140 Contains functionality to capture and log keystrokes 54->140 142 Contains functionality to inject code into remote processes 54->142 144 Contains functionality to modify Windows User Account Control (UAC) settings 54->144 62 appdata.exe 54->62         started        67 WerFault.exe 54->67         started        78 C:\Users\user\AppData\Local\...\updater.exe, PE32 57->78 dropped 69 updater.exe 11 57->69         started        signatures14 process15 dnsIp16 114 143.92.43.168, 49732, 6688 BCPL-SGBGPNETGlobalASNSG Singapore 62->114 96 C:\ProgramData\sjfc\falcon.dll, PE32 62->96 dropped 98 C:\ProgramData\sjfc\browser.exe, PE32 62->98 dropped 122 Disables UAC (registry) 62->122 124 Disable UAC(promptonsecuredesktop) 62->124 71 browser.exe 62->71         started        74 appdata.exe 62->74         started        100 C:\Program Files (x86)behaviorgraphoogle\...\updater.exe, PE32 69->100 dropped 76 updater.exe 69->76         started        file17 signatures18 process19 dnsIp20 112 msg.video.dns.iqiyi.com 118.26.32.89, 49740, 80 IQIYI-AS-APBeijingIQIYIScienceTechnologyCoLtdCN China 71->112
Score:
63%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/43130df9d6c99e0d01470a57e0a21215a9afbb1c9b191e1b86fcb046316de6d1
Verdict:
inconclusive
YARA:
7 match(es)
Tags:
CAB:COMPRESSION:MSZIP Executable PDB Path PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/7678ba7092c658fb4ad3908852277184
Gathering data
Threat name:
Win32.Malware.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-07-11 05:27:37 UTC
File Type:
PE (Exe)
Extracted files:
2096
AV detection:
8 of 37 (21.62%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=imjq36owzgpa2akhbjl6biqscwu27oy4tmmr4g4g7syemmln43iq._file
Verdict:
malicious
Label(s):
winos
Create hunting rule
Similar samples:
error
ValleyRAT
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery
Link:
https://tria.ge/reports/250714-ccenwswry2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Loads dropped DLL
Enumerates connected drives
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0573a2ce-b826-426b-aae0-fec4c80d517c
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/43130df9d6c99e0d01470a57e0a21215a9afbb1c9b191e1b86fcb046316de6d1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Sandworm_ArguePatch_Apr_2022_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:cobalt_strike_beacon_detected
Create hunting rule
Author:0x0d4y
Description:This rule detects cobalt strike beacons.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:win_valley_rat_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.valley_rat.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/14144/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleTextAttribute
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleScreenBufferInfo
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CopyFileExW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW

Comments