MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4326287ff9e56f31ad92ac366b693e24f22384c874a4fb233744201ce8d60f3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 17



SHA256 hash: 4326287ff9e56f31ad92ac366b693e24f22384c874a4fb233744201ce8d60f3d
SHA3-384 hash: 1ff7edf94c256db7c278ec8184dab39e8426a689332bfad3b7d0aba46f4875c56ae4e7f431af43ae5a26cce955ad7078
SHA1 hash: 429d8f8878e4a12950ffef88d1de01bb9ca4b485
MD5 hash: c09f85a78a99f7f61ce946530db83f08
humanhash: kentucky-rugby-muppet-fifteen
File name: C09F85A78A99F7F61CE946530DB83F08.exe
Signature: ValleyRAT
File size: 2'746'606 bytes
First seen: 2026-01-16 12:45:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e8ac1646024d52d1534a88da2e8037cd (10 x HijackLoader, 9 x OffLoader, 8 x ValleyRAT)
ssdeep: 49152:nDXr39jOpqzo7e18omk5I6IQDW20ZuRpYt4m8At3Q:nDb39jwqMA8o//j/+u76l8At3Q
TLSH: T110D5D013B5EAF73ED4254A351D629B61043F6EE1F41A8E639EE43A0CCE390511D3EE62
TrID: 62.3% (.EXE) Inno Setup installer (107240/4/30)
      24.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
      6.1% (.EXE) Win64 Executable (generic) (10522/11/4)
      2.6% (.EXE) Win32 Executable (generic) (4504/4/1)
      1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika: pebin
dhash icon: 74e0c4ccf4f4dcc4 (7 x ValleyRAT, 2 x CobaltStrike)
Reporter: abuse_ch
Tags: exe RAT ValleyRAT


abuse_ch
ValleyRAT C2:
8.222.204.62:2001

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 8.222.204.62:2001
ThreatFox reference: https://threatfox.abuse.ch/ioc/1733532/

Intelligence


File Origin
# of uploads: 1
# of downloads: 155
Origin country: NL
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: C09F85A78A99F7F61CE946530DB83F08.exe
Verdict: Malicious activity
Analysis date: 2026-01-16 12:45:40 UTC
Tags: payload
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: emotet shell virus sage

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context embarcadero_delphi fingerprint inno installer installer installer-heuristic overlay packed soft-404

Verdict: Malicious
File Type: exe x32
First seen: 2026-01-10T23:25:00Z UTC
Last seen: 2026-01-18T06:42:00Z UTC
Hits: ~10
Detections: Trojan.Win32.DLLhijack.adgj, Trojan.Win32.DLLhijack.adgk, Backdoor.Agent.TCP.C&C, Trojan.Win64.DllHijack.sb, Trojan.Win32.DLLhijack.sb
Result
Threat name: ValleyRAT
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signatures:
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Unusual module load detection (module proxying)
Uses Register-ScheduledTask to add task schedules
Yara detected ValleyRAT
Behaviour
Behavior Graph (Joe Sandbox graph ID 1851981, sample v61vRQZZD6.exe, start date 16/01/2026, architecture WINDOWS, score 100; the interactive graph itself is not reproduced here). Process chain recoverable from the graph: v61vRQZZD6.exe drops C:\Users\user\AppData\...\v61vRQZZD6.tmp (PE32) and starts it; v61vRQZZD6.tmp drops C:\Windows\en-US\is-H8IBN.tmp (PE32), C:\Windows\...\vcruntime140_1.dll (copy, PE32+), C:\Windows\en-US\...\vcruntime140.dll (copy, PE32+) and 10 other files (9 malicious), then starts WUDFHost.exe and POWERPNT.EXE; WUDFHost.exe spawns powershell.exe (flagged for a suspicious PowerShell command line, adding a directory exclusion to Windows Defender, a PowerShell case anomaly and loading the BitLocker PowerShell module) and WerFault.exe, and a child WUDFHost.exe connects to 8.222.204.62 on port 2001 (CNNIC-ALIBABA-US-NET-AP, Singapore). POWERPNT.EXE starts ai.exe and contacts Microsoft hosts (part-0041.t-0009.t-msedge.net 13.107.246.69:443, mira-ofc.tm-4.office.com 52.110.2.180:443); other resolved names include us2.roaming1.live.com.akadns.net and shed.dual-low.part-0041.t-0009.t-msedge.net.
Threat name: Win32.Backdoor.Valleyrat
Status: Suspicious
First seen: 2026-01-11 04:09:21 UTC
File Type: PE (Exe)
Extracted files: 94
AV detection: 23 of 36 (63.89%)
Threat level: 5/5

Result
Malware family: valleyrat_s2
Score: 10/10
Tags: family:valleyrat_s2 backdoor discovery execution installer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
ValleyRat
Valleyrat_s2 family
Malware Config
C2 Extraction:
8.222.204.62:2001
127.0.0.1:80
Unpacked files
File 1 (the submitted sample)
SHA256 hash: 4326287ff9e56f31ad92ac366b693e24f22384c874a4fb233744201ce8d60f3d
MD5 hash: c09f85a78a99f7f61ce946530db83f08
SHA1 hash: 429d8f8878e4a12950ffef88d1de01bb9ca4b485
File 2
SHA256 hash: 59b74f69476b8c4614d8eb06e27f4104a56adaa0816c527580b15688393b4d77
MD5 hash: 47eb73fbf262c9d19ca3033390c447ab
SHA1 hash: 2dec7f633a65c4c0ff68831cf462e93f09b030aa
File 3
SHA256 hash: 7e7ac37454e0a5853b9e1b71760e9ae5c665f6d4aefa0fab01cacc2c0f9139c9
MD5 hash: f16b64c7861f532fe801e6d2c9892f05
SHA1 hash: d962cc8ea462e8c7c7e94929f51e688dc39a720a
File 4
SHA256 hash: 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
MD5 hash: e4211d6d009757c078a9fac7ff4f03d4
SHA1 hash: 019cd56ba687d39d12d4b13991c9a42ea6ba03da
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Gh0stKCP
Author: Netresec
Description: Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference: https://netresec.com/?b=259a5af

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: pe_detect_tls_callbacks

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Windows_Shellcode_Rdi_edc62a10
Author: Elastic Security

Rule name: WinosStager
Author: YungBinary
Description: https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign

File information


The table below shows additional information about this malware sample such as delivery method and external references.
