MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47bf932521d49b5b44d5a6437aa7c558b1ab87f28d024c74545bdfecadda152b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 47bf932521d49b5b44d5a6437aa7c558b1ab87f28d024c74545bdfecadda152b
SHA3-384 hash: 0b7f4b4d36d3ff6367bcd1beecb724411f57f06c49a5de24f4effaf1d3a3ecded3fbb892266377b3fa0d2e273d82a397
SHA1 hash: ce121d800a38db4849de9c7637a8343831e62409
MD5 hash: 54a429080e06fd2b9d8e48ad362523de
humanhash: lithium-don-table-lake
File name:avutil-56.dll
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:22'016 bytes
First seen:2026-03-29 03:17:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 564b6f17255f6c9f1282ea5e61b18c8f (1 x ValleyRAT)
ssdeep 384:ybUGFrIVnOk/yidLkJHcCPLu3AOYWeQ3Ky6FL:fdmiViHDgAOt3Kp
Threatray 252 similar samples on MalwareBazaar
TLSH T11AA27C99F85A48DEF0729578C82BAF9ED1F97A24632007DF53E1046E2F353C1A636742
TrID 37.0% (.EXE) Win64 Executable (generic) (6522/11/2)
28.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.5% (.EXE) OS/2 Executable (generic) (2029/13)
11.3% (.EXE) Generic Win/DOS Executable (2002/3)
11.3% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
Reporter dght_432
Tags:Downloade exe SilverFox ValleyRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Malware family:
n/a
ID:
1
File name:
avutil-56.dll
Verdict:
No threats detected
Analysis date:
2026-03-29 02:05:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d09c2911-585d-4a5d-957e-d61788462037

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/59644/
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69c888e9635680513cf5284c
Tags:
dropper emotet virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Connection attempt
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm lolbin masquerade microsoft_visual_cc rundll32
Link:
https://www.filescan.io/uploads/69c899f62346b9da57adad5b/reports/4ae86cee-a6be-4148-9bd9-d73f6203aae8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/47bf932521d49b5b44d5a6437aa7c558b1ab87f28d024c74545bdfecadda152b
Verdict:
Malicious
File Type:
dll x64
First seen:
2026-03-28T23:08:00Z UTC
Last seen:
2026-03-29T12:05:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan-Downloader.Win32.Sheloader.gen HEUR:Trojan.Win32.Generic HEUR:Trojan.Win32.Agent.gen PDM:Exploit.Win32.Generic
Link:
https://opentip.kaspersky.com/47bf932521d49b5b44d5a6437aa7c558b1ab87f28d024c74545bdfecadda152b/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/954406f9-4acc-4af8-b4f0-90e20c52a7be
Score:
92%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/47bf932521d49b5b44d5a6437aa7c558b1ab87f28d024c74545bdfecadda152b
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/47bf932521d49b5b44d5a6437aa7c558b1ab87f28d024c74545bdfecadda152b/
Verdict:
Malicious
Threat:
Trojan-Downloader.Win32.Sheloader
Link:
https://tip.neiki.dev/file/47bf932521d49b5b44d5a6437aa7c558b1ab87f28d024c74545bdfecadda152b
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i67zgjjb2snvwrgvuzbxvj6flcy2xb7srubey5culpp6zlo2cuvq._file
Verdict:
malicious
Label(s):
valleyrat
Create hunting rule
darkbit
Create hunting rule
Similar samples:
15a5d1692a088cbf334cd507f1ee407e9a794ab76a5275b11799351537e95602
ValleyRAT
23e82be61fb19583d1f8082a5639d61c03707558d0cba3b59f65c12eaca11a7c
ValleyRAT
47bf932521d49b5b44d5a6437aa7c558b1ab87f28d024c74545bdfecadda152b
ValleyRAT
69f720f1caae81d5897244ffbed547e9cb11643a26966c7880973b61df5436a8
ValleyRAT
784ce917a01cc0eede501ab8f98927cb732486c9262215231c4c4885c5ade680
ValleyRAT
ab2c1d636c9c1e6cdecb92cd50da666897a06ea4d4b159d1f9bd8cb95221a500
ValleyRAT
b8fee4437c65685d6404f630164ace8bdbdefefec1220f8c3dc4cbecba253805
ValleyRAT
c373be374ca2e92cb015dca9e571f89103be65d12e6af224c94ac033c208761e
ValleyRAT
ee2148c1a134fb363b61013413882f531c8591647294fec99fcd37b69570cffc
ValleyRAT
error
ValleyRAT
+ 242 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/260329-dtqm6ac181/
Unpacked files
SH256 hash:
47bf932521d49b5b44d5a6437aa7c558b1ab87f28d024c74545bdfecadda152b
MD5 hash:
54a429080e06fd2b9d8e48ad362523de
SHA1 hash:
ce121d800a38db4849de9c7637a8343831e62409
Detections:
win_miancha_w0
Create hunting rule
Link:
https://www.unpac.me/results/45256169-59bd-4c04-8fb0-f40a84456477/
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/47bf932521d4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/47bf932521d49b5b44d5a6437aa7c558b1ab87f28d024c74545bdfecadda152b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Trojan_W32_Gh0stMiancha_1_0_0
Create hunting rule
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:win_miancha_w0
Create hunting rule
Author:Context Threat Intelligence
Description:Bytes inside
Reference:http://www.contextis.com/documents/30/TA10009_20140127_-_CTI_Threat_Advisory_-_The_Monju_Incident1.pdf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/59644/

Comments