MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4af534fee9e556c7ce1c6493cceba19b5979ead53991faefd4dd01308591afa8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 33 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4af534fee9e556c7ce1c6493cceba19b5979ead53991faefd4dd01308591afa8
SHA3-384 hash: 62857374078e4da4a9d1b55aef91c7d4063c3d1908e1d3895c975fb347268665147036c6de6ad1fbf5b7a6968e918167
SHA1 hash: a95ed623a499eecce187b839971f1ef746b69720
MD5 hash: 2aa8665670e5b543e40f5fbc8bd672f8
humanhash: uranus-east-ohio-comet
File name:2aa8665670e5b543e40f5fbc8bd672f8.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:724'480 bytes
First seen:2026-02-20 07:50:18 UTC
Last seen:2026-02-20 08:35:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (359 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 12288:ftoktfQzrzGK3Dk7ETU1Ar975FZpbTGEu2WKKpA42OtJ:Fokt+nD3DkL1AtDbyECpA4R
TLSH T177F423D9AA5F4527D6A0B730E6B48F54BAA7CF3E6C2B73694408A5C1237019C23F17B1
TrID 63.5% (.EXE) UPX compressed Win64 Executable (70117/5/12)
24.5% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.ICL) Windows Icons Library (generic) (2059/9)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:exe RAT UPX ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
192.163.162.194:447

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
192.163.162.194:447 https://threatfox.abuse.ch/ioc/1751063/
File size (compressed) :724'480 bytes
File size (de-compressed) :1'826'816 bytes
Format:win64/pe
Unpacked file: 5efbb120677eaa6155059ff8f0bcfcf97250f59f58deec15d5c1414550c318ba

Intelligence

File Origin
# of uploads :
2
# of downloads :
111
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
PEPacker
Details
Link:
https://research.acce.ciphertechsolutions.com/results/841d38c3-0e64-4dfb-a5f9-f9ffb8ab6792/
Malware family:
n/a
ID:
1
File name:
2aa8665670e5b543e40f5fbc8bd672f8.exe
Verdict:
Malicious activity
Analysis date:
2026-02-20 07:52:30 UTC
Tags:
anti-evasion auto-sch auto-reg upx antivm golang
Link:
https://app.any.run/tasks/9baf9869-7f4a-4800-bbcd-9ad166ccd299

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/53899/
Detection(s):
SecuriteInfo.com.Win64.Malware-gen.61137513.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=699812468fffa866e3afb498
Tags:
virus shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Creating a file
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm anti-vm packed packed packed unsafe upx
Link:
https://www.filescan.io/uploads/69981241cd25bfe1dfd61651/reports/7d517bae-2eeb-4d21-9bba-36b826e907b0/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/4af534fee9e556c7ce1c6493cceba19b5979ead53991faefd4dd01308591afa8
Result
Gathering data
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-02-13T15:02:00Z UTC
Last seen:
2026-02-13T15:26:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/4af534fee9e556c7ce1c6493cceba19b5979ead53991faefd4dd01308591afa8/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b8e8aaf9-253d-4afb-9207-b0e83de660b0
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1872345
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Creates multiple autostart registry keys
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1872345 Sample: HavIhy2E3t.exe Startdate: 20/02/2026 Architecture: WINDOWS Score: 100 60 Found malware configuration 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 Yara detected ValleyRAT 2->64 66 2 other signatures 2->66 7 HavIhy2E3t.exe 1 2->7         started        12 hhopplaa.exe 2->12         started        14 hhopplaa.exe 2->14         started        16 7 other processes 2->16 process3 dnsIp4 58 192.163.162.194, 447 LEASEWEB-USA-LAX-11US United States 7->58 56 C:\Users\user\AppData\...\hhopplaa.exe, PE32+ 7->56 dropped 72 Uses cmd line tools excessively to alter registry or file data 7->72 74 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->74 76 Uses schtasks.exe or at.exe to add and modify task schedules 7->76 18 reg.exe 1 1 7->18         started        29 2 other processes 7->29 78 Multi AV Scanner detection for dropped file 12->78 80 Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners) 12->80 82 Potentially malicious time measurement code found 12->82 21 reg.exe 1 1 12->21         started        31 2 other processes 12->31 23 reg.exe 1 1 14->23         started        33 2 other processes 14->33 25 reg.exe 1 1 16->25         started        27 reg.exe 1 1 16->27         started        35 17 other processes 16->35 file5 signatures6 process7 signatures8 68 Uses cmd line tools excessively to alter registry or file data 18->68 70 Creates multiple autostart registry keys 18->70 37 conhost.exe 18->37         started        39 conhost.exe 21->39         started        41 conhost.exe 23->41         started        43 conhost.exe 25->43         started        45 conhost.exe 27->45         started        47 2 other processes 29->47 50 2 other processes 31->50 52 2 other processes 33->52 54 17 other processes 35->54 process9 signatures10 84 Uses cmd line tools excessively to alter registry or file data 47->84
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4af534fee9e556c7ce1c6493cceba19b5979ead53991faefd4dd01308591afa8
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4af534fee9e556c7ce1c6493cceba19b5979ead53991faefd4dd01308591afa8/
Verdict:
Malicious
Threat:
Family.VALLEYRAT
Link:
https://tip.neiki.dev/file/4af534fee9e556c7ce1c6493cceba19b5979ead53991faefd4dd01308591afa8
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jl2tj7xj4vlmptq4msj4z25btnmxt2wvhgi7v36u3uatbbmrv6ua._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion execution persistence upx
Link:
https://tria.ge/reports/260220-jpf6taez7f/
Behaviour
Modifies registry key
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
UPX packed file
Adds Run key to start application
Executes dropped EXE
Looks for VMWare drivers on disk
Enumerates VirtualBox DLL files
Looks for VirtualBox drivers on disk
Looks for VirtualBox executables on disk
Unpacked files
SH256 hash:
4af534fee9e556c7ce1c6493cceba19b5979ead53991faefd4dd01308591afa8
MD5 hash:
2aa8665670e5b543e40f5fbc8bd672f8
SHA1 hash:
a95ed623a499eecce187b839971f1ef746b69720
Link:
https://www.unpac.me/results/635d35b2-2cd8-4e17-ba1d-2fda586ef29d/
SH256 hash:
5efbb120677eaa6155059ff8f0bcfcf97250f59f58deec15d5c1414550c318ba
MD5 hash:
e11c298b40d712029a3de9280fd777ac
SHA1 hash:
7811f68dea28c7baab6c99c408bef04f37f896b9
Link:
https://www.unpac.me/results/635d35b2-2cd8-4e17-ba1d-2fda586ef29d/
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4af534fee9e5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/4af534fee9e556c7ce1c6493cceba19b5979ead53991faefd4dd01308591afa8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Gh0stKCP
Create hunting rule
Author:Netresec
Description:Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference:https://netresec.com/?b=259a5af
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:Golang_Find_CSC846
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:Golang_Find_CSC846_Simple
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Suspicious_Golang_Binary
Create hunting rule
Author:Tim Machac
Description:Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)
Rule name:suspicious_PEs
Create hunting rule
Author:txc
Description:This rule detected suspicious PE files, based on high entropy and low amount of imported DLLs. This behaviour indicates packed files or files, that hide their true intention.
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_3055c14a
Create hunting rule
Author:Elastic Security
Rule name:WinosStager
Create hunting rule
Author:YungBinary
Description:https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign

File information

The table below shows additional information about this malware sample such as delivery method and external references.

ValleyRAT

Executable exe 4af534fee9e556c7ce1c6493cceba19b5979ead53991faefd4dd01308591afa8

(this sample)

Executable exe 5efbb120677eaa6155059ff8f0bcfcf97250f59f58deec15d5c1414550c318ba

Cape
Cape
https://www.capesandbox.com/analysis/53899/
  
Dropping
SHA256 5efbb120677eaa6155059ff8f0bcfcf97250f59f58deec15d5c1414550c318ba
  
Dropping
MD5 e11c298b40d712029a3de9280fd777ac

Comments