MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c2ad96913b0de2746c7cb2257fed000cf9326673d204adb71aa00f7037e936f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c2ad96913b0de2746c7cb2257fed000cf9326673d204adb71aa00f7037e936f
SHA3-384 hash: b2fd8511122440ccd49136c86d7f2a3919f35b520486d304af04155367cca49a06662d3100a5531861ac686d9022f67d
SHA1 hash: 24dcad81efe5d9c2f63ac8e57136056186ba4eea
MD5 hash: f2f895f3c320b45ae00065bff9bf311e
humanhash: mirror-bakerloo-monkey-pasta
File name:f2f895f3c320b45ae00065bff9bf311e.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:3'282'241 bytes
First seen:2025-07-03 05:00:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 40ab50289f7ef5fae60801f88d4541fc (60 x ValleyRAT, 49 x Gh0stRAT, 41 x OffLoader)
ssdeep 49152:5wREDDMMD2kWnKOP2Yeb1azBj7DmkpMWI2K4y3jWIB6zKOU17vwIjZ6mj5n4NG:5wREVSkWnNbeGjv3MWS4yT/wUxbdnO4
Threatray 152 similar samples on MalwareBazaar
TLSH T1D9E5F123B2CBE43EE06E0B3705B3B15894FB66616523BE579AF484ACCF250641D3E647
TrID 60.0% (.EXE) Inno Setup installer (107240/4/30)
23.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
5.8% (.EXE) Win64 Executable (generic) (10522/11/4)
3.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 696a6ee2b2b2c2cc (18 x RedLineStealer, 17 x LummaStealer, 16 x CoinMiner)
Reporter abuse_ch
Tags:exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
27.124.46.112:8880

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
27.124.46.112:8880 https://threatfox.abuse.ch/ioc/1552874/

Intelligence

File Origin
# of uploads :
1
# of downloads :
33
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rl_4c2ad96913b0de2746c7cb2257fed000cf9326673d204adb71aa00f7037e936f
Verdict:
Suspicious activity
Analysis date:
2025-07-03 05:01:58 UTC
Tags:
inno installer delphi
Link:
https://app.any.run/tasks/8a7a9902-acde-4aca-9c51-3d00f285aa67

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/12094/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68660ea3900df8e7f865f406
Tags:
spoof virus shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Moving a recently created file
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Delayed reading of the file
Launching a process
Creating a service
Launching a service
Loading a system driver
Connection attempt
Sending a custom TCP request
Running batch commands
Enabling autorun for a service
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context embarcadero_delphi fingerprint installer overlay overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/68660ea1ee5b1c8f3d25ba68/reports/26b88904-59cc-4009-8414-d97fcc0e1b17/overview
Verdict:
Malicious
Labled as:
UDS_Trojan_Win32_BypassUAC_cwn
Link:
https://www.hybrid-analysis.com/sample/4c2ad96913b0de2746c7cb2257fed000cf9326673d204adb71aa00f7037e936f
Malware family:
Winos
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1454e93d-24fc-45b0-8ec4-9a82817d16d6
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1727759
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Drops password protected ZIP file
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1727759 Sample: 5ZIwMFiC85.exe Startdate: 03/07/2025 Architecture: WINDOWS Score: 88 53 Multi AV Scanner detection for dropped file 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 Drops password protected ZIP file 2->57 59 3 other signatures 2->59 8 5ZIwMFiC85.exe 2 2->8         started        process3 file4 31 C:\Users\user\AppData\...\5ZIwMFiC85.tmp, PE32 8->31 dropped 11 5ZIwMFiC85.tmp 5 7 8->11         started        process5 file6 33 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 11->33 dropped 35 C:\Users\Public\Documents\unzip.exe (copy), PE32 11->35 dropped 37 C:\Users\Public\Documents\is-TEFC7.tmp, PE32 11->37 dropped 61 Adds a directory exclusion to Windows Defender 11->61 15 man.exe 6 11->15         started        19 powershell.exe 23 11->19         started        21 unzip.exe 2 11->21         started        signatures7 process8 file9 39 C:\Users\Public\Documents\...\kail.exe, PE32 15->39 dropped 41 C:\Users\Public\Documents\...\bypass.exe, PE32 15->41 dropped 43 C:\Users\Public\Documents\...43VIDIA.exe, PE32 15->43 dropped 47 Antivirus detection for dropped file 15->47 49 Multi AV Scanner detection for dropped file 15->49 23 WerFault.exe 19 16 15->23         started        51 Loading BitLocker PowerShell Module 19->51 25 conhost.exe 19->25         started        27 WmiPrvSE.exe 19->27         started        45 C:\Users\Public\Documents\man.exe, PE32 21->45 dropped 29 conhost.exe 21->29         started        signatures10 process11
Score:
77%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4c2ad96913b0de2746c7cb2257fed000cf9326673d204adb71aa00f7037e936f
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/f2f895f3c320b45ae00065bff9bf311e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4c2ad96913b0de2746c7cb2257fed000cf9326673d204adb71aa00f7037e936f/
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-06-27 12:02:00 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
13 of 24 (54.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jqvns2itwdpcorwhzmrfp7wqadhzgjthhuqevw3rviapoa36snxq._file
Verdict:
malicious
Label(s):
winos
Create hunting rule
Similar samples:
1350611b40824f00c394577518cb1ece915386190cdb9472a5b0d0f8dcefda37
ValleyRAT
4c2ad96913b0de2746c7cb2257fed000cf9326673d204adb71aa00f7037e936f
ValleyRAT
7de5f5f6f3b17c99c97b37c3be788952ce01b7d2437e2139b344318af580d023
ValleyRAT
81d66c6ed1e60f646ac9a611fd80dcc82fb2de66690ae5d932f8f3aa42848127
ValleyRAT
982c53771e2f23b29141062b5e2a90bf1588ce4a2dbb559031e7758bd192c8eb
ValleyRAT
a4c69f14f4fce4a95026231a9a8fafafc5121fb9078651eb90f277d313057db3
ValleyRAT
aa303004e816cbae8d3a946073966b49e0cce0731a8c568aa70c785127e63838
ValleyRAT
bd462515ea9ffe66fc27d9baa0fcc4bf733385829c2fc5676129aaeeb2e0af88
ValleyRAT
error
ValleyRAT
+ 142 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250703-fnpj1svkt5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/aa193676-234b-465e-9c6f-23cd17bb696f
Unpacked files
SH256 hash:
4c2ad96913b0de2746c7cb2257fed000cf9326673d204adb71aa00f7037e936f
MD5 hash:
f2f895f3c320b45ae00065bff9bf311e
SHA1 hash:
24dcad81efe5d9c2f63ac8e57136056186ba4eea
Link:
https://www.unpac.me/results/87a0d576-0502-44b2-a8bc-d21013363d13/
SH256 hash:
52d43d7ca25ba0b52ac970ca341b567d33dbf3482d4a201a3f1675d4da04d9c0
MD5 hash:
6de36179b5b5f509eacde3e61548f497
SHA1 hash:
af6ed1a289e5b26677b8268676b159bcd0576a8e
Link:
https://www.unpac.me/results/87a0d576-0502-44b2-a8bc-d21013363d13/
SH256 hash:
816bc523f89185a8ff22d68ba12b3090efed8f2507f4692f47e339eaa74e2819
MD5 hash:
6820cac6f50d467ae8c7fe0b6868b4e7
SHA1 hash:
d4977d4a7013b9ac94666f5f98a32b732533ce8f
Link:
https://www.unpac.me/results/87a0d576-0502-44b2-a8bc-d21013363d13/
SH256 hash:
e2a363cac2e2550cc7d4f70fbe5644cd4ece632c87515fe836b3933813202ba8
MD5 hash:
444fb37f786dd433f892d484a179fde0
SHA1 hash:
d355744fda934c3ead645c1c1febf0343295db64
Link:
https://www.unpac.me/results/87a0d576-0502-44b2-a8bc-d21013363d13/
SH256 hash:
b6ba102af40b434576101b18a4538a85ef0f4ef3861592a978fa499c23ccf198
MD5 hash:
8268032c74de6a493a5458610ba8bb92
SHA1 hash:
eab6ea4d1327690e6ace01be6e73915e6e73fb5e
Link:
https://www.unpac.me/results/87a0d576-0502-44b2-a8bc-d21013363d13/
SH256 hash:
881ea36324910a33dc6fe7cc13f5a23d3a3134a7cd1d767b9cd00db3463530a7
MD5 hash:
07c8b3bf5ef18bdd646980f765de0fc6
SHA1 hash:
d78477c581970e57461b5c3fb0826dcfadc34a3d
Link:
https://www.unpac.me/results/87a0d576-0502-44b2-a8bc-d21013363d13/
SH256 hash:
3a490a7676c4460daf61eb0bf2d551741d9300054114db37c48992a5ef176339
MD5 hash:
ca1026a88917006f7780c195cdb56a3a
SHA1 hash:
3282f50813a9a1cb771717052f1b23980dd020dd
Link:
https://www.unpac.me/results/87a0d576-0502-44b2-a8bc-d21013363d13/
SH256 hash:
7b055e380bc1abb779d3c5c04db2b851eadcd8e51edc45a11daedfb519f45893
MD5 hash:
2a0af5063e620210d6410af7c94f978c
SHA1 hash:
17f876e53c75e3d59bf6532c7fcdf5fcbc63cc70
Detections:
win_valley_rat_auto
Create hunting rule
Link:
https://www.unpac.me/results/87a0d576-0502-44b2-a8bc-d21013363d13/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4c2ad96913b0de2746c7cb2257fed000cf9326673d204adb71aa00f7037e936f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/12094/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User Authorizationadvapi32.dll::AllocateAndInitializeSid
advapi32.dll::ConvertSidToStringSidW
advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
advapi32.dll::EqualSid
advapi32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
advapi32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessW
advapi32.dll::OpenProcessToken
advapi32.dll::OpenThreadToken
kernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::LoadLibraryExW
kernel32.dll::LoadLibraryW
kernel32.dll::GetDriveTypeW
kernel32.dll::GetVolumeInformationW
kernel32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryW
kernel32.dll::CreateFileW
kernel32.dll::DeleteFileW
kernel32.dll::GetWindowsDirectoryW
kernel32.dll::GetSystemDirectoryW
kernel32.dll::GetFileAttributesW
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExW
advapi32.dll::RegQueryValueExW
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageW
user32.dll::CreateWindowExW

Comments