MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c993a15232b3a3f78261be4d01c24ded4df626ca571b2113482aa747fbda19c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT

Vendor detections: 17

Intelligence 17 IOCs 1 YARA 17 File information Comments

SHA256 hash:	4c993a15232b3a3f78261be4d01c24ded4df626ca571b2113482aa747fbda19c
SHA3-384 hash:	58f21db313112a8cce414ce2e3bd05a0de80683d270c0b5da80d6f222e9a1ea4760715f93698a12fd9cbccbcb1cfeda9
SHA1 hash:	c70e981b0f6e1f350b3f5ecdb74d7a8dabd86df3
MD5 hash:	475f3816eac696998d989fddd8299e7b
humanhash:	winter-nebraska-king-nebraska
File name:	4c993a15232b3a3f78261be4d01c24ded4df626ca571b.exe
Download:	download sample
Signature	ValleyRAT Create hunting rule
File size:	8'760'320 bytes
First seen:	2025-12-23 00:00:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a6e88978190402037523e1eaa1add838 (1 x ValleyRAT)
ssdeep	196608:puXlYeEG9MKSHtj8X0FggtB9z7Q3ghWIdWd8xi9VXG:pilYybSxyU9z7Rba9
TLSH	T1E496339F1CCFACDAC5B10170BB3B9BD7A3B6AE550995CC2D66C03445B1B5AA3302E6C4
TrID	30.2% (.EXE) Win64 Executable (generic) (10522/11/4) 18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 14.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 12.9% (.EXE) Win32 Executable (generic) (4504/4/1) 5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	abuse_ch
Tags:	exe RAT ValleyRAT

abuse_ch

ValleyRAT C2:
206.238.144.163:23051

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
206.238.144.163:23051	https://threatfox.abuse.ch/ioc/1684896/

Intelligence

File Origin

# of uploads :

# of downloads :

105

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/1e9c3df6-99ed-4813-aabc-1097a2f663e2/

Malware family:

n/a

ID:

File name:

4c993a15232b3a3f78261be4d01c24ded4df626ca571b2113482aa747fbda19c.exe

Verdict:

No threats detected

Analysis date:

2025-12-22 23:43:44 UTC

Tags:

upx

Link:

https://app.any.run/tasks/4d1a6665-de98-4fb8-bb37-1217d15828e2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

WinosStager

Link:

https://www.capesandbox.com/analysis/45793/

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6949d7af1f457957572387d3

Tags:

vmprotect virus

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

neshta obfuscated packed packed unsafe virus vmprotect

Link:

https://www.filescan.io/uploads/6949dbcc3f8fdbf8e94f47bd/reports/8f43f456-3924-4db0-a0ed-20182ed128a6/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/4c993a15232b3a3f78261be4d01c24ded4df626ca571b2113482aa747fbda19c

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-12-19T12:05:00Z UTC

Last seen:

2025-12-23T02:44:00Z UTC

Hits:

~10

Detections:

Backdoor.Win32.Xkcp.a Trojan-Spy.Win32.KeyLogger.sba Backdoor.Xkcp.TCP.ServerRequest Backdoor.Agent.TCP.C&C PDM:Trojan.Win32.Generic Trojan-Spy.Win32.Stealer.sb Trojan.Win32.DrvInst.gx Backdoor.Win32.Xkcp.bvd

Link:

https://opentip.kaspersky.com/4c993a15232b3a3f78261be4d01c24ded4df626ca571b2113482aa747fbda19c/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/1a114f9a-dc78-4538-8fac-c2e8cc5c75c0

Result

Threat name:

ValleyRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1837966

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Connects to many ports of the same IP (likely port scanning)

Drops executable to a common third party application directory

Found direct / indirect Syscall (likely to bypass EDR)

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Sample is not signed and drops a device driver

Suricata IDS alerts for network traffic

Switches to a custom stack to bypass stack traces

Unusual module load detection (module proxying)

Yara detected ValleyRAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/4c993a15232b3a3f78261be4d01c24ded4df626ca571b2113482aa747fbda19c

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/475f3816eac696998d989fddd8299e7b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4c993a15232b3a3f78261be4d01c24ded4df626ca571b2113482aa747fbda19c/

Verdict:

Malicious

Threat:

Family.VALLEYRAT_S2

Link:

https://tip.neiki.dev/file/4c993a15232b3a3f78261be4d01c24ded4df626ca571b2113482aa747fbda19c

Threat name:

Win32.Trojan.Etset

Status:

Malicious

First seen:

2025-12-19 17:09:53 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 36 (47.22%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jsmtufjdfm5d66bgdpsnahbe33kn6ytmuvy3eejuqkvhi755ugoa._file

Verdict:

malicious

Label(s):

valleyrat

Similar samples:

error

ValleyRAT

Result

Malware family:

valleyrat_s2

Score:

10/10

Tags:

family:valleyrat_s2 backdoor defense_evasion discovery upx

Link:

https://tria.ge/reports/251223-aam65syrhw/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

UPX packed file

Enumerates connected drives

Executes dropped EXE

Modify Registry: Disable Windows Driver Blocklist

ValleyRat

Valleyrat_s2 family

Malware Config

C2 Extraction:

206.238.144.163:23051
206.238.144.163:23052

Verdict:

Malicious

Tags:

ProcessKiller

YARA:

n/a

Link:

https://app.threat.zone/submission/3181deb5-6d9e-4b1f-997e-029b74e07e42

Unpacked files

SH256 hash:

4c993a15232b3a3f78261be4d01c24ded4df626ca571b2113482aa747fbda19c

MD5 hash:

475f3816eac696998d989fddd8299e7b

SHA1 hash:

c70e981b0f6e1f350b3f5ecdb74d7a8dabd86df3

Link:

https://www.unpac.me/results/6ca0f3a5-e9c9-43d9-8f4c-098cce6257a5/

SH256 hash:

1ffcc5b0e9b5615d579fce4d83c43e4187550c777e6e92649d420f8e637e97c8

MD5 hash:

c39fd397faa2f98c5536cdfe71934b32

SHA1 hash:

d468b2301da57341f9294673bb1ff691339b4724

Link:

https://www.unpac.me/results/6ca0f3a5-e9c9-43d9-8f4c-098cce6257a5/

Malware family:

Terminator.Spyboy

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4c993a15232b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4c993a15232b3a3f78261be4d01c24ded4df626ca571b2113482aa747fbda19c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	GenericGh0st Create hunting rule
Author:	Still

Rule name:	Gh0stKCP Create hunting rule
Author:	Netresec
Description:	Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference:	https://netresec.com/?b=259a5af

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

Rule name:	Windows_Generic_Threat_4b0b73ce Create hunting rule
Author:	Elastic Security

Rule name:	win_valley_rat_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.valley_rat.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/45793/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample