MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4cb0a38177ac3be92d77eb53b8993755bcb8ad71d835bd3c910af617682bc642. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT

Vendor detections: 15


SHA256 hash: 4cb0a38177ac3be92d77eb53b8993755bcb8ad71d835bd3c910af617682bc642
SHA3-384 hash: bd75b90929fe7b79245b34acb23402bc33b16376f9f900ef279f82b581f25a34823529d0d5fbe18a58143b08d36e12ff
SHA1 hash: 732aa89300caeb8e00d1ba2986299e9f91ef819d
MD5 hash: 1d43b1e05c8e881f1f0d180ffda2f245
humanhash: sweet-october-purple-rugby
File name: 1D43B1E05C8E881F1F0D180FFDA2F245.exe
Signature: ValleyRAT
File size: 19'083'470 bytes
First seen: 2025-08-02 14:00:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 46ce5c12b293febbeb513b196aa7f843 (14 x GuLoader, 6 x RemcosRAT, 5 x VIPKeylogger)
ssdeep: 393216:WG1zBIWy+nCda0ameCvRYmL1nVyTHLzJnDqVKoMIT+BMjc0L5Q6jW6aib5w2:WaR3CL9dpYulVyTrd2KvIT+ag0eqDakL
TLSH: T11917336916558402CE120879DF239B137BD4EDFA8288F8CCC3D7DE6B310676B98E51E6
TrID:
  37.3% (.EXE) Win64 Executable (generic) (10522/11/4)
  17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
  7.3% (.ICL) Windows Icons Library (generic) (2059/9)
  7.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: c0c8d4cc64d4ccf8 (8 x ValleyRAT, 3 x AsyncRAT, 3 x Blackmoon)
Reporter: abuse_ch
Tags: exe RAT ValleyRAT


abuse_ch
ValleyRAT C2:
45.192.208.56:25836

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                 | ThreatFox Reference
45.192.208.56:25836 | https://threatfox.abuse.ch/ioc/1563505/
45.192.208.56:14725 | https://threatfox.abuse.ch/ioc/1563506/

Intelligence


File Origin
# of uploads: 1
# of downloads: 40
Origin country: NL

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 1D43B1E05C8E881F1F0D180FFDA2F245.exe
Verdict: Malicious activity
Analysis date: 2025-08-02 14:02:15 UTC
Tags: valley winos rat silverfox rust

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 97.4%
Tags: dropper emotet shell sage

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Restart of the analyzed sample
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Moving a recently created file
Launching a process
Loading a suspicious library
Creating a service
Launching a service
Enabling autorun for a service
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug blackhole expired-cert installer invalid-signature microsoft_visual_cc overlay overlay packed signed

Result
Threat name: ValleyRAT
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powershell launch regsvr32
Sigma detected: Suspicious Rundll32 Activity Invoking Sys File
Suricata IDS alerts for network traffic
Suspicious execution chain found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected ValleyRAT
Behaviour
Behavior Graph: ID 1749071, sample Tipz2I5i3v.exe, start date 02/08/2025, architecture WINDOWS, score 100. The graph rendering itself is not reproduced; the process tree it records is: Tipz2I5i3v.exe drops UcYJ  .exe and ItrY .exe (PE32) under C:\Users\user\AppData\Roaming and starts both; ItrY .exe drops nsDialogs.dll and System.dll; UcYJ  .exe runs an installer chain (UcYJ  .tmp, _setup64.tmp, unins000.exe (copy), is-DPFCM.tmp and 8 other files, 5 of them malicious) that is flagged for sandbox and dynamic-analysis detection and starts powershell.exe and regsvr32.exe, which in turn spawn further regsvr32.exe, rundll32.exe, powershell.exe and conhost.exe processes ("Suspicious execution chain found"); a separate rundll32.exe writes to foreign memory regions, allocates memory in foreign processes and injects a thread into svchost.exe, which connects to 45.192.208.56 (ports listed: 14725, 25836, 49694; DXTL-HKDXTLTseungKwanOServiceHK, Seychelles).
Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable PE (Portable Executable) Win 32 Exe x86

Threat name: Win32.Malware.Heuristic
Status: Malicious
First seen: 2025-07-30 00:10:59 UTC
File Type: PE (Exe)
Extracted files: 793
AV detection: 15 of 38 (39.47%)
Threat level: 2/5

Result
Malware family: valleyrat_s2
Score: 10/10
Tags: family:donutloader family:valleyrat_s2 backdoor defense_evasion discovery execution loader persistence privilege_escalation ransomware spyware trojan
Behaviour
Checks SCSI registry key(s)
Gathers network information
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Hide Artifacts: Ignore Process Interrupts
Command and Scripting Interpreter: PowerShell
Drops file in System32 directory
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Network Service Discovery
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Drops file in Drivers directory
Modifies Windows Firewall
Detects DonutLoader
DonutLoader
Donutloader family
ValleyRat
Valleyrat_s2 family
Unpacked files
Detections:
INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: botnet_plaintext_c2
Author: cip
Description: Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name: Detect_NSIS_Nullsoft_Installer
Author: Obscurity Labs LLC
Description: Detects NSIS installers by .ndata section + NSIS header string

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                        | Title                                                   | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                                    | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA)  | high
Reviews

ID                | Capabilities                      | Evidence
COM_BASE_API      | Can Download & Execute components | ole32.dll::CoCreateInstance
SECURITY_BASE_API | Uses Security Base API            | ADVAPI32.dll::AdjustTokenPrivileges
SHELL_API         | Manipulates System Shell          | SHELL32.dll::ShellExecuteExW, SHELL32.dll::SHFileOperationW, SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API | Can Create Process and Threads    | KERNEL32.dll::CreateProcessW, ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API      | Uses Win Base API                 | KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetDiskFreeSpaceW, KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API   | Can Create Files                  | KERNEL32.dll::CopyFileW, KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::MoveFileExW
WIN_BASE_USER_API | Retrieves Account Information     | ADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_API       | Can Manipulate Windows Registry   | ADVAPI32.dll::RegCreateKeyExW, ADVAPI32.dll::RegDeleteKeyW, ADVAPI32.dll::RegOpenKeyExW, ADVAPI32.dll::RegQueryValueExW, ADVAPI32.dll::RegSetValueExW
WIN_USER_API      | Performs GUI Actions              | USER32.dll::AppendMenuW, USER32.dll::EmptyClipboard, USER32.dll::FindWindowExW, USER32.dll::OpenClipboard, USER32.dll::PeekMessageW, USER32.dll::CreateWindowExW

Comments