MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d7800a3be568df4c44d375e24434b000e724f689af92ccfedadf9986138b601. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 49 File information Comments

SHA256 hash: 4d7800a3be568df4c44d375e24434b000e724f689af92ccfedadf9986138b601
SHA3-384 hash: acfdb1f908d2e9cc998ce73e81ab8f3109be9fcdb53974fc4f1f2c00c4e5ddfaff9ad496cf0cbbee4e7fffb93047b3af
SHA1 hash: 8b0b5193d5a5ce5b6933275800c6e8d598276a52
MD5 hash: f1275a25ae3f83f91099e280a52da8be
humanhash: april-social-tennessee-south
File name:紧急通知_WIFI故障.exe
Download: download sample
Signature ValleyRAT
File size:895'437 bytes
First seen:2026-06-30 13:07:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2057790ae7855765d51bdc4142e62f9c (3 x ValleyRAT, 3 x SalatStealer, 2 x AsyncRAT)
ssdeep 24576:625kkKdcLt08/95V/ddlouEfaxidjjWj6:D6xcx0yl+bJWe
Threatray 221 similar samples on MalwareBazaar
TLSH T13E158D29D2E88BBAF0E2D1768D62AD41D6B57C0D0360F18B13947B669EF31704D3B726
TrID 93.7% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
2.3% (.EXE) Win64 Executable (generic) (6522/11/2)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.7% (.EXE) OS/2 Executable (generic) (2029/13)
0.7% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 68e8ccd2daccc0d8 (1 x Cobalt Strike, 1 x VShell, 1 x ValleyRAT)
Reporter Ling
Tags:exe RAT ValleyRAT


Avatar
CNGaoLing
RAT
IOC (IP 8.148.26.10:8083)

Intelligence


File Origin
# of uploads :
1
# of downloads :
156
Origin country :
TW TW
Vendor Threat Intelligence
Malware configuration found for:
Archives MSO
Details
Malware family:
n/a
ID:
1
File name:
_WIFI.exe
Verdict:
No threats detected
Analysis date:
2026-06-30 12:39:46 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Tags:
emotet trojan virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Launching a process
Connection attempt
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug fingerprint installer installer installer-heuristic microsoft_visual_cc overlay packed reconnaissance sfx
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-06-30T07:50:00Z UTC
Last seen:
2026-07-01T10:52:00Z UTC
Hits:
~100
Detections:
Trojan.Win64.Zenpak.sb Trojan.Win32.Shelm.c Trojan.Win32.Rekvex.sb Trojan.Win32.Dedok.sb VHO:Trojan.Win32.Shelm.gen Trojan.Win64.Agent.sb HEUR:Trojan.Win32.Generic Trojan-PSW.PureLogs.TCP.C&C PDM:Exploit.Win32.Generic Backdoor.VShell.TCP.C&C Trojan-PSW.Stealer.TCP.C&C PDM:Trojan.Win32.Generic
Gathering data
Threat name:
Win64.Trojan.Ravartar
Status:
Malicious
First seen:
2026-06-30 12:39:49 UTC
File Type:
PE+ (Exe)
Extracted files:
79
AV detection:
21 of 36 (58.33%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Unpacked files
SH256 hash:
4d7800a3be568df4c44d375e24434b000e724f689af92ccfedadf9986138b601
MD5 hash:
f1275a25ae3f83f91099e280a52da8be
SHA1 hash:
8b0b5193d5a5ce5b6933275800c6e8d598276a52
SH256 hash:
4737f3294d41ebfccc6b3b7391524c885d0c5dba344892b7a599c744dc7e7f6a
MD5 hash:
20ab0ddb275aaf1d7bab81d62ae2a80e
SHA1 hash:
d75d18387f2861a7e6d03a13dd247a3dfedfa279
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:command_and_control
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:DetectGoMethodSignatures
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:Detect_PowerShell_Obfuscation
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Gentlemen_Ransomware_Binary
Author:Bedrock Safeguard Inc.
Description:Detects The Gentlemen ransomware binary (Go/Garble)
Reference:https://github.com/Bedrock-Safeguard/gentlemen-decryptor
Rule name:GoBinTest
Rule name:golang
Rule name:golang_binary_string
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Rule name:Golang_Find_CSC846_Simple
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:identity_golang
Author:Eric Yocam
Description:find Golang malware
Rule name:Indicator_MiniDumpWriteDump
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:mht_inside_word
Author:dPhish
Description:Detect embedded mht files inside microsfot word.
Rule name:pe_detect_tls_callbacks
Rule name:ProgramLanguage_Golang
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:RemusStealer_GoPayload
Author:burger
Description:Detects RemusStealer Go-compiled payload
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SelfExtractingRAR
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:SuspiciousDll
Author:martclau
Description:Detects SolarWinds Orion backdoor
Rule name:Suspicious_Golang_Binary
Author:Tim Machac
Description:Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ValleyRAT

Executable exe 4d7800a3be568df4c44d375e24434b000e724f689af92ccfedadf9986138b601

(this sample)

  
Delivery method
Distributed via web download

Comments