MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ef56fe1c4c570f02e7248013ab4b44dcdfdeff54ec9792a3bfca7abedbff4b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ef56fe1c4c570f02e7248013ab4b44dcdfdeff54ec9792a3bfca7abedbff4b5
SHA3-384 hash: 25a5f1ccbc3821a6f857c3646afbd79e03b56125b4ca10ce4a502ba477619b49a476facb64c6aca67af2c85e1acb4eab
SHA1 hash: d23a42294c9d07f94f537ca5255d97570e696ecb
MD5 hash: 2f618c9fb28870f29543c04c0d98a16e
humanhash: purple-illinois-zebra-table
File name:点击安装中文语言包.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:5'800'803 bytes
First seen:2026-05-26 04:48:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1a63cea75197fbe9cc550ab772692134 (1 x BlankGrabber, 1 x ValleyRAT)
ssdeep 98304:rtN/0sO6G+RQ6zAMkREv6L3tZ9jHr8zOXXxEHuW+Xthc/qH1M0feHYcsP7OunAqg:rta6G+qMkREihZ9jHr8zOXh8dqHae9DY
Threatray 6 similar samples on MalwareBazaar
TLSH T11E4633453BC14572D9A521332462D77227BDADA14F05ABD3B3A87A35E930CC0E739B2B
TrID 29.5% (.EXE) Win64 Executable (generic) (6522/11/2)
22.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 9494b494d4aeaeac (904 x DCRat, 486 x NirCmd, 172 x RedLineStealer)
Reporter Ling
Tags:exe Shellcode SilverFox ValleyRAT


Avatar
CNGaoLing
SilverFox & Shellcode
IOC (IP 38.181.48.143) (Domain downcry.s3.ap-east-1.amazonaws.com)

Intelligence

File Origin
# of uploads :
1
# of downloads :
136
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
3185e56b_.exe
Verdict:
Malicious activity
Analysis date:
2026-05-26 04:45:05 UTC
Tags:
adware innosetup inno installer delphi auto-reg donutloader loader
Link:
https://app.any.run/tasks/7317b072-6b78-4b64-84c2-4c14684b3496

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/67927/
Detection(s):
Win.Exploit.Rozena-10038302-0
Create hunting rule

Sanesecurity.Foxhole.Zip_Hideexe.5.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a15254d5d76862ef947dce8
Tags:
injection dropper sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Moving a file to the Program Files subdirectory
Launching a process
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Loading a suspicious library
Creating a process with a hidden window
Sending an HTTP GET request
Possible injection to a system process
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Running batch commands
Creating a file
DNS request
Connection attempt
Sending a custom TCP request
Moving a recently created file
Creating a file in the Program Files subdirectories
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug crypto expired-cert fingerprint installer-heuristic microsoft_visual_cc overlay packed packed reconnaissance wiper
Link:
https://www.filescan.io/uploads/6a1547e746e44aecc0bbd5f7/reports/0e907d4b-2249-4057-8907-14d611e355b4/overview
Verdict:
Malicious
Labled as:
Suspicious:Adware.HotBar.G.kotg
Link:
https://www.hybrid-analysis.com/sample/4ef56fe1c4c570f02e7248013ab4b44dcdfdeff54ec9792a3bfca7abedbff4b5
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-25T09:11:00Z UTC
Last seen:
2026-05-26T23:40:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.AutoRun.sb Trojan.Win32.Agent.sb Trojan.Win32.Shellcode.pum Trojan.Win64.Agent.sb Trojan.Win32.Shellcode.sb Trojan.Win32.Shellcode.pun HEUR:Trojan.Win64.SilverFox.gen Trojan.Multi.Agent.au
Link:
https://opentip.kaspersky.com/4ef56fe1c4c570f02e7248013ab4b44dcdfdeff54ec9792a3bfca7abedbff4b5/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/184294b1-b7f3-4564-9fa5-dd20d47988a1
Score:
82%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4ef56fe1c4c570f02e7248013ab4b44dcdfdeff54ec9792a3bfca7abedbff4b5
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/2f618c9fb28870f29543c04c0d98a16e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4ef56fe1c4c570f02e7248013ab4b44dcdfdeff54ec9792a3bfca7abedbff4b5/
Verdict:
Malicious
Threat:
Family.DONUTLOADER
Link:
https://tip.neiki.dev/file/4ef56fe1c4c570f02e7248013ab4b44dcdfdeff54ec9792a3bfca7abedbff4b5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j32w7yoeyvypaltsjaatvnfujxg7337vj3exskr37st2x3n76s2q._file
Verdict:
malicious
Label(s):
shellcode_loader_008
Create hunting rule
donutloader
Create hunting rule
Similar samples:
0f07ad05a0f1c0f0c232ed50bc56de228f1500c98be8bacda16035c318709ca9
ValleyRAT
4ef56fe1c4c570f02e7248013ab4b44dcdfdeff54ec9792a3bfca7abedbff4b5
ValleyRAT
c0ac6d5c5779923f66a8eb49c7683bf6d6fa30c428aac13c94c51fac90855553
ValleyRAT
error
ValleyRAT
Result
Malware family:
donutloader
Create hunting rule
Score:
  10/10
Tags:
family:donutloader discovery execution installer loader persistence ransomware
Link:
https://tria.ge/reports/260526-ffepvaby2j/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Inno Setup is an open-source installation builder for Windows applications.
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Badlisted process makes network request
Checks installed software on the system
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Detects DonutLoader
Family: DonutLoader
Unpacked files
SH256 hash:
4ef56fe1c4c570f02e7248013ab4b44dcdfdeff54ec9792a3bfca7abedbff4b5
MD5 hash:
2f618c9fb28870f29543c04c0d98a16e
SHA1 hash:
d23a42294c9d07f94f537ca5255d97570e696ecb
Link:
https://www.unpac.me/results/75223f3d-dd69-4143-934f-4bada44c7d35/
SH256 hash:
8a59673de26c5e8ad2154233218b045e4a3c924d3a2d37821ba67b7990d700f4
MD5 hash:
e0884a800a5e23c1dbbfb6a041368732
SHA1 hash:
d9b858d220fbdd1e115495b3f07d43d3004a71de
Link:
https://www.unpac.me/results/75223f3d-dd69-4143-934f-4bada44c7d35/
SH256 hash:
9a6ae86816f57458d6b726a11a7a590a7ba8b2672569d29ce308b451bef61f11
MD5 hash:
0680f37d8606d2f788c129ae9465d26d
SHA1 hash:
16dbd7f62af58ac4ebf028bafa1d3a99a0280efb
Link:
https://www.unpac.me/results/75223f3d-dd69-4143-934f-4bada44c7d35/
SH256 hash:
c06e83d1a609bdd4362b936aee852925637440183b51cd5194329d0d47f5d1e2
MD5 hash:
c1182e8329db1273ce4f8e7a939019e0
SHA1 hash:
3b75db8cbb70a0047123809e7cdc62a0f8cb1038
Link:
https://www.unpac.me/results/75223f3d-dd69-4143-934f-4bada44c7d35/
SH256 hash:
7a33d0e01f722169e177c18af168a92010f827be5914ff0ea367a53ee5dd32a9
MD5 hash:
091c342a0cceaa3243a1d6d4d9548af8
SHA1 hash:
ce66e2ff2f7765e83405ed8595bb7ae533acb04d
Link:
https://www.unpac.me/results/75223f3d-dd69-4143-934f-4bada44c7d35/
Malware family:
DonutLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4ef56fe1c4c5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ValleyRAT

Executable exe 4ef56fe1c4c570f02e7248013ab4b44dcdfdeff54ec9792a3bfca7abedbff4b5

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/67927/

Comments