MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ff3ce11ecc591dbcd331ae8d10bede96519d706678ab483aa0169cbbbaa4f47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments

SHA256 hash:	4ff3ce11ecc591dbcd331ae8d10bede96519d706678ab483aa0169cbbbaa4f47
SHA3-384 hash:	4f91603d419165443d971e1d1f9439dcb566c2a6b8c392bad0ae35fdcfcb4ba607b7af5e1c18ad7afcc01401352b515d
SHA1 hash:	209ae34bd1ffe429f049bf5fb3a060cc432d5f4c
MD5 hash:	535f98371370fa09383f23ccc0c265a7
humanhash:	ack-spring-lemon-bacon
File name:	Chrome-x64.exe
Download:	download sample
Signature	ValleyRAT Create hunting rule
File size:	37'748'736 bytes
First seen:	2026-02-26 15:03:28 UTC
Last seen:	2026-02-26 15:35:52 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a56f115ee5ef2625bd949acaeec66b76 (57 x PureHVNC, 56 x Stealc, 35 x PureCrypter)
ssdeep	196608:lcK24hA0VoGBYex3w7hZ0xat5iQ3uS7PDFaGA:lcH4h0GOex3w7HUauQ3DrFa
TLSH	T1258733CF9042F3D7DF948A7712DD28980F7D15ADD23C7186F829A8261EC727A8424D5E
TrID	52.9% (.EXE) Win32 Executable (generic) (4504/4/1) 23.5% (.EXE) Generic Win/DOS Executable (2002/3) 23.5% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	Ling
Tags:	exe Expiro kryptik Microjoin Themida TrojanDropper:Win32/Microjoin!rfn ValleyRAT

CNGaoLing

TrojanDropper:Win32/Microjoin!rfn (Microsoft Defender)

Themida & Expiro & Kryptik
IOC Domain (anpmnmxo.biz) (bumxkqgxu.biz) (cvgrf.biz) (deoci.biz) (dwrqljrr.biz)

Intelligence

File Origin

# of uploads :

# of downloads :

183

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

Chrome-x64.exe

Verdict:

Malicious activity

Analysis date:

2026-02-26 15:07:02 UTC

Tags:

m0yv stealer phishing

Link:

https://app.any.run/tasks/6ebf45d9-20d1-470e-a17b-06dd9e67076b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69a060f7c950ab5d9ab1d917

Tags:

shellcode emotet trojan sage

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

crypt obfuscated overlay packed packed themidawinlicense xpack

Link:

https://www.filescan.io/uploads/69a060f097feb4afd65cffd3/reports/7a72d450-e4b8-4785-9e09-cd1e6c210f58/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/4ff3ce11ecc591dbcd331ae8d10bede96519d706678ab483aa0169cbbbaa4f47

Verdict:

Malicious

File Type:

exe x32

Detections:

Trojan.Win32.Agent.sb HEUR:Virus.Win32.Generic Backdoor.Win32.Xkcp.a Trojan.Kryplod.UDP.C&C Trojan.Agent.HTTP.C&C Backdoor.Win64.Bedep.sb Trojan-PSW.Win32.Pycoon.sb Trojan-Dropper.Win32.Agent.sb Trojan.Win64.Kryplod.cfzl Trojan.Win32.Shellcode.sb Virus.Win64.Moiva.a HEUR:Trojan.Win64.Zenpak.pef HEUR:Trojan.Win64.Kryplod.pef Trojan.Win64.PhantomP.sb Trojan.Agentb.UDP.ServerRequest Virus.Win32.Moiva.a Trojan-PSW.Win32.Stealer.sb

Link:

https://opentip.kaspersky.com/4ff3ce11ecc591dbcd331ae8d10bede96519d706678ab483aa0169cbbbaa4f47/results?tab=lookup

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/4ff3ce11ecc591dbcd331ae8d10bede96519d706678ab483aa0169cbbbaa4f47

Gathering data

Verdict:

Malicious

Threat:

Family.M0YV

Link:

https://tip.neiki.dev/file/4ff3ce11ecc591dbcd331ae8d10bede96519d706678ab483aa0169cbbbaa4f47

Threat name:

Win32.Trojan.Malgent

Status:

Malicious

First seen:

2026-02-26 15:04:27 UTC

File Type:

PE (Exe)

AV detection:

20 of 38 (52.63%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=j7z44epmywi5xtjtdluncc7n5fsrtvygm6flja5kafu4xo5kj5dq._file

Verdict:

malicious

Label(s):

expiro

Similar samples:

error

ValleyRAT

Result

Malware family:

valleyrat_s2

Score:

10/10

Tags:

family:donutloader family:valleyrat_s2 backdoor defense_evasion discovery execution loader persistence privilege_escalation ransomware spyware stealer themida trojan

Link:

https://tria.ge/reports/260226-sfp7ssgs7g/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: LoadsDriver

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

System Time Discovery

Drops file in Program Files directory

Drops file in Windows directory

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks installed software on the system

Checks whether UAC is enabled

Enumerates connected drives

Themida packer

Checks BIOS information in registry

Checks computer location settings

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Boot or Logon Autostart Execution: Active Setup

Event Triggered Execution: Image File Execution Options Injection

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Detects DonutLoader

DonutLoader

Donutloader family

ValleyRat

Valleyrat_s2 family

Malware Config

C2 Extraction:

156.239.0.38:1256
156.239.0.38:1266
127.0.0.1:80

Malware family:

DonutLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4ff3ce11ecc5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4ff3ce11ecc591dbcd331ae8d10bede96519d706678ab483aa0169cbbbaa4f47

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ValleyRAT

exe 4ff3ce11ecc591dbcd331ae8d10bede96519d706678ab483aa0169cbbbaa4f47

(this sample)

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample