MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 515a914e7d9336fa5e0feb6fb24e302884c0a0fc8e18aba333b59cdc5594a155. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: ValleyRAT
Vendor detections: 12

SHA256 hash: 515a914e7d9336fa5e0feb6fb24e302884c0a0fc8e18aba333b59cdc5594a155
SHA3-384 hash: 8621b6e914e3751cfe1889efeaeb0f018c2088a3687d14d005248773ebd5e489adee433426b8734b98583c415310832f
SHA1 hash: 46dea2219d0334c983120ddba1cb45aa19faff4b
MD5 hash: 12f05853d800771f8366ce5cb6de3be9
humanhash: winner-delaware-massachusetts-whiskey
File name: LetsVPN4.exe
Signature: ValleyRAT
File size: 37'929'246 bytes
First seen: 2026-02-07 10:40:57 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d221b1dc8c3a08622f6512e7876527c8 (15 x ValleyRAT, 6 x DonutLoader, 3 x ZhongStealer)
ssdeep: 786432:/1iLLE6v+IOr+dgCdZavYhKas8oCi4Q9K6jXknSMUmS6w3ObQvqJe9:/1iLY65XdgCd0vYhKxJ95jXkSPGw3Ob+
TLSH: T1218733B3434FCCA6FF985C3689DB02DD3C35776B2D449417391E6A44E82228FE9B5922
TrID:
  36.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  23.5% (.EXE) Win64 Executable (generic) (10522/11/4)
  11.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
  10.0% (.EXE) Win32 Executable (generic) (4504/4/1)
  4.6% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
dhash icon: c0c8d4cc64d4ccf4 (2 x ValleyRAT, 1 x Gh0stRAT, 1 x DonutLoader)
Reporter: Ling
Tags: exe Malgent Trojan:Win32/Malgent!MSR ValleyRAT


CNGaoLing
This sample has been reviewed by Microsoft researchers and determined to be malware. (Trojan:Win32/Malgent!MSR)

Intelligence

File Origin
# of uploads: 1
# of downloads: 148
Origin country: US

Vendor Threat Intelligence

No detections
Malware family: n/a

ID: 1
File name: _515a914e7d9336fa5e0feb6fb24e302884c0a0fc8e18aba333b59cdc5594a155.exe
Verdict: Malicious activity
Analysis date: 2026-02-07 10:43:20 UTC
Tags: delphi auto-reg websocket payload valleyrat silverfox rat winos evasion golang
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 91.7%
Tags: micro shell madi sage

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: adaptive-context anti-debug blackhole installer installer installer-heuristic microsoft_visual_cc overlay packed soft-404

Verdict: Malicious
File Type: exe x32
First seen: 2026-02-07T00:07:00Z UTC
Last seen: 2026-02-07T03:29:00Z UTC
Hits: ~10
Detections: PDM:Trojan.Win32.Generic, Trojan.Win32.Gasipi.be, HEUR:Trojan.VBS.SAgent.gen

Threat name: Win32.Trojan.Malgent
Status: Malicious
First seen: 2026-02-07 05:53:55 UTC
File Type: PE (Exe)
Extracted files: 24
AV detection: 16 of 38 (42.11%)
Threat level: 5/5

Result
Malware family: valleyrat_s2
Score: 10/10
Tags: family:valleyrat_s2 backdoor defense_evasion discovery execution installer persistence privilege_escalation spyware trojan
Behaviour:
  Checks SCSI registry key(s)
  Gathers network information
  Modifies data under HKEY_USERS
  Modifies registry class
  Modifies system certificate store
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious use of SendNotifyMessage
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
  Inno Setup is an open-source installation builder for Windows applications.
  Command and Scripting Interpreter: PowerShell
  Enumerates physical storage devices
  Event Triggered Execution: Netsh Helper DLL
  System Location Discovery: System Language Discovery
  Drops file in Program Files directory
  Drops file in Windows directory
  Drops file in System32 directory
  Adds Run key to start application
  Badlisted process makes network request
  Checks installed software on the system
  Enumerates connected drives
  Looks up external IP address via web service
  Network Service Discovery
  Executes dropped EXE
  Loads dropped DLL
  Unexpected DNS network traffic destination
  Drops file in Drivers directory
  Modifies Windows Firewall
  ValleyRat
  Valleyrat_s2 family
Malware Config
C2 Extraction:
  127.0.0.1:443
  www.noggrtea.cyou:80
  www.noggrtea.cyou:8080

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PE_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: ValleyRAT
File type: Executable exe
SHA256: 515a914e7d9336fa5e0feb6fb24e302884c0a0fc8e18aba333b59cdc5594a155 (this sample)
Distributed via web download

Comments