MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5339fc6da52c8f2f18648e1780fd195dcdfb88664e00d1cd51d556f6208b0f1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 16



SHA256 hash: 5339fc6da52c8f2f18648e1780fd195dcdfb88664e00d1cd51d556f6208b0f1d
SHA3-384 hash: 8b183c3a03c02eca83dbce36995fa9d2d6fdb882cc33a45b7d6ecfbe6f77364a75d432699cc4f76aae1c0ff873f96d38
SHA1 hash: eb5126ae8aaea6c467f07e524de071206412479c
MD5 hash: 24bd73dff3cac85b74eaa24e3b6a458a
humanhash: spring-tennis-mike-nitrogen
File name: 24BD73DFF3CAC85B74EAA24E3B6A458A.exe
Signature: ValleyRAT
File size: 18'086'676 bytes
First seen: 2025-12-28 14:10:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 039d1617d5f0788dacbd04b35a141ebe (27 x ValleyRAT)
ssdeep: 393216:ZkEoln5GT+h6PqutIN3vXIz5CaIQ+/mV62/PBqh9K:ZkEol5Gqh6PXmV/2Y
TLSH: T1A2073356C00F84C6E064127C841F5094A09BBE9F2C32E7A6E6C5FFE6757B51A46BB20F
TrID: 37.3% (.EXE) Win64 Executable (generic) (10522/11/4)
      17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
      7.3% (.ICL) Windows Icons Library (generic) (2059/9)
      7.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: abuse_ch
Tags: exe RAT ValleyRAT
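To confirm that a file on disk is the sample this entry describes, or one of the files the Triage sandbox unpacked from it (listed further down under "Unpacked files"), the following added example hashes the file once with the four algorithms the entry lists and compares the result against a set of hashes copied from this entry. It is example code written for this page, not a MalwareBazaar tool; the set below holds the submitted sample's four hashes plus the SHA256/MD5/SHA1 of two of the unpacked files (the first one listed and the VMProtect-packed one), and you would extend it with the rest if you need full coverage.

```python
import hashlib
from pathlib import Path

# Values copied from this MalwareBazaar entry: the submitted sample, plus two
# of the files Triage unpacked from it (the first listed and the VMProtect one).
ENTRY_SIZE = 18_086_676
KNOWN_HASHES = {
    "sha256": {
        "5339fc6da52c8f2f18648e1780fd195dcdfb88664e00d1cd51d556f6208b0f1d",
        "1f2d7fcc9e1faf1a56b19984c546abdb6972e5368fa47276619398c9741c5b49",
    },
    "sha3_384": {
        "8b183c3a03c02eca83dbce36995fa9d2d6fdb882cc33a45b7d6ecfbe6f77364a75d432699cc4f76aae1c0ff873f96d38",
    },
    "sha1": {
        "eb5126ae8aaea6c467f07e524de071206412479c",
        "1f2b01eb914fa4522f7f620466a177397c2aeb96",
    },
    "md5": {
        "24bd73dff3cac85b74eaa24e3b6a458a",
        "f27594c052805e2a362036b5f2b05bab",
    },
}
ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")
CHUNK = 1 << 20  # 1 MiB reads: the sample is ~18 MB, never load it whole


def hash_chunks(chunks):
    """Feed every chunk to all four hashers in a single pass over the data."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    return hash_chunks([data])


def hash_file(path):
    with open(path, "rb") as f:
        return hash_chunks(iter(lambda: f.read(CHUNK), b""))


def match_known(digests, known=KNOWN_HASHES):
    """(algorithm, digest) pairs that appear in the entry's indicator set."""
    return sorted(
        (algo, value.lower())
        for algo, value in digests.items()
        if value.lower() in known.get(algo, ())
    )


def is_pe_header(head):
    """MIME application/x-dosexec on the entry means an MZ (DOS/PE) header."""
    return head[:2] == b"MZ"


def triage_file(path):
    """Full check for a file on disk; returns a dict a script can act on."""
    p = Path(path)
    with open(p, "rb") as f:
        head = f.read(2)
    digests = hash_file(p)
    return {
        "path": str(p),
        "size_matches_entry": p.stat().st_size == ENTRY_SIZE,
        "is_pe": is_pe_header(head),
        "matches": match_known(digests),
        "digests": digests,
    }


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:
        r = triage_file(arg)
        verdict = "MATCH" if r["matches"] else "no match"
        print(f"{r['path']}: {verdict} size_ok={r['size_matches_entry']} pe={r['is_pe']}")
        for algo, value in r["matches"]:
            print(f"  {algo}: {value}")
```

A match on any one algorithm is enough to identify the file; the size check and MZ header are cheap sanity checks that catch a truncated download or a renamed archive before you spend time on the hashes. The fuzzy hashes the entry also lists (ssdeep, TLSH, imphash) need third-party libraries and are deliberately left out here.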


abuse_ch
ValleyRAT C2:
203.91.74.3:443

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 203.91.74.3:443 (ValleyRAT C2)
ThreatFox reference: https://threatfox.abuse.ch/ioc/1687166/

Intelligence


File Origin
Uploads: 1
Downloads: 131
Origin country: NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_5339fc6da52c8f2f18648e1780fd195dcdfb88664e00d1cd51d556f6208b0f1d.exe
Verdict:
Malicious activity
Analysis date:
2025-12-28 14:11:31 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Tags:
micro shell sage
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
anti-debug blackhole installer installer installer-heuristic invalid-signature microsoft_visual_cc nsis overlay signed
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-25T19:36:00Z UTC
Last seen:
2025-12-26T20:33:00Z UTC
Hits:
~10
Detections:
Backdoor.Win32.Agent.myxbys PDM:Trojan.Win32.Generic Backdoor.Win32.Agent.sb
Result
Threat name:
ValleyRAT
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
72 / 100
Signature
Accesses sensitive object manager directories (likely to detect virtual machines)
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to capture and log keystrokes
Detected unpacking (creates a PE file in dynamic memory)
Found evasive API chain (may stop execution after checking mutex)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the DNS server
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via ARP
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample is not signed and drops a device driver
Suricata IDS alerts for network traffic
Tries to detect virtualization through RDTSC time measurements
Unusual module load detection (module proxying)
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Yara detected ValleyRAT
Behaviour
Behavior Graph (Joe Sandbox graph ID 1840799; sample vRcZTB6ER9.exe; start date 28/12/2025; architecture WINDOWS; score 72), rendered here as a process tree with the files each process dropped, the hosts it contacted and the signatures attributed to it. Elided paths ("...") are elided on the page as well.

Top level: contacts yandex.com, www.yandex.com and 7 other IPs or domains; signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected ValleyRAT; 4 other signatures.

vRcZTB6ER9.exe
  drops: C:\Users\adminadmin6\msconfig\micorsoft.exe (PE32); C:\Users\adminadmin6\...\cef_frame_render.exe (PE32); C:\Users\adminadmin6\msconfig\cef_frame.dll (PE32)
  +- cef_frame_render.exe
       network: ak1.xingxings8.org = 203.91.74.3 (ports 443, 49729, 49731; ENTRUSTICT-AS-APQRHUBPTYLTDTAEntrustICTAU, Australia)
       drops: C:\Users\adminadmin6\...\mRcIqE.exe (copy, PE32)
       signatures: Detected unpacking (creates a PE file in dynamic memory); Found evasive API chain (may stop execution after checking mutex); Contains functionality to capture and log keystrokes; 2 other signatures
       +- micorsoft.exe
            drops: C:\Program Files (x86)\...\tap0901.sys (PE32+); C:\Program Files (x86)\...\LetsPRO.exe (PE32); C:\Program Files (x86)\...\LetsPRO.exe.config (XML); 223 other files (1 malicious)
            signatures: Bypasses PowerShell execution policy; Modifies the windows firewall; Sample is not signed and drops a device driver
            +- LetsPRO.exe
            |    +- LetsPRO.exe
            |         network: 119.29.29.29 (ports 49733, 53; TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN, China); 23.98.101.63 (ports 443, 49738, 49744; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 9 other IPs or domains
            |         signatures: Loading BitLocker PowerShell Module
            |         +- cmd.exe -> conhost.exe, ARP.EXE (Performs a network lookup / discovery via ARP)
            |         +- WMIC.exe -> conhost.exe (Queries sensitive network adapter information via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
            |         +- cmd.exe -> conhost.exe, ipconfig.exe
            |         +- cmd.exe -> conhost.exe, ROUTE.EXE
            +- cmd.exe -> conhost.exe, netsh.exe (Uses netsh to modify the Windows network and firewall settings; Uses ipconfig to lookup or modify the Windows network settings; Performs a network lookup / discovery via ARP)
            +- powershell.exe -> conhost.exe (Loading BitLocker PowerShell Module)
            +- 8 other processes
                 drops: C:\Users\user\AppData\...\tap0901.sys (copy, PE32+); C:\Users\user\AppData\Local\...\SET2D7B.tmp (PE32+)
                 -> conhost.exe (3 instances), 9 other processes
mRcIqE.exe
  signatures: Detected unpacking (creates a PE file in dynamic memory); Found evasive API chain (may stop execution after checking mutex); Contains functionality to capture and log keystrokes; 2 other signatures
svchost.exe
  +- drvinst.exe
       drops: C:\Windows\System32\...\tap0901.sys (copy, PE32+); C:\Windows\System32\drivers\SET352A.tmp (PE32+)
       signatures: Accesses sensitive object manager directories (likely to detect virtual machines)
  +- drvinst.exe
       drops: C:\Windows\System32\...\tap0901.sys (copy, PE32+); C:\Windows\System32\...\SET2FAE.tmp (PE32+)
11 other processes
  signatures: Changes security center settings (notifications, updates, antivirus, firewall); Modifies the DNS server
  +- MpCmdRun.exe -> conhost.exe
  +- LetsPRO.exe
  +- LetsPRO.exe
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE Memory-Mapped (Dump)
Threat name:
Win32.Backdoor.Generic
Status:
Suspicious
First seen:
2025-12-26 00:27:03 UTC
AV detection:
6 of 38 (15.79%)
Threat level:
5/5
Result
Malware family:
valleyrat_s2
Score:
10/10
Tags:
family:valleyrat_s2 backdoor defense_evasion discovery execution installer persistence privilege_escalation spyware trojan
Behaviour
Checks SCSI registry key(s)
Gathers network information
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Network Service Discovery
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Drops file in Drivers directory
Modifies Windows Firewall
Detects ValleyRAT payload
ValleyRat
Valleyrat_s2 family
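The IOC above and the behaviours the sandboxes report (the Joe Sandbox signature list and this Triage behaviour list: execution-policy bypass, netsh firewall and DNS changes, a netsh helper DLL, a Run key, a dropped driver, WMI hardware queries, ARP/ipconfig/route discovery, the C2 contact) translate directly into host and network telemetry checks. The following added example is not part of MalwareBazaar or of any vendor's product: it expresses those checks as rules over Sysmon-style events (event IDs 1 process creation, 3 network connection, 11 file create, 13 registry value set, 22 DNS query) and runs them over a constructed event list that mirrors the sandbox reports. The file names, the C2 IP and the C2 domain are copied from this entry; the command-line shapes (for example `-ExecutionPolicy Bypass`, `netsh advfirewall`, `netsh add helper`) are the common forms of each behaviour and are assumptions, since the page names the behaviours but not the sample's actual arguments; the `example` directory under Program Files, the Run value name and the SID stand in for values the page elides or does not give.

```python
import re

# Indicators copied from this entry (IOC section and the Joe Sandbox graph).
C2_IP, C2_PORT = "203.91.74.3", 443
C2_DOMAIN = "ak1.xingxings8.org"
DROPPED_FILES = {"micorsoft.exe", "cef_frame_render.exe", "cef_frame.dll",
                 "mrciqe.exe", "letspro.exe", "tap0901.sys"}

# Command-line shapes for the reported behaviours (assumed: the page names the
# behaviours, not the exact arguments the sample passes).
CMDLINE_RULES = [
    (r"powershell(?:\.exe)?\b.*-(?:ep|exec|executionpolicy)\s+bypass",
     "PowerShell execution policy bypass"),
    (r"\bnetsh\b.*\badvfirewall\b", "Windows Firewall modified via netsh"),
    (r"\bnetsh\b.*\binterface\b.*\bset\s+dns", "DNS server modified via netsh"),
    (r"\bnetsh\b.*\badd\s+helper\b", "netsh helper DLL registered (persistence)"),
    (r"\bwmic\b.*\bwin32_(?:networkadapter|diskdrive|logicaldisk)\b",
     "WMI hardware query (VM/sandbox detection)"),
    (r"\b(?:arp|ipconfig|route)(?:\.exe)?\s+(?:-a|/all|print)\b",
     "local network discovery (arp/ipconfig/route)"),
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event):
    """Labels an event triggers; empty when it is clean."""
    eid = event.get("EventID")
    image = event.get("Image", "")
    hits = []
    if eid == 1:  # process creation
        cmd = event.get("CommandLine", "").lower()
        hits += [label for pattern, label in CMDLINE_RULES if re.search(pattern, cmd)]
        if _basename(image) in DROPPED_FILES:
            hits.append("dropped-file name executed: " + _basename(image))
        if "\\users\\" in image.lower() and "\\msconfig\\" in image.lower():
            hits.append("executable launched from %USERPROFILE%\\msconfig")
    elif eid == 3:  # network connection
        if (event.get("DestinationIp") == C2_IP
                and int(event.get("DestinationPort", 0)) == C2_PORT):
            hits.append(f"connection to ValleyRAT C2 {C2_IP}:{C2_PORT}")
    elif eid == 11:  # file create
        target = event.get("TargetFilename", "")
        name = _basename(target)
        if name == "tap0901.sys" or "\\drivers\\" in target.lower():
            hits.append("driver file dropped: " + name)
        elif name in DROPPED_FILES:
            hits.append("known dropped file written: " + name)
    elif eid == 13:  # registry value set
        key = event.get("TargetObject", "")
        if "\\currentversion\\run\\" in key.lower():
            hits.append("Run key persistence: " + key)
    elif eid == 22:  # DNS query
        if event.get("QueryName", "").lower() == C2_DOMAIN:
            hits.append("DNS query for C2 domain " + C2_DOMAIN)
    return hits


def scan(events):
    """[(event index, label), ...] for every rule hit across the list."""
    return [(i, label) for i, ev in enumerate(events) for label in detect(ev)]


# Constructed events in Sysmon field naming, written to mirror the sandbox
# reports above; not a capture of the real sample. "example" stands in for the
# directory the page elides; the SID and Run value name are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\adminadmin6\vRcZTB6ER9.exe",
     "TargetFilename": r"C:\Users\adminadmin6\msconfig\micorsoft.exe"},
    {"EventID": 1, "Image": r"C:\Users\adminadmin6\msconfig\micorsoft.exe",
     "ParentImage": r"C:\Users\adminadmin6\msconfig\cef_frame_render.exe",
     "CommandLine": r"C:\Users\adminadmin6\msconfig\micorsoft.exe"},
    {"EventID": 22, "Image": r"C:\Users\adminadmin6\msconfig\cef_frame_render.exe",
     "QueryName": "ak1.xingxings8.org"},
    {"EventID": 3, "Image": r"C:\Users\adminadmin6\msconfig\cef_frame_render.exe",
     "DestinationIp": "203.91.74.3", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\adminadmin6\msconfig\micorsoft.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -NoProfile -File install.ps1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="LetsPRO" dir=in '
                    r'action=allow program="C:\Program Files (x86)\example\LetsPRO.exe"'},
    {"EventID": 11, "Image": r"C:\Windows\System32\drvinst.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\tap0901.sys"},
    {"EventID": 13, "Image": r"C:\Program Files (x86)\example\LetsPRO.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\LetsPRO"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Program Files (x86)\example\LetsPRO.exe",
     "CommandLine": "wmic path Win32_NetworkAdapter get MACAddress"},
    {"EventID": 1, "Image": r"C:\Windows\System32\ARP.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "arp -a"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",  # benign control
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for index, label in scan(SAMPLE_EVENTS):
        print(f"event {index:2d}: {label}")
```

Two caveats before using these rules for alerting. tap0901.sys is the file name of the TAP-Windows network adapter driver that OpenVPN and other VPN clients install, so a driver drop on its own is noisy; the Joe Sandbox signature is "Sample is not signed and drops a device driver", and the context that makes it interesting here is the parent chain (an executable run from %USERPROFILE%\msconfig installing LetsPRO.exe) together with the contact to 203.91.74.3:443, so correlate rather than alert per rule. Likewise the discovery rule (arp, ipconfig, route) and the WMI query fire on ordinary administration; weight them by parent process.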
Unpacked files
SHA256 hash:
5339fc6da52c8f2f18648e1780fd195dcdfb88664e00d1cd51d556f6208b0f1d
MD5 hash:
24bd73dff3cac85b74eaa24e3b6a458a
SHA1 hash:
eb5126ae8aaea6c467f07e524de071206412479c
SHA256 hash:
1f2d7fcc9e1faf1a56b19984c546abdb6972e5368fa47276619398c9741c5b49
MD5 hash:
f27594c052805e2a362036b5f2b05bab
SHA1 hash:
1f2b01eb914fa4522f7f620466a177397c2aeb96
Detections:
INDICATOR_EXE_Packed_VMProtect
SHA256 hash:
4e74773e39699b952780747a48a308c1d77d4f32f1701fd9da9a1b9bf78687ce
MD5 hash:
75628f89530360baa941c52edb1647cb
SHA1 hash:
d019881cb80b818dac20fc10083bb5c6c2f03ae3
SHA256 hash:
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6
MD5 hash:
192639861e3dc2dc5c08bb8f8c7260d5
SHA1 hash:
58d30e460609e22fa0098bc27d928b689ef9af78
SHA256 hash:
89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912
MD5 hash:
b7d61f3f56abf7b7ff0d4e7da3ad783d
SHA1 hash:
15ab5219c0e77fd9652bc62ff390b8e6846c8e3e
SHA256 hash:
dfb3bb98cfe620841fbf2a15aa67c1614d4746a2ea0e5925211de1fee7138b38
MD5 hash:
bf2bbecd323865428aa9c919c81def68
SHA1 hash:
b74c6ef70d5ec4f28eaa706e55aaf852059b6077
SHA256 hash:
b2cbd13f3237c5b7aefec35d8aa15942a2f11fcee19a8d62756e2c387c5eedb5
MD5 hash:
02fdb8350f1785f359792d80477e12cb
SHA1 hash:
f60036c9662768302e0a6045fe238401012f1e2b
SHA256 hash:
1d9e9cc991766ece552061aa1d1c79c99a87a014efe6de6202cd6567e9267fa9
MD5 hash:
4728394dbf9bf77cc545397ec837ffd3
SHA1 hash:
c7950fe03ecd615397d1c722b053f0be129e4130
SHA256 hash:
1ce872ed466a8a3466c808a7babf3b597ec12e1cb84870e7a0cf00b2f5ef6df4
MD5 hash:
c848a2f5fa5feaa71409795e8e8c69d0
SHA1 hash:
9074f5b0ca107ab915164f790533bd672048c7b4
SHA256 hash:
63d50dbe094bbce5d7bf8af08c0d919cfa5e057ca05ae7b27704a8477c8b348f
MD5 hash:
2ace85429eee9e8320c82d878e5562b4
SHA1 hash:
77ed8b89210930d1de2495ba363519b696d0b6e2
SHA256 hash:
4a2438ecfcad3e6e7bb942acf2c40fbe2c0d72e4982df303ab5828af26ca753e
MD5 hash:
810105219d96749674c5bf31c82a3b09
SHA1 hash:
0de6e8b9834b4bb742e8ca90bdb02019a355a422
SHA256 hash:
e597d9dd3e6bcf2e591a99b290d79005b01d3898185af4f07250c95b88c1dd6f
MD5 hash:
d3112f62cfa346a6b2559be6ef3ac864
SHA1 hash:
b747c3a66e1f31e00a517c4fda35aeaa3ddbcb2e
SHA256 hash:
f81ba0dd987d46a67b1879ef4ee11c14f32940ff211eace347a68e42bf272554
MD5 hash:
2e77f841dbf271fd1ffc460bfd87a1d5
SHA1 hash:
18125861f0519cdf643560c0a988bf70c87d47b3
SHA256 hash:
15cdb172fb98d5e50211a19c2fb6b4bc5616ef8acfc77d9e41f7e3dbcd083449
MD5 hash:
415b54fc81daf4379f32d80d37b9f377
SHA1 hash:
01b7a79cedfa5dbfe3b8e490f47213a9f1afe884
SHA256 hash:
5fe7615921d443130e35b94953d61afbf04d7008eb48c3a16bac6b28800f44e0
MD5 hash:
d6c8dfb5d44069e7905659e792b314af
SHA1 hash:
fcded50181052a7ad3484f072b234d976f684575
SHA256 hash:
d2172a2e13553e320dccfed139b1f224f8c86917c2a3d5efc7f21f9bb04ed58b
MD5 hash:
810841c1debe146b909d0ddbffa1e5eb
SHA1 hash:
aa33f785d8e79f32af748f37ce871c222eae6c45
SHA256 hash:
e448675e24d9b7bafede8416af1a132008d83dc3b88ff648f1e998562c743fc4
MD5 hash:
f541a94cb9913b8ab96a4371aec3fe36
SHA1 hash:
c165075f01ebd1bbfd55f530c5f1b71f8bc8cda3
SHA256 hash:
53c95fa5740730294805c5a54639aa67d481c57c14c025bbf60c21a1ea007a0f
MD5 hash:
c6a7383826df4f315997f1ae4f0fca70
SHA1 hash:
c05a9f93c84304fd564640b61f050641850e6736
SHA256 hash:
b4787d3ba3f052aab344dc8ef499df93778c15bd21bcae917f4bbc27be8ed3ce
MD5 hash:
f3a0b30420e762ca7d029a36c66f67da
SHA1 hash:
61488100d168cac12eba9141b0b507bc542b63fa
SHA256 hash:
f3b14defbd05493b8573016b08b86e5b5d53b486b0457fd75f67bf8bff04be38
MD5 hash:
6a3b9e46c41e42e7b8e1479468d892af
SHA1 hash:
e31c05ae685e51d07808b1dd24ceced9d299ed81
SHA256 hash:
9b7079ccdf1e7b446f2300e513cda80334628d6c1258405e06a434727a819f7e
MD5 hash:
cf01542440e76d919236fb46321f17e4
SHA1 hash:
d770888ef8a59d885731f6e4ee2f0414c469ef71
SHA256 hash:
45134be6f92f49e30625349c8dbaa2e307f07f03961eb0cac4bd4c97383f650f
MD5 hash:
d5377aa8b9b27902ff86132c9a7cb5c9
SHA1 hash:
b4075457e6dd45683e20f1774892e152b86c9952
SHA256 hash:
7648b3c6fe244420b02ad9f578c4b9302964ab6999f2aaca7b5f69586da6d612
MD5 hash:
4f939bd788d87880419a6918b2f7b68a
SHA1 hash:
a7f35e6b3ce8af1775168b7123ada4f1b078e697
SHA256 hash:
88e79c4218ae7c0914aa1db372926f3c0951071839e4b364251797509203e661
MD5 hash:
4d0c6b104b83ee00d34d244ed3259d5f
SHA1 hash:
4ab118d0e77c5ca31571c8e87a2f1e9802be0a2e
SHA256 hash:
df93465a7b3a3fb26e4ce3208b6d65b9d1798891c6fc20bd9e318865cc170277
MD5 hash:
722e4db5045afe393a672fe1bc0e63bb
SHA1 hash:
68c14af3ab488bdd84ea37a96e73ea43c04d16ac
SHA256 hash:
cdee95384abd85f682ab93a6033bbb10787b96dc53cc22a3bf4e4901f77b713a
MD5 hash:
f5c83bb2ef3b4568869459dbfdd50855
SHA1 hash:
bd32c4670f80aa99c6e53bbc5456585dc0589912
SHA256 hash:
69fe41559951345d056ff432785bc234d02cad6e0fcd007ed9be7953b32c560c
MD5 hash:
56692d6a0c6b583d2cc3006a6c6c431f
SHA1 hash:
69340eac05b5bf58ef5a0b0e9b8127a5e933437c
SHA256 hash:
9319068691713550060034c4f4f7442e41a4a1f36e67e6d1014370d6980f0369
MD5 hash:
37e4f602718d6da9245d6858c85e2a8d
SHA1 hash:
998e648df87dc4cab1f20336785c3be3e78e767b
SHA256 hash:
90cfc73befd43fc3fd876e23dcc3f5ce6e9d21d396bbb346513302e2215db8c9
MD5 hash:
dc80f588f513d998a5df1ca415edb700
SHA1 hash:
e2f0032798129e461f0d2494ae14ea7a4f106467
SHA256 hash:
d67ebd49241041e6b6191703a90d89e68d4465adce02c595218b867df34581a3
MD5 hash:
6cd3ed3db95d4671b866411db4950853
SHA1 hash:
528b69c35a5e36cc8d747965c9e5ea0dc40323b8
SHA256 hash:
a08c040912df2a3c823ade85d62239d56abaa8f788a2684fb9d33961922687c7
MD5 hash:
c8f36848ce8f13084b355c934fc91746
SHA1 hash:
8f60c2fd1f6f5b5f365500b2749dca8c845f827a
SHA256 hash:
7744c9c84c28033bc3606f4dfce2adcd6f632e2be7827893c3e2257100f1cf9e
MD5 hash:
7546acebc5a5213dee2a5ed18d7ebc6c
SHA1 hash:
b964d242c0778485322ccb3a3b7c25569c0718b7
SHA256 hash:
032d38bb6487768f96fe578f353aa98c3dfbc27e484f1c7500e6ddf7e9c062db
MD5 hash:
9cef6428a76dc2652c5a09794507539f
SHA1 hash:
8a8899b13f02fb24f4f993a5ef0474de3b243db9
SHA256 hash:
c4d5f27d397b627a66b385a571f63b327f086b0c10eadd90ada70474097443c7
MD5 hash:
c29d753ab575ba590dee09d9951fe391
SHA1 hash:
06514982da9ebd5a13d13808abbc475260b0b566
SHA256 hash:
96dd4ca59c9b24f381d585defda8759a33760dacb1d8ae8db887ea727bf049c7
MD5 hash:
67176b46f5ad635a32b842abfa9f91a9
SHA1 hash:
0903955291448850074f9230dfb087fedfe74f59
SHA256 hash:
f145a9091435a7499fb3b15ee202c192b27484ffb2d61932bae01a849aa042c4
MD5 hash:
1a0d59997741a4206bbb729e770cf1c1
SHA1 hash:
bdf6c86b3cfbea0818913bea416b2fd67d764574
SHA256 hash:
5f8a73955c99ad3b370bec13fc037a80260e4b25dadf2607e642c20b0fbd0057
MD5 hash:
f04d280294d19178131f4f77a6af7afb
SHA1 hash:
6a5bb874d8b7f28821a11822db8f3c8dfda9eb97
SHA256 hash:
8b8393db3da5d00535dd259ba2adfd1e76cd2fc2cbfaa170207cbad514b3895b
MD5 hash:
998fed74ff2d4f7600c68f7da997fc16
SHA1 hash:
739f44c91f26b35e3f5cb27eb092bbc8d523c3b9
SHA256 hash:
a123485502527a230c9363cdd419c4056f350c9f3867fb309898a725bec801ad
MD5 hash:
fdb2d1ff9b91ffe62047856cf6ac98c7
SHA1 hash:
7c8a94febffb90fb73a0e906d377f508ddb77841
SHA256 hash:
3d2ed8e186f124f988ebdb45d0354185b424357be2433bba0033ab9ec31bd25b
MD5 hash:
26cbe846decab0836717301f0bc6ec0e
SHA1 hash:
a3902cfce95dd0756bcd22c51dbf9e69b1205be8
SHA256 hash:
1ac26220d62c98a62129aa9d92d9011edf930d5ed49bcd3d209df4d204a4b2bf
MD5 hash:
40d6cb7ca91ed54b50b2b455972ab1f8
SHA1 hash:
29fbfec4aba1c6857d903b4e98a0aba0161896d1
SHA256 hash:
97a9f37f5701b19bb89503bf708b5b93a2426c176292d84778a63c3005afb460
MD5 hash:
20a73d16e6cb948646890711b8613266
SHA1 hash:
3c4ab0ce56ffba52680c3c1735227eec0a02a214
SHA256 hash:
14c162a7c0dd68a9913ab0dcc87678d207c87888a2b657710e4db4bf83e0559d
MD5 hash:
2623108f7f74d2d4f71f41a8c64e2b84
SHA1 hash:
1dbac50e3ff49981d20bdf4757d6b515dba0f1d2
SHA256 hash:
b3da9268ac606fb39e7094e2203a5a30af2b681d98824ccecaee80462ca0f03a
MD5 hash:
ed26bd2e7a69fc2b65d60f9265b2eda1
SHA1 hash:
93eed8d96d1548bd4bdc0e722e6318a1db41048c
SHA256 hash:
21d9b05a5c703f6754b8fbd6e3d0d58fc6dd31215d1118af64d4305f7d92d585
MD5 hash:
c549482f392b4a426d293121bd26ebe2
SHA1 hash:
cd30ba0c9b94b2d8453e94614bac8f9943f6e01c
SHA256 hash:
2692ee66aa8389d35048bd29dd1662be1fb388c11ea1bebbe47c01ee6f530c11
MD5 hash:
b7bcd53d8993ba55c3a754baaf04b843
SHA1 hash:
857c16bdd99021f3d826ff3aa758be0aea1279a3
SHA256 hash:
9863a8ca0fd55fdf1de8d64cb89d034fc009a58220d45c5f4f83c6cdd0c5cbfd
MD5 hash:
bbea7769de6a008c3156141c52fdc18e
SHA1 hash:
7d9f90e8da62f9834f532e9a0aba54969c14ec28
SHA256 hash:
d838c40848daf87743e96d42f8db18bb66a0b27cff5a48926a85a61c2d3e05b9
MD5 hash:
0bfef61b203054f6fbf08419ffe3f018
SHA1 hash:
ed9d0418507630996eb2c473ec5daf11d185c2c6
SHA256 hash:
9f1533b23bfc95aaabcd9bc9c09673c7457e7cfc0cc38589e0e198829cd274d0
MD5 hash:
31bb7d830aa8a5074ceab4f1fc386254
SHA1 hash:
cd4a135e89ad9a472996c933616f5307bee02066
SHA256 hash:
77a5d1619f9f07262e8ce98bb235ff961fafcecd3335922372de65cdd8877c4d
MD5 hash:
2e71c6394a6ab152139e2977c48440ff
SHA1 hash:
d4557ed90d8ac11606e0f36aea100bffcb5b3540
SHA256 hash:
7c5e02a9c97196203defa3a4225cb35ac9b55df6567cb828d5302627733bd107
MD5 hash:
20bc40896204571d594cb72baca59a6e
SHA1 hash:
1c44e396b5236b9965b1b1c392ad9a4ae1b67a18
SHA256 hash:
654b227b465946cd29d28877f915fbe6018634ef24e1436ebc163fce078d7563
MD5 hash:
5a016aedd7b9964f5fad2e0576acc218
SHA1 hash:
179bd6d735ace0391c301101bf5a6eafd39c7697
SHA256 hash:
9030de8fd918cf5aebdb6634537db1df111bea3808ab7fd77dc71630747be4f0
MD5 hash:
b2d5332209a01fa064e3fcc01be0da85
SHA1 hash:
949a59c106faf0bcdfd22aae93f57f15a034c4c8
SHA256 hash:
8e3b0b1ca9338ede77abfd7ceddbe9427fef69cc70e3698a52b87b3e70270dce
MD5 hash:
dd92138cbcccc7008e8fffc806c8cc9c
SHA1 hash:
056af811010e290980bf991aecda27705160a4fb
SHA256 hash:
46ef947b9f5c2bb4dbac39bfab117a257b81928d14636ae037d18ff7987170bd
MD5 hash:
26d7c945b76f91f94d31cb8da41dbb72
SHA1 hash:
d7ee94a83b8a82cc61e5e49bb93d9246afedb604
SHA256 hash:
8d32110904072d68920362d707aa748192a3aa6133e7ae44f369365512cc6c8e
MD5 hash:
fc65207cedd77e0eb4a1bed6f9a775f8
SHA1 hash:
7834979598f6d13ed48b48d14fe9c271b6ef93fb
SHA256 hash:
e152a2e05114ee7f1d4d6933723722588551b817fc3baccd76451c0a487528ed
MD5 hash:
e5895856a6964160ba40c1a6a34e00ae
SHA1 hash:
6448042bc294ad5a40238c60876d9647c0687a73
SHA256 hash:
cb6b6f352042d12c2117cacee053d99655beca8421a2d612ee1946de74682841
MD5 hash:
0380523c3793abb53359e212e9984c4e
SHA1 hash:
57a6b98e14f8a078cb1c63e2be71e4ec6d42351b
SHA256 hash:
f437bc5f0aa9f3ebc8403fa4d5bbe22c6e5e346e00e3390b65772ee19e0d09f1
MD5 hash:
143826fedf607a924290ef997542f6d1
SHA1 hash:
d5f6044f8c1d48f98d5e99d1c67a143e7ee1caba
SHA256 hash:
7735ad9b8eeec4d4f18fc44f0120ea0bf5f5296a99caeaed65478cd1fac33183
MD5 hash:
251792b503c1376eda3f97c5d0a8b432
SHA1 hash:
edaa083e936cc20f6cbc5b3dca330ac40e706c87
Malware family:
ValleyRAT
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping malware through a base64-encoded PowerShell script.
Rule name:GenericGh0st
Author:Still
Rule name:Gh0stKCP
Author:Netresec
Description:Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference:https://netresec.com/?b=259a5af
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Indicator_MiniDumpWriteDump
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:ValleyRAT
Author:NDA0E
Description:Detects ValleyRAT
Rule name:Windows_Generic_Threat_4b0b73ce
Author:Elastic Security
Rule name:Windows_Trojan_Winos_464b8a2e
Author:Elastic Security
Rule name:win_valley_rat_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.valley_rat.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments