MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53418b805cd49091163bcffa2434caacfcb6f2a435ca609969193ad025f17842. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 2 File information Comments

SHA256 hash: 53418b805cd49091163bcffa2434caacfcb6f2a435ca609969193ad025f17842
SHA3-384 hash: cfa3f7e977fbd299fc67e2f22afebb64e719529c16bc0a22f969488f8a5080bad899d40efe2b070f7fb3aee5f2be79d0
SHA1 hash: 368248e483a52a34d36b54f8bf6f34228d8e2966
MD5 hash: e174ad9f181abeb71892deaa70c3d0e9
humanhash: mockingbird-jupiter-bravo-lactose
File name:E174AD9F181ABEB71892DEAA70C3D0E9.exe
Download: download sample
Signature ValleyRAT
File size:2'025'108 bytes
First seen:2026-04-27 04:44:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 039d1617d5f0788dacbd04b35a141ebe (34 x ValleyRAT)
ssdeep 49152:+K9fnP/sPe0a9Y63mFeGjkUWQnyjoNu07KFaQ/oX3r:3PsG0aHmjkU5niV0+FaQgnr
TLSH T160953387E522EC87D0E9493588F79DB1A3D2E92CB0F21B6747846F2FF538D621062653
TrID 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 69ccd4d49696cc71 (22 x ValleyRAT, 13 x Adware.Adload, 8 x CoinMiner)
Reporter abuse_ch
Tags:exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
103.12.148.79:443

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
103.12.148.79:443 https://threatfox.abuse.ch/ioc/1800664/

Intelligence


File Origin
# of uploads :
1
# of downloads :
150
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_53418b805cd49091163bcffa2434caacfcb6f2a435ca609969193ad025f17842.exe
Verdict:
Malicious activity
Analysis date:
2026-04-27 04:44:39 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Tags:
injection virus shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
DNS request
Creating a window
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug installer installer installer-heuristic microsoft_visual_cc nsis powershell
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-03-24T18:21:00Z UTC
Last seen:
2026-04-27T05:35:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Generic Trojan.Win32.PowerShell.nnv Trojan.Win32.Dllhijack.agee
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad.spyw
Score:
88 / 100
Signature
Adds a directory exclusion to Windows Defender
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1904910 Sample: 8tvkJS9p4d.exe Startdate: 27/04/2026 Architecture: WINDOWS Score: 88 84 Suricata IDS alerts for network traffic 2->84 86 Multi AV Scanner detection for dropped file 2->86 88 Multi AV Scanner detection for submitted file 2->88 90 4 other signatures 2->90 8 8tvkJS9p4d.exe 10 2->8         started        11 GameBox.exe 2->11         started        14 GameBox.exe 2->14         started        process3 file4 72 C:\Program Files (x86)\Utility.dll, PE32 8->72 dropped 74 C:\Program Files (x86)behaviorgraphameBox.exe, PE32 8->74 dropped 76 C:\Program Files (x86)\DuiLib_u.dll, PE32 8->76 dropped 78 C:\Program Files (x86)\BrowserModule.dll, PE32 8->78 dropped 16 GameBox.exe 3 6 8->16         started        98 Adds a directory exclusion to Windows Defender 11->98 21 powershell.exe 11->21         started        23 powershell.exe 11->23         started        25 powershell.exe 11->25         started        33 13 other processes 11->33 27 powershell.exe 14->27         started        29 powershell.exe 14->29         started        31 powershell.exe 14->31         started        35 12 other processes 14->35 signatures5 process6 dnsIp7 80 103.12.148.79, 443, 49701, 49702 SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong Hong Kong 16->80 66 C:\Users\user\AppData\...\Utility.dll (copy), PE32 16->66 dropped 68 C:\Users\user\AppData\...behaviorgraphameBox.exe (copy), PE32 16->68 dropped 70 C:\Users\user\AppData\...\DuiLib_u.dll (copy), PE32 16->70 dropped 92 Adds a directory exclusion to Windows Defender 16->92 94 Installs a global keyboard hook 16->94 49 30 other processes 16->49 37 conhost.exe 21->37         started        39 conhost.exe 23->39         started        41 conhost.exe 25->41         started        96 Loading BitLocker PowerShell Module 27->96 43 conhost.exe 27->43         started        45 conhost.exe 29->45         started        47 conhost.exe 31->47         started        52 12 other processes 33->52 54 12 other processes 35->54 file8 signatures9 process10 signatures11 56 conhost.exe 43->56         started        82 Loading BitLocker PowerShell Module 49->82 58 conhost.exe 49->58         started        60 conhost.exe 49->60         started        62 conhost.exe 49->62         started        64 26 other processes 49->64 process12
Gathering data
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution installer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Unpacked files
SH256 hash:
53418b805cd49091163bcffa2434caacfcb6f2a435ca609969193ad025f17842
MD5 hash:
e174ad9f181abeb71892deaa70c3d0e9
SHA1 hash:
368248e483a52a34d36b54f8bf6f34228d8e2966
SH256 hash:
30e897a717f2a2d2bd05c0ad28623f301fec5bc90fc9fcf8b6fbf87d086731b3
MD5 hash:
fc291989c684c346265138cec3984956
SHA1 hash:
27737078886f2d3c0e5c199b80e044273ff7e1cb
SH256 hash:
0d736122944aedb00200c6bd5b82c0ff6f2f5579dfe17b6b7f00404e11c43f19
MD5 hash:
ce7f0e168c2527a4fa6c878a2ce5e33f
SHA1 hash:
7291ff0ae8c4dd086c51e28396b83662cc155693
SH256 hash:
1c3eb0cc308cc30fc90fc2a973eb1f800c430281b3eb111ace18370ab0b65e15
MD5 hash:
9b3ddb9b8a3018119f811831f7108e8c
SHA1 hash:
c92c036254748dbd89c9952f3db97b5bf0e51fb0
SH256 hash:
a176924f1e9b449bed808277994d722310742ac2cd19fbf562d8bf3e3a7b353a
MD5 hash:
b08829f2459bbac0ac73eec5ec834901
SHA1 hash:
de39c7d533be3dae0551d93f1f21ab0126d2ba3c
Malware family:
ValleyRAT
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments