MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 573c08ded0eba1b7c02c9bb565cc3936761563da670bec986c29474532d2d43e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 573c08ded0eba1b7c02c9bb565cc3936761563da670bec986c29474532d2d43e
SHA3-384 hash: 3eda044b928838252df8e22eeff04dd4ff660ff0aef8f7fe162c5cbe51682eee27fc2935967d7c697e614412442976b2
SHA1 hash: 1464786ea67bf21e7232903072a03de12fe2fdfc
MD5 hash: 9456d30ff1d38dbdc74f5e1b83ac1d4d
humanhash: mockingbird-indigo-seven-fourteen
File name:xrkbdsuaX64.msi
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:77'868'032 bytes
First seen:2025-08-04 00:31:15 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 1572864:2k9kUrfSTPO5q7j38hGHNVFdx+n48gEHcLJTWDrtxpvO790/b:20kUrarO5ubD7FLWMEHcJWfDD
Threatray 642 similar samples on MalwareBazaar
TLSH T12A08333676C78033D2AF193BA964EE2A1039BFA3476145DBB3E97C2A85B4CC06374547
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter zhuzhu0009
Tags:FakeApp msi ValleyRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
35
Origin country :
JP JP
Vendor Threat Intelligence
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688fff9f0b4775fb2135ccc6
Tags:
n/a
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug base64 cmd expired-cert fingerprint lolbin msiexec short-lived-cert wix
Link:
https://www.filescan.io/uploads/688fff6f73b8ef6f4afca4d3/reports/cbb23b65-73e9-47ff-83d1-117eff86ab20/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/573c08ded0eba1b7c02c9bb565cc3936761563da670bec986c29474532d2d43e
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/573c08ded0eba1b7c02c9bb565cc3936761563da670bec986c29474532d2d43e
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Score:
94%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/573c08ded0eba1b7c02c9bb565cc3936761563da670bec986c29474532d2d43e
Gathering data
Verdict:
Malicious
Threat:
Win32.Infostealer.Heuristic
Link:
https://tip.neiki.dev/file/573c08ded0eba1b7c02c9bb565cc3936761563da670bec986c29474532d2d43e
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k46arxwq5oq3pqbmto2wltbzgz3bky62m4f6zgdmffdukmws2q7a._file
Verdict:
suspicious
Label(s):
winos
Create hunting rule
Similar samples:
03abe77075350d256415697f4401fac04929ab5fd30ac1c8e49dfc888ee7934d
ValleyRAT
090e306f68ff5d5c0acd3697c9e8fb8e45fc942645d6ff7aeacc4fea6174e968
ValleyRAT
45a7c031e4d003512d6c08710e89ba57d9e5a0aeb6af1d26326ad3c0b2a1755d
ValleyRAT
573c08ded0eba1b7c02c9bb565cc3936761563da670bec986c29474532d2d43e
ValleyRAT
8d647bb52fdba0ecde498b989dd96bdfdbd9f9fb657666408296d035468b294d
ValleyRAT
error
ValleyRAT
fb619d64ccfb1ec19658cbffe49a7b742ae4f279898cf330c60a5f251ade89bd
ValleyRAT
+ 632 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery persistence privilege_escalation
Link:
https://tria.ge/reports/250804-aveeqstrv9/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Loads dropped DLL
Enumerates connected drives
Verdict:
Malicious
Tags:
Revoked.CRT.HookSignTool-9999979-1
YARA:
n/a
Link:
https://app.threat.zone/submission/73f3c7dd-5dad-44f2-ae67-a9f663759249
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/573c08ded0eb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_MSI_LATAM_Banker_From_LatAm
Create hunting rule
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments