MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 580e6c64ba71bf32dc63c34204dc48d17ff8de949c916f101e89472222b41a88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT

Vendor detections: 18

SHA256 hash: 580e6c64ba71bf32dc63c34204dc48d17ff8de949c916f101e89472222b41a88
SHA3-384 hash: d51c9cc1bdb782c199ec9680420ec77c3a4c377dcdf85d07094e3c41bdf2f060cbe54a77968e5600ee7c0b6dae608412
SHA1 hash: c61c604cd8d28c97a56d149ae7ba70a077cbb890
MD5 hash: e4c9215ceac03dde05155c4fb667f69c
humanhash: blue-magazine-salami-winner
File name: E4C9215CEAC03DDE05155C4FB667F69C.exe
Signature ValleyRAT
File size: 1'921'384 bytes
First seen: 2025-11-06 14:20:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 8c4c69111630d8599dacdb4710373322 (2 x ValleyRAT, 1 x CoinMiner)
ssdeep 49152:8WBj/clJYeXD2liBL7G3eCt0cAvbfVQOlgya:w1XDo0Lq3ft0cybfVQOlgya
Threatray 60 similar samples on MalwareBazaar
TLSH T1FA9533A2357849B0F90BA071011935E5C2B5B710BF896BFCC01B9A59DEFB6C0E34DA9D
TrID 54.9% (.EXE) UPX compressed Win32 Executable (27066/9/6)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4504/4/1)
4.1% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags: exe RAT UPX ValleyRAT


abuse_ch
ValleyRAT C2:
16.163.24.117:443
File size (compressed): 1'921'384 bytes
File size (de-compressed): 2'336'616 bytes
Format:win32/pe
Unpacked file: 798a0d11fd7bf7aa19c35a62ff306d48ffc89b555e7fad024d14d93a1384c2b8

Intelligence


File Origin
# of uploads: 1
# of downloads: 107
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: _580e6c64ba71bf32dc63c34204dc48d17ff8de949c916f101e89472222b41a88.exe
Verdict: Malicious activity
Analysis date: 2025-11-06 14:21:57 UTC
Tags: auto-reg upx valley winos rat silverfox

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: emotet zegost

Result
Verdict: Malware
Maliciousness:
Behaviour
Running batch commands
Creating a process with a hidden window
Forced system process termination
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating synchronization primitives
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Searching for synchronization primitives
Launching cmd.exe command interpreter
Creating a file in the drivers directory
Creating a window
Loading a system driver
Connection attempt
Searching for the window
Sending a custom TCP request
Launching a process
Creating a file
Enabling the 'hidden' option for files in the %temp% directory
Restart of the analyzed sample
Enabling autorun for a service
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Gathering data
Verdict: Malicious
File Type: exe x32
First seen: 2025-11-03T11:44:00Z UTC
Last seen: 2025-11-03T22:04:00Z UTC
Hits: ~10
Detections: Trojan-Spy.Win64.Agent.sb Backdoor.Win32.Zegost.sb Backdoor.Win32.Xkcp.bed Backdoor.Win32.Agentb.sb Backdoor.Agent.TCP.C&C Trojan.Win32.Antavmu.sb PDM:Trojan.Win32.Generic HEUR:Backdoor.Win32.Generic HEUR:Backdoor.Win32.Farfli.gen Backdoor.Win32.Xkcp.a Backdoor.Win32.Farfli.sb Trojan-Spy.Win32.Agent Trojan.Win32.Inject.sb Rootkit.Win64.Agent.bgp HEUR:Trojan.Win32.Agent.gen Backdoor.Win32.Lotok.sbc Trojan-Spy.Win32.Agent.sb PDM:Exploit.Win32.Generic Trojan.Win32.Agent.sb Trojan-Dropper.Win32.Injector.sb Trojan-Clicker.Win32.Cycler.sb Trojan.Win32.Vimditator.sb Backdoor.Win32.Androm

Result
Threat name: GhostRat, Mimikatz, ValleyRAT
Detection: malicious
Classification: rans.bank.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Changes memory attributes in foreign processes to executable or writable
Checks if browser processes are running
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to modify windows services which are used for security filtering and protection
Contains functionality to register a low level keyboard hook
Contains functionality to start reverse TCP shell (cmd.exe)
Contains functionality to change the wallpaper
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected GhostRat
Yara detected Mimikatz
Yara detected ValleyRAT
Behaviour
Behavior Graph (ID 1809322; sample O4r2ZH0LNH.exe; start date 06/11/2025; architecture WINDOWS; score 100), rendered here as a text process tree:
Top level: contacts ax-0003.ax-msedge.net, api.msn.com and 2 other IPs or domains; signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures.
  O4r2ZH0LNH.exe (started): drops C:\Users\user\AppData\Local\Temp\...\sg.tmp (PE32); signatures: Contains functionality to change the wallpaper; Contains functionality to infect the boot sector; Contains functionality to start reverse TCP shell (cmd.exe); 2 other signatures.
    setup223.exe (started): drops C:\Windows\SysWOW64\Dumdu.exe (PE32); signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking mutex); 6 other signatures.
      cmd.exe (started): Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks.
        PING.EXE (started): contacts 127.0.0.1.
        conhost.exe (started).
    16data.exe (started): Changes memory attributes in foreign processes to executable or writable; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures.
      explorer.exe (injected): contacts 16.163.24.117, 443, 49694, 49695 (unknown, United States); System process connects to network (likely due to code injection or exploit).
    sg.tmp (started): drops C:\Users\user\AppData\Local\...\setup223.exe (PE32) and C:\Users\user\AppData\Local\...\16data.exe (PE32+); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function).
      conhost.exe (started).
    2 other processes (started): cmd.exe and conhost.exe; that cmd.exe starts a further conhost.exe.
  Dumdu.exe (started): Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them.
    Dumdu.exe (started): contacts 103.115.64.80, 443, 49690 (CLOUDIE-AS-APCloudieLimitedHK, China); drops C:\Windows\System32\drivers\QAssist.sys (PE32+); Sample is not signed and drops a device driver.
  explorer.exe (started): contacts ax-0003.ax-msedge.net 150.171.27.12, 443, 49698 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs).
  svchost.exe (started).
Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout SFX 7z Win 32 Exe x86
Threat name: Win32.Backdoor.Farfli
Status: Malicious
First seen: 2025-11-03 20:19:24 UTC
File Type: PE (Exe)
Extracted files: 5
AV detection: 27 of 36 (75.00%)
Threat level: 5/5

Result
Malware family: valleyrat_s2
Score: 10/10
Tags: family:gh0strat family:purplefox family:valleyrat_s2 backdoor discovery persistence ransomware rat rootkit trojan upx
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in System32 directory
UPX packed file
Adds Run key to start application
Enumerates connected drives
Executes dropped EXE
Drops file in Drivers directory
Sets service image path in registry
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
Gh0strat family
PurpleFox
Purplefox family
ValleyRat
Valleyrat_s2 family
Malware Config
C2 Extraction:
16.163.24.117:443
16.163.24.117:80
Verdict: Malicious
Tags: Win.Trojan.Sofacy-5
YARA: n/a

Unpacked files
SHA256 hash: 580e6c64ba71bf32dc63c34204dc48d17ff8de949c916f101e89472222b41a88
MD5 hash: e4c9215ceac03dde05155c4fb667f69c
SHA1 hash: c61c604cd8d28c97a56d149ae7ba70a077cbb890

SHA256 hash: e3cf85ffd21acba0b9846b94b0257b1a68be9d8ddbaf150c2cc5db2e7477ec56
MD5 hash: 25bf9cae10fd9a823c14a51d12cb4c55
SHA1 hash: 3617555528b8401bef33a8d07c17f849e4e1f546
Detections: Hidden potential_termserv_dll_replacement Mimikatz_Strings check_installed_software INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess INDICATOR_TOOL_RTK_HiddenRootKit MALWARE_Win_PCRat

SHA256 hash: cac7320c0c27c473855ed825988a8c091c9d7fb822f4b9eff946861ee1eb8f47
MD5 hash: 0d92b5f7a0f338472d59c5f2208475a3
SHA1 hash: 088d253bb23f6222dcaf06f7a2430e3a059a35e7
Detections: Hidden cert_blocklist_5f78149eb4f75eb17404a8143aaeaed7 INDICATOR_TOOL_RTK_HiddenRootKit

Parent samples:

SHA256 hash: 026cf8a46d414d23dee61703e8eae5acf97415c96e76512b09834e57eae32821
MD5 hash: 949cfe6fc7b65bdcd66ae73cb29324d7
SHA1 hash: dfadd7138554297bf185797aba84e554fab2b1c3
Detections: INDICATOR_SUSPICIOUS_References_SecTools

SHA256 hash: 7feca2b22b4a82a65c648672e6be9596d32e0d6503cd08fc52e13f4026de623a
MD5 hash: 5e480fd1c0129d2b69d6e2c042edd8d4
SHA1 hash: dc110a1189d0abca6295cbd77d0d336219fd8ebf

SHA256 hash: e729e0d5037e20f78e1b9665ca29e6355c6f80ae1c6078135c8b5eac4549c4f7
MD5 hash: 78d82a5020250476fa22b2bf47ec2834
SHA1 hash: 4291ce7e33e5c75f10c19308dd79772da45f2b45
Detections: Hidden potential_termserv_dll_replacement Mimikatz_Strings INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess INDICATOR_TOOL_RTK_HiddenRootKit MALWARE_Win_PCRat check_installed_software

SHA256 hash: a146e7b82dfe0cd15a523090bd3317b1e9dbf9192e59c5634b6fd95cf274cae8
MD5 hash: 5205b18ba6d61bd843685895adbeaa0d
SHA1 hash: 815aee23611e735056ca0531c7d2d3478c014c02
Malware family: HiddenGh0st
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: NET
Author: malware-lu
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: UPX20030XMarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu
Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu
Rule name: UPXv20MarkusLaszloReiser
Author: malware-lu
Rule name: upx_largefile
Author: k3nr9

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Signature: ValleyRAT
File type: Executable exe
SHA256: 580e6c64ba71bf32dc63c34204dc48d17ff8de949c916f101e89472222b41a88 (this sample)

Comments