MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58b41d60d0608d35be05e2a1e9895198d918aea3d374277d3dc3cc1c8c6005ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 58b41d60d0608d35be05e2a1e9895198d918aea3d374277d3dc3cc1c8c6005ff
SHA3-384 hash: 78aef1aec5412780e738b06cc1a8973c5087b9dc6e53de0de9bbf9b92cbdbc01ab4692a215ad88749940c608b98d392e
SHA1 hash: 36ac47e0969e3eab698717db58beea55bb4d03f1
MD5 hash: 77f1d47284441d7ffb9b5f0daf6fa7bc
humanhash: network-fruit-delaware-east
File name:77F1D47284441D7FFB9B5F0DAF6FA7BC.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:111'104 bytes
First seen:2025-07-18 05:30:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b8bf08fa843a9ec1ce10d80fbf550c26 (90 x ValleyRAT, 1 x Gh0stRAT)
ssdeep 3072:zbWjdIPbcia0NFtwwnILn3py6D265hizx62:zbWjMbcCtwwnchx6N
Threatray 494 similar samples on MalwareBazaar
TLSH T182B36B2172A0C072C097253199F9EBB24E7EF93117B844CBB7E416BA5F603C16A7539B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
43.143.4.38:443

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
43.143.4.38:443 https://threatfox.abuse.ch/ioc/1557432/

Intelligence

File Origin
# of uploads :
1
# of downloads :
28
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
77F1D47284441D7FFB9B5F0DAF6FA7BC.exe
Verdict:
Malicious activity
Analysis date:
2025-07-18 05:33:57 UTC
Tags:
silverfox backdoor valleyrat winos rat
Link:
https://app.any.run/tasks/55596242-89a6-45ba-889a-4fd570eb5804

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/15146/
Detection(s):
Win.Malware.Fragtor-10028386-0
Create hunting rule

Win.Trojan.Farfli-10038362-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6879dc202f623871a5ef7ebb
Tags:
emotet farfli cobalt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file
Creating a window
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm crypt farfli fatalrat microsoft_visual_cc xpack zusy
Link:
https://www.filescan.io/uploads/6879dbf07bc45bdee1b09401/reports/a9bd9bf7-073e-4cd1-8d01-c1ce5ffafe06/overview
Verdict:
Malicious
Labled as:
Trojan.Farfli
Link:
https://www.hybrid-analysis.com/sample/58b41d60d0608d35be05e2a1e9895198d918aea3d374277d3dc3cc1c8c6005ff
Malware family:
Winos
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f5fc21e4-02db-4bc4-9809-53170bd437fe
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1739352
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sigma detected: Suspect Svchost Activity
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected QueryWinSAT ClassID
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1739352 Sample: mrh3axXw3g.exe Startdate: 18/07/2025 Architecture: WINDOWS Score: 100 31 alipay-1325772578.cos.ap-guangzhou.myqcloud.com 2->31 33 gz.file.myqcloud.com 2->33 35 bg.microsoft.map.fastly.net 2->35 47 Suricata IDS alerts for network traffic 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 6 other signatures 2->53 8 mrh3axXw3g.exe 2 2->8         started        signatures3 process4 dnsIp5 37 43.143.4.38, 443, 49713, 49717 LILLY-ASUS Japan 8->37 55 Contains functionality to inject code into remote processes 8->55 57 Writes to foreign memory regions 8->57 59 Allocates memory in foreign processes 8->59 12 tracerpt.exe 3 16 8->12         started        signatures6 process7 dnsIp8 39 gz.file.myqcloud.com 159.75.57.35, 443, 49723, 49728 TELE2EU China 12->39 41 159.75.57.69, 443, 49737, 49743 TELE2EU China 12->41 61 Writes to foreign memory regions 12->61 63 Allocates memory in foreign processes 12->63 65 Creates a thread in another existing process (thread injection) 12->65 16 svchost.exe 1 2 12->16         started        21 svchost.exe 12->21         started        23 svchost.exe 1 12->23         started        25 7 other processes 12->25 signatures9 process10 dnsIp11 29 27.124.4.102, 443, 49724, 49725 BCPL-SGBGPNETGlobalASNSG Singapore 16->29 27 C:\ProgramData\kernelquick.sys, data 16->27 dropped 43 Sample is not signed and drops a device driver 16->43 45 System process connects to network (likely due to code injection or exploit) 21->45 file12 signatures13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/58b41d60d0608d35be05e2a1e9895198d918aea3d374277d3dc3cc1c8c6005ff
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/77f1d47284441d7ffb9b5f0daf6fa7bc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/58b41d60d0608d35be05e2a1e9895198d918aea3d374277d3dc3cc1c8c6005ff/
Threat name:
Win32.Trojan.FraudLoad
Create hunting rule
Status:
Malicious
First seen:
2025-07-15 15:48:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lc2b2ygqmcgtlpqf4kq6tckrtdmrrlvd2n2co7j5ypgbzddaax7q._file
Verdict:
malicious
Label(s):
winos
Create hunting rule
donut_injector
Create hunting rule
Similar samples:
19fb75e48b19415cf3619e857ebad5a850a85b5f1e3b6fe54a8ef025fee4504e
ValleyRAT
44e62e4a2b6ce72ff7d58bd772aa1fe7a66a8a6bae8b1cb2c19c9507f16cc225
ValleyRAT
4eb3c275bed7f9fff3f94b82c81f2d41e34e6a2ee9a7a585666358b514d8f4b0
ValleyRAT
58b41d60d0608d35be05e2a1e9895198d918aea3d374277d3dc3cc1c8c6005ff
ValleyRAT
beb7a17f415917488539b51d1bc69b2d2c96735cb2e5a428dc742a563fd38e1b
ValleyRAT
e17ba8ad94ed55f391b3bb10704099620601625043f76a923bd9d5673b5f751f
ValleyRAT
eed7dafbcbab29a94b6092fb5a88b17eb6fc6e8430458e8b31b348d6864c212c
ValleyRAT
error
ValleyRAT
+ 484 additional samples on MalwareBazaar
Result
Malware family:
valleyrat_s2
Create hunting rule
Score:
  10/10
Tags:
family:valleyrat_s2 discovery
Link:
https://tria.ge/reports/250718-f69b5sgq3x/
Behaviour
System Location Discovery: System Language Discovery
Malware Config
C2 Extraction:
43.143.4.38:443
127.0.0.1:80
Verdict:
Malicious
Tags:
Win.Malware.Fragtor-10028386-0
YARA:
n/a
Link:
https://app.threat.zone/submission/e185f46a-013e-4b92-92f4-e05b08eb6b4f
Unpacked files
SH256 hash:
58b41d60d0608d35be05e2a1e9895198d918aea3d374277d3dc3cc1c8c6005ff
MD5 hash:
77f1d47284441d7ffb9b5f0daf6fa7bc
SHA1 hash:
36ac47e0969e3eab698717db58beea55bb4d03f1
Detections:
win_valley_rat_auto
Create hunting rule
Link:
https://www.unpac.me/results/ea60a970-1c94-4851-826b-43efe82cfa6d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/58b41d60d0608d35be05e2a1e9895198d918aea3d374277d3dc3cc1c8c6005ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Indicator_MiniDumpWriteDump
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ValleyRAT
Create hunting rule
Author:NDA0E
Description:Detects ValleyRAT
Rule name:Windows_Generic_Threat_4b0b73ce
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Winos_464b8a2e
Create hunting rule
Author:Elastic Security
Rule name:win_valley_rat_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.valley_rat.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/15146/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeGetTime
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
KERNEL32.dll::VirtualAllocEx
KERNEL32.dll::WriteProcessMemory
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleWindow
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::WSACloseEvent
WS2_32.dll::WSACreateEvent
WS2_32.dll::WSAEnumNetworkEvents
WS2_32.dll::WSAEventSelect
WS2_32.dll::WSAIoctl
WS2_32.dll::WSAResetEvent
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageW

Comments