MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58ce0599f2f8d7754c7c469a689bdfa96ef9adcba26dfd4150ca41b63a9ed818. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 58ce0599f2f8d7754c7c469a689bdfa96ef9adcba26dfd4150ca41b63a9ed818
SHA3-384 hash: 45c063682a498d3bd7af8af1396cd8fcc4d6ab0c80cdecf90e148685c7819cc5661fac0b76dd46061bfa2b3f1513ffe4
SHA1 hash: 373cf837b6300ca15929a260ab79fee5fe140153
MD5 hash: a2cbc5a92f0149b9ac062fbc37b30f5a
humanhash: ohio-jersey-mango-arkansas
File name:26532748-873258734.03.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:30'933'052 bytes
First seen:2025-02-07 02:37:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4804f867be40818e34c9c9664898bfd6 (1 x ValleyRAT)
ssdeep 3072:vBt5672UpzxlNjI+s4A83UBm0rxMCl8febeuhMXBNYmjQrVGq1nyQQjDNnRkijxd:34Pphzs4A8R0rOiekMXGTU7NniEh
TLSH T10C678C5333E8B0E9E4774A74D9A5460B9B317CB20B219BAF12443D49FE376C06E39B61
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
File icon (PE):PE icon
dhash icon f0dcdcccece868b2 (1 x ValleyRAT)
Reporter zhuzhu0009
Tags: ValleyRAT backdoor exe SilverFox winos

Intelligence

File Origin
# of uploads :
1
# of downloads :
719
Origin country :
SG SG
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
26532748-873258734.03.exe
Verdict:
Malicious activity
Analysis date:
2025-02-07 02:38:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3cdd8fd5-b6eb-4462-af4f-1aba387ea424

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67a57290ab8a2d1c6bcd5c20
Tags:
shellcode virus small
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Connection attempt to an infection source
Creating a file
Enabling the 'hidden' option for recently created files
Creating a file in the drivers directory
Creating a process from a recently created file
Searching for synchronization primitives
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context lolbin microsoft_visual_cc obfuscated overlay remote
Link:
https://www.filescan.io/uploads/67a5721687d74f48703f8258/reports/6ca093bb-36dc-4db0-be06-fbf240799bb9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/58ce0599f2f8d7754c7c469a689bdfa96ef9adcba26dfd4150ca41b63a9ed818
Result
Verdict:
UNKNOWN
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1608944
Signature
Adds extensions / path to Windows Defender exclusion list (Registry)
Drops PE files to the document folder of the user
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sample is not signed and drops a device driver
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to detect virtualization through RDTSC time measurements
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1608944 Sample: 26532748-873258734.03.exe Startdate: 07/02/2025 Architecture: WINDOWS Score: 100 62 sc-2skj.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com 2->62 64 sc-2skj.cn-beijing.oss-adns.aliyuncs.com 2->64 66 5 other IPs or domains 2->66 72 Malicious sample detected (through community Yara rule) 2->72 74 Multi AV Scanner detection for submitted file 2->74 76 Sigma detected: Invoke-Obfuscation CLIP+ Launcher 2->76 78 2 other signatures 2->78 8 LVXl5j.exe 19 2->8         started        13 26532748-873258734.03.exe 1 24 2->13         started        15 LVXl5j.exe 2->15         started        17 5 other processes 2->17 signatures3 process4 dnsIp5 68 sc-2b2o.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com 118.178.60.43, 443, 65156, 65157 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd China 8->68 54 C:\Program Files (x86)\jWhabJ\jWhabJ.exe, PE32 8->54 dropped 86 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->86 88 Found direct / indirect Syscall (likely to bypass EDR) 8->88 19 cmd.exe 1 8->19         started        22 cmd.exe 1 8->22         started        24 cmd.exe 1 8->24         started        32 2 other processes 8->32 70 sc-2skj.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com 39.103.20.108, 443, 65021, 65036 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd China 13->70 56 C:\Windows\System32\drivers\189atohci.sys, PE32+ 13->56 dropped 58 C:\Users\user\Documents\eToken.dll, PE32+ 13->58 dropped 60 C:\Users\user\Documents\LVXl5j.exe, PE32+ 13->60 dropped 90 Drops PE files to the document folder of the user 13->90 92 Sample is not signed and drops a device driver 13->92 94 Tries to detect virtualization through RDTSC time measurements 13->94 96 Uses cmd line tools excessively to alter registry or file data 17->96 26 reg.exe 1 1 17->26         started        28 reg.exe 1 1 17->28         started        30 reg.exe 1 1 17->30         started        34 7 other processes 17->34 file6 signatures7 process8 signatures9 80 Uses cmd line tools excessively to alter registry or file data 19->80 82 Uses schtasks.exe or at.exe to add and modify task schedules 19->82 36 conhost.exe 19->36         started        46 3 other processes 19->46 38 conhost.exe 22->38         started        48 3 other processes 22->48 40 conhost.exe 24->40         started        50 3 other processes 24->50 84 Adds extensions / path to Windows Defender exclusion list (Registry) 26->84 42 conhost.exe 32->42         started        44 conhost.exe 32->44         started        52 6 other processes 32->52 process10
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/58ce0599f2f8d7754c7c469a689bdfa96ef9adcba26dfd4150ca41b63a9ed818
Gathering data
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-02-07 02:38:16 UTC
File Type:
PE+ (Exe)
Extracted files:
9
AV detection:
5 of 24 (20.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ldhalgps7dlxktd4i2ngrg67vfxptlolujw72qkqzja3mou63ama._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/250207-c4s1lawjax/
Behaviour
Suspicious behavior: EnumeratesProcesses
Verdict:
Informative
Tags:
ta_abused_service
YARA:
n/a
Link:
https://app.threat.zone/submission/6000d6b8-79e3-485e-a412-116261df424b
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.71
Link:
https://yomi.yoroi.company/submissions/58ce0599f2f8d7754c7c469a689bdfa96ef9adcba26dfd4150ca41b63a9ed818

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (NX_COMPAT)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments