MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b7aa8edd23f2df2d6116b047e09746839136d7de33e6260fd4cdcd9eb4b941a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 13



SHA256 hash: 5b7aa8edd23f2df2d6116b047e09746839136d7de33e6260fd4cdcd9eb4b941a
SHA3-384 hash: a94ac5f82dc36f182185d4e6e6c1809aa5f6612b3328f1de27b4e0f76013809396fb3bff306a1620ccb3d51d6004d594
SHA1 hash: f10b392467bcec79dba3a2156257c3f6a1d2ba4b
MD5 hash: 3934450dcf981b58977b9bfc8fb1884c
humanhash: green-seventeen-uncle-nevada
File name: 3934450DCF981B58977B9BFC8FB1884C.exe
Signature: ValleyRAT
File size: 67'718'424 bytes
First seen: 2026-02-09 17:40:36 UTC
Last seen: 2026-02-09 18:33:53 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 88016fcdef7f227c62171d0afad9aae4 (3 x Gh0stRAT, 2 x OffLoader, 1 x XWorm)
ssdeep: 1572864:YLfjEqs8SpVysoCPordnEnr0dlp/7tD3umPfjVr:YLL1sRVoCJrEHTtzumHV
TLSH: T166E733FFA38A243FD4690B3526B69E1536F72E50E5024842B6F5F818DF360702E6E356
TrID:
62.3% (.EXE) Inno Setup installer (107240/4/30)
24.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
6.1% (.EXE) Win64 Executable (generic) (10522/11/4)
2.6% (.EXE) Win32 Executable (generic) (4504/4/1)
1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika: pebin
Reporter: abuse_ch
Tags: 45-119-55-56 exe RAT signed ValleyRAT

Code Signing Certificate

Organisation: Yangzhou Dadaxing Internet Information Service Co., Ltd.
Issuer: Certum Extended Validation Code Signing 2021 CA
Algorithm: sha256WithRSAEncryption
Valid from: 2025-09-02T09:11:42Z
Valid to: 2026-09-02T09:11:41Z
Serial number: 567e1fa7b741e453dee4cbfaad7d8062
Cert Graveyard Blocklist: This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm: SHA256
Thumbprint: 3c09fcf8f6611da259ca05d622843460690b042f6d8a32e22b14ef260a7b7e8f
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
ValleyRAT C2:
45.119.55.56:443

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                 ThreatFox Reference
45.119.55.56:443    https://threatfox.abuse.ch/ioc/1744076/

Intelligence


File Origin
# of uploads: 2
# of downloads: 128
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 3934450DCF981B58977B9BFC8FB1884C.exe
Verdict: Malicious activity
Analysis date: 2026-02-09 17:41:33 UTC
Tags: auto-sch inno installer delphi

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 90.2%
Tags: ransomware autorun sage blic
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-debug embarcadero_delphi expand fingerprint inno installer installer installer-heuristic lolbin packed revoked-cert signed soft-404

Verdict: Malicious
File Type: exe x32
First seen: 2026-02-06T15:57:00Z UTC
Last seen: 2026-02-10T03:12:00Z UTC
Hits: ~100
Detections: Backdoor.Win32.Poison.sb Trojan.Win32.DLLhijack.sb Trojan.Win32.Pakes.PePatch.dk Trojan.Win32.Yakes Trojan.Win32.Inject.sb Trojan.Win32.Agent.sb Packed.Win32.PePatch.dk
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 76 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
PE file contains section with special chars
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Unusual module load detection (module proxying)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph (ID 1866240; sample IkFvyZBnuM.exe; Windows; score 76), recovered from the graph image:
IkFvyZBnuM.exe drops and starts IkFvyZBnuM.tmp (Inno Setup installer), which drops _setup64.tmp, vcruntime140.dll, msvcr100.dll and 97 other files (53 malicious), starts Game.exe and uses schtasks.exe to add scheduled tasks.
Game.exe drops C:\Windows\System32\driverssDRxXEUBT.sys, C:\Windows\System32\drivers\jcZkhdkhrw.sys, a TemporaryFile copy and C:\Program Files (x86)\zqufw\nfapi.dll, writes to foreign memory and injects code into explorer.exe.
cmd.exe and powershell.exe add a Windows Defender directory exclusion, bypass the PowerShell execution policy, load the BitLocker PowerShell module and create files in the system32 config directory; netsh.exe modifies the Windows firewall settings.
The injected explorer.exe resolves tuu.tfuuuk.com to 45.119.55.56 (CLOUDIE-AS-AP Cloudie Limited HK, China) and connects to port 443 from local ports 49731 and 49734 (Suricata IDS alerts; unusual module load detection / module proxying).
Result
Malware family: valleyrat_s2
Score: 10/10
Tags: family:valleyrat_s2 backdoor discovery execution installer persistence ransomware
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Inno Setup is an open-source installation builder for Windows applications.
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
ValleyRat
Valleyrat_s2 family
Malware Config
C2 Extraction:
tuu.tfuuuk.com:443
bei.tfuuuk.com:80
Malware family: ValleyRAT
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu
Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DetectGoMethodSignatures
Author: Wyatt Tauber
Description: Detects Go method signatures in unpacked Go binaries
Rule name: Detect_Go_GOMAXPROCS
Author: Obscurity Labs LLC
Description: Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name: GoBinTest
Rule name: golang
Rule name: Golangmalware
Author: Dhanunjaya
Description: Malware in Golang
Rule name: golang_binary_string
Description: Golang strings present
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: Golang_Find_CSC846
Author: Ashar Siddiqui
Description: Find Go Signatures
Rule name: Golang_Find_CSC846_Simple
Author: Ashar Siddiqui
Description: Find Go Signatures
Rule name: HiveRansomware
Author: Dhanunjaya
Description: Yara Rule To Detect Hive V4 Ransomware
Rule name: identity_golang
Author: Eric Yocam
Description: find Golang malware
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: pe_detect_tls_callbacks
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: ProgramLanguage_Golang
Author: albertzsigovits
Description: Application written in Golang programming language
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants
Rule name: Suspicious_Golang_Binary
Author: Tim Machac
Description: Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments