MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ea579e8fa695b2312ed199ff228784e4be3a8f3319afa18c40955f926336057. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 16



SHA256 hash: 5ea579e8fa695b2312ed199ff228784e4be3a8f3319afa18c40955f926336057
SHA3-384 hash: 0d07a6f50065b5e5dec0ce4a51d58f7ca291be4e6f6f6ff8916015db0fa282b81196b642c281595966bf97398112bf28
SHA1 hash: efb7c3bdd5b647ff5dd401de24a7721b7c1c7898
MD5 hash: 32c1ea0f9475409ed8eea000bee1e8a8
humanhash: maine-muppet-robert-fifteen
File name: 32C1EA0F9475409ED8EEA000BEE1E8A8.exe
Signature ValleyRAT
File size: 2'994'628 bytes
First seen: 2026-04-04 08:50:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 573bb7b41bc641bd95c0f5eec13c233b (32 x GuLoader, 17 x RemcosRAT, 16 x VIPKeylogger)
ssdeep 49152:cIEncbQ23PfohrxKobbW8IWHVtcakqQ66+syDITuTGpvlz7VQWs5o:cIEnYQ23nohrUkb9IWWvfWITQGpvlzKm
TLSH T161D533B817C4C055E872583B4DE1C6939CE9B53E8071094773D027DC3CBA79A8BEAE96
TrID 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 696a6ee2b2b2c2cc (18 x RedLineStealer, 18 x ValleyRAT, 17 x LummaStealer)
Reporter abuse_ch
Tags: exe RAT ValleyRAT


abuse_ch
ValleyRAT C2:
52.74.12.195:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 52.74.12.195:80
ThreatFox reference: https://threatfox.abuse.ch/ioc/1780960/

Intelligence


File Origin
# of uploads :
1
# of downloads :
148
Origin country :
NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5ea579e8fa695b2312ed199ff228784e4be3a8f3319afa18c40955f926336057.exe
Verdict:
Malicious activity
Analysis date:
2026-04-04 08:51:05 UTC
Tags:
auto-reg valleyrat rat silverfox winos

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
93.3%
Tags:
injection obfusc virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Creating a file
Creating a service
Launching a service
Loading a system driver
DNS request
Creating synchronization primitives
Creating a file in the %AppData% subdirectories
Connection attempt
Sending a custom TCP request
Creating a window
Launching a process
Enabling autorun for a service
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole crypto installer installer installer-heuristic microsoft_visual_cc nsis packed soft-404 unsafe valleyrat
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-03-31T22:23:00Z UTC
Last seen:
2026-04-04T07:44:00Z UTC
Hits:
~10
Detections:
Trojan-Dropper.Win32.Injector.sb Backdoor.Agent.TCP.C&C Trojan.Win64.Agent.sb HEUR:Trojan.Win64.Generic HEUR:Backdoor.Win32.Farfli.gen Backdoor.Win32.Xkcp.a Trojan.Win32.Inject.sb
Result
Threat name:
ValleyRAT
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Signature
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Disable Task List balloon tips (likely to suppress security warnings)
Disable Windows Toast Notifications
Found API chain indicative of debugger detection
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found stalling execution ending in API Sleep call
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Sample is not signed and drops a device driver
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)
Unusual module load detection (module proxying)
Yara detected UAC Bypass using CMSTP
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Behavior Graph ID: 1893442 | Sample: XwKuSvLErd.exe | Start date: 04/04/2026 | Architecture: WINDOWS | Score: 100
Graph rendered as text (the node labels of the image):
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for dropped file; 14 other signatures
Top-level DNS: whatfuck000.intermediate.icu
Process tree:
XwKuSvLErd.exe (sample)
    Dropped: C:\Users\user\AppData\Local\...\System.dll (PE32); C:\Program Files (x86)\...\krita.exe (PE32+); C:\Program Files (x86)\...\krita.dll (PE32+)
    Started: krita.exe
        Dropped: C:\Users\user\AppData\Roaming\...\krita.exe (PE32+); C:\Users\user\AppData\Roaming\...\krita.dll (PE32+); C:\Users\user\AppData\Local\...behaviorgraphoFlyDrv.sys (PE32+ driver; file name garbled by extraction); 09f7d425-29df-4a11-87e7-f3a8ec3fe02a.exe (PE32+)
        Signatures: Disable Task List balloon tips (likely to suppress security warnings); Changes the view of files in windows explorer (hidden files and folders); Modifies the context of a thread in another process (thread injection); 4 other signatures
        Started: krita.exe
            Network: whatfuck000.intermediate.icu -> 52.74.12.195 (AMAZON-02US, United States), sandbox-side ports 49725, 49726, 49727
            Signatures: Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)
krita.exe (second instance)
    Signatures: Found stalling execution ending in API Sleep call; Contains functionality to inject threads in other processes; Found hidden mapped module (file has been removed from disk); 2 other signatures
krita.exe (third instance)
    Dropped: 0c6a7185-0813-4d70-8aff-eddba4a3cea6.exe (PE32+)
    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
    Started: krita.exe
        Network: 52.221.112.64 (AMAZON-02US, United States), sandbox-side ports 49732, 49734, 49736
        Signatures: Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)
5 other processes
    Signatures: Changes security center settings (notifications, updates, antivirus, firewall)
    Started: MpCmdRun.exe
        Started: conhost.exe
Threat name:
Win32.Trojan.GiantMidie
Status:
Malicious
First seen:
2026-03-31 20:25:57 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
18 of 38 (47.37%)
Threat level:
  5/5
Result
Malware family:
valleyrat_s2
Score:
  10/10
Tags:
family:valleyrat_s2 backdoor discovery persistence ransomware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Detects ValleyRAT payload
ValleyRat
Valleyrat_s2 family
Malware Config
C2 Extraction:
whatfuck000.intermediate.icu:80
52.221.112.64:80
whatfuck000.intermediate.cyou:80
Unpacked files
SHA256 hash:
5ea579e8fa695b2312ed199ff228784e4be3a8f3319afa18c40955f926336057
MD5 hash:
32c1ea0f9475409ed8eea000bee1e8a8
SHA1 hash:
efb7c3bdd5b647ff5dd401de24a7721b7c1c7898
SHA256 hash:
44b1d70219f88564d94da9fc8a7ca4d25d103575519c84a44df3057b8af98f71
MD5 hash:
cfc7c53e282b0a7c527e4ed091f17fcd
SHA1 hash:
3f3fb2dfaa9a0576803c5fd693f5c4c288ae4f1e
SHA256 hash:
5e88f10fe314607290ee1a3339d973eb440cff11ea7d4b1e0bf02e00bfed4182
MD5 hash:
9cc18f6e98f31c872d45b8e23a204d54
SHA1 hash:
ebfbfaaeaeb072e1115cd0f6bdac3c5642432611
SHA256 hash:
a3fc74d3fd484bc6bc76e36306f375c8f8d8374a70165e18ff46d6753d6c9791
MD5 hash:
5af269d506002487019b61aacb490330
SHA1 hash:
4f20dcd7deee92b7d0bf3c1814b5ae145578e351
SHA256 hash:
8b4c47c4cf5e76ec57dd5a050d5acd832a0d532ee875d7b44f6cdaf68f90d37c
MD5 hash:
9b38a1b07a0ebc5c7e59e63346ecc2db
SHA1 hash:
97332a2ffcf12a3e3f27e7c05213b5d7faa13735
Malware family:
ValleyRAT
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.
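The indicators on this page (the reporter's C2 note, the ThreatFox entry, the sandbox's "C2 Extraction" block and the "Unpacked files" hashes) are what a responder sweeps for after a ValleyRAT detection. The following is an added example, not code from MalwareBazaar, abuse.ch or any of the sandboxes quoted above: it embeds the page's IOCs, runs them over a few constructed DNS and firewall log lines (the key=value log format and the sample lines are assumptions), and hashes arbitrary bytes with the same four algorithms MalwareBazaar lists. Because the behavior graph places both C2 IPs in Amazon address space, an IP-only hit is reported as low confidence unless the destination port is the listed port 80; a DNS hit on a listed domain or one of its subdomains is reported as high confidence.

```python
"""Sweep logs and file hashes for the ValleyRAT indicators listed on this page."""
import hashlib
import re
from typing import Dict, List, Optional, Set, Tuple

# Network indicators from the page: reporter comment, ThreatFox entry and the
# sandbox "C2 Extraction" block. Domains lower-case, no trailing dot.
C2_DOMAINS: Set[str] = {
    "whatfuck000.intermediate.icu",
    "whatfuck000.intermediate.cyou",
}
C2_IPS: Set[str] = {"52.74.12.195", "52.221.112.64"}
C2_PORT = 80  # every listed C2 endpoint is on TCP/80

# Digests from the "Unpacked files" list (submitted file plus four components).
KNOWN_SHA256: Set[str] = {
    "5ea579e8fa695b2312ed199ff228784e4be3a8f3319afa18c40955f926336057",
    "44b1d70219f88564d94da9fc8a7ca4d25d103575519c84a44df3057b8af98f71",
    "5e88f10fe314607290ee1a3339d973eb440cff11ea7d4b1e0bf02e00bfed4182",
    "a3fc74d3fd484bc6bc76e36306f375c8f8d8374a70165e18ff46d6753d6c9791",
    "8b4c47c4cf5e76ec57dd5a050d5acd832a0d532ee875d7b44f6cdaf68f90d37c",
}
KNOWN_MD5: Set[str] = {
    "32c1ea0f9475409ed8eea000bee1e8a8",
    "cfc7c53e282b0a7c527e4ed091f17fcd",
    "9cc18f6e98f31c872d45b8e23a204d54",
    "5af269d506002487019b61aacb490330",
    "9b38a1b07a0ebc5c7e59e63346ecc2db",
}
KNOWN_SHA1: Set[str] = {
    "efb7c3bdd5b647ff5dd401de24a7721b7c1c7898",
    "3f3fb2dfaa9a0576803c5fd693f5c4c288ae4f1e",
    "ebfbfaaeaeb072e1115cd0f6bdac3c5642432611",
    "4f20dcd7deee92b7d0bf3c1814b5ae145578e351",
    "97332a2ffcf12a3e3f27e7c05213b5d7faa13735",
}


def file_hashes(data: bytes) -> Dict[str, str]:
    """The four digests MalwareBazaar shows for a sample, as lower-case hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def hash_hits(hashes: Dict[str, str]) -> Set[str]:
    """Algorithms whose digest equals one listed on the page (case-insensitive)."""
    known = {"sha256": KNOWN_SHA256, "sha1": KNOWN_SHA1, "md5": KNOWN_MD5}
    return {alg for alg, table in known.items()
            if hashes.get(alg, "").lower() in table}


def domain_hit(qname: str) -> Optional[str]:
    """Return the listed C2 domain that `qname` equals or is a subdomain of."""
    name = qname.rstrip(".").lower()
    for c2 in C2_DOMAINS:
        if name == c2 or name.endswith("." + c2):
            return c2
    return None


# Constructed log formats (assumed, not from the page): a resolver line carrying
# query=<name> and a firewall line carrying dst=<ip>:<port>.
DNS_RE = re.compile(r"\bquery=(?P<qname>[A-Za-z0-9.\-]+)")
CONN_RE = re.compile(r"\bdst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")


def scan_logs(lines: List[str]) -> List[Tuple[int, str, bool]]:
    """(line number, matched indicator, high confidence) for each IOC hit.

    A DNS hit is high confidence. An IP hit is high confidence only when the
    destination port is the listed C2 port, because both IPs sit in Amazon
    ranges that also host unrelated services.
    """
    hits = []
    for no, line in enumerate(lines, 1):
        m = DNS_RE.search(line)
        if m:
            c2 = domain_hit(m.group("qname"))
            if c2:
                hits.append((no, c2, True))
            continue
        m = CONN_RE.search(line)
        if m and m.group("ip") in C2_IPS:
            port = int(m.group("port"))
            hits.append((no, f"{m.group('ip')}:{port}", port == C2_PORT))
    return hits


# Constructed sample lines (not real telemetry); lines 1, 3, 4 and 6 should fire.
SAMPLE_LOGS = [
    "2026-04-04T09:12:01Z host=ws-17 query=whatfuck000.intermediate.icu type=A",
    "2026-04-04T09:12:01Z host=ws-17 query=updates.example.com type=A",
    "2026-04-04T09:12:02Z host=ws-17 dst=52.74.12.195:80 proto=tcp bytes=1187",
    "2026-04-04T09:12:09Z host=ws-17 dst=52.221.112.64:443 proto=tcp bytes=512",
    "2026-04-04T09:13:44Z host=ws-02 dst=203.0.113.10:443 proto=tcp bytes=3004",
    "2026-04-04T09:15:00Z host=ws-17 query=cdn.whatfuck000.intermediate.cyou type=A",
]

if __name__ == "__main__":
    for no, ioc, confident in scan_logs(SAMPLE_LOGS):
        print(f"line {no}: {ioc} ({'C2 match' if confident else 'IP only, verify'})")
```

Subdomain matching is deliberate (the sandbox resolved whatfuck000.intermediate.icu, and operators commonly rotate hostnames under the same label), but the parent zones intermediate.icu and intermediate.cyou are not listed on this page and are therefore not matched. Hash matching covers SHA256, SHA1 and MD5 because those are the digests the "Unpacked files" list gives for every component; the SHA3-384 value is shown only for the submitted file and is computed here so a full set can be recorded for any file you triage.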

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_NSIS_Nullsoft_Installer
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:Gh0stKCP
Author:Netresec
Description:Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference:https://netresec.com/?b=259a5af
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Rule name:telebot_framework
Author:vietdx.mb
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:WinosStager
Author:YungBinary
Description:https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments