MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5efbb120677eaa6155059ff8f0bcfcf97250f59f58deec15d5c1414550c318ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 21 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5efbb120677eaa6155059ff8f0bcfcf97250f59f58deec15d5c1414550c318ba
SHA3-384 hash: 129893db87cb36a046f3397027e0be7d9051091e671fe55a744cdee6f563595daeb19d4c9b434525ad6def68648e5edd
SHA1 hash: 7811f68dea28c7baab6c99c408bef04f37f896b9
MD5 hash: e11c298b40d712029a3de9280fd777ac
humanhash: undress-low-earth-carolina
File name:2aa8665670e5b543e40f5fbc8bd672f8.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:1'826'816 bytes
First seen:2026-02-20 07:50:28 UTC
Last seen:2026-02-20 08:35:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c2d457ad8ac36fc9f18d45bffcd450c2 (24 x CobaltStrike, 8 x Sliver, 5 x Lazarus)
ssdeep 24576:VcHRxnp8GLzMP2w8UI167b/AzF5Y1FTbEdl+:Sxxp8AzMP2xUjsk3Ed
TLSH T164853A07BCE158B5D4AE92318A6651927A31BC840F3223DB3E90F77C2FB2BD06A75754
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:exe upx-dec ValleyRAT


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 4af534fee9e556c7ce1c6493cceba19b5979ead53991faefd4dd01308591afa8
File size (compressed) :724'480 bytes
File size (de-compressed) :1'826'816 bytes
Format:win64/pe
Packed file: 4af534fee9e556c7ce1c6493cceba19b5979ead53991faefd4dd01308591afa8

Intelligence

File Origin
# of uploads :
2
# of downloads :
139
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
x5efbb120677eaa6155059ff8f0bcfcf97250f59f58deec15d5c1414550c318ba.exe
Verdict:
Malicious activity
Analysis date:
2026-02-19 04:47:07 UTC
Tags:
anti-evasion auto-sch auto-reg golang antivm
Link:
https://app.any.run/tasks/3d5a24b9-4272-4e81-852c-22497820ea69

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/53900/
Detection(s):
PUA.Win.Packer.Embedpe-3
Create hunting rule

PUA.Win.Packer.AcprotectUltraprotect-1
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=699695c9c950ab5d9aaf446c
Tags:
vmdetect
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Creating a file
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm anti-vm base64 fingerprint golang
Link:
https://www.filescan.io/uploads/6998127197feb4afd64e47a8/reports/ea2a7bf7-35c6-40f2-8936-39b732fe9afe/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/5efbb120677eaa6155059ff8f0bcfcf97250f59f58deec15d5c1414550c318ba
Verdict:
Malicious
File Type:
exe x64
Detections:
Trojan-Downloader.Win32.Gomal.sb Trojan.Win32.Vimditator.sb PDM:Trojan.Win32.Generic Backdoor.Xkcp.TCP.ServerRequest Backdoor.Agent.TCP.C&C Trojan.Win64.Agent.sb Trojan.Win32.Agent.sb PDM:Trojan.Win32.Tasker.cust HEUR:Trojan.Win64.Goshell.gen HEUR:Trojan.Win32.Agent.gen
Link:
https://opentip.kaspersky.com/5efbb120677eaa6155059ff8f0bcfcf97250f59f58deec15d5c1414550c318ba/results?tab=lookup
Gathering data
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1872344
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Creates multiple autostart registry keys
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1872344 Sample: 2aa8665670e5b543e40f5fbc8bd... Startdate: 20/02/2026 Architecture: WINDOWS Score: 100 59 Found malware configuration 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 Yara detected ValleyRAT 2->63 65 2 other signatures 2->65 7 2aa8665670e5b543e40f5fbc8bd672f8.exe 1 2->7         started        12 mptknop.exe 2->12         started        14 mptknop.exe 2->14         started        16 8 other processes 2->16 process3 dnsIp4 57 192.163.162.194, 447 LEASEWEB-USA-LAX-11US United States 7->57 55 C:\Users\user\AppData\Roaming\...\mptknop.exe, PE32+ 7->55 dropped 69 Uses cmd line tools excessively to alter registry or file data 7->69 71 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->71 73 Uses schtasks.exe or at.exe to add and modify task schedules 7->73 18 reg.exe 1 1 7->18         started        29 2 other processes 7->29 75 Multi AV Scanner detection for dropped file 12->75 77 Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners) 12->77 79 Potentially malicious time measurement code found 12->79 21 reg.exe 1 1 12->21         started        31 2 other processes 12->31 23 reg.exe 1 1 14->23         started        33 2 other processes 14->33 25 reg.exe 1 1 16->25         started        27 reg.exe 1 1 16->27         started        35 16 other processes 16->35 file5 signatures6 process7 signatures8 67 Creates multiple autostart registry keys 18->67 37 conhost.exe 18->37         started        39 conhost.exe 21->39         started        41 conhost.exe 23->41         started        43 conhost.exe 25->43         started        45 conhost.exe 27->45         started        47 2 other processes 29->47 49 2 other processes 31->49 51 2 other processes 33->51 53 16 other processes 35->53 process9
Score:
85%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5efbb120677eaa6155059ff8f0bcfcf97250f59f58deec15d5c1414550c318ba
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5efbb120677eaa6155059ff8f0bcfcf97250f59f58deec15d5c1414550c318ba/
Verdict:
Malicious
Threat:
Trojan.Win32.TCP
Link:
https://tip.neiki.dev/file/5efbb120677eaa6155059ff8f0bcfcf97250f59f58deec15d5c1414550c318ba
Threat name:
Win64.Trojan.Etset
Create hunting rule
Status:
Malicious
First seen:
2026-02-13 20:51:50 UTC
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l353cidhp2vgcvift74pbph47fzfb5m7ldpoyfovyfaukugddc5a._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion execution persistence
Link:
https://tria.ge/reports/260220-jqfxfaez9b/
Behaviour
Modifies registry key
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Adds Run key to start application
Executes dropped EXE
Looks for VMWare drivers on disk
Enumerates VirtualBox DLL files
Looks for VirtualBox drivers on disk
Looks for VirtualBox executables on disk
Unpacked files
SH256 hash:
5efbb120677eaa6155059ff8f0bcfcf97250f59f58deec15d5c1414550c318ba
MD5 hash:
e11c298b40d712029a3de9280fd777ac
SHA1 hash:
7811f68dea28c7baab6c99c408bef04f37f896b9
Link:
https://www.unpac.me/results/a481e949-2e5d-4c35-b731-57de37dc3aeb/
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5efbb120677e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.56
Link:
https://yomi.yoroi.company/submissions/5efbb120677eaa6155059ff8f0bcfcf97250f59f58deec15d5c1414550c318ba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:Golang_Find_CSC846
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:Golang_Find_CSC846_Simple
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Suspicious_Golang_Binary
Create hunting rule
Author:Tim Machac
Description:Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

ValleyRAT

Executable exe 4af534fee9e556c7ce1c6493cceba19b5979ead53991faefd4dd01308591afa8

ValleyRAT

Executable exe 5efbb120677eaa6155059ff8f0bcfcf97250f59f58deec15d5c1414550c318ba

(this sample)

  
Dropped by
SHA256 4af534fee9e556c7ce1c6493cceba19b5979ead53991faefd4dd01308591afa8
  
Dropped by
MD5 2aa8665670e5b543e40f5fbc8bd672f8
Cape
Cape
https://www.capesandbox.com/analysis/53900/

Comments