MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63a4e207e5d599129a938b90c229fe32d5d64e0ade6c77c74695d290e71ca15e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 15



SHA256 hash: 63a4e207e5d599129a938b90c229fe32d5d64e0ade6c77c74695d290e71ca15e
SHA3-384 hash: 8642486bc49e07d4786df007f46a151be7839380cf008780d06210a329d24a2d24c80606852189818cbc92e98bdf156e
SHA1 hash: b873aade71a3fe6bf22cf6ed0d4a6f27dbd26c3f
MD5 hash: d6b65cbb0ad239b1114eca75ad7f4238
humanhash: network-double-finch-muppet
File name: D6B65CBB0AD239B1114ECA75AD7F4238.exe
Signature ValleyRAT
File size: 17'951'400 bytes
First seen: 2025-12-28 06:25:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 039d1617d5f0788dacbd04b35a141ebe (28 x ValleyRAT)
ssdeep 393216:6kEol0mN48TipHULzJ6PoPl8IO+xE0/yj19:6kEol0so5ULV6APhx12L
TLSH T1B6073359C91F41C7D471127D401B50AAA08BBE9F2C32D75AE6C8FFE2B53B60646BB10E
TrID 37.3% (.EXE) Win64 Executable (generic) (10522/11/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags: exe RAT signed ValleyRAT

Code Signing Certificate

Organisation: RichQuest Network Technology Ltd.
Issuer: Certum Extended Validation Code Signing 2021 CA
Algorithm: sha256WithRSAEncryption
Valid from: 2025-12-23T10:22:37Z
Valid to: 2026-12-23T10:22:36Z
Serial number: 52af7661636c0c9bef328c7f13a32230
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist: This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm: SHA256
Thumbprint: f1dbe289d0b4218eefa79767c298becc0096fd478b29003ff79fdffae4c37f8a
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
ValleyRAT C2:
203.91.74.3:443

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                ThreatFox Reference
203.91.74.3:443    https://threatfox.abuse.ch/ioc/1687166/

Intelligence


File Origin
# of uploads: 1
# of downloads: 170
Origin country: NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_63a4e207e5d599129a938b90c229fe32d5d64e0ade6c77c74695d290e71ca15e.exe
Verdict:
Malicious activity
Analysis date:
2025-12-28 06:29:02 UTC
Tags:
auto-sch

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
autorun virus micro sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug blackhole installer installer installer-heuristic microsoft_visual_cc nsis overlay revoked-cert signed
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-25T02:32:00Z UTC
Last seen:
2025-12-26T04:51:00Z UTC
Hits:
~10
Detections:
Backdoor.Win32.Agent.sb Backdoor.Win32.Agent.myxbxr
Result
Threat name:
ValleyRAT
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
72 / 100
Signature
Accesses sensitive object manager directories (likely to detect virtual machines)
AI detected suspicious PE digital signature
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to capture and log keystrokes
Detected unpacking (creates a PE file in dynamic memory)
Found evasive API chain (may stop execution after checking mutex)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the DNS server
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via ARP
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Behavior Graph (ID: 1840684; Sample: tXbwYHGeXA.exe; Startdate: 28/12/2025; Architecture: WINDOWS; Score: 72)
Gathering data
Threat name:
Win32.Backdoor.Generic
Status:
Suspicious
First seen:
2025-12-25 09:04:12 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
7 of 38 (18.42%)
Threat level:
  5/5
Result
Malware family:
valleyrat_s2
Score:
  10/10
Tags:
family:valleyrat_s2 backdoor defense_evasion discovery execution installer persistence privilege_escalation spyware trojan
Behaviour
Checks SCSI registry key(s)
Gathers network information
Modifies data under HKEY_USERS
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Network Service Discovery
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Drops file in Drivers directory
Modifies Windows Firewall
Detects ValleyRAT payload
ValleyRat
Valleyrat_s2 family
Unpacked files
SHA256 hash:
63a4e207e5d599129a938b90c229fe32d5d64e0ade6c77c74695d290e71ca15e
MD5 hash:
d6b65cbb0ad239b1114eca75ad7f4238
SHA1 hash:
b873aade71a3fe6bf22cf6ed0d4a6f27dbd26c3f
SHA256 hash:
5db5452e7e56490399ef6c4b3a4869eac6a40645bb9ba235dba14c6e5cba5700
MD5 hash:
da83cf6e8815fd602ac385454f91e37d
SHA1 hash:
4472a82e4738d50b1a17d81f3570fa144247c3f7
Detections:
INDICATOR_EXE_Packed_VMProtect
SHA256 hash:
cd09e7027422446b58e8fa83b66b7ce6a8e01db5be9a4040123aae9fa29a600b
MD5 hash:
47340bf27036972d836db6af989c618d
SHA1 hash:
6e7d9d175f9805421cbd97e4aa0b563ecbeaa38e
SHA256 hash:
4e74773e39699b952780747a48a308c1d77d4f32f1701fd9da9a1b9bf78687ce
MD5 hash:
75628f89530360baa941c52edb1647cb
SHA1 hash:
d019881cb80b818dac20fc10083bb5c6c2f03ae3
Malware family:
ValleyRAT
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base63 encoded PowerShell script.
Rule name: GenericGh0st
Author: Still
Rule name: Gh0stKCP
Author: Netresec
Description: Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference: https://netresec.com/?b=259a5af
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: Indicator_MiniDumpWriteDump
Author: Obscurity Labs LLC
Description: Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: ValleyRAT
Author: NDA0E
Description: Detects ValleyRAT
Rule name: Windows_Generic_Threat_4b0b73ce
Author: Elastic Security
Rule name: Windows_Trojan_Winos_464b8a2e
Author: Elastic Security
Rule name: win_valley_rat_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.valley_rat.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments