MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63a571b9a12388c11c61b9b97140a6d8b5af11066b36104f2e185d789166e1d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	63a571b9a12388c11c61b9b97140a6d8b5af11066b36104f2e185d789166e1d8
SHA3-384 hash:	5d9c756effa30e541c7dfef35909001a61f35036d47ce4e540f640b5fb0ff24da8f94e8c8e762d0ad188ac318469bff2
SHA1 hash:	5ca48eb4dfbd6f50bde448b33c70dd24bced8586
MD5 hash:	87134b25d9ec6bb3430d89ace378fe78
humanhash:	sierra-delta-avocado-texas
File name:	108.exe
Download:	download sample
Signature	ValleyRAT Alert Create hunting rule
File size:	95'760'702 bytes
First seen:	2025-10-29 22:57:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d221b1dc8c3a08622f6512e7876527c8 (3 x ZhongStealer, 2 x ValleyRAT, 1 x CoinMiner)
ssdeep	1572864:UUdvya282POfqcgzmIONIcP4dljPRFbqCejjlznmkU1zZvIUd:RKa28qcbNXSljPRQCamN1zZwUd
TLSH	T11E28339D4883784FF93796718ABB7BF8BCE01C82D611B5C79AE635075CF1D8248DA206
TrID	32.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 20.5% (.EXE) Win64 Executable (generic) (10522/11/4) 12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 9.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	GDHJDSYDH1
Tags:	backdoor dropper exe SilverFox ValleyRAT

GDHJDSYDH1

C2:
103.235.46.102
137.220.136.4

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

192

Origin country :

US

Vendor Threat Intelligence

ANY.RUN Malicious

Malware family:

n/a

ID:

1

File name:

108.exe

Verdict:

Malicious activity

Analysis date:

2025-10-29 22:48:40 UTC

Tags:

anti-evasion qrcode

Link:

https://app.any.run/tasks/c69d1ae8-c252-445e-9745-6a1153f5e73f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CyberFortress Malicious

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=690299ca706befaf4eca229b

Tags:

emotet cobalt madi

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Сreating synchronization primitives

Creating a file in the Program Files subdirectories

Launching a process

Loading a suspicious library

Connection attempt

Sending a custom TCP request

DNS request

Sending an HTTP GET request

Creating a service

Launching a service

Loading a system driver

Creating a file in the Windows subdirectories

Creating a file in the Windows directory

Running batch commands

Creating a process with a hidden window

Forced system process termination

Creating a file in the system32 directory

Creating a file in the system32 subdirectories

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Creating a window

Deleting a recently created file

Moving a file to the Program Files subdirectory

Searching for synchronization primitives

Enabling autorun for a service

Unauthorized injection to a system process

Enabling autorun by creating a file

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

100%

Tags:

installer installer installer-heuristic microsoft_visual_cc overlay overlay packed

Link:

https://www.filescan.io/uploads/69029c2321d55ed90d42313e/reports/fd4c8028-7c0f-41ef-bf34-c4e9adfca2cf/overview

Hybrid Analysis Malware_51.0

Verdict:

Malicious

Labled as:

Malware_51.0

Link:

https://www.hybrid-analysis.com/sample/63a571b9a12388c11c61b9b97140a6d8b5af11066b36104f2e185d789166e1d8

Kaspersky OpenTIP Malicious

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-29T18:48:00Z UTC

Last seen:

2025-10-30T05:26:00Z UTC

Hits:

~10

Detections:

Trojan.Win64.Loader.cjm Trojan.Win64.Loader.cjl

Link:

https://opentip.kaspersky.com/63a571b9a12388c11c61b9b97140a6d8b5af11066b36104f2e185d789166e1d8/results?tab=lookup

Nucleon Malprob Benign

Score:

27%

Verdict:

Benign

File Type:

PE

Link:

https://malprob.io/report/63a571b9a12388c11c61b9b97140a6d8b5af11066b36104f2e185d789166e1d8

CERT.PL MWDB

Gathering data

Neiki Trojan.Win64.Loader

Verdict:

Malicious

Threat:

Trojan.Win64.Loader

Link:

https://tip.neiki.dev/file/63a571b9a12388c11c61b9b97140a6d8b5af11066b36104f2e185d789166e1d8

ReversingLabs TitaniumCloud Win32.Trojan.Malgent

Threat name:

Win32.Trojan.Malgent

Alert

Create hunting rule

Status:

Malicious

First seen:

2025-10-29 22:22:29 UTC

File Type:

PE (Exe)

Extracted files:

3

AV detection:

9 of 24 (37.50%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mosxdonbeoemchdbxg4xcqfg3c226eignm3batzodboxrelg4hma._file

Hatching Triage Malicious

Result

Malware family:

n/a

Score:

  8/10

Tags:

defense_evasion discovery persistence privilege_escalation spyware stealer trojan

Link:

https://tria.ge/reports/251029-2x6qjscx2b/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious behavior: MapViewOfSection

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

System Time Discovery

Drops file in Program Files directory

Drops file in Windows directory

Drops file in System32 directory

Enumerates processes with tasklist

Checks installed software on the system

Checks whether UAC is enabled

Indicator Removal: File Deletion

Checks computer location settings

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Boot or Logon Autostart Execution: Active Setup

VMRay ValleyRAT

Malware family:

ValleyRAT

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/63a571b9a123/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ValleyRAT

exe 63a571b9a12388c11c61b9b97140a6d8b5af11066b36104f2e185d789166e1d8

(this sample)

any.run

https://app.any.run/tasks/c69d1ae8-c252-445e-9745-6a1153f5e73f

  

Link

https://tria.ge/251029-2rdsksdj9x/behavioral2

  

Link

https://hybrid-analysis.com/sample/63a571b9a12388c11c61b9b97140a6d8b5af11066b36104f2e185d789166e1d8/690298b4b56e0aceab091cb3

  

Link

https://hunting.abuse.ch/hunt/137.220.136.4/#threatfox

  

Delivery method

Distributed via web download