MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6600e79da01251789f8cfd6599d9f22edf1a6c4e3e8fb8a4123757bdcc26de57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT

Vendor detections: 14

SHA256 hash: 6600e79da01251789f8cfd6599d9f22edf1a6c4e3e8fb8a4123757bdcc26de57
SHA3-384 hash: ba98b8dc35d674c73f2d9485d14d0d5b2631cca6aa8a1bee9bc186245aa254d92839598f1e37ce25b2488d6f57dcaeed
SHA1 hash: afde7e557e21ee0c85613d6a9b85f760920fd135
MD5 hash: c635acc81450b3c47bae36ec02762a77
humanhash: may-blossom-florida-paris
File name: e57e1361.exe
Signature: ValleyRAT
File size: 2'334'720 bytes
First seen: 2026-02-03 16:10:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 58df836f6788615dd5d90fd175be31c9 (1 x ValleyRAT)
ssdeep: 24576:1yIaYPJBicbZabh2bXHrJdJ677eTxywgy:oIaYP7L9z6neTxywz
Threatray: 4 similar samples on MalwareBazaar
TLSH: T12FB56EDAA70D41E5CDDB32B8DB564A73AA84A924077486CFFBAEC91FF00F81540F1916
TrID: 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
      6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: abuse_ch
Tags: exe RAT ValleyRAT


abuse_ch
ValleyRAT C2:
156.254.21.227:6666

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
156.254.21.227:6666    https://threatfox.abuse.ch/ioc/1740818/

Intelligence


File Origin
# of uploads: 1
# of downloads: 132
Origin country: NL
Vendor Threat Intelligence

No detections

Malware family: n/a
ID: 1
File name: 失足缅北女猪仔被男友骗到园区后遭到主管暴力殴打强奸.7z
Verdict: Malicious activity
Analysis date: 2026-02-03 16:02:56 UTC
Tags: arch-exec silverfox backdoor valleyrat rat winos

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 70%
Tags: shellcode emotet small hype

Result
Verdict: Clean
Maliciousness:

Behaviour
Sending a custom TCP request

Verdict: Malicious
File Type: exe x32
First seen: 2026-02-03T10:17:00Z UTC
Last seen: 2026-02-03T10:31:00Z UTC
Hits: ~10
Detections: Backdoor.Agent.HTTP.C&C Trojan.Win32.Zenpak.sb Exploit.Win64.Crun.b PDM:Trojan.Win32.Generic PDM:Exploit.Win32.Generic Backdoor.Win32.Agentb.sb HEUR:Exploit.Win32.ShellCode.gen
Result
Threat name: ValleyRAT
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signature:
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Uses known network protocols on non-standard ports
Yara detected ValleyRAT
Behaviour
Behavior Graph: Gathering data
Result
Malware family: valleyrat_s2
Score: 10/10
Tags: family:valleyrat_s2 backdoor discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Program crash
System Location Discovery: System Language Discovery
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Detects ValleyRAT payload
ValleyRat
Valleyrat_s2 family
Unpacked files
SHA256 hash: 6600e79da01251789f8cfd6599d9f22edf1a6c4e3e8fb8a4123757bdcc26de57
MD5 hash: c635acc81450b3c47bae36ec02762a77
SHA1 hash: afde7e557e21ee0c85613d6a9b85f760920fd135

SHA256 hash: f261cc18252673fe68bb4819325e7378665d2f7a9d54fa100e024d6097a1a15c
MD5 hash: 44a76ddfd505240163b9b792c0b6d227
SHA1 hash: f024ea34a8d6764c1ec957354b1c0fce9dc638a2

SHA256 hash: 5d3552a945b99cb2a5bb23e2472252631bee5012dacc1159817279f19403687c
MD5 hash: df3a554a2ce746075d60a7f99abb3fc5
SHA1 hash: 2c78873eae162f19c4ee82b88ce4702fdcc18b1e

Malware family: ValleyRAT
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Capability_Embedded_Lua
Author: Obscurity Labs LLC
Description: Detects embedded Lua engines by looking for multiple Lua API symbols or env-var hooks

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: RANSOMWARE
Author: ToroGuitar

File information


The table below shows additional information about this malware sample such as delivery method and external references.
