MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 675361d84c283064c6bee74b750c48aaf263a1d52032a0ebfb765fb7cf1c3836. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 675361d84c283064c6bee74b750c48aaf263a1d52032a0ebfb765fb7cf1c3836
SHA3-384 hash: 98769fd81926dac8757324d7a754ed92479f2137726d68d0002ee2811b1ea5014d625dd677190b357d1dd54061ca5ad3
SHA1 hash: d65682305c93976b87becdc0f55d5aeb36b2805f
MD5 hash: f4f530a8c6adb2fb16995120dd6a0cd5
humanhash: rugby-freddie-romeo-red
File name:yiwaiwai build version (126).msi
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:65'369'088 bytes
First seen:2025-07-26 20:10:23 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 1572864:pXH/KKIAAOZhwuqmCaLlSgfQQLfAhEDXEs1660Dtgc7:pXfLIAAOZhamC2SgrfmLDPDtJ7
TLSH T17EE733313E998630CBA9787B1AFACF3DE7A51D021178D59DA3103D3BD19B794A8B12C1
TrID 86.3% (.MSI) Microsoft Windows Installer (454500/1/170)
8.4% (.MSP) Windows Installer Patch (44509/10/5)
3.7% (.WPS) Kingsoft WPS Office document (alt.) (19502/3/2)
1.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika ppt
Reporter GDHJDSYDH1
Tags:backdoor dropper msi SilverFox UPX ValleyRAT


Avatar
GDHJDSYDH1
C2:
154.23.176.40

Intelligence

File Origin
# of uploads :
1
# of downloads :
66
Origin country :
US US
Vendor Threat Intelligence
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688533320b4775fb2131b142
Tags:
philis virus hello
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm fingerprint fingerprint wix
Link:
https://www.filescan.io/uploads/6885364213488cfd44d9b248/reports/35aca492-007c-4f2c-9dd2-b380fd5b2c00/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/675361d84c283064c6bee74b750c48aaf263a1d52032a0ebfb765fb7cf1c3836
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/675361d84c283064c6bee74b750c48aaf263a1d52032a0ebfb765fb7cf1c3836
Score:
0%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/675361d84c283064c6bee74b750c48aaf263a1d52032a0ebfb765fb7cf1c3836
Gathering data
Verdict:
Malicious
Threat:
BSS:Trojan.Win32.Agent
Link:
https://tip.neiki.dev/file/675361d84c283064c6bee74b750c48aaf263a1d52032a0ebfb765fb7cf1c3836
Threat name:
Win64.Malware.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-07-26 17:41:23 UTC
File Type:
Binary (Archive)
Extracted files:
21814
AV detection:
12 of 37 (32.43%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m5jwdwcmfaygjrv645fxkdcivlzghioveazkb273ozp3pty4ha3a._file
Verdict:
malicious
Label(s):
unc_loader_051
Create hunting rule
Similar samples:
error
ValleyRAT
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery ransomware upx
Link:
https://tria.ge/reports/250726-yx3gcacl3t/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
UPX packed file
Enumerates connected drives
Verdict:
Malicious
Tags:
Win.Ransomware.Msilzilla-10014498-0
YARA:
n/a
Link:
https://app.threat.zone/submission/3eb96c41-4e34-4f46-9002-3de33b73f74b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ValleyRAT

Microsoft Software Installer (MSI) msi 675361d84c283064c6bee74b750c48aaf263a1d52032a0ebfb765fb7cf1c3836

(this sample)

  
Link
https://tria.ge/250726-yphf7sck2v/behavioral1
  
Delivery method
Distributed via web download

Comments