MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a25cf8ca25379e296985987ab0836301ee6e255868ef013276ba8e360cceb33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a25cf8ca25379e296985987ab0836301ee6e255868ef013276ba8e360cceb33
SHA3-384 hash: d1e15036ca12aa1c6eb3f7b8cda8598e1b9449ce50ac99536f3350f86a2b7693d645d299bc1a4fa12f72c2081beaac61
SHA1 hash: 2d3769a8db9e187765c690c6070c9a37343f31e0
MD5 hash: 662b5ce37b3e1f271dc24973a0c4fc4f
humanhash: iowa-lake-one-kitten
File name:E-Invoice.rar.dll
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:1'597'440 bytes
First seen:2026-02-03 01:00:12 UTC
Last seen:2026-02-03 01:20:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 487c7f5429c773e1f4085ee06226b9a9 (1 x ValleyRAT)
ssdeep 24576:cIl7OVj8lbr2dqo/SisiLUl9yUX2nUvNX4:91yjOmzsP2i
TLSH T1A4757D06B6A814F5E1B38379C8A38A46E6757C469360E3CF1399165B2F376D08E3F721
TrID 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:dll exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
47.76.86.151:23156

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
47.76.86.151:23156 https://threatfox.abuse.ch/ioc/1739987/

Intelligence

File Origin
# of uploads :
2
# of downloads :
137
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
ValleyFall
Details
Link:
https://research.acce.ciphertechsolutions.com/results/efeaebd5-a717-47d7-8032-286f9f5db021/
Malware family:
n/a
ID:
1
File name:
https://ophkeims.com/
Verdict:
Malicious activity
Analysis date:
2026-02-03 00:39:48 UTC
Tags:
uac payload valleyrat silverfox rat winos
Link:
https://app.any.run/tasks/75ce9591-022e-4ce6-bab6-27be389658af

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
WinosStager
Create hunting rule
Link:
https://www.capesandbox.com/analysis/51369/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=698147082198a42a68054ae5
Tags:
dropper virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm base64 cmd evasive evasive exploit explorer fingerprint lolbin masquerade microsoft_visual_cc neshta packed virus
Link:
https://www.filescan.io/uploads/698148c4c9bfb60ece1ab0d2/reports/fe53276e-4e95-4cd3-96b5-af86fd5b2c79/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/6a25cf8ca25379e296985987ab0836301ee6e255868ef013276ba8e360cceb33
Verdict:
Malicious
File Type:
dll x64
First seen:
2026-02-02T21:38:00Z UTC
Last seen:
2026-02-04T22:25:00Z UTC
Hits:
~100
Detections:
Trojan.Win64.Kryplod.sb Trojan.Win32.Kryplod.sb Backdoor.Xkcp.TCP.ServerRequest Trojan.Win32.DLLhijack.sb Trojan.Win32.Agent.sb HEUR:HackTool.Win64.UACme.gen Backdoor.Win32.Xkcp.a Backdoor.Agent.TCP.C&C Trojan-Dropper.Win32.DLLhijack.sb Trojan-Dropper.Win32.Agent.sb Trojan.Win32.Inject.sb VHO:Backdoor.Win32.Agent.gen
Link:
https://opentip.kaspersky.com/6a25cf8ca25379e296985987ab0836301ee6e255868ef013276ba8e360cceb33/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9acfdec3-3341-4190-b108-df54bdd44fb3
Result
Threat name:
Metasploit
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1862104
Signature
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected MetasploitPayload
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1862104 Sample: E-Invoice.rar.dll.exe Startdate: 03/02/2026 Architecture: WINDOWS Score: 68 52 Multi AV Scanner detection for dropped file 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 Yara detected MetasploitPayload 2->56 58 Initial sample is a PE file and has a suspicious name 2->58 9 loaddll64.exe 1 2->9         started        process3 process4 11 rundll32.exe 1 9->11         started        14 cmd.exe 1 9->14         started        16 rundll32.exe 9->16         started        18 2 other processes 9->18 file5 46 C:\Users\user\AppData\Local\Temp\setup.exe, PE32+ 11->46 dropped 20 cmd.exe 1 11->20         started        22 rundll32.exe 14->22         started        24 cmd.exe 1 16->24         started        process6 process7 26 setup.exe 2 20->26         started        31 conhost.exe 20->31         started        33 cmd.exe 1 22->33         started        35 conhost.exe 24->35         started        37 setup.exe 24->37         started        dnsIp8 50 8.8.8.8 GOOGLEUS United States 26->50 48 C:\ProgramDatabehaviorgrapholden\Run_82017717.exe, PE32+ 26->48 dropped 60 Multi AV Scanner detection for dropped file 26->60 39 setup.exe 1 33->39         started        42 conhost.exe 33->42         started        file9 signatures10 process11 file12 44 C:\ProgramDatabehaviorgrapholden\Run_61316803.exe, PE32+ 39->44 dropped
Score:
83%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6a25cf8ca25379e296985987ab0836301ee6e255868ef013276ba8e360cceb33
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/662b5ce37b3e1f271dc24973a0c4fc4f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6a25cf8ca25379e296985987ab0836301ee6e255868ef013276ba8e360cceb33/
Verdict:
Malicious
Threat:
Family.VALLEYRAT
Link:
https://tip.neiki.dev/file/6a25cf8ca25379e296985987ab0836301ee6e255868ef013276ba8e360cceb33
Threat name:
Win64.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2026-02-03 00:53:28 UTC
File Type:
PE+ (Dll)
Extracted files:
38
AV detection:
23 of 36 (63.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nis47dfckn46ffuylgd2wcbwgaponysvq2hpaezhnouogygm5mzq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/260203-bc5pmsft8a/
Behaviour
Suspicious use of WriteProcessMemory
Executes dropped EXE
Unpacked files
SH256 hash:
6a25cf8ca25379e296985987ab0836301ee6e255868ef013276ba8e360cceb33
MD5 hash:
662b5ce37b3e1f271dc24973a0c4fc4f
SHA1 hash:
2d3769a8db9e187765c690c6070c9a37343f31e0
Link:
https://www.unpac.me/results/f9e4b917-39b1-478e-bbb7-a317bafcd6db/
SH256 hash:
e17af5b59ef8d1ea444577d5405c60056558a19faa84d353604b059fbcac95f6
MD5 hash:
d4ad6d3da222bbb7a96cc35e18c2fc63
SHA1 hash:
6193acb6c422d263a9db69e85a669c4bfe1f20b4
Link:
https://www.unpac.me/results/f9e4b917-39b1-478e-bbb7-a317bafcd6db/
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6a25cf8ca253/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6a25cf8ca25379e296985987ab0836301ee6e255868ef013276ba8e360cceb33

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NETDLLMicrosoft
Create hunting rule
Author:malware-lu
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:WinosStager
Create hunting rule
Author:YungBinary
Description:https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/51369/

Comments