MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6aaa0c6c1b48b1898188c23db8a57ed9f166b7167570bf174e89a2d3fb4a2ded. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6aaa0c6c1b48b1898188c23db8a57ed9f166b7167570bf174e89a2d3fb4a2ded
SHA3-384 hash: edc0e294beb4dca4444e0040314f9faf041e6b4f1aca556fe3a4312807c7fdcf5f55047aaa29c3c5b7e0d248418131cb
SHA1 hash: d9e0c1c2d8b2ce3540d2e6cafbec555c9f8b37e5
MD5 hash: 79baba439c50d04b0da5d15659d8a5a9
humanhash: snake-four-nine-sink
File name:Makefile.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:176'200 bytes
First seen:2026-02-19 20:01:35 UTC
Last seen:2026-02-19 20:23:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a440b9508b1bc26bafce7157c2aa2e40 (1 x ValleyRAT)
ssdeep 1536:n4VNhRs2dQAHyN+R9GVYQ7608WL2t8fV9a3sQdtKq:KhR5QAHys3kYQ7p8WQ8f+tKq
Threatray 898 similar samples on MalwareBazaar
TLSH T16C045B25E651E07BE4D340FAD2E6C7B9B6686F30034420DBE3D0ADEA63391E5B63154B
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter R4ruk
Tags:exe ValleyRAT

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
156.225.19.99:2324 https://threatfox.abuse.ch/ioc/1750932/

Intelligence

File Origin
# of uploads :
2
# of downloads :
169
Origin country :
AL AL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
Makefile.exe
Verdict:
Malicious activity
Analysis date:
2026-02-19 20:02:56 UTC
Tags:
payload silverfox backdoor valleyrat rat winos
Link:
https://app.any.run/tasks/d00c26b9-2d76-4fda-aee3-e1d0eeb3f055

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/53883/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader49.33262.32089.27438.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69976c488fffa866e3af8832
Tags:
autorun emotet zbot
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Sending an HTTP GET request to an infection source
Creating a window
Creating a file
Connection attempt to an infection source
Sending a TCP request to an infection source
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug installer lolbin microsoft_visual_cc overlay rozena schtasks
Link:
https://www.filescan.io/uploads/69976c46cd25bfe1dfd5c020/reports/1c7ef29f-1f3b-4132-bbb9-e39f2608b9ee/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6aaa0c6c1b48b1898188c23db8a57ed9f166b7167570bf174e89a2d3fb4a2ded
Verdict:
Malicious
File Type:
exe x32
Detections:
Trojan-Spy.Win32.Stealer.sb HEUR:Trojan.Multi.ShellCode.gen Backdoor.Win32.Xkcp.a Trojan-Spy.Win32.KeyLogger.sba PDM:Trojan.Win32.Generic HEUR:Backdoor.Win32.Xkcp.gen Backdoor.Xkcp.TCP.ServerRequest Backdoor.Agent.TCP.C&C
Link:
https://opentip.kaspersky.com/6aaa0c6c1b48b1898188c23db8a57ed9f166b7167570bf174e89a2d3fb4a2ded/results?tab=lookup
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5c5d9480-4f5a-4acb-88f2-e35bfeb7210b
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6aaa0c6c1b48b1898188c23db8a57ed9f166b7167570bf174e89a2d3fb4a2ded
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6aaa0c6c1b48b1898188c23db8a57ed9f166b7167570bf174e89a2d3fb4a2ded/
Verdict:
Malicious
Threat:
Family.VALLEYRAT_S2
Link:
https://tip.neiki.dev/file/6aaa0c6c1b48b1898188c23db8a57ed9f166b7167570bf174e89a2d3fb4a2ded
Threat name:
Win32.Backdoor.Valleyrat
Create hunting rule
Status:
Malicious
First seen:
2026-02-19 20:22:29 UTC
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nkvay3a3jcyytamiyi63rjl63hywnnywovyl6f2orgrnh62kfxwq._file
Verdict:
malicious
Label(s):
valleyrat
Create hunting rule
Similar samples:
2e575672428aaaaefad64f5535cb2416c962db8a8ae060303ef765eec38ba2d2
ValleyRAT
5e30bba83c9011b8078e7cadc05a9fc8892b1fe096b3895f92ee2ebfbf75008b
ValleyRAT
65fbe7f58f0ebd08771be05db480cc107d35a764880d4480fe97a551f527d3f2
ValleyRAT
7bd055075eb686d64a347bbae78cc07f6e2937918cdd4136987ad1177906236e
ValleyRAT
c4157fdbcc337db176dffca2d6d9adc22468302ac50ea968529e837a47d8ac5b
ValleyRAT
error
ValleyRAT
+ 888 additional samples on MalwareBazaar
Result
Malware family:
valleyrat_s2
Create hunting rule
Score:
  10/10
Tags:
family:valleyrat_s2 backdoor discovery execution persistence
Link:
https://tria.ge/reports/260219-yr75mscx8e/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Enumerates connected drives
Detects ValleyRAT payload
ValleyRat
Valleyrat_s2 family
Malware Config
C2 Extraction:
156.225.19.99:2324
127.0.0.1:8888
127.0.0.1:80
Unpacked files
SH256 hash:
6aaa0c6c1b48b1898188c23db8a57ed9f166b7167570bf174e89a2d3fb4a2ded
MD5 hash:
79baba439c50d04b0da5d15659d8a5a9
SHA1 hash:
d9e0c1c2d8b2ce3540d2e6cafbec555c9f8b37e5
Link:
https://www.unpac.me/results/e1aefade-30c5-4ce4-90c7-b195bf40edbc/
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6aaa0c6c1b48/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6aaa0c6c1b48b1898188c23db8a57ed9f166b7167570bf174e89a2d3fb4a2ded

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:GenericGh0st
Create hunting rule
Author:Still
Rule name:Gh0stKCP
Create hunting rule
Author:Netresec
Description:Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference:https://netresec.com/?b=259a5af
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:InstallShield2000
Create hunting rule
Author:malware-lu
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Generic_Threat_4b0b73ce
Create hunting rule
Author:Elastic Security
Rule name:WinosStager
Create hunting rule
Author:YungBinary
Description:https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign
Rule name:win_winos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.winos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

ValleyRAT

Executable exe 6aaa0c6c1b48b1898188c23db8a57ed9f166b7167570bf174e89a2d3fb4a2ded

(this sample)

DLL dll 388a0ed49bfce21840862df32c7ad0d7f5468b6a8d2152ac0c430271a7b7343d

Cape
Cape
https://www.capesandbox.com/analysis/53883/
  
Dropping
SHA256 388a0ed49bfce21840862df32c7ad0d7f5468b6a8d2152ac0c430271a7b7343d
  
Dropping
MD5 1b3a9e68bb76e963680d8b196dff81cd

Comments