MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b26ccd21b6a590edc74a98f66e557631708a9dd9ec739be8e47f05efb0c6288. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 14 File information Comments

SHA256 hash:	6b26ccd21b6a590edc74a98f66e557631708a9dd9ec739be8e47f05efb0c6288
SHA3-384 hash:	b1fe8753e5162f16f16d9a17c6203ca77e578773924e3187e14587942a866c20ec87b50bb3320fbfe15ffe3f690042fb
SHA1 hash:	475ab188e7e9d7673a34e1ea5364f483104380e8
MD5 hash:	5c4fda221d68b0863b65d8765ed2ebe7
humanhash:	lake-echo-quebec-lion
File name:	5C4FDA221D68B0863B65D8765ED2EBE7.exe
Download:	download sample
Signature	ValleyRAT Create hunting rule
File size:	3'510'272 bytes
First seen:	2026-02-07 19:55:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	59010c5840153cfa420aabe5bb8fa447 (1 x ValleyRAT)
ssdeep	49152:SGaJbNXZ2IsJ63+bEaJbNXZKIsJ63+bEs:zwb9gIsJ63+bEwb9gIsJ63+bE
TLSH	T17FF57C0577B89DAAFC022A3891CF23365A395C316B6249E7CB05BB6159333D56F3B702
TrID	49.9% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win32 Executable (generic) (4504/4/1) 9.6% (.EXE) OS/2 Executable (generic) (2029/13) 9.5% (.EXE) Generic Win/DOS Executable (2002/3) 9.4% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	abuse_ch
Tags:	exe RAT ValleyRAT

abuse_ch

ValleyRAT C2:
45.194.37.221:18809

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.194.37.221:18809	https://threatfox.abuse.ch/ioc/1743173/

Intelligence

File Origin

# of uploads :

# of downloads :

119

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

5C4FDA221D68B0863B65D8765ED2EBE7.exe

Verdict:

Malicious activity

Analysis date:

2026-02-07 19:56:33 UTC

Tags:

payload loader silverfox backdoor valleyrat rat winos

Link:

https://app.any.run/tasks/3c61731d-c2a6-45c7-b7f5-1e03ebcdbdad

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/52637/

Detection(s):

SecuriteInfo.com.Malware.PDB-843.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=698798ac3cadc639ed8460b8

Tags:

shellcode emotet virus sage

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug barys cmd expired-cert lolbin mingw overlay packed

Link:

https://www.filescan.io/uploads/698798a82ffccda0976a3fa0/reports/1bdfc8d7-a32b-4552-97d2-5380c98ecc7c/overview

Verdict:

Malicious

Labled as:

Barys.Generic

Link:

https://www.hybrid-analysis.com/sample/6b26ccd21b6a590edc74a98f66e557631708a9dd9ec739be8e47f05efb0c6288

Result

Gathering data

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-02-05T03:24:00Z UTC

Last seen:

2026-02-05T05:36:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/6b26ccd21b6a590edc74a98f66e557631708a9dd9ec739be8e47f05efb0c6288/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/5d0bb8c4-5920-4fad-b0af-47573c86cef4

Result

Threat name:

ValleyRAT

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1865359

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Contains functionality to detect sleep reduction / modifications

Contains functionality to inject code into remote processes

Document exploit detected (process start blacklist hit)

Drops PE files to the user root directory

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Self deletion via cmd or bat file

Sigma detected: Suspicious Ping/Del Command Combination

Suricata IDS alerts for network traffic

Tries to delay execution (extensive OutputDebugStringW loop)

Unusual module load detection (module proxying)

Uses known network protocols on non-standard ports

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Writes to foreign memory regions

Yara detected UAC Bypass using CMSTP

Yara detected ValleyRAT

Behaviour

Behavior Graph:

Download SVG

Score:

43%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/6b26ccd21b6a590edc74a98f66e557631708a9dd9ec739be8e47f05efb0c6288

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/5c4fda221d68b0863b65d8765ed2ebe7

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6b26ccd21b6a590edc74a98f66e557631708a9dd9ec739be8e47f05efb0c6288/

Verdict:

Malicious

Threat:

Family.VALLEYRAT

Link:

https://tip.neiki.dev/file/6b26ccd21b6a590edc74a98f66e557631708a9dd9ec739be8e47f05efb0c6288

Threat name:

Win32.Backdoor.Valleyrat

Status:

Malicious

First seen:

2026-02-06 02:00:49 UTC

File Type:

PE (Exe)

Extracted files:

461

AV detection:

17 of 36 (47.22%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nmtmzuq3njmq5xduvghwnzkxmmlqrko5t3dttpuoi7yf56ymmkea._file

Result

Malware family:

valleyrat_s2

Score:

10/10

Tags:

family:valleyrat_s2 backdoor discovery

Link:

https://tria.ge/reports/260207-ym9snsbw9h/

Behaviour

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of SetThreadContext

Enumerates connected drives

Executes dropped EXE

Loads dropped DLL

Downloads MZ/PE file

ValleyRat

Valleyrat_s2 family

Malware Config

C2 Extraction:

45.194.37.221:18809
45.194.37.221:18808
45.194.37.221:6666

Unpacked files

SH256 hash:

6b26ccd21b6a590edc74a98f66e557631708a9dd9ec739be8e47f05efb0c6288

MD5 hash:

5c4fda221d68b0863b65d8765ed2ebe7

SHA1 hash:

475ab188e7e9d7673a34e1ea5364f483104380e8

Link:

https://www.unpac.me/results/acee361a-6d13-417e-9362-8005eff946ae/

SH256 hash:

961b4527f8161e4739d2e7979efafc33a99475180e7012678888ca6c02b2a1f3

MD5 hash:

82a56776a79fa782bdc1d8fc52713bf8

SHA1 hash:

77f2755462e3e769dcaaa274e4c5dd8340388d3c

Link:

https://www.unpac.me/results/acee361a-6d13-417e-9362-8005eff946ae/

Malware family:

ValleyRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6b26ccd21b6a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6b26ccd21b6a590edc74a98f66e557631708a9dd9ec739be8e47f05efb0c6288

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	Gh0stKCP Create hunting rule
Author:	Netresec
Description:	Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference:	https://netresec.com/?b=259a5af

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	ICMLuaUtil_UACMe_M41 Create hunting rule
Author:	Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>
Description:	A Yara rule for UACMe Method 41 -> ICMLuaUtil Elevated COM interface
Reference:	https://github.com/hfiref0x/UACME

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM Create hunting rule
Author:	ditekSHen
Description:	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/52637/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample