MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d21ee2bece595eaec2814ee8c475dc278b37476645251fe5ee9d309bc58bade. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT

Vendor detections: 15

SHA256 hash: 6d21ee2bece595eaec2814ee8c475dc278b37476645251fe5ee9d309bc58bade
SHA3-384 hash: 19278b78836fdfbdad199e531ebd8707b35b65d97dfa7fa59d6c4a39261f6474a45a5c8e269022354c1690d1bb691180
SHA1 hash: 829177c36e570270ca3f29b463515f0c411d76d2
MD5 hash: 8669bdbe64a68a76227e0fe2c99ff4cf
humanhash: zulu-jig-friend-victor
File name: LineInst.exe
Signature: ValleyRAT
File size: 4'316'864 bytes
First seen: 2026-05-17 18:21:58 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b484b52df60e8d823b647a09bb1e39f9 (6 x ValleyRAT, 2 x SilverFox, 1 x DonutLoader)
ssdeep: 98304:Z8lZKvl1D7xga2y3lwgYpUyXRTeQi5k8Rb8UePJkusWcj:Zll1x4FpU6MQi5XJ8Ue8b
TLSH: T1F81623D2E0984A15CC5F1BB071744D7FA867AE98F0E8B2162AC5FC4237FF7A461B411A
TrID: 28.6% (.EXE) UPX compressed Win32 Executable (27066/9/6)
28.1% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
17.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
6.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika: pebin
dhash icon: 9671e09ed461339c (8 x ValleyRAT, 1 x CryptBot, 1 x LummaStealer)
Reporter: Ling
Tags: exe SilverFox Trojan/SilverFox.sa UPX ValleyRAT


CNGaoLing
Trojan/SilverFox.sa
IOC (Domain wozjde.org) (IP 38.46.14.2)
File size (compressed): 4'316'864 bytes
File size (de-compressed): 4'432'576 bytes
Format: win32/pe
Unpacked file: d827f54dac6343d3bb7325ad7d0f23f764f681250cd504a95c318ac233d8e7ef

Intelligence


File Origin
# of uploads: 1
# of downloads: 119
Origin country: US
Vendor Threat Intelligence
Malware configuration found for: Archives, PEPacker
Details:
Archives: an extracted 7-zip archive from the overlay data and SFX commands
Archives: extracted archive contents
PEPacker: a UPX version number and an unpacked binary
Malware family: n/a
ID: 1
File name: LineInst.exe
Verdict: Malicious activity
Analysis date: 2026-05-17 17:24:57 UTC
Tags: valleyrat rat silverfox winos

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: obfuscated dropper emotet sage
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Launching a process
Connection attempt
Sending a custom TCP request
Setting a keyboard event handler
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context fingerprint installer installer installer-heuristic overlay packed packed packed reconnaissance upx
Verdict: Malicious
File Type: exe x32
First seen: 2026-05-17T14:30:00Z UTC
Last seen: 2026-05-19T12:12:00Z UTC
Hits: ~100
Detections: Trojan-Dropper.Win32.Dapato.sb PDM:Trojan.Win32.Generic Trojan-Spy.Win32.Stealer.sb HEUR:Trojan.Win32.Agent.gen Backdoor.Win32.Xkcp.a Backdoor.Win32.Agent.sb Trojan.Win32.Agent.sb Backdoor.Win32.Xkcp.csd Backdoor.Agent.TCP.C&C Trojan-Spy.Win64.Agent.sb Trojan-Spy.Win32.KeyLogger.sb HEUR:Trojan.Win32.Convagent.gen
Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable PE (Portable Executable) PE File Layout PE Memory-Mapped (Dump) SFX 7z Win 32 Exe x86
Threat name: Win32.Backdoor.Valleyrat
Status: Malicious
First seen: 2026-05-17 18:21:50 UTC
File Type: PE (Exe)
Extracted files: 143
AV detection: 14 of 24 (58.33%)
Threat level: 5/5
Verdict: suspicious
Label(s): shellcode_loader_008
Similar samples: Gathering data
Unpacked files
Malware family: ValleyRAT
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu
Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu
Rule name: UPXv20MarkusLaszloReiser
Author: malware-lu
Rule name: upx_largefile
Author: k3nr9

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: ValleyRAT
File type: Executable exe
SHA256 hash: 6d21ee2bece595eaec2814ee8c475dc278b37476645251fe5ee9d309bc58bade (this sample)
Delivery method: Distributed via web download