MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 709de7963a5ab386547882f31f113f7dd42e94bcd723a65db007d3f13dfef45f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 14



SHA256 hash: 709de7963a5ab386547882f31f113f7dd42e94bcd723a65db007d3f13dfef45f
SHA3-384 hash: e73981b3f92b3253cf0bf8368e7ff8324b82a3cd972e1e69fb066119ddf35c32e59bc7fb1fd8e878702b2732c2daa19f
SHA1 hash: 46886fb1660f67da56be5cc3a7379f744da9f57f
MD5 hash: e48fcdbcadf50b5ec84c589dd3223504
humanhash: sixteen-bakerloo-texas-yellow
File name:Danma.exe
Signature ValleyRAT
File size:6'073'496 bytes
First seen:2026-03-31 14:29:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 483f0c4259a9148c34961abbda6146c1 (20 x ValleyRAT, 8 x AsyncRAT, 7 x QuasarRAT)
ssdeep 98304:Rgv1taxu11ILRFPwUqaO/j/I77+Tn7iKp9XMpX6fwM7cNuuRqj:ev1C8ILjPEJ/k7snx58XZMQMCqj
TLSH T1A8563302F3C34878F835453D94E5C4996D06BDD806F2396A6DF8C26E5DB86C2183AA7B
TrID 72.8% (.EXE) Inno Setup installer (107240/4/30)
9.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win64 Executable (generic) (6522/11/2)
3.0% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'793 x Socks5Systemz, 67 x RedLineStealer)
Reporter aachum
Tags:192-238-180-62 CHN exe ValleyRAT winos


iamaachum
https://teams-window.com/ => https://down.ch-skype.com/te_am_s_x86.zip

ValleyRAT/Winos C2: 192.238.180.62:5050

Intelligence


File Origin
# of uploads :
1
# of downloads :
113
Origin country :
ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Danma.exe
Verdict:
Malicious activity
Analysis date:
2026-03-31 14:25:38 UTC
Tags:
themida vmprotect valleyrat rat silverfox winos

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Tags:
vmprotect emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Moving a recently created file
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Searching for analyzing tools
Searching for the window
Delayed reading of the file
Creating a service
Launching a service
Loading a system driver
Running batch commands
Launching the process to change network settings
Adding an access-denied ACE
Launching a process
Enabling autorun for a service
Connection attempt to an infection source
Sending a TCP request to an infection source
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
embarcadero_delphi fingerprint installer overlay overlay packed packed packer_detected
Result
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-03-30T19:57:00Z UTC
Last seen:
2026-03-30T20:27:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Win32.Agent.gen
Result
Threat name:
ValleyRAT
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to capture and log keystrokes
Contains functionality to check if Internet connection is working
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Detected unpacking (changes PE section rights)
Detected VMProtect packer
Drops password protected ZIP file
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Powershell drops PE file
Sample is not signed and drops a device driver
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Ping/Del Command Combination
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Unusual module load detection (module proxying)
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected ValleyRAT
Behaviour
Behavior Graph (reconstructed from the exported graph text):
Behavior Graph ID: 1891516; Sample: Danma.exe; Start date: 31/03/2026; Architecture: WINDOWS; Score: 100
Top-level signatures: Found malware configuration; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 13 other signatures

Process tree. Dropped files follow "drops:", per-process signatures are in square brackets, "N other processes" is kept as exported, and elided paths ("...") are left as the export shows them.

Danma.exe
  drops: C:\Users\user\AppData\Local\...\Danma.tmp (PE32)
  Danma.tmp
    drops: C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
    powershell.exe -> conhost.exe
      drops: C:\Users\Public\Documents\RunCode.exe (PE32+); C:\Users\Public\Documents\RunServer.dat (data)
      [Loading BitLocker PowerShell Module; Powershell drops PE file]
    RunCode.exe
      drops: C:\Users\Public\...\WUDFCompanionHoste.exe (PE32); C:\Users\...\StartMenuExperienceHostker.exe (PE32+); C:\Users\Public\Documents\...\smss.exe (data)
      [Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 5 other signatures]
      StartMenuExperienceHostker.exe
        drops: C:\Users\Public\Documents\...\log.dll (PE32); C:\Users\Public\Documents\...\Cndom6.sys (PE32+)
        [Multi AV Scanner detection for dropped file; Modifies the windows firewall; Sample is not signed and drops a device driver]
        WUDFCompanionHoste.exe
          network: 192.238.180.62, 49713, 49714, 49717 (LEASEWEB-USA-LAX-11, United States)
          [Contains functionality to check if Internet connection is working; Contains functionality to inject threads in other processes; Contains functionality to capture and log keystrokes; 2 other signatures]
        cmd.exe -> conhost.exe, netsh.exe
          [Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks; Uses netsh to modify the Windows network and firewall settings]
        cmd.exe -> conhost.exe, netsh.exe
        30 other processes -> conhost.exe, netsh.exe, 54 other processes
      cmd.exe -> PING.EXE (127.0.0.1), conhost.exe
        [Uses ping.exe to sleep]
      cmd.exe -> conhost.exe (-> 2 other processes), takeown.exe (-> 2 other processes), 4 other processes
StartMenuExperienceHostker.exe (second instance, started at top level)
  [Sample is not signed and drops a device driver]
  cmd.exe -> conhost.exe, netsh.exe
  cmd.exe -> conhost.exe, netsh.exe
  cmd.exe -> 2 other processes
  11 other processes -> 22 other processes
svchost.exe
  [Changes security center settings (notifications, updates, antivirus, firewall)]
  MpCmdRun.exe -> conhost.exe
5 other processes (top level)
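The sandbox signatures and process tree above reduce to a handful of endpoint checks: a core Windows process name written outside the system directories (smss.exe under Public\Documents), shells and LOLBins spawned by an executable living under C:\Users\Public, the ping-to-localhost-then-del self-cleanup idiom, and netsh firewall changes tied to a user-writable staging directory. The block below is an added example, not code from MalwareBazaar, the sandbox vendor or the Sigma rules named in the report; it runs those four checks over constructed events shaped after the reported process tree. The field names (EventType, Image, ParentImage, CommandLine, TargetFilename) are an assumption modelled on Sysmon event IDs 1 and 11, and the command lines and the file name stage.tmp are constructed, since the page does not show the actual command lines.

```python
"""Added example, not from MalwareBazaar, the sandbox vendor or the Sigma rules
named on the page: four endpoint checks modelled on the reported behaviours,
run over constructed events shaped like Sysmon EID 1 (ProcessCreate) and
EID 11 (FileCreate). Field names are an assumption; command lines and the
file name stage.tmp are constructed, not taken from the report."""
import ntpath
import re

SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe", "conhost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\programdata\\")
SHELL_LIKE = {"cmd.exe", "powershell.exe", "netsh.exe", "takeown.exe", "sc.exe", "schtasks.exe"}

# ping to localhost used as a sleep, chained with del/erase in the same command line
PING_DEL = re.compile(r"\bping(?:\.exe)?\b[^&]*?(?:127\.0\.0\.1|localhost)[^&]*&+\s*(?:del|erase)\b", re.I)
# netsh invocations that change firewall state (advfirewall or the legacy firewall context)
NETSH_FW = re.compile(r"\bnetsh(?:\.exe)?\b.*\b(?:advfirewall\s+(?:firewall\s+)?(?:add|set|delete)"
                      r"|firewall\s+(?:add|set))\b", re.I)


def system_name_outside_system_dirs(ev):
    """A file or image named like a core Windows binary but not under System32/SysWOW64."""
    path = (ev.get("TargetFilename") or ev.get("Image") or "").lower()
    return ntpath.basename(path) in SYSTEM_PROCESS_NAMES and not path.startswith(SYSTEM_DIRS)


def parent_in_public_folder(ev):
    """A shell or LOLBin whose parent executable lives under C:\\Users\\Public."""
    parent = ev.get("ParentImage", "").lower()
    child = ntpath.basename(ev.get("Image", "").lower())
    return (ev.get("EventType") == "ProcessCreate"
            and parent.startswith("c:\\users\\public\\") and child in SHELL_LIKE)


def ping_del_combination(ev):
    """ping-as-sleep followed by del: the self-cleanup idiom behind the Sigma title."""
    return ev.get("EventType") == "ProcessCreate" and bool(PING_DEL.search(ev.get("CommandLine", "")))


def netsh_firewall_change(ev):
    """Firewall change that references, or is issued from, a user-writable staging directory.
    Plain 'netsh advfirewall' use is too common in administration to alert on by itself."""
    if ev.get("EventType") != "ProcessCreate":
        return False
    cmd = ev.get("CommandLine", "")
    if not NETSH_FW.search(cmd):
        return False
    parent = ev.get("ParentImage", "").lower()
    return any(d in cmd.lower() or d in parent for d in SUSPICIOUS_DIRS)


RULES = {
    "system_name_outside_system_dirs": system_name_outside_system_dirs,
    "parent_in_public_folder": parent_in_public_folder,
    "ping_del_combination": ping_del_combination,
    "netsh_firewall_change": netsh_firewall_change,
}


def triage(events):
    """Return [(event_index, rule_name)] for every rule that fires, in event order."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


SAMPLE_EVENTS = [  # constructed after the sandbox process tree; not real telemetry
    # 0: RunCode.exe writes a file named smss.exe into Public\Documents
    {"EventType": "FileCreate", "Image": r"C:\Users\Public\Documents\RunCode.exe",
     "TargetFilename": r"C:\Users\Public\Documents\smss.exe"},
    # 1: RunCode.exe spawns cmd.exe that sleeps via ping and then deletes a (constructed) file
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\Public\Documents\RunCode.exe",
     "CommandLine": r'cmd /c ping 127.0.0.1 -n 5 > nul & del /f /q "C:\Users\Public\Documents\stage.tmp"'},
    # 2: firewall allow-rule for an executable under Public (command line constructed)
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="Run" dir=in action=allow '
                    r'program="C:\Users\Public\Documents\RunCode.exe"'},
    # 3: benign control, the real svchost from System32
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
    # 4: benign control, an interactive connectivity check with no del
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd /c ping 127.0.0.1 -n 2"},
    # 5: benign control, an administrator's rule for an installed application
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="App" dir=in action=allow '
                    r'program="C:\Program Files\App\app.exe"'},
]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Events 0, 1 and 2 fire (event 1 hits two rules), the three controls stay quiet. The netsh check deliberately requires a user-writable path in the command line or the parent; a rule that fires on every advfirewall change drowns in legitimate administration, which is the caveat behind the "Modifies the windows firewall" signature above.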
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Result
Malware family:
valleyrat_s2
Score:
10/10
Tags:
family:valleyrat_s2 backdoor defense_evasion discovery execution exploit installer persistence privilege_escalation
Behaviour
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Inno Setup is an open-source installation builder for Windows applications.
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Command and Scripting Interpreter: PowerShell
Enumerates connected drives
Indicator Removal: File Deletion
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Modifies Windows Firewall
Possible privilege escalation attempt
ValleyRat
Valleyrat_s2 family
Malware Config
C2 Extraction:
192.238.180.62:5050
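To turn the extracted C2 and the reporter's delivery hostnames into a retrospective hunt, the following added example (not part of the page or of any vendor's tooling) parses Zeek's default tab-separated conn.log and ssl.log and reports internal hosts that reached 192.238.180.62:5050, the same IP on another port (lower confidence, since the address may host unrelated services), or presented down.ch-skype.com or teams-window.com as TLS SNI. The log records and the 10.0.0.0/8 and 198.51.100.0/24 addresses are constructed for the example; the column names are Zeek's standard ones from the #fields header, and only the indicator values come from this entry.

```python
"""Added example, not from the MalwareBazaar page or any vendor: sweep Zeek's
default tab-separated conn.log and ssl.log for the indicators on this entry.
The log records and the 10.0.0.0/8 and 198.51.100.0/24 addresses are
constructed; only the indicator values come from the page."""
from dataclasses import dataclass

# Indicators from this entry: the extracted C2 and the two hostnames in the
# reporter's delivery chain.
C2_ENDPOINTS = {("192.238.180.62", 5050)}
C2_IPS = {ip for ip, _ in C2_ENDPOINTS}
DELIVERY_HOSTS = {"teams-window.com", "down.ch-skype.com"}

CONN_LOG = (  # constructed conn.log excerpt, standard Zeek column names
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\n"
    "1774967400.1\tCabc1\t10.0.0.23\t49713\t192.238.180.62\t5050\ttcp\t-\tSF\n"
    "1774967401.4\tCabc2\t10.0.0.23\t49714\t192.238.180.62\t5050\ttcp\t-\tS0\n"
    "1774967402.0\tCabc3\t10.0.0.41\t51000\t192.238.180.62\t443\ttcp\tssl\tSF\n"
    "1774967403.2\tCabc4\t10.0.0.23\t49800\t198.51.100.9\t443\ttcp\tssl\tSF\n"
)
SSL_LOG = (  # constructed ssl.log excerpt; the SNI lands in server_name
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tserver_name\n"
    "1774967300.0\tCdef1\t10.0.0.23\t49600\t198.51.100.20\t443\tTLSv13\tdown.ch-skype.com\n"
    "1774967305.0\tCdef2\t10.0.0.23\t49601\t198.51.100.21\t443\tTLSv13\twww.example.org\n"
)


def parse_zeek(text):
    """Turn Zeek TSV into dicts keyed by the #fields header; other '#' lines are metadata."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


@dataclass(frozen=True)
class Hit:
    log: str
    uid: str
    orig_h: str
    indicator: str
    confidence: str


def sweep_conn(rows):
    """Exact ip:port from the config is high confidence; the same IP on another
    port is worth a look but may be unrelated hosting on that address."""
    hits = []
    for r in rows:
        ip, port = r["id.resp_h"], int(r["id.resp_p"])
        if (ip, port) in C2_ENDPOINTS:
            hits.append(Hit("conn", r["uid"], r["id.orig_h"], f"{ip}:{port}", "high"))
        elif ip in C2_IPS:
            hits.append(Hit("conn", r["uid"], r["id.orig_h"], f"{ip}:{port}", "medium"))
    return hits


def sweep_ssl(rows):
    """The reporter's URLs are HTTPS, so the delivery hostnames surface as TLS SNI."""
    return [Hit("ssl", r["uid"], r["id.orig_h"], r["server_name"], "high")
            for r in rows if r.get("server_name") in DELIVERY_HOSTS]


def affected_hosts(hits):
    """Internal addresses to pull for host triage, deduplicated."""
    return sorted({h.orig_h for h in hits})


if __name__ == "__main__":
    found = sweep_conn(parse_zeek(CONN_LOG)) + sweep_ssl(parse_zeek(SSL_LOG))
    for h in found:
        print(f"{h.log} {h.uid} {h.orig_h} -> {h.indicator} [{h.confidence}]")
    print("hosts to triage:", affected_hosts(found))
```

The S0 record (SYN sent, no reply) is counted on purpose: the sandbox report lists "Connection attempt to an infection source", and a host whose implant could not reach the server is still an infected host. Matching on the IP alone is kept at medium confidence because the page only supports port 5050 as the C2 port.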
Unpacked files
SHA256 hash:
709de7963a5ab386547882f31f113f7dd42e94bcd723a65db007d3f13dfef45f
MD5 hash:
e48fcdbcadf50b5ec84c589dd3223504
SHA1 hash:
46886fb1660f67da56be5cc3a7379f744da9f57f
SHA256 hash:
a4c86fc4836ac728d7bd96e7915090fd59521a9e74f1d06ef8e5a47c8695fd81
MD5 hash:
4ff75f505fddcc6a9ae62216446205d9
SHA1 hash:
efe32d504ce72f32e92dcf01aa2752b04d81a342
SHA256 hash:
9461ae8a13a57c0d8490916dc1e1bb20cb0c171b9852d0846a03c4c4d212f204
MD5 hash:
b277e6ac242fcbc37f4d03e1528949c1
SHA1 hash:
2602407044a6bad216d3856eaf8fb990e0f1094f
SHA256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Malware family:
VMProtect
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Author:malware-lu
Rule name:Detect_Zoom_Invite_malware_RAT_C2
Author:daniyyell
Description:Detects Zoom Invite Call Leading to Malware Hosted in Telegram C2
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Rule name:pe_no_import_table
Description:Detect pe file that no import table
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns
Rule name:Suspicious_Process
Author:Security Research Team
Description:Suspicious process creation
Rule name:SUSP_Scheduled_Tasks_Create_From_Susp_Dir
Author:SECUINFRA Falcon Team
Description:Detects a PowerShell Script that creates a Scheduled Task that runs from an suspicious directory
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Relationships:
  ccebbd7f1d9b18010f50554affff3ee4293a8ef9b49def2600614fdbb2a86ed0 (parent sample)
    -> ValleyRAT, Executable exe, 709de7963a5ab386547882f31f113f7dd42e94bcd723a65db007d3f13dfef45f (this sample)

Dropped by: SHA256 ccebbd7f1d9b18010f50554affff3ee4293a8ef9b49def2600614fdbb2a86ed0
Delivery method: Distributed via web download

Comments