MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7387b8befb827e766dc8eb0efa0642fb9817b759f48886eab217c438b58c19a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 5 File information Comments

SHA256 hash: 7387b8befb827e766dc8eb0efa0642fb9817b759f48886eab217c438b58c19a0
SHA3-384 hash: 1411beaa370e47fc028841d7399a1e3472168dc7deabdaf10ac4784f17cce935c380653c2a457dbed54e6d4c3b29526a
SHA1 hash: a366f998b6bca440629cd137841701f50cf0964b
MD5 hash: 9b87050bd4a3c3debc455d5a8f464318
humanhash: march-angel-kilo-tango
File name:9b87050bd4a3c3debc455d5a8f464318.exe
Download: download sample
Signature ValleyRAT
File size:380'928 bytes
First seen:2025-06-03 12:50:35 UTC
Last seen:2025-06-04 06:31:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1bc71e520f018bab1ed4ed22f2f6cd13 (1 x ValleyRAT)
ssdeep 6144:CuT6ng+xyDZaoIET4PAYA7UA5wCR4gjKRVtyScN5bbjzlBkjvNwfnoAz8H4:CuT6nzyDEoFT4PAYAwts7KRVtyzDbbd7
Threatray 1 similar samples on MalwareBazaar
TLSH T1B384AE167AD1C973D66701310EF0CB7CBA79BCC40E32DB8B63E88B2D9D71A914625762
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon 00696b2909554d00 (1 x ValleyRAT)
Reporter abuse_ch
Tags:exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
38.57.129.243:5539

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
38.57.129.243:5539 https://threatfox.abuse.ch/ioc/1539568/

Intelligence


File Origin
# of uploads :
4
# of downloads :
465
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9b87050bd4a3c3debc455d5a8f464318.exe
Verdict:
No threats detected
Analysis date:
2025-06-03 12:53:00 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
95.7%
Tags:
emotet spoof
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Connection attempt
Sending an HTTP GET request
Creating a file
Delayed reading of the file
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a service
Moving a recently created file
Sending a custom TCP request
Enabling autorun for a service
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context keylogger microsoft_visual_cc obfuscated packed xor-pe
Result
Threat name:
GhostRat, ValleyRAT
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Drops password protected ZIP file
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found stalling execution ending in API Sleep call
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Uses known network protocols on non-standard ports
Yara detected GhostRat
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Egairtigado
Status:
Malicious
First seen:
2025-05-30 14:26:03 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Behaviour
Suspicious use of SetWindowsHookEx
System Location Discovery: System Language Discovery
Unpacked files
SH256 hash:
7387b8befb827e766dc8eb0efa0642fb9817b759f48886eab217c438b58c19a0
MD5 hash:
9b87050bd4a3c3debc455d5a8f464318
SHA1 hash:
a366f998b6bca440629cd137841701f50cf0964b
SH256 hash:
df61f79d79222076fa2ffe6e72ad3025af7ceb3ba766feaa44cfd9f8904ec956
MD5 hash:
1898954c93d84bb900460897a1f3b3d6
SHA1 hash:
feebf5a148f7c19b3b7d2992e5511727a08039a6
Malware family:
ValleyRAT
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:elysium
Author:Michelle Khalil
Description:This rule detects unpacked elysium stealer malware samples.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:SUSP_XORed_MSDOS_Stub_Message
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoFreeUnusedLibraries
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetVolumeInformationW
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WinExec
KERNEL32.dll::SetStdHandle
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::FindFirstFileW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments