MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75ba04635157c65babcd8bc3b3a44a37dc07ba9375bc9c07c6df3e3721701dce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 75ba04635157c65babcd8bc3b3a44a37dc07ba9375bc9c07c6df3e3721701dce
SHA3-384 hash: dd47b442f2c9fa044463ffb8e1efcfd0a444b6569ce523cd3370f4ea5302ffb58bb240b8920a78d4f2cb72ed0ab7b4fd
SHA1 hash: 8bb8d55aaaa873dd7f6ebf9d4e953ff41f52c8e6
MD5 hash: 0fa187730b5792703923edefaf208bc7
humanhash: diet-fillet-nuts-montana
File name:0fa187730b5792703923edefaf208bc7.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:452'608 bytes
First seen:2025-06-30 22:40:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3269b25b3de4eed8d9468bfe17c0c6ab (1 x ValleyRAT)
ssdeep 12288:22yDgU4qrwEpFNNqOfn+AqEw04y2yP+6dbgvRggQHuUrGJG18p8o:GIG18p8
Threatray 1 similar samples on MalwareBazaar
TLSH T1BDA46B4E2B8D1EFCD186D0B884961601E57338E60B709EBB46D5AD3C2E391953DBB3E1
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
8.220.182.237:9011

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
8.220.182.237:9011 https://threatfox.abuse.ch/ioc/1551778/

Intelligence

File Origin
# of uploads :
1
# of downloads :
672
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rl_75ba04635157c65babcd8bc3b3a44a37dc07ba9375bc9c07c6df3e3721701dce
Verdict:
Malicious activity
Analysis date:
2025-06-30 22:47:13 UTC
Tags:
loader
Link:
https://app.any.run/tasks/42ecb2df-2719-4d3c-9ecc-ab0485b7eee8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/11727/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.31264.14847.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6863124d37c343677947f8ce
Tags:
trojan virus hype
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the system32 directory
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Connection attempt
Sending an HTTP GET request
Adding an access-denied ACE
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
Sending a custom TCP request
Creating a window
Enabling autorun for a service
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 fingerprint lolbin microsoft_visual_cc packed schtasks
Link:
https://www.filescan.io/uploads/68631286eb2803506641b56a/reports/7bf16857-6c61-4cd4-a401-60adae2eb3fd/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/75ba04635157c65babcd8bc3b3a44a37dc07ba9375bc9c07c6df3e3721701dce
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d0177afb-fa29-49dc-8cee-8393c6a5e697
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1725955
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates files in the system32 config directory
Detected unpacking (creates a PE file in dynamic memory)
Drops executables to the windows directory (C:\Windows) and starts them
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1725955 Sample: 2v8YQU23RF.exe Startdate: 01/07/2025 Architecture: WINDOWS Score: 100 54 Suricata IDS alerts for network traffic 2->54 56 Multi AV Scanner detection for dropped file 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 4 other signatures 2->60 7 constraintspx.exe 16 2->7         started        12 constraints.exe 3 12 2->12         started        14 2v8YQU23RF.exe 6 2->14         started        16 7 other processes 2->16 process3 dnsIp4 52 8.220.182.237, 49717, 49721, 49722 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 7->52 40 C:\Windows\System32\task.exe, PE32+ 7->40 dropped 42 C:\Windows\...\base64_loader32[1].dat, PE32 7->42 dropped 44 C:\ProgramData\constraints\constraints.exe, PE32 7->44 dropped 62 Multi AV Scanner detection for dropped file 7->62 64 Creates files in the system32 config directory 7->64 66 Drops executables to the windows directory (C:\Windows) and starts them 7->66 68 Uses schtasks.exe or at.exe to add and modify task schedules 7->68 18 task.exe 1 7->18         started        20 task.exe 1 7->20         started        22 task.exe 1 7->22         started        24 schtasks.exe 1 7->24         started        70 Detected unpacking (creates a PE file in dynamic memory) 12->70 72 Contains functionality to inject threads in other processes 12->72 74 Contains functionality to capture and log keystrokes 12->74 76 Contains functionality to inject code into remote processes 12->76 46 C:\Windows\System32\constraintspx.exe, PE32+ 14->46 dropped 48 C:\Windows\System32\constraintsIO.dll, PE32+ 14->48 dropped 50 C:\...\constraintspx.exe:Zone.Identifier, ASCII 14->50 dropped 78 Changes security center settings (notifications, updates, antivirus, firewall) 16->78 26 MpCmdRun.exe 1 16->26         started        28 conhost.exe 16->28         started        file5 signatures6 process7 process8 30 conhost.exe 18->30         started        32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        36 conhost.exe 24->36         started        38 conhost.exe 26->38         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/75ba04635157c65babcd8bc3b3a44a37dc07ba9375bc9c07c6df3e3721701dce
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/0fa187730b5792703923edefaf208bc7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/75ba04635157c65babcd8bc3b3a44a37dc07ba9375bc9c07c6df3e3721701dce/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/75ba04635157c65babcd8bc3b3a44a37dc07ba9375bc9c07c6df3e3721701dce
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-06-27 15:55:02 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
18 of 36 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ow5aiy2rk7dfxk6nrpb3hjckg7oapoutow6jyb6g347doilqdxha._file
Verdict:
malicious
Label(s):
winos
Create hunting rule
Similar samples:
75ba04635157c65babcd8bc3b3a44a37dc07ba9375bc9c07c6df3e3721701dce
ValleyRAT
error
ValleyRAT
Result
Malware family:
valleyrat_s2
Create hunting rule
Score:
  10/10
Tags:
family:valleyrat_s2 backdoor discovery
Link:
https://tria.ge/reports/250630-2llagaem7t/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Enumerates connected drives
Executes dropped EXE
Downloads MZ/PE file
ValleyRat
Valleyrat_s2 family
Malware Config
C2 Extraction:
8.220.182.237:9011
8.220.182.237:9012
8.220.182.237:80
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1cada886-ff58-4579-863b-4361d2337d3d
Unpacked files
SH256 hash:
75ba04635157c65babcd8bc3b3a44a37dc07ba9375bc9c07c6df3e3721701dce
MD5 hash:
0fa187730b5792703923edefaf208bc7
SHA1 hash:
8bb8d55aaaa873dd7f6ebf9d4e953ff41f52c8e6
Link:
https://www.unpac.me/results/d9d75862-b7eb-4122-9a66-8fe15a97e4a7/
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/75ba04635157/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/75ba04635157c65babcd8bc3b3a44a37dc07ba9375bc9c07c6df3e3721701dce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/11727/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
CHECK_TRUST_INFORequires Elevated Execution (level:highestAvailable)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::CheckTokenMembership
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CloseHandle
WININET.dll::InternetCloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::GetFileAttributesW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.dll::CreateServiceW
ADVAPI32.dll::OpenSCManagerW
ADVAPI32.dll::OpenServiceW
ADVAPI32.dll::QueryServiceConfigW
ADVAPI32.dll::RegisterServiceCtrlHandlerW
ADVAPI32.dll::StartServiceW

Comments