MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 798a0d11fd7bf7aa19c35a62ff306d48ffc89b555e7fad024d14d93a1384c2b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 798a0d11fd7bf7aa19c35a62ff306d48ffc89b555e7fad024d14d93a1384c2b8
SHA3-384 hash: ee9629bccebaaf0e39161f4a9e8471c498a01bd724a56079143df78016e77a86af11fe94569041b94edf7f72f159971d
SHA1 hash: 3a2af6d9bf762618d505bb9fa4b6efe360109edf
MD5 hash: 548488410b5fdabb1202d1166a420c74
humanhash: don-arizona-lemon-grey
File name:E4C9215CEAC03DDE05155C4FB667F69C.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:2'336'616 bytes
First seen:2025-11-06 14:20:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1a4d4d785c58913f559c569cd4cb3c2e (1 x ValleyRAT)
ssdeep 49152:pAR6pHImCXi45lSevpEie7zoDQ49aXZmMAnG3eCt0cAvbfVQOlgya:pwI7Wl5Yei1ok49unt3ft0cybfVQOlgl
Threatray 117 similar samples on MalwareBazaar
TLSH T1FAB50173B5E28533EAB640F019581B466FBFE6320438CD5B93D86D4867A4DC3E61A363
TrID 54.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
18.3% (.EXE) Win64 Executable (generic) (10522/11/4)
8.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.8% (.EXE) Win32 Executable (generic) (4504/4/1)
3.5% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:exe upx-dec ValleyRAT


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 580e6c64ba71bf32dc63c34204dc48d17ff8de949c916f101e89472222b41a88
File size (compressed) :1'921'384 bytes
File size (de-compressed) :2'336'616 bytes
Format:win32/pe
Packed file: 580e6c64ba71bf32dc63c34204dc48d17ff8de949c916f101e89472222b41a88

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_798a0d11fd7bf7aa19c35a62ff306d48ffc89b555e7fad024d14d93a1384c2b8.exe
Verdict:
Malicious activity
Analysis date:
2025-11-06 14:23:49 UTC
Tags:
auto-reg valley winos rat silverfox
Link:
https://app.any.run/tasks/09ca29f2-431b-465b-84f8-e4bd1d8a5733

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
WinosStager
Create hunting rule
Link:
https://www.capesandbox.com/analysis/36368/
Detection(s):
Win.Malware.Bulz-10016535-0
Create hunting rule

Win.Malware.Vindor-10034624-0
Create hunting rule

Win.Malware.Vindor-10034625-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690caec2ea0f3e915c23a4cc
Tags:
emotet zegost
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Forced system process termination
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
DNS request
Connection attempt
Сreating synchronization primitives
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Searching for synchronization primitives
Creating a window
Creating a file in the drivers directory
Launching cmd.exe command interpreter
Loading a system driver
Searching for the window
Sending a custom TCP request
Launching a process
Creating a file
Enabling the 'hidden' option for files in the %temp% directory
Restart of the analyzed sample
Enabling autorun for a service
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/798a0d11fd7bf7aa19c35a62ff306d48ffc89b555e7fad024d14d93a1384c2b8
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-06T11:26:00Z UTC
Last seen:
2025-11-06T11:55:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Dropper.Win32.Injector.gen HEUR:Trojan.Win32.Agent.gen HEUR:Backdoor.Win32.Generic HEUR:Backdoor.Win32.Farfli.gen Backdoor.Win32.Xkcp.bed
Link:
https://opentip.kaspersky.com/798a0d11fd7bf7aa19c35a62ff306d48ffc89b555e7fad024d14d93a1384c2b8/results?tab=lookup
Result
Threat name:
GhostRat, Mimikatz, ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1809321
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Changes memory attributes in foreign processes to executable or writable
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to infect the boot sector
Contains functionality to register a low level keyboard hook
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sample is not signed and drops a device driver
Searches for specific processes (likely to inject)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected GhostRat
Yara detected Mimikatz
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1809321 Sample: E4C9215CEAC03DDE05155C4FB66... Startdate: 06/11/2025 Architecture: WINDOWS Score: 100 67 ax-0003.ax-dc-msedge.net 2->67 69 api.msn.com 2->69 71 2 other IPs or domains 2->71 77 Suricata IDS alerts for network traffic 2->77 79 Found malware configuration 2->79 81 Malicious sample detected (through community Yara rule) 2->81 83 9 other signatures 2->83 9 E4C9215CEAC03DDE05155C4FB667F69C.exe 10 2->9         started        13 Dumdu.exe 2->13         started        15 svchost.exe 2->15         started        17 4 other processes 2->17 signatures3 process4 file5 63 C:\Users\user\AppData\Local\Temp\...\sg.tmp, PE32 9->63 dropped 105 Contains functionalty to change the wallpaper 9->105 107 Contains functionality to infect the boot sector 9->107 109 Contains functionality to register a low level keyboard hook 9->109 119 2 other signatures 9->119 19 16data.exe 1 9->19         started        22 setup223.exe 1 1 9->22         started        25 sg.tmp 3 9->25         started        32 2 other processes 9->32 111 Antivirus detection for dropped file 13->111 113 Multi AV Scanner detection for dropped file 13->113 115 Drops executables to the windows directory (C:\Windows) and starts them 13->115 27 Dumdu.exe 14 1 13->27         started        117 Changes security center settings (notifications, updates, antivirus, firewall) 15->117 30 MpCmdRun.exe 1 15->30         started        signatures6 process7 dnsIp8 85 Multi AV Scanner detection for dropped file 19->85 87 Changes memory attributes in foreign processes to executable or writable 19->87 89 Injects code into the Windows Explorer (explorer.exe) 19->89 97 3 other signatures 19->97 34 explorer.exe 68 2 19->34 injected 55 C:\Windows\SysWOW64\Dumdu.exe, PE32 22->55 dropped 91 Antivirus detection for dropped file 22->91 38 cmd.exe 1 22->38         started        57 C:\Users\user\AppData\Local\...\setup223.exe, PE32 25->57 dropped 59 C:\Users\user\AppData\Local\...\16data.exe, PE32+ 25->59 dropped 93 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 25->93 40 conhost.exe 25->40         started        75 103.115.64.80, 443, 49718 CLOUDIE-AS-APCloudieLimitedHK China 27->75 61 C:\Windows\System32\drivers\QAssist.sys, PE32+ 27->61 dropped 95 Sample is not signed and drops a device driver 27->95 42 conhost.exe 30->42         started        44 cmd.exe 1 32->44         started        46 conhost.exe 32->46         started        file9 signatures10 process11 dnsIp12 73 16.163.24.117, 443, 49723, 49724 unknown United States 34->73 99 System process connects to network (likely due to code injection or exploit) 34->99 101 Uses ping.exe to sleep 38->101 103 Uses ping.exe to check the status of other devices and networks 38->103 48 PING.EXE 1 38->48         started        51 conhost.exe 38->51         started        53 conhost.exe 44->53         started        signatures13 process14 dnsIp15 65 127.0.0.1 unknown unknown 48->65
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/798a0d11fd7bf7aa19c35a62ff306d48ffc89b555e7fad024d14d93a1384c2b8
Verdict:
inconclusive
YARA:
7 match(es)
Tags:
.Net Executable PDB Path PE (Portable Executable) PE File Layout SFX 7z Win 32 Exe x86
Link:
https://app.malva.re/file/548488410b5fdabb1202d1166a420c74
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/798a0d11fd7bf7aa19c35a62ff306d48ffc89b555e7fad024d14d93a1384c2b8/
Verdict:
Malicious
Threat:
Family.GH0STRAT
Link:
https://tip.neiki.dev/file/798a0d11fd7bf7aa19c35a62ff306d48ffc89b555e7fad024d14d93a1384c2b8
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2025-11-06 14:22:17 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
22 of 23 (95.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pgfa2ep5pp32ugodljrp6mdnjd74rg2vlz722asnctmtue4eyk4a._file
Verdict:
malicious
Label(s):
valleyrat
Create hunting rule
fatalrat
Create hunting rule
Similar samples:
00c1314504b05c7fc7cc7280405f31165b9722c704520afef26aa88ff566b871
ValleyRAT
580e6c64ba71bf32dc63c34204dc48d17ff8de949c916f101e89472222b41a88
ValleyRAT
b9d338ff7f7d63d28c765007e9e150b3c30a9acac1e16bfd0317d375b4fc6166
ValleyRAT
d3af6e62ef3ce968da90beb9be44b04948b996c3dda893ba425a1147eb7696ad
ValleyRAT
error
ValleyRAT
fda844b16b91a38417af25d13bd0992c3344de12ebcd0283732a3e0a6e91811d
ValleyRAT
+ 107 additional samples on MalwareBazaar
Result
Malware family:
valleyrat_s2
Create hunting rule
Score:
  10/10
Tags:
family:gh0strat family:purplefox family:valleyrat_s2 backdoor discovery persistence ransomware rat rootkit trojan
Link:
https://tria.ge/reports/251106-rn3x7abn7w/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in System32 directory
Adds Run key to start application
Enumerates connected drives
Executes dropped EXE
Drops file in Drivers directory
Sets service image path in registry
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
Gh0strat family
PurpleFox
Purplefox family
ValleyRat
Valleyrat_s2 family
Malware Config
C2 Extraction:
16.163.24.117:443
16.163.24.117:80
Verdict:
Malicious
Tags:
Win.Malware.Bulz-10016535-0
YARA:
n/a
Link:
https://app.threat.zone/submission/207c82a3-1fbf-4e57-8c44-dc1c09ef9fe0
Unpacked files
SH256 hash:
798a0d11fd7bf7aa19c35a62ff306d48ffc89b555e7fad024d14d93a1384c2b8
MD5 hash:
548488410b5fdabb1202d1166a420c74
SHA1 hash:
3a2af6d9bf762618d505bb9fa4b6efe360109edf
Link:
https://www.unpac.me/results/f254ae18-ebd9-4483-a63a-595c70ea005a/
SH256 hash:
026cf8a46d414d23dee61703e8eae5acf97415c96e76512b09834e57eae32821
MD5 hash:
949cfe6fc7b65bdcd66ae73cb29324d7
SHA1 hash:
dfadd7138554297bf185797aba84e554fab2b1c3
Detections:
INDICATOR_SUSPICIOUS_References_SecTools
Create hunting rule
Link:
https://www.unpac.me/results/f254ae18-ebd9-4483-a63a-595c70ea005a/
Parent samples :
798a0d11fd7bf7aa19c35a62ff306d48ffc89b555e7fad024d14d93a1384c2b8
580e6c64ba71bf32dc63c34204dc48d17ff8de949c916f101e89472222b41a88
SH256 hash:
3806ebd7ff35d1c9703f9add0ba32ade41763d7a8851bca5bbdeb076db8b071f
MD5 hash:
71c13d3cf7d12f013d4627841b2d5c28
SHA1 hash:
017dd4a5450298d014a2102ef38633ef443cb1aa
Link:
https://www.unpac.me/results/f254ae18-ebd9-4483-a63a-595c70ea005a/
Malware family:
HiddenGh0st
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/798a0d11fd7b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/798a0d11fd7bf7aa19c35a62ff306d48ffc89b555e7fad024d14d93a1384c2b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Windows malware mass-hunt rule - 2025
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

ValleyRAT

Executable exe 580e6c64ba71bf32dc63c34204dc48d17ff8de949c916f101e89472222b41a88

ValleyRAT

Executable exe 798a0d11fd7bf7aa19c35a62ff306d48ffc89b555e7fad024d14d93a1384c2b8

(this sample)

  
Dropped by
SHA256 580e6c64ba71bf32dc63c34204dc48d17ff8de949c916f101e89472222b41a88
  
Dropped by
MD5 e4c9215ceac03dde05155c4fb667f69c
Cape
Cape
https://www.capesandbox.com/analysis/36368/

Comments