MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a2a1b89a482a8ee2204a4c4b30e776d5139e14a055ff00a480ed27a965e23b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT
Vendor detections: 17



SHA256 hash: 7a2a1b89a482a8ee2204a4c4b30e776d5139e14a055ff00a480ed27a965e23b6
SHA3-384 hash: 4e55d15bd8cbc4c42cc78edad97530baa48909581fa961b3fada9da0c9de158d322a8e7aac7fda4c27e61fc951b410a8
SHA1 hash: 68237be2420f3a7f2618a234599b0c1d3b45e594
MD5 hash: 72d7ddc9d23145c83df786170496c4e3
humanhash: ohio-triple-india-princess
File name: 72D7DDC9D23145C83DF786170496C4E3.exe
Signature: ValleyRAT
File size: 838'676 bytes
First seen: 2025-06-13 19:10:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9165ea3e914e03bda3346f13edbd6ccd (3 x ValleyRAT, 2 x QuasarRAT, 1 x Redosdru)
ssdeep: 24576:8ve9qnkEp3W8AD/Dhd+y4lqJ8QdCYDoDNKn01:8v/svD/DX+y4onCYDoD5
TLSH: T1EB05F1527BB0C068E8A5173284BAD7314D7BB9710EB440CF639409692FA6BD07F7636B
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: f8f8e0c99ae6d461 (1 x ValleyRAT)
Reporter: abuse_ch
Tags: exe RAT ValleyRAT


abuse_ch
ValleyRAT C2:
8.212.56.13:53

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC               ThreatFox Reference
8.212.56.13:53    https://threatfox.abuse.ch/ioc/1544592/

Intelligence


File Origin
# of uploads: 1
# of downloads: 585
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 72D7DDC9D23145C83DF786170496C4E3.exe
Verdict: Malicious activity
Analysis date: 2025-06-13 19:12:15 UTC
Tags: silverfox backdoor inno installer valleyrat winos rat

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: flystudio emotet madi

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a window
Creating a file
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Sending a UDP request
Launching a process
Connection attempt
Sending a custom TCP request
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context anti-vm autorun flystudio graybird microsoft_visual_cc overlay overlay packed packer_detected

Verdict: Malicious
Labeled as: Packed.FlyStudio potentially unwanted application
Result
Threat name: ValleyRAT
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to capture and log keystrokes
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Found evasive API chain (may stop execution after checking mutex)
Found stalling execution ending in API Sleep call
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Suricata IDS alerts for network traffic
Writes to foreign memory regions
Yara detected ValleyRAT
Behaviour
Behavior Graph (rendered as a graph on the original page; only the following summary is recoverable): Behavior Graph ID 1714314, sample 7SiJlMzGzl.exe, start date 13/06/2025, architecture WINDOWS, score 100.
Process tree shown in the graph: 7SiJlMzGzl.exe drops shell.fne and krnln.fnr (PE32) under C:\Users\user\AppData\Local\... (paths truncated in the graph) and a PE32 with a whitespace-only file name under C:\Users\user\AppData\Local\Temp\, then starts two cmd.exe instances. One cmd.exe launches the dropped whitespace-named .exe, which connects to 47.76.115.9:443 and 127.0.0.1, drops C:\ProgramData\MicrosoftEdgeUpdate.exe and starts svchost.exe; the other cmd.exe starts notepad.exe. MicrosoftEdgeUpdate.exe then repeatedly starts svchost.exe and injects into it (writes to foreign memory regions, allocates memory in foreign processes, creates a thread in another existing process), with WerFault.exe launched along the chain. Signatures attached to the root node: Suricata IDS alerts for network traffic, malicious sample detected (through community Yara rule), antivirus detection for dropped file, and 8 other signatures.
Threat name: Win32.Trojan.FatalRAT
Status: Malicious
First seen: 2025-06-08 12:30:00 UTC
File Type: PE (Exe)
Extracted files: 18
AV detection: 30 of 38 (78.95%)
Threat level: 5/5
Verdict: malicious
Label(s):
Similar samples:

Result
Malware family: valleyrat_s2
Score: 10/10
Tags: family:valleyrat_s2 backdoor discovery
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
ValleyRat
Valleyrat_s2 family
Malware Config
C2 Extraction:
47.76.115.9:443
8.212.56.13:53
www.dddddddguashjdka.top:443
Verdict: Malicious
Tags: red_team_tool apt flystudio trojan Win.Trojan.Graybird-7491042-0
YARA: S_MultiFunction_Scanners_s MAL_CN_FlyStudio_May18_1_RID2F5C MAL_CN_FlyStudio_May18_1
Unpacked files
SHA256 hash: 7a2a1b89a482a8ee2204a4c4b30e776d5139e14a055ff00a480ed27a965e23b6
MD5 hash: 72d7ddc9d23145c83df786170496c4e3
SHA1 hash: 68237be2420f3a7f2618a234599b0c1d3b45e594
Detections: win_valley_rat_auto

SHA256 hash: 820d8dd49baed0da44d42555ad361d78e068115661dce72ae6578dcdab6baead
MD5 hash: 97c8fe752e354b2945e4c593a87e4a8b
SHA1 hash: 03ab4c91535ecf14b13e0258f3a7be459a7957f9

SHA256 hash: f0b6ef35c4461615d99fc598df83d72ccddde9a1b90d1d48345140e34788c757
MD5 hash: 325fa0c2d9ba67507c531341fbe81268
SHA1 hash: 599ae2f64c0e080438a90e6114bc3c28e9dc115f
Detections: win_valley_rat_auto

Malware family: ValleyRAT
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: Indicator_MiniDumpWriteDump
Author: Obscurity Labs LLC
Description: Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: MAL_CN_FlyStudio_May18_1
Author: Florian Roth (Nextron Systems)
Description: Detects malware / hacktool detected in May 2018
Reference: Internal Research

Rule name: MAL_CN_FlyStudio_May18_1_RID2F5C
Author: Florian Roth
Description: Detects malware / hacktool detected in May 2018
Reference: Internal Research

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: meth_peb_parsing
Author: Willi Ballenthin

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: S_MultiFunction_Scanners_s
Author: Florian Roth (Nextron Systems)
Description: Chinese Hacktool Set - file s.exe
Reference: http://tools.zjqhr.com/

Rule name: S_MultiFunction_Scanners_s_RID3182
Author: Florian Roth
Description: Chinese Hacktool Set - file s.exe
Reference: http://tools.zjqhr.com/

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: ValleyRAT
Author: NDA0E
Description: Detects ValleyRAT

Rule name: Windows_Generic_Threat_4b0b73ce
Author: Elastic Security

Rule name: win_valley_rat_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.valley_rat.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                   Title                                                      Severity
CHECK_AUTHENTICODE   Missing Authenticode                                       high
CHECK_NX             Missing Non-Executable Memory Protection                   critical
CHECK_PIE            Missing Position-Independent Executable (PIE) Protection   high

Reviews
ID                   Capabilities                      Evidence
WIN32_PROCESS_API    Can Create Process and Threads    KERNEL32::CloseHandle
WIN_BASE_API         Uses Win Base API                 KERNEL32::TerminateProcess
                                                       KERNEL32::LoadLibraryA
                                                       KERNEL32::GetStartupInfoA
                                                       KERNEL32::GetCommandLineA
WIN_BASE_IO_API      Can Create Files                  KERNEL32::CreateDirectoryA
                                                       KERNEL32::CreateFileA
                                                       KERNEL32::GetTempPathA
