MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a49c5f37296ce00191a904c2633822b1ab54ab3ae10c2b4a9e39cc8fdd08241. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 22 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a49c5f37296ce00191a904c2633822b1ab54ab3ae10c2b4a9e39cc8fdd08241
SHA3-384 hash: c8d307d70b05ce56f1b6012d629e9b3120280eb1124d2fcbeb41c70d76978a3f1e2051a837bf9e898ffaa2bee46c808c
SHA1 hash: 4a2981fbdcd4477485770ea5b0e3f34ad2121e1a
MD5 hash: 5807d5276ea4db805c7ffbf41b9b2b8f
humanhash: dakota-india-north-virginia
File name:5807d5276ea4db805c7ffbf41b9b2b8f.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:47'196'184 bytes
First seen:2025-06-07 10:40:48 UTC
Last seen:2025-06-07 12:51:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 332c2c30e8117c34df5d81fe9eedebd9 (1 x ValleyRAT)
ssdeep 393216:QzsM52nziiribzTN6hkhxEIwV9dZ330iI:gLQzDmA9dZlI
TLSH T1FCA7124D23D26B9DCB7C137C9493AF4566A1E445CA6AC3E76E44020B3D37BA80DE72E4
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
154.91.84.54:9865

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
154.91.84.54:9865 https://threatfox.abuse.ch/ioc/1542399/

Intelligence

File Origin
# of uploads :
2
# of downloads :
567
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5807d5276ea4db805c7ffbf41b9b2b8f.exe
Verdict:
Malicious activity
Analysis date:
2025-06-07 10:42:00 UTC
Tags:
auto-reg silverfox backdoor winos antivm
Link:
https://app.any.run/tasks/8236fb14-d83f-4869-9b5c-669408e8febf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
98.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=684417998bd5d68a12e63b79
Tags:
cobalt emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Creating a file
Connection attempt
Sending a custom TCP request
Сreating synchronization primitives
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm evasive fingerprint fingerprint invalid-signature microsoft_visual_cc overlay overlay packed packed packer_detected signed
Link:
https://www.filescan.io/uploads/68441758e336a33801e5062f/reports/25f06cd4-5c51-49c2-8268-b82aefca90cd/overview
Verdict:
Malicious
Labled as:
QD:Trojan.GenericQ
Link:
https://www.hybrid-analysis.com/sample/7a49c5f37296ce00191a904c2633822b1ab54ab3ae10c2b4a9e39cc8fdd08241
Result
Threat name:
GhostRat, UACMe, ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1708842
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Found malware configuration
Found stalling execution ending in API Sleep call
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Suricata IDS alerts for network traffic
Yara detected GhostRat
Yara detected UAC Bypass using CMSTP
Yara detected UACMe UAC Bypass tool
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
Score:
78%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7a49c5f37296ce00191a904c2633822b1ab54ab3ae10c2b4a9e39cc8fdd08241
Gathering data
Threat name:
Win64.Trojan.UACBypassExp
Create hunting rule
Status:
Malicious
First seen:
2025-06-03 11:07:58 UTC
File Type:
PE+ (Exe)
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pje4l43ss3haagi2sbgcmm4cfmnlksvtvyimfnfj4oomr7oqqjaq._file
Result
Malware family:
valleyrat_s2
Create hunting rule
Score:
  10/10
Tags:
family:valleyrat_s2 backdoor persistence
Link:
https://tria.ge/reports/250607-mrbkwsvrs3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Adds Run key to start application
Enumerates connected drives
ValleyRat
Valleyrat_s2 family
Malware Config
C2 Extraction:
154.91.84.54:9865
154.91.84.54:3657
127.0.0.1:80
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/67d2756b-b17e-4b85-9b9d-1ab96def0d9e
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.84
Link:
https://yomi.yoroi.company/submissions/7a49c5f37296ce00191a904c2633822b1ab54ab3ae10c2b4a9e39cc8fdd08241

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ICMLuaUtil_UACMe_M41
Create hunting rule
Author:Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>
Description:A Yara rule for UACMe Method 41 -> ICMLuaUtil Elevated COM interface
Reference:https://github.com/hfiref0x/UACME
Rule name:Indicator_MiniDumpUsage
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ValleyRAT
Create hunting rule
Author:NDA0E
Description:Detects ValleyRAT
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::CreateWellKnownSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::GetTokenInformation
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
WININET.dll::InternetCloseHandle
KERNEL32.dll::CreateThreadpoolIo
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
ntdll.dll::NtQueryInformationProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesSHELL32.dll::SHCreateDirectoryExW
KERNEL32.dll::CreateFileW

Comments