MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a967114ddbfe8272f272b388955197530b0b7e6a60286454837fe2fd36e62d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a967114ddbfe8272f272b388955197530b0b7e6a60286454837fe2fd36e62d1
SHA3-384 hash: 32156ac4c75074987a252c7f8ff3d8e6de27298bdd00cbeb0e7d168a40e0ddaecda53b98b034ae6a19ac2a955a81fdd5
SHA1 hash: dd2d0700e7f8f7ba20900601aea1fd2a7cd071e0
MD5 hash: 20e65b1675d439ac991fb8aae315b3c8
humanhash: ceiling-papa-queen-nuts
File name:20E65B1675D439AC991FB8AAE315B3C8.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:17'429'232 bytes
First seen:2025-08-02 15:40:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 46ce5c12b293febbeb513b196aa7f843 (14 x GuLoader, 6 x RemcosRAT, 5 x VIPKeylogger)
ssdeep 393216:Kc8OaekplqlFF8VJf4Xn4QxcWL4XZr7PmkSMg3nBm9bP:Kc8OAplqlQRE4Qn+RPPdg3O
Threatray 165 similar samples on MalwareBazaar
TLSH T1AA07339EB7602623C4E7597281241BB6395631D860FDA0791B01DEFC3B8A821F63EF75
TrID 37.3% (.EXE) Win64 Executable (generic) (10522/11/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon c0c8d4cc64d4ccf8 (8 x ValleyRAT, 3 x AsyncRAT, 3 x Blackmoon)
Reporter abuse_ch
Tags:exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
45.192.208.56:14725

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.192.208.56:14725 https://threatfox.abuse.ch/ioc/1563506/

Intelligence

File Origin
# of uploads :
1
# of downloads :
48
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
20E65B1675D439AC991FB8AAE315B3C8.exe
Verdict:
Malicious activity
Analysis date:
2025-08-02 15:42:16 UTC
Tags:
valley winos rat silverfox
Link:
https://app.any.run/tasks/92356eff-4c30-4116-ae80-bedd75bfd80c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/18471/
Verdict:
Clean
Score:
N/A%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688e317d0b4775fb21353515
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Restart of the analyzed sample
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Moving a recently created file
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Launching a process
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug blackhole expired-cert installer invalid-signature microsoft_visual_cc overlay overlay packed signed
Link:
https://www.filescan.io/uploads/688e317573b8ef6f4afb545b/reports/23d83c1d-4558-4830-9cf7-80664bda6f68/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/7a967114ddbfe8272f272b388955197530b0b7e6a60286454837fe2fd36e62d1
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f8def41b-ef68-43ab-a47c-0a3f92b92f34
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1749094
Signature
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Uses Register-ScheduledTask to add task schedules
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1749094 Sample: X2AZH6Z3RO.exe Startdate: 02/08/2025 Architecture: WINDOWS Score: 100 69 Suricata IDS alerts for network traffic 2->69 71 Found malware configuration 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 7 other signatures 2->75 13 X2AZH6Z3RO.exe 4 2->13         started        process3 process4 15 X2AZH6Z3RO.exe 10 13->15         started        18 WerFault.exe 13->18         started        file5 55 C:\Users\user\AppData\Roaming\hnwU .exe, PE32 15->55 dropped 57 C:\Users\user\AppData\Roaming\PfBh  .exe, PE32 15->57 dropped 20 PfBh  .exe 2 15->20         started        23 hnwU .exe 15 15->23         started        process6 file7 45 C:\Users\user\AppData\Local\...\PfBh  .tmp, PE32 20->45 dropped 25 PfBh  .tmp 3 4 20->25         started        47 C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32 23->47 dropped 49 C:\Users\user\AppData\Local\...\System.dll, PE32 23->49 dropped process8 file9 51 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 25->51 dropped 28 PfBh  .exe 2 25->28         started        process10 file11 53 C:\Users\user\AppData\Local\...\PfBh  .tmp, PE32 28->53 dropped 31 PfBh  .tmp 24 10 28->31         started        process12 file13 59 C:\Users\user\...\msedgewebview2.exe (copy), PE32+ 31->59 dropped 61 C:\Users\user\...\msedge_elf.dll (copy), PE32+ 31->61 dropped 63 C:\Users\user\AppData\...\is-TLR9M.tmp, PE32+ 31->63 dropped 65 4 other files (none is malicious) 31->65 dropped 34 msedgewebview2.exe 1 31->34         started        process14 dnsIp15 67 45.192.208.56, 14725, 25836, 49735 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 34->67 77 Suspicious powershell command line found 34->77 38 powershell.exe 36 34->38         started        41 msedgewebview2.exe 34->41         started        signatures16 process17 signatures18 79 Loading BitLocker PowerShell Module 38->79 43 conhost.exe 38->43         started        process19
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7a967114ddbfe8272f272b388955197530b0b7e6a60286454837fe2fd36e62d1
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/20e65b1675d439ac991fb8aae315b3c8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a967114ddbfe8272f272b388955197530b0b7e6a60286454837fe2fd36e62d1/
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-07-29 05:24:56 UTC
File Type:
PE (Exe)
Extracted files:
785
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pklhcfg5x7ucolzhfm4isvizouylbn7guybimrkig77c7u3omliq._file
Verdict:
malicious
Label(s):
valleyrat
Create hunting rule
Similar samples:
16a32e0c4135c7ea1e726075e10520eb2ef214b07c17cea573dc39f72072653c
ValleyRAT
1d8a948214daf64f3b0b9b894ee8b18dbf9164e54238d8ef88f9372cd03ce3ce
ValleyRAT
358a44c2e365c1bb5547eb89224434fab843f4fea81115c938005620c1bd131a
ValleyRAT
4cb0a38177ac3be92d77eb53b8993755bcb8ad71d835bd3c910af617682bc642
ValleyRAT
65a4681662b077391d444ff1e48c7264c3ded06099ddd135487543b6f6e8245a
ValleyRAT
7a967114ddbfe8272f272b388955197530b0b7e6a60286454837fe2fd36e62d1
ValleyRAT
a57eb3572a3934d993b048537aac353ad6da21931de075167b68bbd59623ac24
ValleyRAT
bf0f5fe356a87d73af61dd4fdae1c7645811803dfa3749156550a96fdb3632cb
ValleyRAT
error
ValleyRAT
f986a0f0a1aa4120a72de40abb9aaf2c4a2ecac1405cb577ce30a24ef55300aa
ValleyRAT
+ 155 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution persistence privilege_escalation ransomware spyware trojan
Link:
https://tria.ge/reports/250802-s4hsmaap8s/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Gathers network information
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks installed software on the system
Command and Scripting Interpreter: PowerShell
Enumerates connected drives
Network Service Discovery
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Drops file in Drivers directory
Modifies Windows Firewall
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e7c803fd-753c-4f7f-99b1-f467a321fcc0
Unpacked files
SH256 hash:
7a967114ddbfe8272f272b388955197530b0b7e6a60286454837fe2fd36e62d1
MD5 hash:
20e65b1675d439ac991fb8aae315b3c8
SHA1 hash:
dd2d0700e7f8f7ba20900601aea1fd2a7cd071e0
Link:
https://www.unpac.me/results/bed29248-6b0b-4ba3-947c-82d1988b19dd/
SH256 hash:
bd7b7cada7cb5ed7e20a545746b70870c5726d9ef3533c0097ceabbfbedb604c
MD5 hash:
04aaedf0706aa5fe7593b140e201d6bc
SHA1 hash:
c671af61358c2ab60619f0aae4c862acc435e261
Link:
https://www.unpac.me/results/bed29248-6b0b-4ba3-947c-82d1988b19dd/
SH256 hash:
d519aafc02d657e18e7dd222c88c7e9d142f9679576fe86b6761fa65abebb692
MD5 hash:
b8ee3798fba5d77c0236930eca6f690d
SHA1 hash:
eb7ddbb7dd5cb853857f95ba81483202ed62c9e2
Link:
https://www.unpac.me/results/bed29248-6b0b-4ba3-947c-82d1988b19dd/
SH256 hash:
57e267ff2d6eb520b7ec7d5448e8cfef29ccfd2e4b72bd8bfa79123f9dd4a1c6
MD5 hash:
6cf8f27672d4158aa8f5bba12ab18dc2
SHA1 hash:
e87a4be3adf30e37dc1b65d4863638e8cec38439
Link:
https://www.unpac.me/results/bed29248-6b0b-4ba3-947c-82d1988b19dd/
SH256 hash:
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6
MD5 hash:
192639861e3dc2dc5c08bb8f8c7260d5
SHA1 hash:
58d30e460609e22fa0098bc27d928b689ef9af78
Link:
https://www.unpac.me/results/bed29248-6b0b-4ba3-947c-82d1988b19dd/
SH256 hash:
89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912
MD5 hash:
b7d61f3f56abf7b7ff0d4e7da3ad783d
SHA1 hash:
15ab5219c0e77fd9652bc62ff390b8e6846c8e3e
Link:
https://www.unpac.me/results/bed29248-6b0b-4ba3-947c-82d1988b19dd/
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7a967114ddbf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a967114ddbfe8272f272b388955197530b0b7e6a60286454837fe2fd36e62d1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Indicator_MiniDumpWriteDump
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ValleyRAT
Create hunting rule
Author:NDA0E
Description:Detects ValleyRAT
Rule name:Windows_Trojan_Donutloader_f40e3759
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Winos_464b8a2e
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/18471/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments