MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d5d33252d90dadea4f89912e4124fe56b8ad9daeb34f6b45f21d07785ba6c62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 11



SHA256 hash: 7d5d33252d90dadea4f89912e4124fe56b8ad9daeb34f6b45f21d07785ba6c62
SHA3-384 hash: 73d7cf42c52752aed6a00bec57fe6e4de239c1a6e822c981c399fe1c71f9e140325e8675c201b7189ef56ce583dcf334
SHA1 hash: fecc61d5404810d8fc7928ec05bb73e400e74a03
MD5 hash: 7d8823a59f6739655c2c545a18963bae
humanhash: mobile-minnesota-magazine-uranus
File name: Xwincvawbugvrfjiasnud.exe
Signature: ValleyRAT
File size: 101'299'639 bytes
First seen: 2026-01-21 12:19:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 039d1617d5f0788dacbd04b35a141ebe (33 x ValleyRAT)
ssdeep: 3145728:hNF90y6l8X1fnymJFvry4MeiE0q5kHOoRtudcp:hNwaWE+u78
Threatray: 8 similar samples on MalwareBazaar
TLSH: T1092833CF50B078C1F6D76B3595B645348A8F5F2042A18BAFA2677D0934F9AC4A3948CF
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: 134d3cd8e4c24933 (3 x ValleyRAT, 1 x LummaStealer, 1 x Gh0stRAT)
Reporter: zhuzhu0009
Tags: exe ValleyRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 161
Origin country: SG
Vendor Threat Intelligence
No detections

Malware family: n/a
ID: 1
File name: _7d5d33252d90dadea4f89912e4124fe56b8ad9daeb34f6b45f21d07785ba6c62
Verdict: Suspicious activity
Analysis date: 2026-01-21 12:28:27 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context anti-debug blackhole installer installer installer-heuristic microsoft_visual_cc nsis packed soft-404

Verdict: Malicious
Labeled as: UDS_DangerousObject_Multi_Generic

Verdict: Malicious
File Type: exe x32
First seen: 2026-01-21T12:50:00Z UTC
Last seen: 2026-01-21T14:02:00Z UTC
Hits: ~10
Detections: Trojan.Win32.Agentb.tpgt Backdoor.Win32.Xkcp.a VHO:Trojan.Win32.GenericML.xnet
Malware family: valleyrat_s2
Score: 10/10
Tags: family:valleyrat_s2 backdoor discovery installer
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: GetForegroundWindowSpam
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  System Location Discovery: System Language Discovery
  Suspicious use of SetThreadContext
  Enumerates connected drives
  Executes dropped EXE
  Loads dropped DLL
  Badlisted process makes network request
  ValleyRat
  Valleyrat_s2 family
Malware Config:
  C2 Extraction: szhuandxiaomuma-yandi.com:4433

Malware family: ValleyRAT
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for Virus Total.
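The entry gives four file hashes (MD5, SHA1, SHA256, SHA3-384) and one extracted C2, szhuandxiaomuma-yandi.com:4433. The Python below is an added example, not code from MalwareBazaar or from any of the vendors cited above. It hashes a downloaded sample in chunks (this file is about 101 MB, so it is not read into memory in one piece), reports which digests agree with the entry, and hunts for the C2 in Suricata-style EVE JSON: it flags a DNS event for the domain and any flow on port 4433 to an address that a DNS answer in the same log resolved the domain to, so a flow to that address on another port, or to an unrelated address on 4433, is not flagged. The EVE lines at the bottom are constructed for the example and use documentation-range addresses, not real infrastructure.

```python
"""IOC matching for this MalwareBazaar entry: file hashes and the extracted C2.

Added example; not code from MalwareBazaar or from any vendor cited above.
The EVE JSON lines at the bottom are constructed test data.
"""
import hashlib
import json

# Indicators copied from the entry above.
ENTRY_HASHES = {
    "md5": "7d8823a59f6739655c2c545a18963bae",
    "sha1": "fecc61d5404810d8fc7928ec05bb73e400e74a03",
    "sha256": "7d5d33252d90dadea4f89912e4124fe56b8ad9daeb34f6b45f21d07785ba6c62",
    "sha3_384": "73d7cf42c52752aed6a00bec57fe6e4de239c1a6e822c981c399fe1c71f9e140"
                "325e8675c201b7189ef56ce583dcf334",
}
C2_HOST = "szhuandxiaomuma-yandi.com"  # from "C2 Extraction" above
C2_PORT = 4433


def hash_stream(chunks):
    """Digest an iterable of byte chunks with the four algorithms the entry lists.

    Feeding chunks instead of one bytes object keeps memory flat for a 100 MB
    sample; the digests do not depend on where the chunk boundaries fall.
    usedforsecurity=False lets md5/sha1 run on FIPS-restricted builds (they are
    only used for lookup here, not for integrity).
    """
    hashers = {name: hashlib.new(name, usedforsecurity=False) for name in ENTRY_HASHES}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, chunk_size=1 << 20):
    """Hash a file on disk in 1 MiB chunks."""
    with open(path, "rb") as fh:
        return hash_stream(iter(lambda: fh.read(chunk_size), b""))


def matching_algorithms(digests, expected=ENTRY_HASHES):
    """Return the algorithm names whose digest equals the entry's value (case-insensitive)."""
    return sorted(
        name for name, value in digests.items()
        if expected.get(name, "").lower() == value.lower()
    )


def hunt_c2(lines, host=C2_HOST, port=C2_PORT):
    """Scan Suricata EVE JSON lines for the extracted C2.

    Flags (a) DNS events naming the C2 domain and (b) flows to any address a
    DNS answer earlier in the log resolved that domain to, on the C2 port.
    Returns (src_ip, reason) tuples in log order.
    """
    resolved = set()
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate a truncated line in a rotating log
        if ev.get("event_type") == "dns":
            dns = ev.get("dns", {})
            if dns.get("rrname", "").lower().rstrip(".") == host:
                hits.append((ev.get("src_ip"), f"dns:{host}"))
                if dns.get("type") == "answer" and dns.get("rrtype") in ("A", "AAAA"):
                    resolved.add(dns.get("rdata"))
        elif ev.get("event_type") == "flow":
            if ev.get("dest_port") == port and ev.get("dest_ip") in resolved:
                hits.append((ev.get("src_ip"), f"flow:{ev['dest_ip']}:{port}"))
    return hits


# Constructed EVE lines (documentation-range addresses, not real infrastructure).
SAMPLE_EVE = [
    '{"event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"answer","rrname":"szhuandxiaomuma-yandi.com","rrtype":"A","rdata":"203.0.113.9"}}',
    '{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","dest_port":4433,"proto":"TCP"}',
    '{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP"}',
    '{"event_type":"dns","src_ip":"10.0.0.7","dns":{"type":"answer","rrname":"example.com","rrtype":"A","rdata":"198.51.100.4"}}',
    '{"event_type":"flow","src_ip":"10.0.0.7","dest_ip":"198.51.100.4","dest_port":4433,"proto":"TCP"}',
    '{"event_type":"flow","src_ip":"10.0.0.8","dest_ip":"203.0.113.9"',  # truncated line
]

if __name__ == "__main__":
    for src, why in hunt_c2(SAMPLE_EVE):
        print(f"{src}\t{why}")
```

To check a sample you have downloaded from the entry, call `matching_algorithms(hash_file("Xwincvawbugvrfjiasnud.exe"))`; all four names should come back, and any mismatch means the file on disk is not the one described here. The DNS-to-flow correlation only works when the resolver traffic is visible in the same log; for hosts using DoH or an upstream resolver the log does not see, match on the TLS SNI or on the port and destination from the config extraction instead.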

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments