MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fe80e04473465d9f615ff5b47b0d79e7b1b0f43cee6d249e0ca695073a5f7fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7fe80e04473465d9f615ff5b47b0d79e7b1b0f43cee6d249e0ca695073a5f7fa
SHA3-384 hash: 16e9cc094a057a1ba2411e5b535a44f15dc277cf37e8f345cc96667ee6228902ac549909346aa49ed530c625ca933646
SHA1 hash: ef6ae6a21fc87ea548d2425ad9149ad88efeba4c
MD5 hash: fc057b47b3bea3b1e5410b326ac55315
humanhash: gee-wolfram-november-six
File name:7fe80e04473465d9f615ff5b47b0d79e7b1b0f43cee6d249e0ca695073a5f7fa
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:518'144 bytes
First seen:2025-05-16 09:48:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c316c09a38dd8756a01b65ed6910d7a5 (1 x ValleyRAT)
ssdeep 6144:DPUlmJBsosn5hzSk7/Ud9OB/ivvcYohahENkxQol0XAD35m0ampO83rvdcYc7KH:DPUlyuFHzV/U+UcYoL+eKQG5+YV6
TLSH T1AEB47D1A72E804B9E577813DC9538906F7B3BC560720DAAF13A4476B1F237D1A93EB21
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter JAMESWT_WT
Tags:dsh-fvsrchps-cn exe ValleyRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
424
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7fe80e04473465d9f615ff5b47b0d79e7b1b0f43cee6d249e0ca695073a5f7fa.exe
Verdict:
Malicious activity
Analysis date:
2025-05-16 09:53:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3a0224f3-0d88-420b-ba55-646920ff65ff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Tool.Ulise-10001984-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68270a23e16384d6a704ec4d
Tags:
ransomware dropper emotet virus
Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive eventvwr exploit explorer fingerprint hacktool lolbin microsoft_visual_cc msconfig remote uacme wsreset
Link:
https://www.filescan.io/uploads/68270a15c609634bd7c56f76/reports/6be96d8b-121c-4993-8a3f-67366cea593d/overview
Verdict:
Malicious
Labled as:
Shellcode.Loader.Marte.AB.Generic
Link:
https://www.hybrid-analysis.com/sample/7fe80e04473465d9f615ff5b47b0d79e7b1b0f43cee6d249e0ca695073a5f7fa
Malware family:
UACMe
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/802b6b47-1e6d-4e67-a0d3-49f9373d168a
Result
Threat name:
UACMe, ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1691686
Signature
Allocates memory in foreign processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: RunDLL32 Spawning Explorer
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected UAC Bypass using CMSTP
Yara detected UACMe UAC Bypass tool
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1691686 Sample: Shuu3zpv50.exe Startdate: 16/05/2025 Architecture: WINDOWS Score: 100 31 dsh.fvsrchps.cn 2->31 33 yn.faagazd.com 2->33 39 Suricata IDS alerts for network traffic 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 6 other signatures 2->45 8 loaddll64.exe 1 2->8         started        signatures3 process4 process5 10 rundll32.exe 1 1 8->10         started        14 cmd.exe 1 8->14         started        16 rundll32.exe 1 8->16         started        18 conhost.exe 8->18         started        file6 29 C:\Users\Public\Downloads\bb.jpg, zlib 10->29 dropped 59 Contains functionality to inject threads in other processes 10->59 61 Injects code into the Windows Explorer (explorer.exe) 10->61 63 Writes to foreign memory regions 10->63 20 explorer.exe 13 8 10->20 injected 25 rundll32.exe 14->25         started        65 Allocates memory in foreign processes 16->65 67 Creates a thread in another existing process (thread injection) 16->67 signatures7 process8 dnsIp9 35 dsh.fvsrchps.cn 8.210.193.196, 49687, 49688, 49690 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 20->35 37 yn.faagazd.com 47.76.200.151, 80 VODAFONE-TRANSIT-ASVodafoneNZLtdNZ United States 20->37 27 C:\ProgramData\kernelquick.sys, data 20->27 dropped 47 System process connects to network (likely due to code injection or exploit) 20->47 49 Sample is not signed and drops a device driver 20->49 51 Injects code into the Windows Explorer (explorer.exe) 25->51 53 Writes to foreign memory regions 25->53 55 Allocates memory in foreign processes 25->55 57 Creates a thread in another existing process (thread injection) 25->57 file10 signatures11
Score:
90%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7fe80e04473465d9f615ff5b47b0d79e7b1b0f43cee6d249e0ca695073a5f7fa
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7fe80e04473465d9f615ff5b47b0d79e7b1b0f43cee6d249e0ca695073a5f7fa/
Threat name:
Win64.Trojan.UACBypassExp
Create hunting rule
Status:
Malicious
First seen:
2025-04-26 10:14:07 UTC
File Type:
PE+ (Dll)
Extracted files:
6
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p7ua4bchgrs5t5qv75nupmgxtz5rwd2dz3tnespazjuva45f675a._file
Result
Malware family:
valleyrat_s2
Create hunting rule
Score:
  10/10
Tags:
family:valleyrat_s2 backdoor
Link:
https://tria.ge/reports/250516-ltgdgs1th1/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates connected drives
ValleyRat
Valleyrat_s2 family
Malware Config
C2 Extraction:
dsh.fvsrchps.cn:7777
Verdict:
Malicious
Tags:
Win.Tool.Ulise-10001984-0
YARA:
n/a
Link:
https://app.threat.zone/submission/ff0c44fa-b154-4894-b53c-833d25dc959d
Unpacked files
SH256 hash:
7fe80e04473465d9f615ff5b47b0d79e7b1b0f43cee6d249e0ca695073a5f7fa
MD5 hash:
fc057b47b3bea3b1e5410b326ac55315
SHA1 hash:
ef6ae6a21fc87ea548d2425ad9149ad88efeba4c
Link:
https://www.unpac.me/results/be235e34-21a5-4a45-a992-aea033b4007e/
SH256 hash:
8bc94eaab9f28443c882586b7fd38271f543b6e2b2e04a3f449750bd800b0af0
MD5 hash:
9557f6c29dd69a1cf67d91810fffc536
SHA1 hash:
2a7665e23371a8be26a05e1e57a0cdb2209e22ad
Detections:
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Link:
https://www.unpac.me/results/be235e34-21a5-4a45-a992-aea033b4007e/
Parent samples :
8979349c501e985918d443e413710cd0c6a9e1f6e6d9de0083076d2ab3ac31cb
cf417c75c8323c2f5b6d99661aac0ccfdb977a020b6c02d0170f1de350c04252
2f8caaee0056f565ff196509cec7c15e804b5a3349e0f8da20e93e889939e5cf
7fe80e04473465d9f615ff5b47b0d79e7b1b0f43cee6d249e0ca695073a5f7fa
144ef23ee12c8eea97bb470379504ba2ae30f2263b8242d5aa9e358e29234b35
589843f0267a1dfc864fd4e1d87c3aeaddea946f67d4fa5f94e319cfd09bd623
ec254c2d8a4ff02028505bf7c1eb994d24ff30d7395d2057d45f8cb9e4adfb60
78073d05ad9332199eea1f51bc30ae648745d4fe2e725f1ffca0d164369822f9
a5d58182d5e4d5c1452d7d39dd2261c0fd78363cc5ec9772cb3b681238781958
970e8ab761970955e79c64c81b07e4598161cfb1d269b980f067bfe019495f6c
6e077a0d195558a6dbe2f78349db94ccddff1513a92288b9a1408256267560e7
c16ba051fe48b6f157f2bd2fe580ded19982122b56b55b1342163f064db7dedb
f320b0222a719de0b9b5c67fc856f391ae3a6af171205b8373914e63eed11ff8
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7fe80e044734/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7fe80e04473465d9f615ff5b47b0d79e7b1b0f43cee6d249e0ca695073a5f7fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ICMLuaUtil_UACMe_M41
Create hunting rule
Author:Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>
Description:A Yara rule for UACMe Method 41 -> ICMLuaUtil Elevated COM interface
Reference:https://github.com/hfiref0x/UACME
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateRemoteThread
KERNEL32.dll::OpenProcess
KERNEL32.dll::VirtualAllocEx
KERNEL32.dll::WriteProcessMemory
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThreadpoolWait
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
ntdll.dll::NtQueryInformationProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExW

Comments