MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 878864fb3f5ac89d1a36fbb3bdbce55285fdeacdff38d6a68a6c9b7244b96d9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 878864fb3f5ac89d1a36fbb3bdbce55285fdeacdff38d6a68a6c9b7244b96d9c
SHA3-384 hash: d56b39b5255ace28f1fd5a223da66e4b26ea17a6969813e6202ca968ffdcfc34cb4a78d31db7e920119a4352ae61e492
SHA1 hash: eaa82a1ebd8f6e610fb887453f718b3f68321534
MD5 hash: 75c2f29412ac7e63824df85973643adc
humanhash: nuts-spring-uranus-alaska
File name:75c2f29412ac7e63824df85973643adc.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:47'104 bytes
First seen:2025-08-23 03:55:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 28ef17cb7630bdccb6c5e29dd4723500 (1 x ValleyRAT)
ssdeep 768:94UkNkSlAGFRQHG/vgtXw0PkgWtfm0ekJQTx3WslHmz1+EDGJdPwN0rI:9pkeSlAGFUG/vOxPkgWtfm0eOa1JmXDZ
Threatray 547 similar samples on MalwareBazaar
TLSH T127231812BBA54461E4B713F625B69B6182BF7D70073092DB43CC896C1B236E1BF32756
TrID 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
175.24.182.113:8888

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
175.24.182.113:8888 https://threatfox.abuse.ch/ioc/1572895/

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
75c2f29412ac7e63824df85973643adc.exe
Verdict:
No threats detected
Analysis date:
2025-08-23 03:58:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fd4bb202-b4f0-47d0-86aa-5698ef9bab6d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/23114/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.29626889.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a93bd7e9d9dbcfd96d2e6b
Tags:
obfuscated injection virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Connection attempt
Sending a custom TCP request
Сreating synchronization primitives
Creating a window
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm genheur greyware installer microsoft_visual_cc packed threat unsafe
Link:
https://www.filescan.io/uploads/68a93bd34a87ed796768dffa/reports/c67f2772-61cb-467c-84b6-ba4aef91d561/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/878864fb3f5ac89d1a36fbb3bdbce55285fdeacdff38d6a68a6c9b7244b96d9c
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-18T11:02:00Z UTC
Last seen:
2025-08-18T11:02:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/878864fb3f5ac89d1a36fbb3bdbce55285fdeacdff38d6a68a6c9b7244b96d9c/results?tab=lookup
Malware family:
Winos
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d040e0c5-06f9-492a-9fa4-a180c6ad8a43
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1763425
Signature
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Detected unpacking (creates a PE file in dynamic memory)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/878864fb3f5ac89d1a36fbb3bdbce55285fdeacdff38d6a68a6c9b7244b96d9c
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/75c2f29412ac7e63824df85973643adc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/878864fb3f5ac89d1a36fbb3bdbce55285fdeacdff38d6a68a6c9b7244b96d9c/
Threat name:
Win32.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2025-08-18 08:29:10 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q6egj6z7llej2grw7oz33phfkkc732wn744nnjuknsnxerfznwoa._file
Verdict:
malicious
Label(s):
winos
Create hunting rule
Similar samples:
7197dc2e6243b3aa6ba71825c04b381a98922982de4232bb27474eb69ba43a28
ValleyRAT
81d66c6ed1e60f646ac9a611fd80dcc82fb2de66690ae5d932f8f3aa42848127
ValleyRAT
829f4e637040a19db5f9f01097792efa36887ceb2f7d4df5cec1b3af0fc212f8
ValleyRAT
878864fb3f5ac89d1a36fbb3bdbce55285fdeacdff38d6a68a6c9b7244b96d9c
ValleyRAT
899aa86321449b7426c57ad13bb02e44035680a4b907c7ed9aab50dcff0f810b
ValleyRAT
aaa8e05b186b3582e87ae5ed47c1f7909a37e0472b773636fd2e1a0f49255dfd
ValleyRAT
bd462515ea9ffe66fc27d9baa0fcc4bf733385829c2fc5676129aaeeb2e0af88
ValleyRAT
e58f8591c90fe3e682ad50349a626e255664a749f0bb1ba57823d432c5d4fb71
ValleyRAT
error
ValleyRAT
+ 537 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/250823-eham8sslz2/
Behaviour
System Location Discovery: System Language Discovery
Verdict:
Suspicious
Tags:
ProcessKiller
YARA:
n/a
Link:
https://app.threat.zone/submission/158b5e2e-dbe7-401b-80db-e6d6a8e74270
Unpacked files
SH256 hash:
878864fb3f5ac89d1a36fbb3bdbce55285fdeacdff38d6a68a6c9b7244b96d9c
MD5 hash:
75c2f29412ac7e63824df85973643adc
SHA1 hash:
eaa82a1ebd8f6e610fb887453f718b3f68321534
Link:
https://www.unpac.me/results/670bba3c-851a-45fc-adf4-725d13bd5dce/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/878864fb3f5ac89d1a36fbb3bdbce55285fdeacdff38d6a68a6c9b7244b96d9c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/23114/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::ConvertSidToStringSidW
RPC_APICan Execute Remote ProceduresRPCRT4.dll::RpcBindingFree
RPCRT4.dll::RpcBindingFromStringBindingW
RPCRT4.dll::RpcBindingSetAuthInfoExW
RPCRT4.dll::RpcStringBindingComposeW
RPCRT4.dll::RpcStringFreeW
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::GetConsoleWindow
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::GetUserNameW

Comments