MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88c95e9af549cb0d65e9531bb2994eb122474909c42ced4d0657f0de91afebe3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 4 File information Comments

SHA256 hash: 88c95e9af549cb0d65e9531bb2994eb122474909c42ced4d0657f0de91afebe3
SHA3-384 hash: fa80c1b576227e23ac006901f5babe7a47cf8cd319efb524f5f7baee5efc5130d602e96a2019e8b8633a54faf64c4637
SHA1 hash: 944e16625106f12a2c9ffde5f4b759e878a8b570
MD5 hash: cd3f7a225808cd4e1c48459f69a39f5e
humanhash: zulu-bacon-july-floor
File name:cd3f7a225808cd4e1c48459f69a39f5e.exe
Download: download sample
Signature ValleyRAT
File size:364'544 bytes
First seen:2025-05-30 14:40:17 UTC
Last seen:2025-05-31 01:55:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f2858f190497bb57899772e1c4717438 (1 x ValleyRAT)
ssdeep 6144:W+xlIkuwnG2V9p6aoSeQ40JEI6pYAV5HmXVpbZRTGIi94LOSQXwv:pxlIkusN9pxoSIYMfV5HmHbrGIoM
TLSH T18174AE267AD0C977CB6740700DD1DB7CF1B9B9940E229E43B3E49B3D9D32AE24636252
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter abuse_ch
Tags:exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
38.45.122.163:5539

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
38.45.122.163:5539 https://threatfox.abuse.ch/ioc/1537018/

Intelligence


File Origin
# of uploads :
2
# of downloads :
614
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cd3f7a225808cd4e1c48459f69a39f5e.exe
Verdict:
No threats detected
Analysis date:
2025-05-30 14:43:28 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
emotet spoof
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Connection attempt
Sending an HTTP GET request
Creating a file
Delayed reading of the file
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Creating a service
Moving a recently created file
Launching a service
DNS request
Enabling autorun for a service
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context keylogger microsoft_visual_cc obfuscated packed xor-pe
Result
Threat name:
GhostRat, ValleyRAT
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to capture and log keystrokes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Drops password protected ZIP file
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found stalling execution ending in API Sleep call
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Uses known network protocols on non-standard ports
Yara detected GhostRat
Yara detected ValleyRAT
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1702456 Sample: 7d1j5wlGfv.exe Startdate: 30/05/2025 Architecture: WINDOWS Score: 100 49 Suricata IDS alerts for network traffic 2->49 51 Found malware configuration 2->51 53 Antivirus / Scanner detection for submitted sample 2->53 55 7 other signatures 2->55 7 7d1j5wlGfv.exe 209 2->7         started        11 svchost.exe 2->11         started        14 OpenWith.exe 15 2->14         started        16 5 other processes 2->16 process3 dnsIp4 47 45.192.243.33, 1536, 49722 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 7->47 37 C:\ProgramDataMmgznOTU.exe, PE32 7->37 dropped 39 C:\ProgramData\zlib.dll, PE32 7->39 dropped 41 C:\ProgramData\mzlib.dll, PE32 7->41 dropped 43 3 other files (none is malicious) 7->43 dropped 18 EMmgznOTU.exe 4 5 7->18         started        23 explorer.exe 7->23         started        65 Changes security center settings (notifications, updates, antivirus, firewall) 11->65 25 MpCmdRun.exe 1 11->25         started        file5 signatures6 process7 dnsIp8 45 38.45.122.163, 49724, 49725, 5539 COGENT-174US United States 18->45 29 C:\ProgramData\OYzaUzYUe@12\zlib.dll (copy), PE32 18->29 dropped 31 C:\ProgramData\OYzaUzYUe@12\cnima.xml, COM 18->31 dropped 33 C:\ProgramData\OYzaUzYUe@12\OlOFIGACJ.exe, PE32 18->33 dropped 35 C:\ProgramData\OYzaUzYUe@12\DuiLib-1.dll, PE32 18->35 dropped 57 Found evasive API chain (may stop execution after checking mutex) 18->57 59 Found stalling execution ending in API Sleep call 18->59 61 Found API chain indicative of debugger detection 18->61 63 4 other signatures 18->63 27 conhost.exe 25->27         started        file9 signatures10 process11
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2025-05-27 03:06:00 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
Similar samples:
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Behaviour
Suspicious use of SetWindowsHookEx
System Location Discovery: System Language Discovery
Unpacked files
SH256 hash:
88c95e9af549cb0d65e9531bb2994eb122474909c42ced4d0657f0de91afebe3
MD5 hash:
cd3f7a225808cd4e1c48459f69a39f5e
SHA1 hash:
944e16625106f12a2c9ffde5f4b759e878a8b570
SH256 hash:
444975ec53abcb4ef2742743958830a13a25bb343c9b967e514ea73754609829
MD5 hash:
fada8cdd75d468e89b74e186606e4a2f
SHA1 hash:
a7bfcb85b500e6132432999a65aff4b89fd769b5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:SUSP_XORed_MSDOS_Stub_Message
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoFreeUnusedLibraries
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetVolumeInformationW
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WinExec
KERNEL32.dll::SetStdHandle
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::FindFirstFileW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments