MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b2be6abdbb3062becc9c3b73c9148e06f623d0a3dc44df3775c05ee7355c5a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b2be6abdbb3062becc9c3b73c9148e06f623d0a3dc44df3775c05ee7355c5a0
SHA3-384 hash: 6eea3c99b071d6d6e2df4d51812d864894d1f0a60c59786595615981fbbb1cd6eba2c7f753dc8c4bd71fe6e63eed9a46
SHA1 hash: 24fbcccf700e1b9861f94d9d74c39b66067de997
MD5 hash: 358a85bfa76a008773958cab04cbbd31
humanhash: oscar-glucose-louisiana-march
File name:358a85bfa76a008773958cab04cbbd31.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:2'133'896 bytes
First seen:2026-06-24 16:20:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b352331f1815c3aef5e75c650559b8d5 (2 x ValleyRAT)
ssdeep 24576:GBT3IdwagHtoI7Wtgu/917dYl4R0KuGk2XGA+tDNq:GBT3IdwagH6I7Wtgi7dYlkkMl+N
Threatray 94 similar samples on MalwareBazaar
TLSH T19DA5549D6A4454F2C57442F58D0805B8A2BEFD1F3E203925BA38AB212C77786DFB8375
TrID 22.5% (.ICL) Windows Icons Library (generic) (2059/9)
22.3% (.EXE) DOS Executable Borland Pascal 7.0x (2035/25)
21.9% (.EXE) Generic Win/DOS Executable (2002/3)
21.9% (.EXE) DOS Executable (generic) (2000/1)
11.0% (.SCORE) Music Craft Score (1007/6)
Magika pebin
Reporter abuse_ch
Tags:exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
http://qqdhq.cn/getinstall64

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://qqdhq.cn/getinstall64 https://threatfox.abuse.ch/ioc/1837038/

Intelligence

File Origin
# of uploads :
1
# of downloads :
192
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_8b2be6abdbb3062becc9c3b73c9148e06f623d0a3dc44df3775c05ee7355c5a0.exe
Verdict:
Malicious activity
Analysis date:
2026-06-24 16:24:55 UTC
Tags:
rat valleyrat remote generic websocket silverfox winos
Link:
https://app.any.run/tasks/4f124fed-2c65-4ea4-84fb-cd97352d95f8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71867/
Detection(s):
Win.Trojan.Ulise-9645830-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a3c042886bc95245bf92f5c
Tags:
downloader injection emotet virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Restart of the analyzed sample
Creating a process with a hidden window
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the system32 subdirectories
Deleting a recently created file
Creating a file
Launching a process
Creating a window
Moving of the original file
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/8b2be6abdbb3062becc9c3b73c9148e06f623d0a3dc44df3775c05ee7355c5a0
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-06-15T10:08:00Z UTC
Last seen:
2026-06-24T22:44:00Z UTC
Hits:
~10
Detections:
Trojan-Dropper.Win32.Silverfox.xz
Link:
https://opentip.kaspersky.com/8b2be6abdbb3062becc9c3b73c9148e06f623d0a3dc44df3775c05ee7355c5a0/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e7fd4ce3-ade2-4573-bd46-703ea67377a3
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1933296
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Unusual module load detection (module proxying)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1933296 Sample: NnnFvMu9gl.exe Startdate: 24/06/2026 Architecture: WINDOWS Score: 100 37 qqdhq.cn 2->37 41 Antivirus detection for dropped file 2->41 43 Antivirus / Scanner detection for submitted sample 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 2 other signatures 2->47 9 NnnFvMu9gl.exe 1 2->9         started        signatures3 process4 signatures5 59 Writes to foreign memory regions 9->59 61 Allocates memory in foreign processes 9->61 63 Found direct / indirect Syscall (likely to bypass EDR) 9->63 12 svchost.exe 12 19 9->12 injected 17 NnnFvMu9gl.exe 1 1 9->17         started        process6 dnsIp7 39 qqdhq.cn 18.163.0.245, 49698, 49701, 49702 AMAZON-02-AmazoncomIncUS Hong Kong SAR China 12->39 33 C:\Program Files\Common Files\nvml.dll, PE32+ 12->33 dropped 35 C:\Program Files\Common Files\nvgpu_x64.exe, PE32+ 12->35 dropped 67 Benign windows process drops PE files 12->67 69 Creates files in the system32 config directory 12->69 71 Modifies the context of a thread in another process (thread injection) 12->71 73 Unusual module load detection (module proxying) 12->73 19 nvgpu_x64.exe 1 12->19         started        22 svchost.exe 1 12->22         started        24 svchost.exe 12->24         started        75 Moves itself to temp directory 17->75 77 Found direct / indirect Syscall (likely to bypass EDR) 17->77 file8 signatures9 process10 signatures11 49 Changes memory attributes in foreign processes to executable or writable 19->49 51 Writes to foreign memory regions 19->51 53 Allocates memory in foreign processes 19->53 57 2 other signatures 19->57 26 conhost.exe 19->26         started        55 Modifies the context of a thread in another process (thread injection) 22->55 28 dllhost.exe 22->28         started        31 dllhost.exe 24->31         started        process12 signatures13 65 Unusual module load detection (module proxying) 28->65
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8b2be6abdbb3062becc9c3b73c9148e06f623d0a3dc44df3775c05ee7355c5a0
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8b2be6abdbb3062becc9c3b73c9148e06f623d0a3dc44df3775c05ee7355c5a0/
Verdict:
Malicious
Threat:
Family.VALLEYRAT
Link:
https://tip.neiki.dev/file/8b2be6abdbb3062becc9c3b73c9148e06f623d0a3dc44df3775c05ee7355c5a0
Threat name:
Win64.Trojan.Doina
Create hunting rule
Status:
Malicious
First seen:
2026-06-15 20:09:53 UTC
File Type:
PE+ (Exe)
Extracted files:
19
AV detection:
14 of 36 (38.89%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rmv6nk63wmdcx3gjyo3tzeki4bxwepikhxce343xlqc6442vywqa._file
Verdict:
malicious
Label(s):
boxedrat
Create hunting rule
Similar samples:
032e1d550d78270eca2815941833c288d09dcbbfb9e8360d30971d5ee013f509
ValleyRAT
4bf8707ee3eae011e239dca5f7dd1c79e6c564542f3fa9427e3657b35c578c9d
ValleyRAT
56624e466ec099c7f3bd90a5e541e5fd7d7856f57766bf774f3022c126dd9b0b
ValleyRAT
6357059ba1b68376b11311cd1679f93e3709f48c8e6e9e84e88d4c27ebc00e1a
ValleyRAT
66190c82b66b183a68722bebc38c787c360b6a1bb165049f788dbe512ca29c3b
ValleyRAT
8a330b78954bcc3befbc4702617a61f201d874b57551928e795b2e70330e1a38
ValleyRAT
9c50cdf3a03174b3ede792aafcb7881f4b590b551721fd27e2805dc8fdf5090f
ValleyRAT
a76879e7320bf59ad2da99d24b0b20a03a1d9807092ab5409e3e514fd549e773
ValleyRAT
ca473d07c0b673ed40ef1c5584a87606b6f67b0d37e71e3b43406acfd7a19ef9
ValleyRAT
cc4aed185ff224de372d968457382222fe685cadd14934b26b349935da88e64a
ValleyRAT
+ 84 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/260624-ttseradv4t/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
8b2be6abdbb3062becc9c3b73c9148e06f623d0a3dc44df3775c05ee7355c5a0
MD5 hash:
358a85bfa76a008773958cab04cbbd31
SHA1 hash:
24fbcccf700e1b9861f94d9d74c39b66067de997
Link:
https://www.unpac.me/results/f2c18275-1ac3-4623-904f-93122789dfbf/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/71867/

Comments