MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ba27d6500ead73d174e9c8147aa618a2b36cacb633b97b809f7f236d722937b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 16



SHA256 hash: 8ba27d6500ead73d174e9c8147aa618a2b36cacb633b97b809f7f236d722937b
SHA3-384 hash: af2333c587938129e8a57360ef464bc9b5359d4873803a9f9e7b59c4f69884f675bc9bed32fd048757bae5913170c390
SHA1 hash: f7e669347b987d1e586d2f3bce84c2804da95323
MD5 hash: 79d5b4eb49f046f1a5f6421c40d95fcb
humanhash: delaware-fanta-johnny-coffee
File name: 8ba27d6500ead73d174e9c8147aa618a2b36cacb633b9.exe
Signature: ValleyRAT
File size: 5'134'198 bytes
First seen: 2026-02-09 23:35:29 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7e0a0e8f80bbd1a9c0078e57256f1c3d (7 x ValleyRAT, 5 x GCleaner, 4 x CoinMiner)
ssdeep: 98304:FzHZPyqPLaIid0DroXJNrlTdXrSgUWCbjUE8hAW2impY8vTeN8HJV:Fz5jPWIiqo5wFWiUdAW2iQY86N8HX
TLSH: T106362385E7E008FCE0B7E63889564D03E7767C1D1760A68B13A876512F737E19E3AB12
TrID: 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.3% (.EXE) OS/2 Executable (generic) (2029/13)
      9.2% (.EXE) Generic Win/DOS Executable (2002/3)
      9.2% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe RAT ValleyRAT


abuse_ch
ValleyRAT C2:
143.92.32.132:443

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 143.92.32.132:443 (ThreatFox reference: https://threatfox.abuse.ch/ioc/1744155/)

Intelligence


File Origin
# of uploads: 1
# of downloads: 150
Origin country: NL
Vendor Threat Intelligence
Malware configuration found for: Archives
Details: Archives (SFX commands and extracted archive contents)
Malware family: n/a
ID: 1
File name: 8ba27d6500ead73d174e9c8147aa618a2b36cacb633b97b809f7f236d722937b.exe
Verdict: Malicious activity
Analysis date: 2026-02-09 22:18:56 UTC
Tags: silverfox backdoor donutloader loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: emotet nemty
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: alien anti-debug anti-vm anti-vm base64 expand expired-cert explorer fingerprint fingerprint installer installer installer-heuristic lolbin microsoft_visual_cc obfuscated overlay packed rozena sfx soft-404
Verdict: Malicious
File Type: exe x64
First seen: 2026-02-09T19:18:00Z UTC
Last seen: 2026-02-11T02:36:00Z UTC
Hits: ~100
Detections: UDS:DangerousObject.Multi.Generic Backdoor.Win32.Agent.a Trojan.Win64.Agentb.sb Trojan.Win32.Shellcode.sb Trojan.Win32.Shellcode.mku Backdoor.Agent.TCP.C&C
Result
Threat name: DonutLoader, ValleyRAT
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Ping/Del Command Combination
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DonutLoader
Yara detected ValleyRAT
Behaviour
Behavior Graph: ID 1866411 (sample 8ba27d6500ead73d174e9c8147a..., start date 10/02/2026, architecture WINDOWS, score 100; the rendered process and network graph is not reproduced here)
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Verdict: malicious
Label(s): donutloader
Similar samples:
Result
Malware family: valleyrat_s2
Score: 10/10
Tags: family:valleyrat_s2 backdoor defense_evasion discovery installer trojan
Behaviour
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
ValleyRat
Valleyrat_s2 family
Unpacked files
SHA256 hash: 8ba27d6500ead73d174e9c8147aa618a2b36cacb633b97b809f7f236d722937b
MD5 hash: 79d5b4eb49f046f1a5f6421c40d95fcb
SHA1 hash: f7e669347b987d1e586d2f3bce84c2804da95323
SHA256 hash: 810e9879fdb18d0a5d68cd455b7187c62eb44fe585346a34f17b8802ad065482
MD5 hash: 66359e7e445803478383f3d2d35e9c6b
SHA1 hash: 39fadda30aa9ccca73314db31fc8aaceef126393
SHA256 hash: bd843f7c165a6251455639d01b6ae85f20c7aec2a8ca5d4ab521880d6813735e
MD5 hash: 145898cb5af2ca809c95e23b45fed65e
SHA1 hash: 0d33795c0d669182c2eab357c05c741eff8977c4
Malware family: ValleyRAT
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: GenericGh0st
Author: Still
Rule name: Gh0stKCP
Author: Netresec
Description: Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference: https://netresec.com/?b=259a5af
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: meth_peb_parsing
Author: Willi Ballenthin
Rule name: pe_detect_tls_callbacks
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: telebot_framework
Author: vietdx.mb
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Windows_Generic_Threat_4b0b73ce
Author: Elastic Security
Rule name: WinosStager
Author: YungBinary
Description: https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments