MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8cdf5740d13c2a0fe136d46971173942975c966797d8c790777d11894e131610. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8cdf5740d13c2a0fe136d46971173942975c966797d8c790777d11894e131610
SHA3-384 hash: 8a6edc29ac88d7a4b636057b9b8906e761ced5fc1f0818b75de4558d9acdc2b33e61fc06762d10649ad6e1140fc2c2d3
SHA1 hash: 9e30d0ba3219db851df612cfd4a5ba04e2396d82
MD5 hash: 8a8ed18e78dffdf9995f1b6148c802d0
humanhash: mirror-lemon-carpet-sixteen
File name:软件安装包_setup.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:22'022'373 bytes
First seen:2025-07-18 02:15:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d74d76c7011bfcc0cc1ebcb319809a31 (3 x ValleyRAT, 1 x CobaltStrike)
ssdeep 393216:OcqwjRe2B4QM8fCqUncfcsJLedS4g3lE4Fu76qUtiCT9cIFgI2Dpxr2n:ra2BY8fCbnWcsJLedS4a3Fq6qIHqIsS
Threatray 65 similar samples on MalwareBazaar
TLSH T16F2733EF24DC6CDADCE26136D0C94659DC30BE16074B807B87B80A849BAF36659FE750
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon c6c2ccc4f4e0e0f8 (47 x PythonStealer, 26 x CoinMiner, 24 x SVCStealer)
Reporter GDHJDSYDH1
Tags:backdoor dropper exe SilverFox ValleyRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
50
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
软件安装包_setup.exe
Verdict:
Malicious activity
Analysis date:
2025-07-18 02:16:56 UTC
Tags:
payload python silverfox backdoor pyinstaller loader auto-reg valleyrat winos rat
Link:
https://app.any.run/tasks/713111ae-85c9-4957-a1ec-05d54b2457f6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/15141/
Detection(s):
SecuriteInfo.com.Generic.PY.ReverseShell.B.8DBD9547.200.15836.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6879ae6e84b37dd61eef345f
Tags:
emotet cobalt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a file
DNS request
Connection attempt
Sending a custom TCP request
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm compiled-script expand expired-cert invalid-signature lolbin microsoft_visual_cc msbuild overlay overlay packed packed pyinstaller pyinstaller signed
Link:
https://www.filescan.io/uploads/6879ae6e8a7d628a81b57ffa/reports/2a0d74eb-8f80-4710-aa04-14686d0b3847/overview
Verdict:
Malicious
Labled as:
Trojan.Stelega
Link:
https://www.hybrid-analysis.com/sample/8cdf5740d13c2a0fe136d46971173942975c966797d8c790777d11894e131610
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8cdf5740d13c2a0fe136d46971173942975c966797d8c790777d11894e131610
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
Executable PDB Path PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/8a8ed18e78dffdf9995f1b6148c802d0
Gathering data
Threat name:
Win64.Hacktool.UacMe
Create hunting rule
Status:
Malicious
First seen:
2025-07-18 02:20:00 UTC
File Type:
PE+ (Exe)
Extracted files:
766
AV detection:
11 of 24 (45.83%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rtpvoqgrhqva7yjw2ruxcfzziklvzfths7mmpedxpuiystqtcyia._file
Verdict:
malicious
Label(s):
valleyrat
Create hunting rule
donut_injector
Create hunting rule
Similar samples:
0c4db03b4deb41efd71f82444034efc2196fb8586a74d85786b6d09a1ae19ef5
ValleyRAT
47040b942f874d377548c8743b8a4e443d4f281c29af2d23d670e0ccf9b6ea2e
ValleyRAT
6602db73720a8c8ff71f0277ff23f5ab4c63c0dc04e67be08aa9b7609183627f
ValleyRAT
83f8553d64af8e471b7d0e18425e85e85d39565b4e7de8f80c807715551c8cb3
ValleyRAT
8cdf5740d13c2a0fe136d46971173942975c966797d8c790777d11894e131610
ValleyRAT
dbdb425f59933650146ae3c32313677afa4ff3e27c739a2a8e528095f68a950a
ValleyRAT
error
ValleyRAT
f0193ed53ec30bcba588fcc0d08c87a6ad066bbf1c30eec0eee3860715d6c6f6
ValleyRAT
fbb7826f9715516801419259ce25b9be57a67663a790efb931a7b4a2fb83d052
ValleyRAT
+ 55 additional samples on MalwareBazaar
Result
Malware family:
valleyrat_s2
Create hunting rule
Score:
  10/10
Tags:
family:valleyrat_s2 adware backdoor persistence pyinstaller ransomware spyware
Link:
https://tria.ge/reports/250718-cp7v7svwgs/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Adds Run key to start application
Enumerates connected drives
Loads dropped DLL
Boot or Logon Autostart Execution: Active Setup
ValleyRat
Valleyrat_s2 family
Malware Config
C2 Extraction:
v2.egrfbumsu.cn:7777
v2.egrfbumsu.cn:80
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/cd76d9cf-f99e-4e25-be78-ea63373dc227
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8cdf5740d13c2a0fe136d46971173942975c966797d8c790777d11894e131610

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PyInstaller
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ValleyRAT

Executable exe 8cdf5740d13c2a0fe136d46971173942975c966797d8c790777d11894e131610

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/15141/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::ConvertSidToStringSidW
ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::RemoveDirectoryW
KERNEL32.dll::SetDllDirectoryW

Comments