MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 907d76317c31e9ca799beeef08144d12f5005fcb4acf17848f9f467e098648d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT

Vendor detections: 14

Intelligence 14 IOCs YARA 10 File information Comments

SHA256 hash:	907d76317c31e9ca799beeef08144d12f5005fcb4acf17848f9f467e098648d9
SHA3-384 hash:	3d9a85086799126835450fc3cdecea5506fe3c5c5ee8dcee4aba221b0c317603173f7607bca32fed2706475cb9e3a297
SHA1 hash:	bc71f292b0bfadd44bb2fcba8795117e26a76b1b
MD5 hash:	89ebf2795ac8923daf7d3caed0491907
humanhash:	shade-nuts-lemon-early
File name:	89EBF2795AC8923DAF7D3CAED0491907.exe
Download:	download sample
Signature	ValleyRAT Create hunting rule
File size:	11'562'844 bytes
First seen:	2025-03-13 20:05:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f4639a0b3116c2cfc71144b88a929cfd (96 x GuLoader, 53 x Formbook, 37 x VIPKeylogger)
ssdeep	196608:SOGMJpADerDI67ZkknrHzqZ2R72W1GxDMbmREQykLpiSNCwchsqiDwkP21lQF3O:SbMJaerDIwfqk7TbnQy8BNCgqi3OeI
Threatray	699 similar samples on MalwareBazaar
TLSH	T1F6C633023E11D4C2EE75B33DC888FA333755A6FBE79488DAB2417523267E44BDAB4548
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	c4dadadad2f492c2 (25 x GuLoader, 14 x RemcosRAT, 7 x AgentTesla)
Reporter	abuse_ch
Tags:	154-37-213-53 exe ValleyRAT

abuse_ch

ValleyRAT C2:
154.37.213.53:99

Intelligence

File Origin

# of uploads :

# of downloads :

468

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

907d76317c31e9ca799beeef08144d12f5005fcb4acf17848f9f467e098648d9.zip

Verdict:

Malicious activity

Analysis date:

2025-03-13 20:07:09 UTC

Tags:

arch-exec silverfox backdoor

Link:

https://app.any.run/tasks/f6e008c8-b666-4561-ad5e-d662ccd1b7df

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

91.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67d347853962f1a6f4710113

Tags:

virus

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file in the %temp% subdirectories

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context blackhole installer microsoft_visual_cc overlay packed packer_detected

Link:

https://www.filescan.io/uploads/67d33abc0a7899f35794f4cc/reports/5cc24cf9-ac23-4916-857e-f814e0ee0d92/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/907d76317c31e9ca799beeef08144d12f5005fcb4acf17848f9f467e098648d9

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/9c5e6fdc-0cff-4047-b6e2-0b8fcef90a46

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/1637709

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

80%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/907d76317c31e9ca799beeef08144d12f5005fcb4acf17848f9f467e098648d9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/907d76317c31e9ca799beeef08144d12f5005fcb4acf17848f9f467e098648d9/

Threat name:

Win32.Exploit.Marte

Status:

Malicious

First seen:

2025-03-08 23:29:14 UTC

File Type:

PE (Exe)

Extracted files:

351

AV detection:

11 of 24 (45.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sb6xmml4ghu4u6m353xqqfcncl2qax6ljlhrpbept5dh4cmgjdmq._file

Verdict:

malicious

Label(s):

winos

ValleyRAT

4468fe52ea5aeb3bb0673ea101f9989fe4a1ea3ee8f729c64f56f66324e94988

ValleyRAT

665e1be1f45631a3fc1061d1113d58acd78b9213280ced0c450ec542116c940f

ValleyRAT

907d76317c31e9ca799beeef08144d12f5005fcb4acf17848f9f467e098648d9

ValleyRAT

9c8f2ac8805fb7e9d35106aa7c3cbe979dd95c4f48b71fcd4a07618ecc9d37e5

ValleyRAT

error

ValleyRAT

f8049537bdb3c374aed7b6247b2376038b372e12582829485e7c88cc59fba17f

ValleyRAT

+ 689 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

defense_evasion discovery execution persistence

Link:

https://tria.ge/reports/250313-yvfjss1zc1/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Loads dropped DLL

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f046d22b-6672-4a39-bdef-8c13c02b528c

Unpacked files

SH256 hash:

907d76317c31e9ca799beeef08144d12f5005fcb4acf17848f9f467e098648d9

MD5 hash:

89ebf2795ac8923daf7d3caed0491907

SHA1 hash:

bc71f292b0bfadd44bb2fcba8795117e26a76b1b

Link:

https://www.unpac.me/results/7ee0105f-8d94-4d03-b316-ea92c3c20fae/

SH256 hash:

96d84047cb40c67f42023ee5123ddaf8e98c1bd13bee5e40a4375ec4c0c28bb1

MD5 hash:

74aa3cbcf9b3921e5fedf62ff9279b32

SHA1 hash:

f913912984365c3af7829d5afde4ce0ff4d0c4fd

Link:

https://www.unpac.me/results/7ee0105f-8d94-4d03-b316-ea92c3c20fae/

SH256 hash:

05eb1ad8a8fd447fe91e7dae8bf96da0a9f7f40c79e15005f14a3ca749e0bba8

MD5 hash:

6a32f08a959012ed526c834f8edfd3b4

SHA1 hash:

097cd6b73f469bdbe663c60c8a38771a454c4ed4

Link:

https://www.unpac.me/results/7ee0105f-8d94-4d03-b316-ea92c3c20fae/

SH256 hash:

270836795917367e22d843df92a535004143515e9ea9bbdeb056a27c82ad6daa

MD5 hash:

a9b2b49cc4457ad9d63b10c4fd6c9748

SHA1 hash:

358179dc6acaca3101c3b6f8af4d471267576d63

Link:

https://www.unpac.me/results/7ee0105f-8d94-4d03-b316-ea92c3c20fae/

SH256 hash:

4e72c8b4d36f128b25281440e59e39af7ec2080d02e024f35ac413d769d91f39

MD5 hash:

ea60c7bd5edd6048601729bd31362c16

SHA1 hash:

6e6919d969eb61a141595014395b6c3f44139073

Link:

https://www.unpac.me/results/7ee0105f-8d94-4d03-b316-ea92c3c20fae/

SH256 hash:

756cad002e1553cfa1a91ebe8c1b9380ffabe0b4b1916c4a4db802396ddfbef8

MD5 hash:

bfb3091b167550ec6e6454813d3db244

SHA1 hash:

87e86a7c783f607697a4880e7e063ab87bf63034

Link:

https://www.unpac.me/results/7ee0105f-8d94-4d03-b316-ea92c3c20fae/

SH256 hash:

9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

MD5 hash:

4add245d4ba34b04f213409bfe504c07

SHA1 hash:

ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

Link:

https://www.unpac.me/results/7ee0105f-8d94-4d03-b316-ea92c3c20fae/

SH256 hash:

b5444983aaf86ba12cb0f4ce4ae6f35239a7b6e9b0cb6936a4ce2b2bfda79ef5

MD5 hash:

cc5dc9be5e43e25e7bf91d91c5e976aa

SHA1 hash:

8c86d955ef780f79e790df59a0bee188c744858a

Link:

https://www.unpac.me/results/7ee0105f-8d94-4d03-b316-ea92c3c20fae/

SH256 hash:

c2c88e4a32c734b0cb4ae507c1a9a1b417a2375079111fb1b35fab23aedd41d9

MD5 hash:

b38561661a7164e3bbb04edc3718fe89

SHA1 hash:

f13c873c8db121ba21244b1e9a457204360d543f

Detections:

win_flawedammyy_auto

Link:

https://www.unpac.me/results/7ee0105f-8d94-4d03-b316-ea92c3c20fae/

Parent samples :

99aa0a112de10ceb2072e32e189befed18db5ce294787bf9b2dbe0ef643ba62c
b9fdbe8b2868d78c2fbe632a82d102bf5b334b256d21565e3173ba8ebe169ba5
b07907ce3ee14b8128039ecb8e635976fc216c77035d5bf38f42ed900197c879
87ad183c319765afb8556ac2ed508d2687c85b43b0848d251b87edbf0279fb97
27d75cacb0ec5845bd163635926ca0ecef4ea1bb92032df9e81e64b6e406e5a2
f95a2ee16ee39b92e9e3a5c87605021ff09d35ecf7eae9acaf6ea58c38ded834
e1c36731adad52dc563b7b172b6a4222f5449f134707e915714b7bb13392afd9
e9934abfdede625607cf46cbf7afe5dcab892e94117ab3bf827dafcf6be5eef1
dda95c5fac8c1882520a76aeb8dc397346e3f38bc6cb11aee7d96feea0d3a086
0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b
907d76317c31e9ca799beeef08144d12f5005fcb4acf17848f9f467e098648d9
98598c90bd75b930aba968467f4b540a5784aa28612b8010d8a9cf31992843c6

SH256 hash:

b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

MD5 hash:

d095b082b7c5ba4665d40d9c5042af6d

SHA1 hash:

2220277304af105ca6c56219f56f04e894b28d27

Link:

https://www.unpac.me/results/7ee0105f-8d94-4d03-b316-ea92c3c20fae/

Malware family:

ValleyRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/907d76317c31/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/907d76317c31e9ca799beeef08144d12f5005fcb4acf17848f9f467e098648d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Ins_NSIS_Buer_Nov_2020_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect NSIS installer used for Buer loader

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	SUSP_PDB_Path_Keywords Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects suspicious PDB paths
Reference:	https://twitter.com/stvemillertime/status/1179832666285326337?s=20

Rule name:	SUSP_PDB_Path_Keywords_RID2F34 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious PDB paths
Reference:	https://twitter.com/stvemillertime/status/1179832666285326337?s=20

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	Windows_Shellcode_Rdi_eee75d2c Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_TRUST_INFO	Requires Elevated Execution (level:requireAdministrator)	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AdjustTokenPrivileges
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExW SHELL32.dll::SHFileOperationW SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW ADVAPI32.dll::OpenProcessToken KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDiskFreeSpaceW KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::MoveFileW KERNEL32.dll::MoveFileExW
WIN_BASE_USER_API	Retrieves Account Information	ADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW
WIN_USER_API	Performs GUI Actions	USER32.dll::AppendMenuW USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::OpenClipboard USER32.dll::PeekMessageW USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample