MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9094976a4c074ca7dbc7152631dc76a962c2ff733f587e07bcc991cfe500fa91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 11



SHA256 hash: 9094976a4c074ca7dbc7152631dc76a962c2ff733f587e07bcc991cfe500fa91
SHA3-384 hash: 0c47ce667e37bbfb707fccda0cc5835e3ea73b278e332310dbaa03565b91f2d992ed83ad5cf1e9384d1308da738d1114
SHA1 hash: 2177363ab8385346e09ed4b30b47424553921516
MD5 hash: 542e5fa97c641068e3c7e92fbe203ea6
humanhash: happy-butter-delta-orange
File name: #点击安装中文汉化语言zh-cn.msi
Signature: ValleyRAT
File size: 2'398'720 bytes
First seen: 2025-06-09 11:30:30 UTC
Last seen: 2025-06-10 11:05:29 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 49152:3ulf+TEanLBm/usqOVX7Gp7ADREFClUDxuj45G17Q0RabPkKbG:pyX0lFC2Ysua7k/
Threatray: 45 similar samples on MalwareBazaar
TLSH: T1E9B5AE21768BC436D16D01B3E92DFE1A603DADB70B3041D7B7E8795E69704C1A23EB92
TrID:
  80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
  10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
  7.8% (.MSP) Windows Installer Patch (44509/10/5)
  1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: GDHJDSYDH1
Tags: backdoor dropper msi SilverFox ValleyRAT

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 103.68.181.196:1688
ThreatFox reference: https://threatfox.abuse.ch/ioc/1542951/

Intelligence


File Origin
# of uploads: 3
# of downloads: 76
Origin country: US
Vendor Threat Intelligence
Verdict: Malicious
Score: 92.5%
Tags: shellcode extens agent
Result
Threat name: n/a
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to register a low level keyboard hook
Creates a thread in another existing process (thread injection)
Detected unpacking (creates a PE file in dynamic memory)
Drops executables to the windows directory (C:\Windows) and starts them
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Sample or dropped binary is a compiled AutoHotkey binary
Sigma detected: Execution from Suspicious Folder
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suricata IDS alerts for network traffic
Writes to foreign memory regions
Behaviour
Behavior Graph (graph image not reproduced; the node data recovered from it is listed below)
Behavior Graph ID: 1709471
Sample: ##U70b9#U51fb#U5b89#U88c5#U...
Startdate: 09/06/2025
Architecture: WINDOWS
Score: 100
Sample (node 2): contacts oneihmdo.com, quickqnew.com, c0mcom.com; signatures: Suricata IDS alerts for network traffic, Multi AV Scanner detection for submitted file, Detected unpacking (creates a PE file in dynamic memory), 10 other signatures; starts msiexec.exe (node 10), Hr.exe (node 14), msiexec.exe (node 17)
msiexec.exe (node 10): drops C:\Windows\Installer\MSIA18E.tmp (PE32), C:\Users\Public\403\Hr.exe (PE32), C:\Windows\Installer\MSI9F0B.tmp (PE32) and 4 other files (none is malicious); signature: Drops executables to the windows directory (C:\Windows) and starts them; starts MSIA18E.tmp (node 19), msiexec.exe (node 21)
Hr.exe (node 14): contacts quickqnew.com 38.45.124.50, 49690, 49691, 49692 (COGENT-174US, United States); drops C:\Program Files\91\TPCASPac.exe (PE32); signature: Sample or dropped binary is a compiled AutoHotkey binary
MSIA18E.tmp (node 19): starts cmd.exe (node 23)
cmd.exe (node 23): drops C:\Users\Public\403\cc.exe (PE32); starts Hr.exe (node 26), conhost.exe (node 31), cc.exe (node 33)
Hr.exe (node 26): contacts oneihmdo.com 103.68.181.196, 1688, 49689, 49693 (HKKFGL-AS-AP HK Kwaifong Group Limited HK, Hong Kong); drops C:\Program Files\91\PCASPac.exe (PE32); signatures: Contains functionality to register a low level keyboard hook, Writes to foreign memory regions, Allocates memory in foreign processes, 2 other signatures; starts PCASPac.exe (node 35)
Result
Malware family: valleyrat_s2
Score: 10/10
Tags: family:valleyrat_s2 backdoor defense_evasion discovery persistence privilege_escalation
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
Access Token Manipulation: Create Process with Token
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Downloads MZ/PE file
Enumerates connected drives
ValleyRat
Valleyrat_s2 family
Malware Config
C2 Extraction: oneihmdo.com:1688, 127.0.0.1:80
Verdict: Suspicious
Tags: n/a
YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Detect_LATAM_MSI_Banker
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_OLE_file_magic_number
Author: Didier Stevens (https://DidierStevens.com)
Rule name: suspicious_msi_file
Author: Johnk3r
Description: Detects common strings, DLL and API in Banker_BR

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: ValleyRAT
File type: Microsoft Software Installer (MSI) msi
SHA256: 9094976a4c074ca7dbc7152631dc76a962c2ff733f587e07bcc991cfe500fa91 (this sample)

Delivery method: Distributed via web download

Comments