MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92420aeb6fcb2cbd3f8b4b645f08c9fd7173fb258439f5de6b91dc45dd72d209. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	92420aeb6fcb2cbd3f8b4b645f08c9fd7173fb258439f5de6b91dc45dd72d209
SHA3-384 hash:	363bf8e9079eb21a76d29b3fd83f4924aed1de9f11908cf553bcb93b7d7f40f17035c75ab0f6f6964b8f32f5bae54d99
SHA1 hash:	08bd771ddd0b4ed12705e369c6617a13afb8432b
MD5 hash:	d041a2bc3d3ea600cfb91b5b5f140036
humanhash:	alpha-wisconsin-florida-blossom
File name:	a-software85659014.msi
Download:	download sample
Signature	ValleyRAT Create hunting rule
File size:	6'295'552 bytes
First seen:	2026-06-26 19:25:38 UTC
Last seen:	Never
File type:	msi
MIME type:	application/x-msi
ssdeep	98304:CQfQ3Vu6lqX9LTEZpY84XSvl4vHguz/LtjHRJSreQkMSQ1xEl/AWug:CBVumqhIt9gAuz06QZ1aAWug
Threatray	1 similar samples on MalwareBazaar
TLSH	T117563356BDC76978D0D7C7B5579A212D30297FCA8F688C6B73E87A1C0D72200A4F6389
TrID	88.4% (.MST) Windows SDK Setup Transform script (61000/1/5) 11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika	msi
Reporter	Ling
Tags:	gh0st Gh0stRAT msi SilverFox ValleyRAT

CNGaoLing

The sample is retrieved from "hxxps://www[.]pc-ziniaogw[.]com[.]cn", "hxxps://www[.]chromee-ziniaow[.]com[.]cn", "hxxps://ie-ziniaow[.]com[.]cn" -> "hxxps://www[.]qwjre1487[.]com/installc"

SilverFox
IOC (Domain 26nn.oss-cn-hangzhou.aliyuncs.com) (Domain zo6lz1.oss-cn-beijing.aliyuncs.com) (Domain podcse.net) (IP 43.99.107.27:28290)

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

MSI

Details

Link:

https://research.acce.ciphertechsolutions.com/results/133d00c8-2df1-44af-99e6-900e0f3e98fe/

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/72149/

Detection(s):

SecuriteInfo.com.FileRepMalware.11953549.UNOFFICIAL

SecuriteInfo.com.Win64.MalwareX-gen.55477323.UNOFFICIAL

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a3ecb8e1548daf709fa0f88

Tags:

virus spawn hype

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

bankingtrojan CAB installer installer overlay packed packed persistence wix

Link:

https://www.filescan.io/uploads/6a3ed23cafa21d129853eb87/reports/32ab5a99-ee0a-4bcd-81d4-f833d7a386b6/overview

Verdict:

Malicious

Labled as:

Trojan.MSI.Agent

Link:

https://www.hybrid-analysis.com/sample/92420aeb6fcb2cbd3f8b4b645f08c9fd7173fb258439f5de6b91dc45dd72d209

Verdict:

Malicious

File Type:

msi

First seen:

2026-06-26T15:57:00Z UTC

Last seen:

2026-06-26T18:06:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan.Win32.DLLhijack.pefng HEUR:Trojan.Win32.DLLhijack.pef HEUR:HackTool.OLE2.AmsiETWPatch.gen HackTool.Multi.AmsiETWPatch.sb Trojan.Win64.Agentb.lkaw Trojan.Win32.Agent.sba

Link:

https://opentip.kaspersky.com/92420aeb6fcb2cbd3f8b4b645f08c9fd7173fb258439f5de6b91dc45dd72d209/results?tab=lookup

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

CAB:COMPRESSION:LZX Executable Office Document PE (Portable Executable) PE File Layout

Link:

https://app.malva.re/file/d041a2bc3d3ea600cfb91b5b5f140036

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/92420aeb6fcb2cbd3f8b4b645f08c9fd7173fb258439f5de6b91dc45dd72d209/

Verdict:

Malicious

Threat:

Family.GH0ST

Link:

https://tip.neiki.dev/file/92420aeb6fcb2cbd3f8b4b645f08c9fd7173fb258439f5de6b91dc45dd72d209

Threat name:

Win64.Trojan.Malgent

Status:

Malicious

First seen:

2026-06-26 18:57:22 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

12 of 24 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sjbav23pzmwl2p4ljnsf6cgj7vyxh6zfqq47lxtlshoelxls2ieq._file

Verdict:

malicious

Label(s):

swordldr

Similar samples:

error

ValleyRAT

Result

Malware family:

n/a

Score:

10/10

Tags:

defense_evasion discovery execution exploit persistence privilege_escalation ransomware trojan

Link:

https://tria.ge/reports/260626-x5cp8aez2m/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Modifies Control Panel

Modifies data under HKEY_USERS

Modifies registry class

Runs net.exe

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System policy modification

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

Event Triggered Execution: Screensaver

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Launches sc.exe

Drops file in System32 directory

Adds Run key to start application

Badlisted process makes network request

Enumerates connected drives

Indicator Removal: Clear Persistence

Checks computer location settings

Disables service(s)

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Command and Scripting Interpreter: PowerShell

Drops file in Drivers directory

Modifies RDP port number used by Windows

Possible privilege escalation attempt

UAC bypass

Windows security bypass

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Backdoor

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/92420aeb6fcb2cbd3f8b4b645f08c9fd7173fb258439f5de6b91dc45dd72d209

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ValleyRAT

msi 92420aeb6fcb2cbd3f8b4b645f08c9fd7173fb258439f5de6b91dc45dd72d209

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/72149/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample