MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 930de81fcc908d132279595cd9e23416116a5066f95509f49f586fc049fda534. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 930de81fcc908d132279595cd9e23416116a5066f95509f49f586fc049fda534
SHA3-384 hash: 47eb30f5618a4cc7c5beaa24e1ca242e01e4f48dc833c7aad5b812d50a5e1cd03758b58b324c0fb48d1d1cbfe77fa39b
SHA1 hash: 20afb44f647152ecffd3630e3ba39987904cd651
MD5 hash: eaa71d70f797a4207fe32278731cb693
humanhash: papa-five-burger-fourteen
File name:2026年第一季度内职人员违纪名单信息.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:4'193'792 bytes
First seen:2026-04-10 06:38:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baff4071a279938b756ddd24226c0da5 (2 x ValleyRAT)
ssdeep 49152:HE2xEp5CjVFKejRrmM0jVN9EaOurQUxYkSSW0IbbJsv6tWKFdu9CPPTvG7JvpHF+:HOeZG7HRQJsv6tWKFdu9CPiW5
TLSH T124165B9EBABE53A9C5A7C1B0A7B38196E1317C019B3056CF2384735C26735F09DA72D8
TrID 48.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
19.1% (.EXE) Win64 Executable (generic) (6522/11/2)
14.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.9% (.EXE) OS/2 Executable (generic) (2029/13)
5.8% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon e8b6b2b0b2b6cc71 (2 x ValleyRAT)
Reporter Ling
Tags:exe SilverFox Trojan/SilverFox.bg[qtsc] ValleyRAT


Avatar
CNGaoLing
Trojan/SilverFox.bg[qtsc]
IOC (Domain qqdsbnmkloi.cn) (IP 18.162.212.102)

Intelligence

File Origin
# of uploads :
1
# of downloads :
138
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
2026.exe
Verdict:
No threats detected
Analysis date:
2026-04-09 14:27:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2170de0f-aea0-4938-a266-26956783200a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/61022/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.14741539.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69d7b73466ab6d001dd09eea
Tags:
malware
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug base64 fingerprint krypt microsoft_visual_cc unsafe
Link:
https://www.filescan.io/uploads/69d89b175ea31bc68a1d143f/reports/fa1fb0c8-f746-4c12-a77b-0adba3329539/overview
Verdict:
Malicious
Labled as:
Win64/GenKryptik.HIVV trojan
Link:
https://www.hybrid-analysis.com/sample/930de81fcc908d132279595cd9e23416116a5066f95509f49f586fc049fda534
Verdict:
Clean
File Type:
exe x64
First seen:
2026-04-10T08:38:00Z UTC
Last seen:
2026-04-10T08:43:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/930de81fcc908d132279595cd9e23416116a5066f95509f49f586fc049fda534/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c045dded-9211-458d-9e3a-73a24e62b33b
Score:
89%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/930de81fcc908d132279595cd9e23416116a5066f95509f49f586fc049fda534
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/eaa71d70f797a4207fe32278731cb693
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/930de81fcc908d132279595cd9e23416116a5066f95509f49f586fc049fda534/
Verdict:
Clean
Link:
https://tip.neiki.dev/file/930de81fcc908d132279595cd9e23416116a5066f95509f49f586fc049fda534
Threat name:
Win64.Trojan.Tedy
Create hunting rule
Status:
Malicious
First seen:
2026-04-08 11:07:13 UTC
File Type:
PE+ (Exe)
Extracted files:
11
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=smg6qh6mscgrgitzlfontyrucyiwuudg7fkqt5e7lbx4asp5uu2a._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/260410-herdcshx6x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
930de81fcc908d132279595cd9e23416116a5066f95509f49f586fc049fda534
MD5 hash:
eaa71d70f797a4207fe32278731cb693
SHA1 hash:
20afb44f647152ecffd3630e3ba39987904cd651
Link:
https://www.unpac.me/results/98076590-b6aa-4859-96a5-1d85e8a12908/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/930de81fcc908d132279595cd9e23416116a5066f95509f49f586fc049fda534

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:SUSP_Websites
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference of suspicious sites that might be used to download further malware
Rule name:test_Malaysia
Create hunting rule
Author:rectifyq
Description:Detects file containing malaysia string

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ValleyRAT

Executable exe 930de81fcc908d132279595cd9e23416116a5066f95509f49f586fc049fda534

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/61022/

Comments