MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95b8c9613c3e09443e3e846aa1886bf071db4f23f2ef928ae8cf21ba422007ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95b8c9613c3e09443e3e846aa1886bf071db4f23f2ef928ae8cf21ba422007ce
SHA3-384 hash: 304dffd79c25095254a8fc9c4e3c2e01f7811f3ad7c18cb291d2b783ef336841c80ee6f0e725356a4994c2dbcbe0e9e3
SHA1 hash: cdfd06ce925c59ace6ded0e18e7a26daaef9fe1f
MD5 hash: 86aa16c1861d6f237e20599a05192aae
humanhash: skylark-helium-seventeen-blossom
File name:wpsчsetup.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:74'875'061 bytes
First seen:2025-05-12 17:09:50 UTC
Last seen:2025-05-12 17:10:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 31eb9b3068898b69608e63f7441dc924 (10 x ValleyRAT)
ssdeep 1572864:vu1ss5ZAzGJQFFBEyFolTqs9BaIAywtaLqJB1K8Qwp2:m1s4AqQ31FsTqjIAywt7LK8DQ
Threatray 7 similar samples on MalwareBazaar
TLSH T156F7330EE57063E7DD1317B66A0B3AF31F719C9EA444C9475334308D68BA10B9B8B99B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 68e8b28ee6e4e030 (5 x ValleyRAT, 1 x AsyncRAT)
Reporter GDHJDSYDH1
Tags:backdoor exe FakeApp SilverFox ValleyRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
553
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
wpssetup.exe
Verdict:
No threats detected
Analysis date:
2025-05-12 14:31:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/17e87a58-baef-41e1-a024-cb49c46e077b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682206364a59e5a2ce03e997
Tags:
virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context blackhole installer microsoft_visual_cc overlay overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/68222b8f0b64e174c4236b20/reports/5154064c-f9d6-47c5-8e2c-839e0e35dde8/overview
Verdict:
Malicious
Labled as:
Trojan.Generik
Link:
https://www.hybrid-analysis.com/sample/95b8c9613c3e09443e3e846aa1886bf071db4f23f2ef928ae8cf21ba422007ce
Result
Threat name:
n/a
Detection:
clean
Classification:
n/a
Score:
4 / 100
Link:
https://www.joesandbox.com/analysis/1688195
Behaviour
Behavior Graph:
n/a
Score:
76%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/95b8c9613c3e09443e3e846aa1886bf071db4f23f2ef928ae8cf21ba422007ce
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sw4msyj4hyeuipr6qrvkdcdl6by5wtzd6lxzfcxiz4q3uqraa7ha._file
Verdict:
malicious
Label(s):
winos
Create hunting rule
Similar samples:
39fc79efad9b778c9eff391be78e449586590989f227cc8b2fc20d37889f3178
ValleyRAT
5cdff7f64983d581e2ead986ec68272c80f5ba3160d2d5115860cfc6bfe8b3b9
ValleyRAT
7dcafd128b08d821508aaf9e4ab9c381ae44a0fb4fa5ae8289eb1a8cea67e91b
ValleyRAT
error
ValleyRAT
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/250512-vp12rsvtg1/
Behaviour
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1fadfd44-4888-45ec-8947-dab2ce3f84df
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/95b8c9613c3e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Shellcode_Rdi_eee75d2c
Create hunting rule
Author:Elastic Security
Rule name:win_rat_generic
Create hunting rule
Author:Reedus0
Description:Rule for detecting generic RAT malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ValleyRAT

Executable exe 95b8c9613c3e09443e3e846aa1886bf071db4f23f2ef928ae8cf21ba422007ce

(this sample)

  
Link
https://tria.ge/250512-rlcm8acr2y
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::SetFileSecurityW
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments