MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96a67f1380ffcbbefa3789c269b6ed8faf6f02e9d3741c1a83127ce8dca199fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 21 File information Comments

SHA256 hash:	96a67f1380ffcbbefa3789c269b6ed8faf6f02e9d3741c1a83127ce8dca199fa
SHA3-384 hash:	a4fa5da46995cafb14ad30303dfe88b48f0a07cf1ef73e084b22af6b4c0d7c06a79b19365b6f2e0420299b398b910a6d
SHA1 hash:	e3634274d3077a0a956acf5f76a2a7756cdd72f2
MD5 hash:	47be8bc47308f419813e4b51e231583e
humanhash:	green-eight-mike-bulldog
File name:	tspkbvpv.exe
Download:	download sample
Signature	ValleyRAT Create hunting rule
File size:	8'395'928 bytes
First seen:	2026-05-04 09:53:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fa4ef7cd7103020aad8042d3e504fd26 (1 x ValleyRAT)
ssdeep	49152:3wLIPkBz9AFK5WumE39pJObRJzdtXoxGX1:6Bz9QWAu9yJ/
Threatray	20 similar samples on MalwareBazaar
TLSH	T1728686559148C467F77212C77512AA04BA7C9BAF32058D8C706EE36F5F26EBA033B0E5
TrID	33.1% (.EXE) Win64 Executable (generic) (6522/11/2) 25.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.4% (.ICL) Windows Icons Library (generic) (2059/9) 10.3% (.EXE) OS/2 Executable (generic) (2029/13) 10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	e88e4969d461b2e0 (1 x ValleyRAT)
Reporter	Ling
Tags:	exe SilverFox Trojan/SilverFox.sa ValleyRAT

CNGaoLing

Trojan/SilverFox.sa
IOC (IP 103.101.177.234) (IP 154.92.255.106) (IP 154.92.255.107)

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
103.101.177.234:6011	https://threatfox.abuse.ch/ioc/1805797/

Intelligence

File Origin

# of uploads :

# of downloads :

147

Origin country :

Vendor Threat Intelligence

Gathering data

Malware family:

n/a

ID:

File name:

tspkbvpv.exe

Verdict:

Malicious activity

Analysis date:

2026-05-04 09:21:00 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/765cc0b8-c26b-4136-a056-18ef415564f4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

WinosStager

Link:

https://www.capesandbox.com/analysis/64461/

Detection(s):

MiscreantPunch.SingleXOR.EXE.122.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Using the Windows Management Instrumentation requests

Connection attempt

Sending a custom TCP request

Сreating synchronization primitives

Setting a keyboard event handler

Creating a file

Creating a window

Connection attempt to an infection source

Sending a TCP request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm blackenergy cmd evasive expired-cert explorer installer-heuristic invalid-signature lolbin lolbin microsoft_visual_cc obfuscated overlay packed reg rundll32 signed unsafe xor-pe

Link:

https://www.filescan.io/uploads/69f86cd42fcb905ec27d3091/reports/3915a51b-0633-4239-809b-4c29fe82c63c/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/96a67f1380ffcbbefa3789c269b6ed8faf6f02e9d3741c1a83127ce8dca199fa

Result

Gathering data

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-05-02T18:03:00Z UTC

Last seen:

2026-05-02T20:11:00Z UTC

Hits:

~100

Detections:

Backdoor.Agent.TCP.C&C Trojan-Spy.Win32.KeyLogger.sb Backdoor.Win32.Xkcp.cqf Trojan-Spy.Win64.Agent.sb Trojan.Win32.Agent.sb Trojan-Spy.Win32.Stealer.sb Trojan-Dropper.Win32.Dapato.sb Backdoor.Win32.Xkcp.a Backdoor.Win32.Agent.sb

Link:

https://opentip.kaspersky.com/96a67f1380ffcbbefa3789c269b6ed8faf6f02e9d3741c1a83127ce8dca199fa/results?tab=lookup

Malware family:

ValleyRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3ae6041d-2e59-4db8-934b-e4567cf77e6d

Score:

40%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/96a67f1380ffcbbefa3789c269b6ed8faf6f02e9d3741c1a83127ce8dca199fa

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/47be8bc47308f419813e4b51e231583e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/96a67f1380ffcbbefa3789c269b6ed8faf6f02e9d3741c1a83127ce8dca199fa/

Verdict:

Malicious

Threat:

Family.VALLEYRAT_S2

Link:

https://tip.neiki.dev/file/96a67f1380ffcbbefa3789c269b6ed8faf6f02e9d3741c1a83127ce8dca199fa

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=s2th6e4a77f356rxrhbgtnxnr6xw6axj2n2bygudcj6orxfbth5a._file

Verdict:

malicious

Label(s):

valleyrat

ValleyRAT

247bc5015b57de8b3b61bd8afdf7f432aef154405129004e941b7fa890104a6c

ValleyRAT

30fb74ab1988cc3195186a7014d21ed26828f758a2b8f17bcbc410746b7b7256

ValleyRAT

7f526f51e12c0e66bfb00b2b5132669010db2fc3664394ce8051e1ccb9c323e3

ValleyRAT

e026b43e5a2b1ec0409e7dc3b60631146a0e68203780dd5b80e2b9673ab08f3c

ValleyRAT

e7e487a43cb64f9dc80524ed942f10d6379c6bad552216aeb70b8de3b4b46903

ValleyRAT

error

ValleyRAT

+ 10 additional samples on MalwareBazaar

Result

Malware family:

valleyrat_s2

Score:

10/10

Tags:

family:valleyrat_s2 backdoor

Link:

https://tria.ge/reports/260504-lxj9jsfz91/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Enumerates connected drives

Family: ValleyRat

Malware Config

C2 Extraction:

103.101.177.234:6011
103.101.177.235:6012
127.0.0.1:80

Unpacked files

SH256 hash:

96a67f1380ffcbbefa3789c269b6ed8faf6f02e9d3741c1a83127ce8dca199fa

MD5 hash:

47be8bc47308f419813e4b51e231583e

SHA1 hash:

e3634274d3077a0a956acf5f76a2a7756cdd72f2

Link:

https://www.unpac.me/results/e53fa37e-acd2-459e-82d8-f0850f5b035b/

SH256 hash:

1662844f61609f50b8e096228352d564f0419812923851f9916b93fff5e23bb4

MD5 hash:

828f661165da7d3dbfa0b111fb5465e1

SHA1 hash:

9aeb3f8ba65222ac277384cbd0b8c1c35bce1999

Link:

https://www.unpac.me/results/e53fa37e-acd2-459e-82d8-f0850f5b035b/

Malware family:

ValleyRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/96a67f1380ff/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Gh0stKCP Create hunting rule
Author:	Netresec
Description:	Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference:	https://netresec.com/?b=259a5af

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	IMPLANT_4_v7 Create hunting rule
Author:	US CERT
Description:	BlackEnergy / Voodoo Bear Implant by APT28
Reference:	https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	SUSP_XORed_MSDOS_Stub_Message Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed MSDOS stub message
Reference:	https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

Rule name:	ValleyRAT Create hunting rule
Author:	NDA0E
Description:	Detects ValleyRAT

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name:	Windows_Generic_Threat_3055c14a Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Winos_464b8a2e Create hunting rule
Author:	Elastic Security

Rule name:	WinosStager Create hunting rule
Author:	YungBinary
Description:	https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ValleyRAT

exe 96a67f1380ffcbbefa3789c269b6ed8faf6f02e9d3741c1a83127ce8dca199fa

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/64461/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample