MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9aec3a445e71559834feaff9d57d47d146b38d4732f7ad6adb46ba10e3ec2d9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 4 File information Comments

SHA256 hash: 9aec3a445e71559834feaff9d57d47d146b38d4732f7ad6adb46ba10e3ec2d9e
SHA3-384 hash: af752981e7798d4afa131c20d51b1319226100ea77a6c751300ab7cab4b869beda3e7d71d3ef0c9e3c07f03699a6db67
SHA1 hash: 6c503ebf7803fd2aae05c58a392cec2274f774ed
MD5 hash: fe1b658db35d7c3418a0270b7143314e
humanhash: vegan-ohio-eleven-minnesota
File name:hr.msi
Download: download sample
Signature ValleyRAT
File size:6'327'808 bytes
First seen:2025-12-27 17:10:28 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:poSTy8wkVMhhJqUUnZSlEL2flLjHS7qrMumgiJ/377pOjfJZTqQ2hKy7zaPO:pWvqQWqfNWgkRq4vhlv
TLSH T128560221B283C036D26E0177E969EF5E1978BE730B3105D777E87D6E49B08C2A275B06
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter smica83
Tags:msi ValleyRAT

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
95.40.120.43:553 https://threatfox.abuse.ch/ioc/1687257/

Intelligence


File Origin
# of uploads :
1
# of downloads :
68
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
MSI
Details
MSI
an embedded setup program or component
Verdict:
Malicious
Score:
97.4%
Tags:
shellcode virus
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug base64 cmd expired-cert fingerprint installer lolbin msiexec packed short-lived-cert wix
Verdict:
Clean
File Type:
msi
First seen:
2025-12-27T21:28:00Z UTC
Last seen:
2025-12-27T21:47:00Z UTC
Hits:
~10
Result
Threat name:
ValleyRAT
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Contains functionality to capture and log keystrokes
Detected VMProtect packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Found evasive API chain (may stop execution after checking mutex)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Unusual module load detection (module proxying)
Yara detected ValleyRAT
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1840343 Sample: hr.msi Startdate: 27/12/2025 Architecture: WINDOWS Score: 100 41 yandi9988.com 2->41 63 Suricata IDS alerts for network traffic 2->63 65 Multi AV Scanner detection for dropped file 2->65 67 Yara detected ValleyRAT 2->67 69 4 other signatures 2->69 9 msiexec.exe 15 44 2->9         started        13 msiexec.exe 2 2->13         started        15 steam.exe 2->15         started        signatures3 process4 file5 31 C:\Windows\Installer\MSID42B.tmp, PE32 9->31 dropped 33 C:\Windows\Installer\MSID2C3.tmp, PE32 9->33 dropped 35 C:\Windows\Installer\MSID226.tmp, PE32 9->35 dropped 37 7 other malicious files 9->37 dropped 71 Drops executables to the windows directory (C:\Windows) and starts them 9->71 17 steam.exe 1 9->17         started        21 MSID42B.tmp 2 16 9->21         started        23 msiexec.exe 2 9->23         started        73 Drops PE files to the user root directory 13->73 signatures6 process7 dnsIp8 39 yandi9988.com 95.40.120.43, 49730, 49735, 49737 PLUSNETPlusnetworkoperatorinPolandPL Poland 17->39 55 Found evasive API chain (may stop execution after checking mutex) 17->55 57 Contains functionality to capture and log keystrokes 17->57 59 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 17->59 61 2 other signatures 17->61 25 chrome.exe 2 21->25         started        signatures9 process10 dnsIp11 43 192.168.2.5, 138, 443, 49675 unknown unknown 25->43 45 192.168.2.13 unknown unknown 25->45 47 3 other IPs or domains 25->47 28 chrome.exe 25->28         started        process12 dnsIp13 49 www.google.com 74.125.136.99, 443, 49713 GOOGLEUS United States 28->49 51 www.huorong.cn 59.110.161.133, 443, 49700, 49702 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd China 28->51 53 3 other IPs or domains 28->53
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
CAB:COMPRESSION:MSZIP Executable Office Document PDB Path PE (Portable Executable) PE File Layout SVG
Threat name:
Binary.Trojan.Generic
Status:
Suspicious
First seen:
2025-12-26 23:41:17 UTC
File Type:
Binary (Archive)
Extracted files:
85
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Result
Malware family:
valleyrat_s2
Score:
  10/10
Tags:
family:valleyrat_s2 backdoor discovery persistence privilege_escalation ransomware vmprotect
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
VMProtect packed file
Detects ValleyRAT payload
ValleyRat
Valleyrat_s2 family
Gathering data
Malware family:
ValleyRAT
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_MSI_LATAM_Banker_From_LatAm
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments