MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9cafa338cf8d4d3f02dc4fa56a69437c76ad6594c7d9e12b0f5a106c0ab9e55c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9cafa338cf8d4d3f02dc4fa56a69437c76ad6594c7d9e12b0f5a106c0ab9e55c
SHA3-384 hash: 87dc7869e182168369632ebe7e8d5b37b57df56742faca958b4bf2b21404734a1134b4b4008a3b5d7f74d77e63575029
SHA1 hash: 87c76c5872461993c31786fd5d0ed20baa5be97b
MD5 hash: fb1c6ad40c38704b1912a5c44e016575
humanhash: neptune-arizona-zebra-cat
File name:idman642build40.msi
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:93'942'272 bytes
First seen:2025-06-07 15:34:44 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 1572864:SmfOvZjcbyFOzN4My7UINb70U3Ds4yAteQsyGNXCOgqBL1Oq31DH41Pj4YS:5fIZIbAOBby7Uk70Uzs4PhGzF1zlD8fS
TLSH T12F283321F2336998D52F67BFE0645FD940306DE0B31BD66BB3787FA549B498221B2843
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter GDHJDSYDH1
Tags:backdoor dllHijack injector msi SilverFox ValleyRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
US US
Vendor Threat Intelligence
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68445cda8bd5d68a12e6509d
Tags:
cobalt emotet
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
adaptive-context base64 cmd expired-cert fingerprint lolbin remote wix
Link:
https://www.filescan.io/uploads/68445c74fd02ed5e059d4b5e/reports/a2457861-54c7-462c-bb01-ecd3383b255e/overview
Verdict:
Suspicious
Labled as:
TR/Agent_AGeneric.osjnr
Link:
https://www.hybrid-analysis.com/sample/9cafa338cf8d4d3f02dc4fa56a69437c76ad6594c7d9e12b0f5a106c0ab9e55c
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/9cafa338cf8d4d3f02dc4fa56a69437c76ad6594c7d9e12b0f5a106c0ab9e55c
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
70 / 100
Link:
https://www.joesandbox.com/analysis/1708969
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Drops password protected ZIP file
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sets debug register (to hijack the execution of another thread)
Sigma detected: Potentially Suspicious Malware Callback Communication
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1708969 Sample: idman642build40.msi Startdate: 07/06/2025 Architecture: WINDOWS Score: 70 86 www.wshifen.com 2->86 88 www.baidu.com 2->88 90 www.a.shifen.com 2->90 104 Suricata IDS alerts for network traffic 2->104 106 Malicious sample detected (through community Yara rule) 2->106 108 Multi AV Scanner detection for dropped file 2->108 110 5 other signatures 2->110 10 msiexec.exe 18 70 2->10         started        13 idman642build40.exe 190 2->13         started        15 msiexec.exe 12 2->15         started        17 2 other processes 2->17 signatures3 process4 file5 60 C:\Windows\Installer\MSI70AB.tmp, PE32+ 10->60 dropped 62 C:\Windows\Installer\MSI4534.tmp, PE32 10->62 dropped 64 C:\Windows\Installer\MSI44E5.tmp, PE32 10->64 dropped 74 5 other files (3 malicious) 10->74 dropped 19 msiexec.exe 8 20 10->19         started        23 msiexec.exe 10->23         started        25 msiexec.exe 10->25         started        66 C:\Users\user\AppData\Local\Temp\...\IDM1.tmp, data 13->66 dropped 27 IDM1.tmp 10 205 13->27         started        68 C:\Users\user\AppData\Local\Temp\MSIFBC.tmp, PE32 15->68 dropped 70 C:\Users\user\AppData\Local\...\MSIBD29.tmp, PE32 15->70 dropped 72 C:\Users\user\AppData\Local\...\MSI1232.tmp, PE32 15->72 dropped 76 4 other malicious files 15->76 dropped process6 dnsIp7 92 www.wshifen.com 103.235.46.102, 443, 49691, 49692 BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd Hong Kong 19->92 42 C:\Users\user\plsamc26330171\vstdlib.dll, PE32+ 19->42 dropped 44 C:\Users\user\...\vcruntime140_1.dll, PE32+ 19->44 dropped 46 C:\Users\user\plsamc26330171\tier0.dll, PE32+ 19->46 dropped 54 3 other malicious files 19->54 dropped 30 749ju.exe 3 9 19->30         started        48 C:\Program Files (x86)\...\idmwfpAA.sys, data 27->48 dropped 50 C:\Program Files (x86)\...\idmwfp64.sys, data 27->50 dropped 52 C:\Program Files (x86)\...\idmwfp32.sys, data 27->52 dropped 56 2 other malicious files 27->56 dropped 116 Sample is not signed and drops a device driver 27->116 file8 signatures9 process10 file11 78 C:\Users\user\AppData\...\vcruntime140_1.dll, PE32+ 30->78 dropped 80 C:\Users\user\AppData\...\preorbital.exe, PE32+ 30->80 dropped 82 C:\Users\user\AppData\...\libcares-2.dll, PE32+ 30->82 dropped 84 2 other malicious files 30->84 dropped 118 Injects code into the Windows Explorer (explorer.exe) 30->118 120 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 30->120 122 Writes to foreign memory regions 30->122 124 2 other signatures 30->124 34 explorer.exe 22 10 30->34 injected signatures12 process13 signatures14 96 Creates an undocumented autostart registry key 34->96 98 Injects code into the Windows Explorer (explorer.exe) 34->98 100 Contains functionality to inject code into remote processes 34->100 102 2 other signatures 34->102 37 explorer.exe 2 1 34->37         started        process15 dnsIp16 94 1.32.255.9, 4433, 49694 BCPL-SGBGPNETGlobalASNSG Singapore 37->94 58 C:\ProgramData\kernelquick.sys, data 37->58 dropped 112 System process connects to network (likely due to code injection or exploit) 37->112 114 Sample is not signed and drops a device driver 37->114 file17 signatures18
Score:
29%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/9cafa338cf8d4d3f02dc4fa56a69437c76ad6594c7d9e12b0f5a106c0ab9e55c
Gathering data
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-06-07 02:42:48 UTC
File Type:
Binary (Archive)
Extracted files:
50568
AV detection:
6 of 38 (15.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tsx2gogprvgt6aw4j6swu2kdpr3k2zmuy7m6ckypliigycvz4voa._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery persistence privilege_escalation
Link:
https://tria.ge/reports/250607-s13cvsbr5w/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Loads dropped DLL
Enumerates connected drives
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/875ab8f9-8ca7-4e40-8f86-8bea1e6d3d23
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9cafa338cf8d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ValleyRAT

Microsoft Software Installer (MSI) msi 9cafa338cf8d4d3f02dc4fa56a69437c76ad6594c7d9e12b0f5a106c0ab9e55c

(this sample)

ValleyRAT

zip 352dd4b560292372b0cae1f8c30be8dcb47ec0cf93ae946e23cc8a3b2c0b0f65

  
Link
https://tria.ge/250607-sffncssygz
  
Delivery method
Distributed via web download
  
Dropping
SHA256 352dd4b560292372b0cae1f8c30be8dcb47ec0cf93ae946e23cc8a3b2c0b0f65
  
Dropping
MD5 8d2b9ef3afb94897ff2066a8b154f934
  
Dropping
SHA256 9562035061eeb239e715beffe44fdfa3dadd75ad6532f533fc42570c47b27e68
  
Dropping
MD5 4f6f17dcfcbcc63e5b60572e010230fa

Comments