MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ed07094af649eb6fc760be4ebb05cf5fbaf8b36762a6bd85c10ccb03ef9a1b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 18


Intelligence 18 IOCs 1 YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ed07094af649eb6fc760be4ebb05cf5fbaf8b36762a6bd85c10ccb03ef9a1b4
SHA3-384 hash: 1757902d69842932c1a3947b08a8b93875082eee5f24d7462eedf5fe80cb5333d1ac52bf24c984ba6d83a3a876218497
SHA1 hash: a419c841c71c07518b8fd767b144d8b0fc7eb9d0
MD5 hash: 14fdaebcdca24aa7140ddf66e0fcb67c
humanhash: floor-nebraska-apart-twelve
File name:14fdaebcdca24aa7140ddf66e0fcb67c.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:865'280 bytes
First seen:2025-12-23 18:15:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 21e92f5a5c455f5b897bdcf7710f239f (1 x ValleyRAT)
ssdeep 24576:pNfwHXWNNOJiHDVjh1JOfldcw8B9RO7zn:A3WNEJo/Oflx
Threatray 66 similar samples on MalwareBazaar
TLSH T10405AD1335C9BCB1E4B211356B7A4BE5CB2DEC200B22C9CF53D4259A9A386C37A317D6
TrID 53.9% (.EXE) UPX compressed Win64 Executable (70117/5/12)
20.8% (.EXE) UPX compressed Win32 Executable (27066/9/6)
8.1% (.EXE) Win64 Executable (generic) (10522/11/4)
5.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter abuse_ch
Tags:exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
206.238.144.163:23051

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
206.238.144.163:23051 https://threatfox.abuse.ch/ioc/1684896/

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
ValleyFall
Details
Link:
https://research.acce.ciphertechsolutions.com/results/6cf67a28-b013-496b-b3e2-f1acf056850d/
Malware family:
n/a
ID:
1
File name:
_9ed07094af649eb6fc760be4ebb05cf5fbaf8b36762a6bd85c10ccb03ef9a1b4.exe
Verdict:
Malicious activity
Analysis date:
2025-12-23 18:17:37 UTC
Tags:
upx
Link:
https://app.any.run/tasks/15e7bb0a-a1f6-4d07-940d-01789a1273b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
WinosStager
Create hunting rule
Link:
https://www.capesandbox.com/analysis/45922/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=694adc42038f10550b552621
Tags:
dropper emotet virus sage
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug base64 cmd explorer fingerprint lolbin microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/694adc41e126b9ff438ec0e2/reports/cbe753a2-0c7f-4b48-8687-a0d7315cbb8d/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/9ed07094af649eb6fc760be4ebb05cf5fbaf8b36762a6bd85c10ccb03ef9a1b4
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-19T11:47:00Z UTC
Last seen:
2025-12-21T10:13:00Z UTC
Hits:
~10
Detections:
Trojan-Spy.Win32.Stealer.sb Trojan.Win32.DrvInst.gv HEUR:Backdoor.Win32.Xkcp.gen Backdoor.Win32.Xkcp.a PDM:Trojan.Win32.Generic Backdoor.Xkcp.TCP.ServerRequest Backdoor.Agent.TCP.C&C
Link:
https://opentip.kaspersky.com/9ed07094af649eb6fc760be4ebb05cf5fbaf8b36762a6bd85c10ccb03ef9a1b4/results?tab=lookup
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5e0c3ff0-e5e9-48ef-a99c-4d73a507543b
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1838378
Signature
Connects to many ports of the same IP (likely port scanning)
Drops executable to a common third party application directory
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1838378 Sample: vIxFzEvZFT.exe Startdate: 23/12/2025 Architecture: WINDOWS Score: 92 67 Suricata IDS alerts for network traffic 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 Yara detected ValleyRAT 2->71 73 2 other signatures 2->73 10 vIxFzEvZFT.exe 4 2->10         started        14 vIxFzEvZFT52993977.exe 1 2->14         started        process3 file4 53 C:\ProgramData\Mozilla\vIxFzEvZFT.exe, PE32 10->53 dropped 55 C:\...\vIxFzEvZFT.exe:Zone.Identifier, ASCII 10->55 dropped 83 Drops executable to a common third party application directory 10->83 16 cmd.exe 1 10->16         started        18 conhost.exe 10->18         started        20 conhost.exe 14->20         started        signatures5 process6 process7 22 vIxFzEvZFT.exe 1 4 16->22         started        file8 47 C:\ProgramData\...\vIxFzEvZFT52993977.exe, PE32 22->47 dropped 49 C:\ProgramData\Mozilla\DeConhost.exe, PE32+ 22->49 dropped 75 Multi AV Scanner detection for dropped file 22->75 77 Drops executable to a common third party application directory 22->77 26 cmd.exe 1 22->26         started        28 cmd.exe 1 22->28         started        30 conhost.exe 22->30         started        signatures9 process10 process11 32 vIxFzEvZFT52993977.exe 10 2 26->32         started        36 DeConhost.exe 2 1 28->36         started        dnsIp12 57 206.238.144.163, 23051, 49681, 49682 COGENT-174US United States 32->57 59 Multi AV Scanner detection for dropped file 32->59 61 Unusual module load detection (module proxying) 32->61 39 DeConhost.exe 1 32->39         started        43 conhost.exe 32->43         started        45 C:\ProgramData\Mozilla\CookiesDrvYOM21.sys, PE32+ 36->45 dropped 63 Sample is not signed and drops a device driver 36->63 65 Drops executable to a common third party application directory 36->65 file13 signatures14 process15 file16 51 C:\ProgramData\Mozilla\CookiesDrv75G0Y.sys, PE32+ 39->51 dropped 79 Sample is not signed and drops a device driver 39->79 81 Drops executable to a common third party application directory 39->81 signatures17
Score:
73%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9ed07094af649eb6fc760be4ebb05cf5fbaf8b36762a6bd85c10ccb03ef9a1b4
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/14fdaebcdca24aa7140ddf66e0fcb67c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9ed07094af649eb6fc760be4ebb05cf5fbaf8b36762a6bd85c10ccb03ef9a1b4/
Verdict:
Malicious
Threat:
Family.VALLEYRAT
Link:
https://tip.neiki.dev/file/9ed07094af649eb6fc760be4ebb05cf5fbaf8b36762a6bd85c10ccb03ef9a1b4
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-12-21 13:55:32 UTC
File Type:
PE (Exe)
Extracted files:
89
AV detection:
19 of 36 (52.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t3ihbffpmspln7dwbpsoxmc46x527czwoyvgxwc4cdglapxzug2a._file
Verdict:
malicious
Label(s):
valleyrat
Create hunting rule
Similar samples:
090e18571bea63326ed56b61a157f8438f41a299c2dcc11ae5fc94d26418fe0d
ValleyRAT
323d104d40becaddc05d2c48a53b685ead32c3cfb88aa11f0307d0a0e5e250d2
ValleyRAT
3afa1d4d51f28ed901f77025aec67c94bdc54f09d88a82293d3a62112049c4e7
ValleyRAT
686bb5ee371733ab7908c2f3ea1ee76791080f3a4e61afe8b97c2a57fbc2efac
ValleyRAT
914ebc28c270eeeada23da31fd6554acdc91322c1478feb19d0c5e0c0ef2562e
ValleyRAT
ac9c44a3f4bedb921c58d0182f24777f035d60f338e265a08ca18097529d1040
ValleyRAT
c9aca0cf9b1edcab4813ee44d52297f5d525343afe807b950e1bd998870a9a0f
ValleyRAT
error
ValleyRAT
f82642748a408a33da205c657ddc9bb41f720d09e19b22ca3165d347361ee99e
ValleyRAT
fae6dc998bb8a42b608d9a01e8a8e1ce38cb922e36a232190f9491707026cd70
ValleyRAT
+ 56 additional samples on MalwareBazaar
Gathering data
Verdict:
Malicious
Tags:
ProcessKiller
YARA:
n/a
Link:
https://app.threat.zone/submission/a9f66278-b28e-42ec-af17-ea5ef0017876
Unpacked files
SH256 hash:
9ed07094af649eb6fc760be4ebb05cf5fbaf8b36762a6bd85c10ccb03ef9a1b4
MD5 hash:
14fdaebcdca24aa7140ddf66e0fcb67c
SHA1 hash:
a419c841c71c07518b8fd767b144d8b0fc7eb9d0
Link:
https://www.unpac.me/results/2a2551b0-e1e4-45fd-95b7-144946e84491/
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9ed07094af64/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9ed07094af649eb6fc760be4ebb05cf5fbaf8b36762a6bd85c10ccb03ef9a1b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:GenericGh0st
Create hunting rule
Author:Still
Rule name:Gh0stKCP
Create hunting rule
Author:Netresec
Description:Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference:https://netresec.com/?b=259a5af
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:Windows_Generic_Threat_4b0b73ce
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Winos_464b8a2e
Create hunting rule
Author:Elastic Security
Rule name:win_valley_rat_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.valley_rat.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/45922/

Comments