MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9fe5a6bcc4c0aa78ba696cfae414d60b9a022384f2cd663978276ef8763cae90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9fe5a6bcc4c0aa78ba696cfae414d60b9a022384f2cd663978276ef8763cae90
SHA3-384 hash: 95caebb39e1cc94528f119e5630158a9443bc7673221956d3c581cd54b2686c03cfd211483e28b83af6c63fdb32e8f6c
SHA1 hash: 9069c4f2327e48a24cb04af50ed88bc496c8332c
MD5 hash: 8cb2393ce8207493aa2de29510652e09
humanhash: queen-item-hotel-rugby
File name:8CB2393CE8207493AA2DE29510652E09.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:26'394'112 bytes
First seen:2026-01-06 07:15:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c220098faa84d4d9bcb744d4c28ee792 (1 x ValleyRAT)
ssdeep 786432:JejHQSRFhuwwXYsFC0pPPn8dIL0qd8XmXvn:8P3OXYsFCQH8dXg8Xyn
TLSH T100473394FBC5C064EC59F6B1093674FC31793CFD0AA88E3966827CD9E9772A4633250A
TrID 37.3% (.EXE) Win64 Executable (generic) (10522/11/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
103.85.225.40:8000

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
103.85.225.40:8000 https://threatfox.abuse.ch/ioc/1691944/

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
NL NL
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/0d0859bb-025a-4c1f-a677-d6f94745db57/
Malware family:
n/a
ID:
1
File name:
8CB2393CE8207493AA2DE29510652E09.exe
Verdict:
Malicious activity
Analysis date:
2026-01-06 07:15:44 UTC
Tags:
payload silverfox backdoor valleyrat rat winos
Link:
https://app.any.run/tasks/eefe5ec3-f137-496a-bdfd-bc4c7a28c461

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47805/
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=695cb698d2357cccc3dfe151
Tags:
malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Sending a custom TCP request
Creating a process with a hidden window
Loading a suspicious library
Creating a file in the %temp% subdirectories
Creating a window
Сreating synchronization primitives
Connection attempt
Creating a file
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
installer installer installer-heuristic nsis packed unsafe valleyrat
Link:
https://www.filescan.io/uploads/695cb690db1b3f0505be509b/reports/2f7c0644-c645-4b19-ab6d-d33667bdece9/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/9fe5a6bcc4c0aa78ba696cfae414d60b9a022384f2cd663978276ef8763cae90
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-03T06:34:00Z UTC
Last seen:
2026-01-08T00:56:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.Yephiler.sb Trojan.Win32.DLLhijack.sb Trojan.Win32.DLLhijack.acdj Trojan-Spy.Win32.Xegumumune.sbc Backdoor.Xkcp.TCP.ServerRequest Backdoor.Win32.Xkcp.byi Backdoor.Agent.TCP.C&C
Link:
https://opentip.kaspersky.com/9fe5a6bcc4c0aa78ba696cfae414d60b9a022384f2cd663978276ef8763cae90/results?tab=lookup
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
82 / 100
Link:
https://www.joesandbox.com/analysis/1845325
Signature
Accesses sensitive object manager directories (likely to detect virtual machines)
Antivirus / Scanner detection for submitted sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the DNS server
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Performs a network lookup / discovery via ARP
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queues an APC in another process (thread injection)
Sample is not signed and drops a device driver
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1845325 Sample: JUmXaBxu3A.exe Startdate: 06/01/2026 Architecture: WINDOWS Score: 82 119 yandex.com 2->119 121 www.yandex.com 2->121 123 7 other IPs or domains 2->123 135 Suricata IDS alerts for network traffic 2->135 137 Found malware configuration 2->137 139 Antivirus / Scanner detection for submitted sample 2->139 141 9 other signatures 2->141 11 JUmXaBxu3A.exe 7 2->11         started        15 Crash.exe 2 2 2->15         started        18 svchost.exe 2->18         started        20 12 other processes 2->20 signatures3 process4 dnsIp5 107 C:\Users\user\AppData\...\letsvpn-latest.exe, PE32 11->107 dropped 109 C:\Users\user\AppData\Roaming\...\Crash.exe, PE32 11->109 dropped 111 C:\Users\user\AppData\Roaming\Crash\qr.dll, PE32+ 11->111 dropped 113 C:\Users\user\AppData\Roaming\...\libcurl.dll, PE32 11->113 dropped 165 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->165 167 Switches to a custom stack to bypass stack traces 11->167 169 Found direct / indirect Syscall (likely to bypass EDR) 11->169 22 letsvpn-latest.exe 10 304 11->22         started        26 rundll32.exe 11->26         started        131 103.85.225.40, 49718, 49725, 49726 BSYNTCL-AS-APBeijingShijihulianYuntongNetworkTechnology China 15->131 171 Queues an APC in another process (thread injection) 15->171 28 drvinst.exe 18->28         started        30 drvinst.exe 18->30         started        133 127.0.0.1 unknown unknown 20->133 173 Changes security center settings (notifications, updates, antivirus, firewall) 20->173 175 Modifies the DNS server 20->175 32 MpCmdRun.exe 20->32         started        34 LetsPRO.exe 20->34         started        file6 signatures7 process8 file9 91 C:\Program Files (x86)\...\tapinstall.exe, PE32+ 22->91 dropped 93 C:\Program Files (x86)\...\tap0901.sys, PE32+ 22->93 dropped 95 C:\Program Files (x86)\...\LetsPRO.exe, PE32 22->95 dropped 105 223 other files (2 malicious) 22->105 dropped 157 Bypasses PowerShell execution policy 22->157 159 Modifies the windows firewall 22->159 161 Sample is not signed and drops a device driver 22->161 36 LetsPRO.exe 22->36         started        38 cmd.exe 22->38         started        41 powershell.exe 23 22->41         started        47 8 other processes 22->47 43 rundll32.exe 1 26->43         started        97 C:\Windows\System32\...\tap0901.sys (copy), PE32+ 28->97 dropped 99 C:\Windows\System32\drivers\SETADC9.tmp, PE32+ 28->99 dropped 163 Accesses sensitive object manager directories (likely to detect virtual machines) 28->163 101 C:\Windows\System32\...\tap0901.sys (copy), PE32+ 30->101 dropped 103 C:\Windows\System32\...\SETA1B5.tmp, PE32+ 30->103 dropped 45 conhost.exe 32->45         started        signatures10 process11 file12 50 LetsPRO.exe 36->50         started        149 Uses netsh to modify the Windows network and firewall settings 38->149 151 Uses ipconfig to lookup or modify the Windows network settings 38->151 153 Performs a network lookup / discovery via ARP 38->153 54 conhost.exe 38->54         started        56 netsh.exe 38->56         started        155 Loading BitLocker PowerShell Module 41->155 58 conhost.exe 41->58         started        115 C:\Users\user\AppData\...\tap0901.sys (copy), PE32+ 47->115 dropped 117 C:\Users\user\AppData\Local\...\SET9F73.tmp, PE32+ 47->117 dropped 60 conhost.exe 47->60         started        62 conhost.exe 47->62         started        64 conhost.exe 47->64         started        66 9 other processes 47->66 signatures13 process14 dnsIp15 125 119.29.29.29, 49732, 53 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN China 50->125 127 23.98.101.63, 443, 49742, 49756 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 50->127 129 9 other IPs or domains 50->129 143 Loading BitLocker PowerShell Module 50->143 68 cmd.exe 50->68         started        71 WMIC.exe 50->71         started        73 cmd.exe 50->73         started        75 cmd.exe 50->75         started        signatures16 process17 signatures18 145 Performs a network lookup / discovery via ARP 68->145 77 conhost.exe 68->77         started        79 ARP.EXE 68->79         started        147 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 71->147 81 conhost.exe 71->81         started        83 conhost.exe 73->83         started        85 ipconfig.exe 73->85         started        87 conhost.exe 75->87         started        89 ROUTE.EXE 75->89         started        process19
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9fe5a6bcc4c0aa78ba696cfae414d60b9a022384f2cd663978276ef8763cae90
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/8cb2393ce8207493aa2de29510652e09
Gathering data
Verdict:
Malicious
Threat:
Family.VALLEYRAT
Link:
https://tip.neiki.dev/file/9fe5a6bcc4c0aa78ba696cfae414d60b9a022384f2cd663978276ef8763cae90
Threat name:
Win32.Backdoor.Valleyrat
Create hunting rule
Status:
Malicious
First seen:
2026-01-03 11:14:31 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
17 of 37 (45.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t7s2npgeycvhrotjnt5oifgwbonaei4e6lgwmolye5xpq5r4v2ia._file
Result
Malware family:
valleyrat_s2
Create hunting rule
Score:
  10/10
Tags:
family:valleyrat_s2 backdoor defense_evasion discovery execution persistence privilege_escalation spyware trojan
Link:
https://tria.ge/reports/260106-h4e2maes7f/
Behaviour
Checks SCSI registry key(s)
Gathers network information
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Network Service Discovery
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Drops file in Drivers directory
Modifies Windows Firewall
Detects ValleyRAT payload
ValleyRat
Valleyrat_s2 family
Malware Config
C2 Extraction:
103.85.225.40:8000
127.0.0.1:80
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/62592c7f-2f01-425f-b6d6-65b03dea5936
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9fe5a6bcc4c0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9fe5a6bcc4c0aa78ba696cfae414d60b9a022384f2cd663978276ef8763cae90

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:GenericGh0st
Create hunting rule
Author:Still
Rule name:Gh0stKCP
Create hunting rule
Author:Netresec
Description:Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference:https://netresec.com/?b=259a5af
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Generic_Threat_4b0b73ce
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Winos_464b8a2e
Create hunting rule
Author:Elastic Security
Rule name:win_valley_rat_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.valley_rat.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/47805/

Comments