MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a04d211654135eed7774e2547ac2a8e1d37ed94440a78a07b8417888d7206adb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT

Vendor detections: 8



SHA256 hash: a04d211654135eed7774e2547ac2a8e1d37ed94440a78a07b8417888d7206adb
SHA3-384 hash: 94e1028e7700aebb3c7d26131b9654264627c697957d416bf927fb3a283afffa5eb20cb851df6060eef0ec04ad3dd19b
SHA1 hash: 22c91915df4b4ee739fb8285beb156b0f73be855
MD5 hash: 00992abb769475dc07597d8e6a900907
humanhash: cup-fillet-harry-freddie
File name: xf2sp044eb.zip
Signature: ValleyRAT
File size: 876'462 bytes
First seen: 2025-06-07 18:05:42 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 24576:BhtMMO2cb0qEhJSrkCerSorUDbZKmS/Jq:BzMLYrSrdH878
TLSH: T1E91533FECB5CAA65481427B92F7F244DA285D0385E7D81E12DEEB9CBCC6854347129CC
Magika: zip
Reporter: GDHJDSYDH1
Tags: backdoor dllHijack SilverFox ValleyRAT zip

Intelligence

File Origin
# of uploads: 1
# of downloads: 118
Origin country: US
File Archive Information

This file archive contains 8 file(s), sorted by their relevance:

File name: ImageRestoreLib8.dll
File size: 13'312 bytes
SHA256 hash: 6feeb95115d7d8a51403996fee1ad219a52151662d3a01a2d17cfb77dbd51f3b
MD5 hash: 37aa892a6f35bcbe9b01f0a424f5d4f6
MIME type: application/x-dosexec
Signature: ValleyRAT

File name: FourierTransformLib8.dll
File size: 22'016 bytes
SHA256 hash: 9bd52ec7e7750500de33df995fcc7e68ed1da70d125579cf76ae8f787577ef75
MD5 hash: da08e194f9a7045dbb19f6e5d5d7f609
MIME type: application/x-dosexec
Signature: ValleyRAT

File name: wavelet_3_8.dll
File size: 36'864 bytes
SHA256 hash: 2514913f8a6f4671a058304651289b0babe47d81c044212b3140ed1c1b643b09
MD5 hash: f0284892937a97caa61afcd3b6ddb6d4
MIME type: application/x-dosexec
Signature: ValleyRAT

File name: _8
File size: 523'711 bytes
SHA256 hash: 0a856c9a1d7e73d18aeda57d4d63da1f2d814d99e7456f885faa7b7bdd300848
MD5 hash: a8e9d63f62baccca457074e75a1fb004
MIME type: text/plain
Signature: ValleyRAT

File name: WsTaskLoad.exe
File size: 1'002'224 bytes
SHA256 hash: 4fcf6394b14e24d830b04209a0ede1dcc911d199740a55d12c8ab8aeabb84073
MD5 hash: 8e945aaf7128bb3db83e51f3c2356637
MIME type: application/x-dosexec
Signature: ValleyRAT

File name: WS_Log.dll
File size: 204'800 bytes
SHA256 hash: ed2c6bc3e77a404b8cf61176844ad19c1fdcae19881206631e3f0831a4bd919a
MD5 hash: 078c21b8c91b86999427aa349cf5decf
MIME type: application/x-dosexec
Signature: ValleyRAT

File name: dll1.dll
File size: 140'800 bytes
SHA256 hash: 1bfc8846c40fd97b3a6f1420c715fa03a53726c5f583b1918e3aeb1348ca1623
MD5 hash: 5f3ffdcf4931a970a4959cb3ed9df393
MIME type: application/x-dosexec
Signature: ValleyRAT

File name: libcef.dll
File size: 73'728 bytes
SHA256 hash: ce5ca2d486882d70edd74af8a6db179edebab36f1fdf062eea954ba5b10fdeb7
MD5 hash: 52dd9a560f8723b34cfb08cccc503e1a
MIME type: application/x-dosexec
Signature: ValleyRAT
Vendor Threat Intelligence

Verdict: Malicious
Score: 93.3%
Tags: virus madi

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm base64 evasive fingerprint microsoft_visual_cc

Result: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: Win32.Downloader.Upatre
Status: Malicious
First seen: 2025-06-07 18:00:01 UTC
File Type: Binary (Archive)
Extracted files: 37
AV detection: 18 of 24 (75.00%)
Threat level: 3/5
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Armadillov1xxv2xx
Author: malware-lu

Rule name: botnet_plaintext_c2
Author: cip
Description: Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: pe_detect_tls_callbacks

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu

Rule name: upx_largefile
Author: k3nr9

Rule name: win_samsam_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: win_upx_packed
Author: Reedus0
Description: Rule for detecting UPX packed malware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via drive-by)
Signature: ValleyRAT
Sample: zip a04d211654135eed7774e2547ac2a8e1d37ed94440a78a07b8417888d7206adb (this sample)
