MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a329c8db66a6182a8e51eb241c503fa1c8df7e4bff4ceeec2ea3ef29b73d55b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 2 File information Comments

SHA256 hash: a329c8db66a6182a8e51eb241c503fa1c8df7e4bff4ceeec2ea3ef29b73d55b3
SHA3-384 hash: fdba55376a33400aa58fbb5cbe20dac69d9cac19605adbc21e8d4c1ed8ef844ee2d8dfb776650ff15cdf5bf5c2ea1e3f
SHA1 hash: 2c9f490c3bccae8871d7e31da9323d901985f82e
MD5 hash: e42d5ee4de7ac1b19db665eae0bd721b
humanhash: johnny-seven-moon-coffee
File name:1301202616181.png.ps1
Download: download sample
Signature ValleyRAT
File size:287 bytes
First seen:2026-01-13 16:55:20 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 6:8SjfPWSBlAfd55iSgD3Lh8JJwoAKItCKMFMLEwwgZ/iSKI7xzi0roa:8cRud58bbG3wbt/MGEwrck7o08a
TLSH T14AD0C22901570610C856C247ACB309CD828AE5E0EC0A7D2DF5AC9AC03202B633DDC108
Magika powershell
Reporter abuse_ch
Tags:ps1 RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
154.36.161.242:12111

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
154.36.161.242:12111 https://threatfox.abuse.ch/ioc/1731609/

Intelligence


File Origin
# of uploads :
1
# of downloads :
121
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
99.1%
Tags:
emotet trojan shell agent
Verdict:
Malicious
File Type:
unix shell
First seen:
2026-01-12T01:41:00Z UTC
Last seen:
2026-01-13T13:36:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Generic Backdoor.Xkcp.TCP.ServerRequest Backdoor.Agent.HTTP.C&C Trojan-Downloader.PowerShell.Agent.sb Trojan-Downloader.Agent.HTTP.C&C Backdoor.Agent.TCP.C&C Trojan.Win32.DLLhijack.adil NetTool.PowerShellUA.HTTP.C&C NetTool.PowerShellGet.HTTP.C&C
Result
Threat name:
ValleyRAT
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
AI detected malicious Powershell script
Found evasive API chain (may stop execution after checking mutex)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Powershell drops PE file
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected Powershell download and execute
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Gathering data
Threat name:
Text.Malware.Boxter
Status:
Malicious
First seen:
2026-01-12 03:25:15 UTC
File Type:
Text (PowerShell)
AV detection:
3 of 36 (8.33%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
valleyrat
Similar samples:
Result
Malware family:
valleyrat_s2
Score:
  10/10
Tags:
family:valleyrat_s2 backdoor discovery execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Downloads MZ/PE file
Detects ValleyRAT payload
ValleyRat
Valleyrat_s2 family
Malware Config
C2 Extraction:
154.36.161.242:12111
154.36.161.242:12222
154.36.161.242:12333
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments