MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a43b37ad2fc0b91d1c2a008a0794e40ac45cf58e2d23098937bb30f5773b52ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT

Vendor detections: 17

SHA256 hash: a43b37ad2fc0b91d1c2a008a0794e40ac45cf58e2d23098937bb30f5773b52ab
SHA3-384 hash: a16a97e93f9b987c7c98bdc0b8ae99bada70361dfebeb584d7af888235d6419b3e17fb9afa2638f3d7721446971c611c
SHA1 hash: 4c71685f49cab4da7f354d2f821b0ed152945fe9
MD5 hash: 3253d8a12e29cc65ed890ba6a01aceb6
humanhash: foxtrot-september-july-yankee
File name: 3253d8a12e29cc65ed890ba6a01aceb6.exe
Signature: ValleyRAT
File size: 3'158'016 bytes
First seen: 2025-03-05 22:10:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 73fcaffcf80955c503a71b9af9fbbb68 (1 x ValleyRAT)
ssdeep: 49152:2VtOhYlG4EWxActYT62tQyZFEfCEY17yEpg34d0xqPjsb+biuNwx2BESMm:2DOhYlG4NUtQVC97BARssb+bTNwxAESZ
TLSH: T14CE51211B6D3C0F2D616193004A6E736CE35BE424639DFC7A769DE791C33282A72F25A
TrID: 63.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
      11.6% (.EXE) Win64 Executable (generic) (10522/11/4)
      7.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      5.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      4.9% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: 6ccc94f0f0d4ccc4 (1 x ValleyRAT)
Reporter: abuse_ch
Tags: 45-204-194-212 exe ValleyRAT


abuse_ch
ValleyRAT C2:
45.204.194.212:4212

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
45.204.194.212:4212 | https://threatfox.abuse.ch/ioc/1441697/

Intelligence


File Origin
# of uploads: 1
# of downloads: 449
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a43b37ad2fc0b91d1c2a008a0794e40ac45cf58e2d23098937bb30f5773b52ab
Verdict: Malicious activity
Analysis date: 2025-03-02 08:10:17 UTC
Tags: silverfox backdoor valleyrat winos rat arch-exec arch-doc

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: flystudio autorun emotet farfli

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file
Delayed reading of the file
Creating a process from a recently created file
Creating a process with a hidden window
Launching cmd.exe command interpreter
Enabling the 'hidden' option for recently created files
Creating synchronization primitives
Connection attempt
Forced shutdown of a system process
Blocking the User Account Control
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context farfli fingerprint iceid keylogger krypt microsoft_visual_cc obfuscated packed packed packer_detected

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: GhostRat, ValleyRAT
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates an autostart registry key pointing to binary in C:\Windows
Deletes itself after installation
Disables UAC (registry)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Drops PE files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Sigma detected: Execution from Suspicious Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected GhostRat
Yara detected ValleyRAT
Behaviour
Behavior Graph (ID 1630476; sample cIcErFnPhZ.exe; start date 05/03/2025; architecture WINDOWS; score 100). The graph image is not reproduced here; the node and edge labels recovered from it are listed below.

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for dropped file; 8 other signatures.

Processes started at the root: cIcErFnPhZ.exe, abccxse.exe, GFIRestart32.exe, 3 other processes.

cIcErFnPhZ.exe:
  dropped C:\Users\Public\PfSfvxLe\abccxse.exe (PE32)
  dropped C:\Users\Public\PfSfvxLe\ImageMagik.dll (PE32)
  dropped C:\Users\user\Desktop\tem.vbs (ASCII)
  signatures: Disables UAC (registry); Tries to detect virtualization through RDTSC time measurements
  started abccxse.exe, wscript.exe

abccxse.exe (root-started instance):
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  started cmd.exe (3 instances)

GFIRestart32.exe: started conhost.exe
3 other processes: started conhost.exe (2 instances)

abccxse.exe (started by cIcErFnPhZ.exe):
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes; Potentially malicious time measurement code found
  started cmd.exe (3 instances)

wscript.exe: Deletes itself after installation

cmd.exe (first child of abccxse.exe):
  network: 45.204.194.212 port 4212 (local ports 49733, 49734), ITACE-AS-APItaceInternationalLimitedHK, Seychelles
  signatures: Contains functionality to inject threads in other processes; Contains functionality to capture and log keystrokes; Drops PE files to the startup folder; 2 other signatures
  started cmd.exe, which started conhost.exe

cmd.exe (second child of abccxse.exe):
  dropped C:\Users\user\AppData\...GFIRestart32.exe (PE32)
  signature: Creates an autostart registry key pointing to binary in C:\Windows
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2025-03-02 08:10:18 UTC
File Type: PE (Exe)
Extracted files: 45
AV detection: 22 of 38 (57.89%)
Threat level: 5/5
Verdict: malicious
Label(s):
Similar samples:
Result
Malware family: valleyrat_s2
Score: 10/10
Tags: family:valleyrat_s2 backdoor defense_evasion discovery persistence trojan
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Enumerates connected drives
Checks computer location settings
Deletes itself
Drops startup file
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
UAC bypass
ValleyRat
Valleyrat_s2 family
Malware Config
C2 Extraction: 45.204.194.212:4212
Verdict: Malicious
Tags: trojan
YARA: Windows_Generic_Threat_bc6ae28d
Unpacked files
SHA256 hash: a43b37ad2fc0b91d1c2a008a0794e40ac45cf58e2d23098937bb30f5773b52ab
MD5 hash: 3253d8a12e29cc65ed890ba6a01aceb6
SHA1 hash: 4c71685f49cab4da7f354d2f821b0ed152945fe9

SHA256 hash: 82091d4ff7e1556511faa8fe2be484bed540e02d0b08dca499860c1a60769d5f
MD5 hash: f4961742a61b22bca4926553764a830c
SHA1 hash: 2fb2bfe48b37ba642edfb5071fbe72721acaf0e4

SHA256 hash: ce9b54f237443bb6fffa8b93eb70f155cf90c0dc7153faac75cdf8fa5c056b65
MD5 hash: b96ba84e837fdf94a0754a41596f55ea
SHA1 hash: af7ab6b570c4381c7189ae8a74bd5aaff1944a67

SHA256 hash: 68cd7605a7085950c2effd8ca9cd492082844c2576bbdf0944e93697ab79bd00
MD5 hash: 524daf9326d601706ee5fac8053ac88f
SHA1 hash: befcd6e2b2f99a18f564f3ed86971c617ef90918

SHA256 hash: 053188ca88e0b4b7de0e1753e4ce5f837ea0e5a74e661ecb529b94cb5507bf67
MD5 hash: 6c4a0e6fe86ae5cf391fd56e7dff3acb
SHA1 hash: 3cb81ca094a020e55d0817d2f6ac85927f6fc7f5

Detections: win_valley_rat_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: Hacktools_CN_Panda_andrew
Author: Florian Roth
Description: Disclosed hacktool set - file andrew.exe - sethc.exe Debugger backdoor

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: meth_peb_parsing
Author: Willi Ballenthin

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: ValleyRAT
Author: NDA0E
Description: Detects ValleyRAT

Rule name: Windows_Generic_Threat_4b0b73ce
Author: Elastic Security

Rule name: Windows_Generic_Threat_bc6ae28d
Author: Elastic Security

Rule name: win_valley_rat_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.valley_rat.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following tables provide more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high
CHECK_TRUST_INFO | Requires Elevated Execution (level:requireAdministrator) | high

Reviews
ID | Capabilities | Evidence
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance
MULTIMEDIA_API | Can Play Multimedia | WINMM.dll::midiOutPrepareHeader, WINMM.dll::midiOutReset, WINMM.dll::midiOutUnprepareHeader, WINMM.dll::midiStreamClose, WINMM.dll::midiStreamOpen, WINMM.dll::midiStreamOut
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteA
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessA, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetVolumeInformationA, KERNEL32.dll::GetStartupInfoA, KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WinExec, KERNEL32.dll::WriteConsoleA, KERNEL32.dll::WriteConsoleW, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleOutputCP, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryA, KERNEL32.dll::CreateFileA, KERNEL32.dll::GetWindowsDirectoryA, KERNEL32.dll::GetSystemDirectoryA, KERNEL32.dll::GetFileAttributesA, KERNEL32.dll::FindFirstFileA
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyA, ADVAPI32.dll::RegCreateKeyExA, ADVAPI32.dll::RegOpenKeyExA, ADVAPI32.dll::RegQueryValueA, ADVAPI32.dll::RegSetValueExA
WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuA, USER32.dll::CreateMenu, USER32.dll::EmptyClipboard, USER32.dll::OpenClipboard, USER32.dll::PeekMessageA, USER32.dll::CreateWindowExA

Comments