MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5dd2750e61244f975ecefad9ef22ee7524368fc2520a6cd6cf83e112fb3ccba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5dd2750e61244f975ecefad9ef22ee7524368fc2520a6cd6cf83e112fb3ccba
SHA3-384 hash: bdb13db852b9d6f11d6c5230eb152f9575d6d2ace41dcef1024abf010b6da29f9f4cf89e4a340bb5c1738dcac58fa4ca
SHA1 hash: 9272ecd42b28182c47b7376c590d4c8b8b7fd790
MD5 hash: 371c5012232b478c8c4f658f5b320dac
humanhash: fish-low-venus-fruit
File name:a-software85659013.msi
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:8'347'648 bytes
First seen:2026-06-26 02:41:29 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:+Mi8ZQGetd/xM6O7IhP2x9lJVMfo00ET4C6sEwgbz0M:ZdQPkDtrZXET4CDEnt
Threatray 51 similar samples on MalwareBazaar
TLSH T1A5863385BBCA48B9C04FCF76C59B075C30187FC08A694D2776D9770C6EB262859B638B
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter GDHJDSYDH1
Tags:backdoor dropper Gh0stRAT injector msi SilverFox ValleyRAT


Avatar
GDHJDSYDH1
C2:
39.103.20.119
118.178.60.63
47.86.205.97

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
TW TW
Vendor Threat Intelligence
Malware configuration found for:
MSI
Details
Link:
https://research.acce.ciphertechsolutions.com/results/a0f97958-9d20-4958-ad2b-3755d8ff8139/
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72009/
Detection(s):
SecuriteInfo.com.FileRepMalware.57456745.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a3de4fb86bc95245bf98dfd
Tags:
shellcode spawn hype
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bankingtrojan CAB emotet installer installer overlay packed packed persistence wix
Link:
https://www.filescan.io/uploads/6a3de7155da5501723c28000/reports/f14dc410-1f7d-43c8-b078-41247d8b15e9/overview
Verdict:
Malicious
Labled as:
W64/ABTrojan.IMLH
Link:
https://www.hybrid-analysis.com/sample/a5dd2750e61244f975ecefad9ef22ee7524368fc2520a6cd6cf83e112fb3ccba
Verdict:
Malicious
File Type:
msi
First seen:
2026-06-25T23:37:00Z UTC
Last seen:
2026-06-25T23:40:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Agent.sba HEUR:Trojan.Win32.DLLhijack.pefng HEUR:Trojan.Win32.DLLhijack.pef Trojan-Banker.Win32.Emotet.goym HEUR:Trojan-Banker.Win32.Emotet.gen HackTool.Multi.AmsiETWPatch.sb
Link:
https://opentip.kaspersky.com/a5dd2750e61244f975ecefad9ef22ee7524368fc2520a6cd6cf83e112fb3ccba/results?tab=lookup
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
CAB:COMPRESSION:LZX Executable Office Document PE (Portable Executable) PE File Layout
Link:
https://app.malva.re/file/371c5012232b478c8c4f658f5b320dac
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a5dd2750e61244f975ecefad9ef22ee7524368fc2520a6cd6cf83e112fb3ccba/
Verdict:
Malicious
Threat:
Trojan-Banker.Win32.Emotet
Link:
https://tip.neiki.dev/file/a5dd2750e61244f975ecefad9ef22ee7524368fc2520a6cd6cf83e112fb3ccba
Threat name:
Win64.Trojan.Emotet
Create hunting rule
Status:
Suspicious
First seen:
2026-06-25 19:31:51 UTC
File Type:
Binary (Archive)
Extracted files:
3
AV detection:
16 of 36 (44.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uxosouhgcjcps5pm56wz54ro45jeg2h4euqkntlm7a7bcl5tzs5a._file
Verdict:
malicious
Label(s):
swordldr
Create hunting rule
Similar samples:
0ecd4eed4e6933a51dbedfb4927b330135e0df7957e4e1eb6c6cee939a5bdec4
ValleyRAT
1516ab566efef411a809b5220ef748c79ee0199e2340b3576168204b59443bae
ValleyRAT
28ad8bea01712d33febdb547e2602d6097e22aad29b35d40059c7ae2f2e05f03
ValleyRAT
542ed599e59e79c0cc6d6add506b993f00b0bd818bc4d4efb86cf0a4d32a4417
ValleyRAT
6f01bc9e92bbf3271bd6e1b113d96a424144cb8fc4584d7f9a2ebff55f49af6a
ValleyRAT
75720cb361eb1ec010439450d71b05809ff7e07d0a72d811ff330e4b3838e8d6
ValleyRAT
c1d77b03a2d57f4ef9670a7569a77b662196cb10c74e303a04626afc49fcfb0d
ValleyRAT
d56867554012ff1dbff99de2d1646f006db083396179f5128152eda36d598c7b
ValleyRAT
efdf5db823eaea4ed3482b497f47663ebbc3294ecf2b99b977293055905be31f
ValleyRAT
error
ValleyRAT
+ 41 additional samples on MalwareBazaar
Malware family:
CobaltStrike
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a5dd2750e612/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Backdoor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a5dd2750e61244f975ecefad9ef22ee7524368fc2520a6cd6cf83e112fb3ccba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ValleyRAT

Microsoft Software Installer (MSI) msi a5dd2750e61244f975ecefad9ef22ee7524368fc2520a6cd6cf83e112fb3ccba

(this sample)

anyrun
any.run
https://app.any.run/tasks/409f9d2d-cc1b-4775-a77b-c8520821f1e4
  
Link
https://s.threatbook.com/report/file/a5dd2750e61244f975ecefad9ef22ee7524368fc2520a6cd6cf83e112fb3ccba
  
Link
https://tria.ge/260626-c14ypagw7s
  
Link
https://sandbox.ti.qianxin.com/sandbox/page/detail?type=file&id=AZ8Bxyo9ONZSmF3-tcxU
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/72009/

Comments