MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7cc50fef60f2db424d171c34140abec446daaecb10814b2d2d8a669b7c77419. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT

Vendor detections: 14

SHA256 hash: a7cc50fef60f2db424d171c34140abec446daaecb10814b2d2d8a669b7c77419
SHA3-384 hash: b49eed88d7e16f09ebc2616d39d2f8b545e6f61f4da82bd4303e69693b1388b59320ddc9a52db3eb1ac3095dad1cde7e
SHA1 hash: a2919ef2e6634598c472375376d0fe38d0e938c1
MD5 hash: dd1a40abeacdcdef8db863b261a4208a
humanhash: orange-alabama-kentucky-table
File name: 2026.exe
Signature: ValleyRAT
File size: 2'631'168 bytes
First seen: 2026-03-20 06:20:58 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b9660b6e40d534ce29db960102519907 (1 x ValleyRAT)
ssdeep: 49152:md+GuI2h3BlxrwHvyun/ggS76zvJO5WImt0XDR6KG4VqYq:qf5OxlxrwPX/gL7kBO5WIw0XDR6Pkt
TLSH: T110C5E03BF28B613EE06A1A397972A210953B7A2165164C1797ECF48CCF261701E3F797
TrID:
  29.3% (.EXE) InstallShield setup (43053/19/16)
  28.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
  21.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  4.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.4% (.EXE) Win64 Executable (generic) (6522/11/2)
Magika: pebin
Reporter: abuse_ch
Tags: exe RAT ValleyRAT


abuse_ch
ValleyRAT C2:
23.248.202.170:6666

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 23.248.202.170:6666
ThreatFox Reference: https://threatfox.abuse.ch/ioc/1771828/

Intelligence


File Origin
# of uploads: 1
# of downloads: 169
Origin country: NL
Vendor Threat Intelligence
No detections
Malware family: n/a
ID: 1
File name: 2026.exe
Verdict: Suspicious activity
Analysis date: 2026-03-20 06:02:17 UTC
Tags: delphi inno installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 81.4%
Tags: virus
Result
Verdict: Clean
Maliciousness:
Behaviour
DNS request
Running batch commands
Creating a process with a hidden window
Creating a window
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug cmd lolbin microsoft_visual_cc packed soft-404 unsafe
Result
Threat name: ValleyRAT
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after checking mutex)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Yara detected ValleyRAT
Behaviour
Behavior Graph (ID: 1886716, Sample: 2026.exe, Startdate: 20/03/2026, Architecture: WINDOWS, Score: 96)
Sample-level signatures: Suricata IDS alerts for network traffic; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 3 other signatures
Process tree reconstructed from the graph:
  2026.exe (started)
    dropped: C:\public\MyApp_Silent.exe (PE32)
    cmd.exe (started)
      MyApp_Silent.exe (started)
        dropped: C:\Users\user\AppData\...\MyApp_Silent.tmp (PE32); signature: Multi AV Scanner detection for dropped file
        MyApp_Silent.tmp (started)
          dropped: C:\public\run.exe (copy) (PE32+); C:\public\is-V9V58C5QEB.tmp (PE32); C:\public\is-OX960OE2FM.tmp (PE32); 4 other malicious files
          run.exe (started)
            conhost.exe (started)
      conhost.exe (started)
  Wps.exe (started)
    network: 23.248.202.170, ports 49726, 6666 (CNSERVERSUS, United States)
    signatures: Found evasive API chain (may stop execution after checking mutex); Contains functionality to inject code into remote processes; Unusual module load detection (module proxying)
Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2026-03-20 06:02:20 UTC
File Type: PE+ (Exe)
Extracted files: 2
AV detection: 17 of 38 (44.74%)
Threat level: 5/5
Verdict: malicious
Label(s): shellcode_loader_008
Similar samples:
Result
Malware family: valleyrat_s2
Score: 10/10
Tags: family:valleyrat_s2 backdoor discovery installer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
System Location Discovery: System Language Discovery
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Detects ValleyRAT payload
ValleyRat
Valleyrat_s2 family
Unpacked files
SHA256 hash: a7cc50fef60f2db424d171c34140abec446daaecb10814b2d2d8a669b7c77419
MD5 hash: dd1a40abeacdcdef8db863b261a4208a
SHA1 hash: a2919ef2e6634598c472375376d0fe38d0e938c1
SHA256 hash: 4467a3f4987e1b7bfba6f3ab436635504331547b853946b69a9cc4db1c571a6c
MD5 hash: 0cc5d6bb0b4919548e11d8d1a0e59fa7
SHA1 hash: 970f0103734b9d40317448b032262b91dda803da
Malware family: ValleyRAT
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Borland
Author: malware-lu
Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants
Rule name: suspicious_PEs
Author: txc
Description: This rule detects suspicious PE files based on high entropy and a low number of imported DLLs. This behaviour indicates packed files, or files that hide their true intention.
Rule name: TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author: CYFARE
Description: Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference: https://cyfare.net/

File information


The table below shows additional information about this malware sample such as delivery method and external references.
