MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a883329d0e8615dbdae8a266e64a1fe0278b561c6eb257087689dc79eb8358c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a883329d0e8615dbdae8a266e64a1fe0278b561c6eb257087689dc79eb8358c9
SHA3-384 hash: d8ea245930840afd7983aa093217e8bbd3a71ec6ea072027cb25ada3a0bce78c33b225124d55cd0cf9ed57b308bbfafc
SHA1 hash: a509440a9a8aac800639cb02c993196e32822fe7
MD5 hash: c7b5e6108be7af7c93582382b799fe53
humanhash: seven-orange-ink-oklahoma
File name:C7B5E6108BE7AF7C93582382B799FE53.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:89'474'246 bytes
First seen:2025-07-16 14:10:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 85ab324a26a79adec77a3fcbbe46e5a1 (18 x ValleyRAT)
ssdeep 1572864:M0sDBSiKV0sM17SGx9GRkT8dPXlgOv4cYKFZ9Mcbfv3O+MkSFL2zJ+SS27/MhqY1:M0sDBG0NlSGWZXVF9ZVb++8gUJ27eZ1
Threatray 57 similar samples on MalwareBazaar
TLSH T15618330ECBE8230AEAF478716BE7876D16A46F420E750F2F7D35B7561E603C9A15108E
TrID 52.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.EXE) Win32 Executable (generic) (4504/4/1)
4.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 6064f0c8ecfc4004 (4 x ValleyRAT, 2 x GenesisStealer, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
118.107.43.154:4030

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
118.107.43.154:4030 https://threatfox.abuse.ch/ioc/1557549/

Intelligence

File Origin
# of uploads :
1
# of downloads :
47
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
C7B5E6108BE7AF7C93582382B799FE53.exe
Verdict:
Malicious activity
Analysis date:
2025-07-16 14:13:32 UTC
Tags:
upx
Link:
https://app.any.run/tasks/f0092168-8cde-40da-b5f2-4a476ef9cf87

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6877b3012f623871a5ef0a33
Tags:
malware
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypt installer invalid-signature microsoft_visual_cc obfuscated overlay packed packed packed packer_detected signed upx xpack
Link:
https://www.filescan.io/uploads/6877b2eb8a7d628a81b262ec/reports/57c896a8-73dd-4270-8355-66ad77b516c8/overview
Verdict:
Malicious
Labled as:
Backdoor_Win32_Xkcp_aqh
Link:
https://www.hybrid-analysis.com/sample/a883329d0e8615dbdae8a266e64a1fe0278b561c6eb257087689dc79eb8358c9
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1738127
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Contains functionality to infect the boot sector
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Potential Renamed Rundll32 Execution
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1738127 Sample: P0DtLgRVvU.exe Startdate: 16/07/2025 Architecture: WINDOWS Score: 100 83 Suricata IDS alerts for network traffic 2->83 85 Found malware configuration 2->85 87 Antivirus detection for dropped file 2->87 89 8 other signatures 2->89 9 P0DtLgRVvU.exe 35 2->9         started        12 regsvr32.exe 2->12         started        14 svchost.exe 2->14         started        process3 dnsIp4 55 C:\Users\user\AppData\Roaming\...\intel.dll, PE32 9->55 dropped 57 C:\Users\user\AppData\Local\chrmstp.exe, PE32 9->57 dropped 59 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 9->59 dropped 61 3 other malicious files 9->61 dropped 17 chrmstp.exe 9->17         started        20 cmd.exe 1 9->20         started        22 cmd.exe 1 9->22         started        24 regsvr32.exe 12->24         started        67 127.0.0.1 unknown unknown 14->67 file5 process6 signatures7 69 Multi AV Scanner detection for dropped file 17->69 71 Contains functionality to infect the boot sector 17->71 73 Injects code into the Windows Explorer (explorer.exe) 17->73 26 explorer.exe 93 4 17->26 injected 30 rundll32.exe 3 2 20->30         started        32 conhost.exe 20->32         started        75 Adds a directory exclusion to Windows Defender 22->75 34 powershell.exe 23 22->34         started        36 conhost.exe 22->36         started        77 System process connects to network (likely due to code injection or exploit) 24->77 79 Writes to foreign memory regions 24->79 81 Allocates memory in foreign processes 24->81 38 cmd.exe 24->38         started        process8 dnsIp9 65 204.79.197.203, 443, 80 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->65 93 Creates a thread in another existing process (thread injection) 26->93 40 UserAccountBroker.exe 1 26->40         started        95 Injects code into the Windows Explorer (explorer.exe) 30->95 97 Writes to foreign memory regions 30->97 99 Allocates memory in foreign processes 30->99 43 cmd.exe 1 30->43         started        101 Loading BitLocker PowerShell Module 34->101 103 Adds a directory exclusion to Windows Defender 38->103 46 powershell.exe 38->46         started        48 conhost.exe 38->48         started        signatures10 process11 dnsIp12 63 118.107.43.154, 18852, 4030, 4031 BCPL-SGBGPNETGlobalASNSG Singapore 40->63 105 Adds a directory exclusion to Windows Defender 43->105 50 powershell.exe 43->50         started        53 conhost.exe 43->53         started        107 Loading BitLocker PowerShell Module 46->107 signatures13 process14 signatures15 91 Loading BitLocker PowerShell Module 50->91
Score:
93%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a883329d0e8615dbdae8a266e64a1fe0278b561c6eb257087689dc79eb8358c9
Gathering data
Verdict:
Malicious
Threat:
trojan.xkcp
Link:
https://tip.neiki.dev/file/a883329d0e8615dbdae8a266e64a1fe0278b561c6eb257087689dc79eb8358c9
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-07-04 14:39:40 UTC
File Type:
PE (Exe)
AV detection:
12 of 37 (32.43%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vcbtfhioqyk5xwxiujtomsq74atywvq4n2zfocdwrhoht24dldeq._file
Verdict:
malicious
Label(s):
winos
Create hunting rule
Similar samples:
39fc79efad9b778c9eff391be78e449586590989f227cc8b2fc20d37889f3178
ValleyRAT
5cdff7f64983d581e2ead986ec68272c80f5ba3160d2d5115860cfc6bfe8b3b9
ValleyRAT
7d5ab586d7767bed71b824c104848a449b23ed77da7f3b245875c1291aad2dfc
ValleyRAT
95b8c9613c3e09443e3e846aa1886bf071db4f23f2ef928ae8cf21ba422007ce
ValleyRAT
9c54f6cdf47ed1d27d9a815f000280a02cefa34ba6796f763bb5b6adf2131334
ValleyRAT
9d4811eacddb9a74b1114467ecd10029332cdc400a38df2a397dc450d03ff3ac
ValleyRAT
a252ed81b2a0b15073603841afbd9ebd6cb16843fe62b0f5db7d9ad248dbfb32
ValleyRAT
a883329d0e8615dbdae8a266e64a1fe0278b561c6eb257087689dc79eb8358c9
ValleyRAT
error
ValleyRAT
+ 47 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery installer upx
Link:
https://tria.ge/reports/250716-rg5s7svps3/
Behaviour
Enumerates physical storage devices
System Location Discovery: System Language Discovery
UPX packed file
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2ae35780-1e0e-4e67-affa-86d489aabb9a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXv20MarkusLaszloReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System ShellSHELL32.dll::SHGetFileInfoW
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA

Comments