MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab2c1d636c9c1e6cdecb92cd50da666897a06ea4d4b159d1f9bd8cb95221a500. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab2c1d636c9c1e6cdecb92cd50da666897a06ea4d4b159d1f9bd8cb95221a500
SHA3-384 hash: e98c4ac5200a139884f2293ad187cb5354b4fc155cea8ad811cf806e0883d638e53904d8c0eb6744a403be308f4261f3
SHA1 hash: 2063ffbae67ee2702d413203d5660ce500a8a072
MD5 hash: 8fe5a248b4e13ac0525db9872a0317fd
humanhash: lithium-solar-bacon-oregon
File name:Secur32.dll
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:28'313'176 bytes
First seen:2026-03-16 03:24:31 UTC
Last seen:2026-03-16 04:24:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 246e6d913901a6bb8e7bb9dbb5f8e945 (1 x ValleyRAT)
ssdeep 393216:X3fc4aVvEhOgHv3fB+FDhxnj/iOUQ2AVpatHMA5euFeo+ejy9ueivErV30kdO5g3:nf+KOEvJDSpaiAokZdy9qMrVkkA5rDVu
Threatray 2 similar samples on MalwareBazaar
TLSH T1A0572314BABA0068D437FF753EDCA8A9CCEB2D111745949711950B9BDA23AC0DE3B93C
TrID 37.0% (.EXE) Win64 Executable (generic) (6522/11/2)
28.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.5% (.EXE) OS/2 Executable (generic) (2029/13)
11.3% (.EXE) Generic Win/DOS Executable (2002/3)
11.3% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe upx-dec ValleyRAT


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 c98ae9a9f437ac322a231da751ee94b0ce5d6d199330cdd6a31c324747d2760f
File size (compressed) :28'182'616 bytes
File size (de-compressed) :28'313'176 bytes
Format:win64/pe
Packed file: c98ae9a9f437ac322a231da751ee94b0ce5d6d199330cdd6a31c324747d2760f

Intelligence

File Origin
# of uploads :
2
# of downloads :
174
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
ValleyFall
Details
Link:
https://research.acce.ciphertechsolutions.com/results/0dc54289-314c-498b-aea7-3de050dbd574/
Malware family:
n/a
ID:
1
File name:
_ab2c1d636c9c1e6cdecb92cd50da666897a06ea4d4b159d1f9bd8cb95221a500.dll
Verdict:
Malicious activity
Analysis date:
2026-03-16 03:25:53 UTC
Tags:
evasion uac valleyrat rat silverfox winos
Link:
https://app.any.run/tasks/a48c09c0-795f-49ba-ad9e-35294d9a52cd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
WinosStager
Create hunting rule
Link:
https://www.capesandbox.com/analysis/57595/
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69b7782893b644ca466a7788
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Creating a file
Loading a system driver
Setting a prohibition to launch some applications
Sending a custom TCP request
Running batch commands
Сreating synchronization primitives
Creating a window
Using the Windows Management Instrumentation requests
Forced shutdown of a system process
Firewall traversal
Prohibiting to launch files
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm base64 cmd evasive evasive exploit explorer fingerprint lolbin masquerade microsoft_visual_cc obfuscated
Link:
https://www.filescan.io/uploads/69b77821ab95f82184f667c2/reports/b69ecff7-bf6b-438d-aad4-73eb4484bc7f/overview
Verdict:
Malicious
Labled as:
Agent.Generic
Link:
https://www.hybrid-analysis.com/sample/ab2c1d636c9c1e6cdecb92cd50da666897a06ea4d4b159d1f9bd8cb95221a500
Verdict:
Malicious
File Type:
dll x64
Detections:
Rootkit.Win64.Agent.gsr Trojan.Win64.Kryplod.sb Backdoor.Win32.Agent.sb Backdoor.Agent.TCP.C&C Trojan.Win32.Inject.sb HEUR:HackTool.Win64.UACme.gen Backdoor.Win32.Xkcp.a Backdoor.Xkcp.TCP.ServerRequest Trojan-Dropper.Win32.Agent.sb Trojan.Win32.Agent.sb VHO:Rootkit.Win64.Agent.gsr
Link:
https://opentip.kaspersky.com/ab2c1d636c9c1e6cdecb92cd50da666897a06ea4d4b159d1f9bd8cb95221a500/results?tab=lookup
Result
Threat name:
Metasploit
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1884050
Signature
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: RunDLL32 Spawning Explorer
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected MetasploitPayload
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1884050 Sample: Secur32.dll.exe Startdate: 16/03/2026 Architecture: WINDOWS Score: 92 65 ip-api.com 2->65 67 google.com 2->67 75 Suricata IDS alerts for network traffic 2->75 77 Multi AV Scanner detection for dropped file 2->77 79 Multi AV Scanner detection for submitted file 2->79 81 4 other signatures 2->81 9 loaddll64.exe 1 1 2->9         started        11 explorer.exe 2->11         started        13 explorer.exe 2->13         started        15 3 other processes 2->15 signatures3 process4 process5 17 rundll32.exe 1 9->17         started        20 cmd.exe 1 9->20         started        22 rundll32.exe 1 9->22         started        31 3 other processes 9->31 25 setup.exe 11->25         started        27 setup.exe 13->27         started        29 setup.exe 15->29         started        dnsIp6 71 System process connects to network (likely due to code injection or exploit) 17->71 33 explorer.exe 17->33         started        35 rundll32.exe 1 1 20->35         started        69 ip-api.com 208.95.112.1, 49716, 49717, 49720 TUT-ASUS United States 22->69 38 explorer.exe 22->38         started        73 Multi AV Scanner detection for dropped file 25->73 40 ComputerDefaults.exe 25->40         started        42 winver.exe 25->42         started        44 ComputerDefaults.exe 27->44         started        46 winver.exe 27->46         started        50 2 other processes 29->50 48 explorer.exe 31->48         started        signatures7 process8 file9 61 C:\Users\user\AppData\Local\Temp\setup.exe, PE32+ 35->61 dropped 52 explorer.exe 35->52         started        54 setup.exe 2 40->54         started        57 setup.exe 44->57         started        59 setup.exe 50->59         started        process10 file11 63 C:\ProgramDatabehaviorgrapholden\Run_09406496.exe, PE32+ 54->63 dropped
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ab2c1d636c9c1e6cdecb92cd50da666897a06ea4d4b159d1f9bd8cb95221a500
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/8fe5a248b4e13ac0525db9872a0317fd
Gathering data
Verdict:
Malicious
Threat:
Family.VALLEYRAT
Link:
https://tip.neiki.dev/file/ab2c1d636c9c1e6cdecb92cd50da666897a06ea4d4b159d1f9bd8cb95221a500
Threat name:
Win64.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-03-16 03:25:33 UTC
File Type:
PE+ (Dll)
Extracted files:
33
AV detection:
10 of 36 (27.78%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vmwb2y3mtqpgzxwlslgvbwtgncl2a3ve2syvtupzxwglsurbuuaa._file
Verdict:
malicious
Label(s):
valleyrat
Create hunting rule
Similar samples:
ab2c1d636c9c1e6cdecb92cd50da666897a06ea4d4b159d1f9bd8cb95221a500
ValleyRAT
c98ae9a9f437ac322a231da751ee94b0ce5d6d199330cdd6a31c324747d2760f
ValleyRAT
error
ValleyRAT
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/260316-dysy3sbt3y/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Executes dropped EXE
Badlisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ab2c1d636c9c1e6cdecb92cd50da666897a06ea4d4b159d1f9bd8cb95221a500

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:WinosStager
Create hunting rule
Author:YungBinary
Description:https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign

File information

The table below shows additional information about this malware sample such as delivery method and external references.

ValleyRAT

Executable exe c98ae9a9f437ac322a231da751ee94b0ce5d6d199330cdd6a31c324747d2760f

ValleyRAT

Executable exe ab2c1d636c9c1e6cdecb92cd50da666897a06ea4d4b159d1f9bd8cb95221a500

(this sample)

  
Dropped by
SHA256 c98ae9a9f437ac322a231da751ee94b0ce5d6d199330cdd6a31c324747d2760f
Cape
Cape
https://www.capesandbox.com/analysis/57595/
  
Dropped by
MD5 6a2e5ff514d338b5696d7a86389fc7d9

Comments