MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b363a303ff19c9371c0a23ebc45b642e05cd9985837b1bdda6d6c3e581d340c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 8



SHA256 hash: b363a303ff19c9371c0a23ebc45b642e05cd9985837b1bdda6d6c3e581d340c5
SHA3-384 hash: 8e75ffeb4f735eecf209e79b760d132c1b77d445d419c91a68a213ce2da46da313acce8d19d4d8b746c785294e8c876a
SHA1 hash: 2c04462953bd7f1661fee70e8abd4d3559957a9a
MD5 hash: b43cb01ef063e5cf1365fe577ea8e9a4
humanhash: item-asparagus-vegan-maine
File name: aliww_win7-11_v1770095297.20619.msi
Signature: ValleyRAT
File size: 92'632'064 bytes
First seen: 2026-02-04 12:27:16 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep 1572864:laNpLLDdipDcDGAkn1H0MjcyEHNqSQUEd3gzu2assmZMjIODhPtp7D4VhA8oAR:Y3xi5cxy1H07yEtQjazu27TMjZd7EVhZ
TLSH T191183333324D8B3FD58BB875A666AA4E0912FC4A833240C7C38EEC67D1759D354B99D2
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter smica83
Tags:msi signed ValleyRAT WinosStager

Code Signing Certificate

Organisation: Google LLC
Issuer: Google LLC
Algorithm: sha256WithRSAEncryption
Valid from: 2025-08-28T11:46:19Z
Valid to: 2026-08-28T11:46:19Z
Serial number: 1eb36dcadb2c3fa843ab38a40094a2d5
Thumbprint algorithm: SHA256
Thumbprint: 6fdbddf2305823a949c2c1bbfbf6a5e18c75ca580c14571e63a59924f1f04384
Source: ReversingLabs A1000 Malware Analysis Platform

Note that the issuer carries the same name as the subject organisation rather than a public CA, so the certificate is self-issued (or chained to a private CA of the same name) and merely borrows Google's name; the "signed" tag on this entry does not imply a trusted chain. The validity window listed here also contains the first-seen date, which is at odds with the "expired-cert" vendor tag in the Intelligence section below, so verify the signature on the sample itself rather than relying on either field.

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 23.133.4.99:5555
ThreatFox reference: https://threatfox.abuse.ch/ioc/1626824/
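One way to put the indicators from this entry to work in triage, as an added example that is not code from MalwareBazaar, ReversingLabs or the sample's authors: compute a file's hashes and compare them with the hashes above, flag a code-signing certificate whose issuer equals its subject (the pattern on this entry) or whose thumbprint or serial matches the one listed, and scan a connection log for the ThreatFox C2 endpoint. The hashes, certificate fields, validity window and C2 address are copied from the entry; the SignerInfo structure, the log line format and the connection log are assumptions constructed for the demonstration.

```python
"""Triage helpers built around the indicators in this MalwareBazaar entry.

Added example. Hashes, certificate fields and the C2 endpoint are copied
from the entry; the file contents, SignerInfo layout and connection log
below are constructed for the demonstration.
"""
import hashlib
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

# Indicators copied from the entry.
SAMPLE_HASHES = {
    "sha256": "b363a303ff19c9371c0a23ebc45b642e05cd9985837b1bdda6d6c3e581d340c5",
    "sha1": "2c04462953bd7f1661fee70e8abd4d3559957a9a",
    "md5": "b43cb01ef063e5cf1365fe577ea8e9a4",
}
C2_ENDPOINTS = {("23.133.4.99", 5555)}  # ThreatFox IOC 1626824
CERT_THUMBPRINT_SHA256 = "6fdbddf2305823a949c2c1bbfbf6a5e18c75ca580c14571e63a59924f1f04384"
CERT_SERIAL = "1eb36dcadb2c3fa843ab38a40094a2d5"
FIRST_SEEN = datetime(2026, 2, 4, 12, 27, 16, tzinfo=timezone.utc)


def file_hashes(data: bytes) -> dict[str, str]:
    """SHA256/SHA1/MD5 of a file's bytes, keyed like SAMPLE_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in SAMPLE_HASHES}


def matches_known_sample(data: bytes) -> list[str]:
    """Hash algorithms under which `data` equals the sample in this entry."""
    computed = file_hashes(data)
    return [alg for alg, digest in computed.items() if digest == SAMPLE_HASHES[alg]]


@dataclass
class SignerInfo:
    """Fields pulled from an Authenticode signer certificate (assumed layout)."""
    subject_org: str
    issuer: str
    not_before: datetime
    not_after: datetime
    thumbprint_sha256: str
    serial: str


def assess_signer(cert: SignerInfo, observed_at: datetime) -> list[str]:
    """Findings that make a 'signed' tag worth less than it sounds."""
    findings = []
    if cert.issuer.strip().lower() == cert.subject_org.strip().lower():
        findings.append("issuer equals subject organisation: self-issued, no public CA chain")
    if not (cert.not_before <= observed_at <= cert.not_after):
        findings.append("observed outside the certificate validity window")
    if cert.thumbprint_sha256.lower() == CERT_THUMBPRINT_SHA256:
        findings.append("thumbprint matches the certificate on this ValleyRAT sample")
    elif cert.serial.lower().lstrip("0") == CERT_SERIAL.lstrip("0"):
        findings.append("serial matches the certificate on this ValleyRAT sample")
    return findings


def find_c2_connections(log_lines: list[str]) -> list[str]:
    """Return log lines whose destination is a C2 endpoint from this entry.

    Assumed (constructed) line format: '<ts> <src_ip>:<port> -> <dst_ip>:<port>'.
    Malformed lines are skipped rather than raising.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "->":
            continue
        dst_ip, _, dst_port = parts[3].rpartition(":")
        try:
            ipaddress.ip_address(dst_ip)
            port = int(dst_port)
        except ValueError:
            continue
        if (dst_ip, port) in C2_ENDPOINTS:
            hits.append(line)
    return hits


# The certificate exactly as listed on this entry.
ENTRY_CERT = SignerInfo(
    subject_org="Google LLC",
    issuer="Google LLC",
    not_before=datetime(2025, 8, 28, 11, 46, 19, tzinfo=timezone.utc),
    not_after=datetime(2026, 8, 28, 11, 46, 19, tzinfo=timezone.utc),
    thumbprint_sha256=CERT_THUMBPRINT_SHA256,
    serial=CERT_SERIAL,
)

# Constructed connection log (RFC 5737 addresses for the benign lines);
# only the second line points at the listed C2 on its listed port.
SAMPLE_LOG = [
    "2026-02-04T12:30:01Z 10.0.0.15:50112 -> 203.0.113.10:443",
    "2026-02-04T12:30:07Z 10.0.0.15:50118 -> 23.133.4.99:5555",
    "2026-02-04T12:30:09Z 10.0.0.15:50119 -> 23.133.4.99:443",
    "garbage line without the expected shape",
]

if __name__ == "__main__":
    print("hash matches:", matches_known_sample(b"not the real installer"))
    for finding in assess_signer(ENTRY_CERT, FIRST_SEEN):
        print("cert:", finding)
    for line in find_c2_connections(SAMPLE_LOG):
        print("c2:", line)
```

The hash match is exact by design; ssdeep and TLSH similarity lookups belong in a separate tool. The certificate check deliberately reports the issuer-equals-subject condition independently of the thumbprint, because a fresh self-issued "Google LLC" certificate on the next build would carry a new thumbprint and serial while the naming trick stays the same.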

Intelligence


File Origin
# of uploads: 1
# of downloads: 64
Origin country: HU
Vendor Threat Intelligence

Result
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-debug anti-vm base64 cmd expired-cert fingerprint installer lolbin signed wix

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: n/a
Detection: clean
Classification: n/a
Score: 3/100
Behavior graph: n/a

Result
Malware family: n/a
Score: 7/10
Tags: discovery persistence privilege_escalation
Behaviour:
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- Event Triggered Execution: Installer Packages
- System Location Discovery: System Language Discovery
- Badlisted process makes network request
- Enumerates connected drives
- Loads dropped DLL

Result
Malware family: ValleyRAT
Verdict: Malicious
