MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b433ecdf855beaaf91d57522eebe9c9e1c3fc756f711bd79ac1b3ecf6c75016c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash: b433ecdf855beaaf91d57522eebe9c9e1c3fc756f711bd79ac1b3ecf6c75016c
SHA3-384 hash: 591fc75318a4518798d34f30bf00042205b476bc2ee7fb0ec869409d70cbf32efa1c5fc38cf6aeb96f3513881bb48e7f
SHA1 hash: cca9f72a37173b12d4812644dd288909133cf6e4
MD5 hash: 99a4d8df4398e163b45594e6204fd2c3
humanhash: dakota-failed-mockingbird-delta
File name:LetsVPN.zip
Download: download sample
Signature ValleyRAT
File size:29'191'779 bytes
First seen:2026-07-10 12:19:38 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 786432:KHnTi9j9jG4zU+ocyToF08XOVh301iyNKtKTP:On6jG+ocyE1Q301LsATP
TLSH T1975733157B6EC27CDA99441EFC64B28938A5FAE531BCB048C03E68E904BD0FBB076D55
Magika zip
Reporter smica83
Tags:ValleyRAT zip

Intelligence


File Origin
# of uploads :
1
# of downloads :
209
Origin country :
HU HU
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:KL-X86Gicasc.msi
File size:30'135'808 bytes
SHA256 hash: ee1f25b74bc40c30ef3dac839257e6e75c3ef5e84e6c8b464f1984943132f166
MD5 hash: 94c099726b17e2856c4fabc643d6742d
MIME type:application/x-msi
Signature ValleyRAT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
90.2%
Tags:
shell spawn sage
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug base64 cmd expired-cert fingerprint fingerprint lolbin reconnaissance short-lived-cert wix
Verdict:
Malicious
File Type:
zip
First seen:
2026-07-10T10:07:00Z UTC
Last seen:
2026-07-11T21:55:00Z UTC
Hits:
~10
Gathering data
Gathering data
Threat name:
Win32.Trojan.Suschil
Status:
Malicious
First seen:
2026-07-10 12:21:01 UTC
File Type:
Binary (Archive)
Extracted files:
863
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution persistence privilege_escalation ransomware spyware trojan
Behaviour
Checks SCSI registry key(s)
Gathers network information
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Network Service Discovery
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
Modifies Windows Firewall
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_MSI_LATAM_Banker_From_LatAm
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments