MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4a1c8e6d660a31aaca3053973c553c62354be47688f7d474998f0d5caf8f0ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4a1c8e6d660a31aaca3053973c553c62354be47688f7d474998f0d5caf8f0ce
SHA3-384 hash: 9fd80fe2cc5dc05fcd504c7c34743d2f6165a13b51ba1e46d8bdf6eb70f7400c829c547ef3956e575c13f7b1b4c6adbd
SHA1 hash: d0f9ec3ad09b0b9be99677260dae2f172eb87325
MD5 hash: e2511d432eef9fcf66290812f4fdb236
humanhash: don-bacon-georgia-wisconsin
File name:E2511D432EEF9FCF66290812F4FDB236.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:36'976'385 bytes
First seen:2025-07-26 00:32:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4d363d3b473a6c355539abd95921390d (4 x ValleyRAT, 3 x FatalRAT, 1 x YoungLotus)
ssdeep 786432:mX8AoCn8LcI1grGO/b2GENsnz6nxVyLz8pgc1bCERgUR9AbfU:mMAycemvTEyn9z8pgc1bCEKUR6w
Threatray 137 similar samples on MalwareBazaar
TLSH T158872331B24AC43BD66205B11A2C9FDF5128BF6A1BB514C773CC2E6E5BB44C21636E27
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 6ded69c7b130b2c0 (12 x CryptBot, 8 x ValleyRAT, 4 x NetSupport)
Reporter abuse_ch
Tags:exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
143.92.48.5:6667

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
143.92.48.5:6667 https://threatfox.abuse.ch/ioc/1560770/

Intelligence

File Origin
# of uploads :
1
# of downloads :
26
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
E2511D432EEF9FCF66290812F4FDB236.exe
Verdict:
Malicious activity
Analysis date:
2025-07-26 00:52:00 UTC
Tags:
advancedinstaller
Link:
https://app.any.run/tasks/f464cafb-1685-4c95-95b0-711e29b89e55

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6884224caf3050dc8d30f956
Tags:
dropper shell sage
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Loading a suspicious library
Creating a file
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm fingerprint lolbin microsoft_visual_cc msiexec obfuscated overlay packed packer_detected runonce
Link:
https://www.filescan.io/uploads/6884222113488cfd44d90377/reports/fa81dba0-53fe-445a-8cc1-4eb872587b85/overview
Verdict:
Malicious
Labled as:
QD:Trojan.GenericQ
Link:
https://www.hybrid-analysis.com/sample/b4a1c8e6d660a31aaca3053973c553c62354be47688f7d474998f0d5caf8f0ce
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj.spyw.evad.mine
Score:
78 / 100
Link:
https://www.joesandbox.com/analysis/1744459
Signature
.NET source code contains very large array initializations
Accesses sensitive object manager directories (likely to detect virtual machines)
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to modify Windows User Account Control (UAC) settings
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Creates multiple autostart registry keys
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the DNS server
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via ARP
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Uses ipconfig to lookup or modify the Windows network settings
Uses IRC for communication with a C&C
Uses netsh to modify the Windows network and firewall settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1744459 Sample: 4ecI1fr11s.exe Startdate: 26/07/2025 Architecture: WINDOWS Score: 78 153 ff6288.com 2->153 155 yandex.com 2->155 157 10 other IPs or domains 2->157 193 Suricata IDS alerts for network traffic 2->193 195 Multi AV Scanner detection for submitted file 2->195 197 .NET source code contains very large array initializations 2->197 199 6 other signatures 2->199 14 msiexec.exe 87 35 2->14         started        17 4ecI1fr11s.exe 88 2->17         started        19 svchost.exe 2->19         started        21 8 other processes 2->21 signatures3 process4 file5 129 kl.late (copy), DOS 14->129 dropped 131 arkHTTPClient.dll (copy), PE32 14->131 dropped 133 WindowsDevic.exe (copy), PE32 14->133 dropped 141 8 other malicious files 14->141 dropped 24 msiexec.exe 1 14->24         started        26 msiexec.exe 14->26         started        135 C:\Users\user\AppData\Roaming\...\kl.late, DOS 17->135 dropped 137 C:\Users\user\AppData\...\arkHTTPClient.dll, PE32 17->137 dropped 139 C:\Users\user\AppData\...\WindowsDevic.exe, PE32 17->139 dropped 143 17 other malicious files 17->143 dropped 28 4ecI1fr11s.exe 1 17->28         started        30 drvinst.exe 19->30         started        34 drvinst.exe 19->34         started        201 Changes security center settings (notifications, updates, antivirus, firewall) 21->201 203 Modifies the DNS server 21->203 36 MpCmdRun.exe 21->36         started        signatures6 process7 file8 38 cmd.exe 1 24->38         started        41 msiexec.exe 28->41         started        145 C:\Windows\System32\...\tap0901.sys (copy), PE32+ 30->145 dropped 147 C:\Windows\System32\drivers\SET7C47.tmp, PE32+ 30->147 dropped 219 Accesses sensitive object manager directories (likely to detect virtual machines) 30->219 149 C:\Windows\System32\...\tap0901.sys (copy), PE32+ 34->149 dropped 151 C:\Windows\System32\...\SET7246.tmp, PE32+ 34->151 dropped 43 conhost.exe 36->43         started        signatures9 process10 signatures11 205 Uses netsh to modify the Windows network and firewall settings 38->205 207 Uses ipconfig to lookup or modify the Windows network settings 38->207 209 Performs a network lookup / discovery via ARP 38->209 45 cmd.exe 1 38->45         started        47 conhost.exe 38->47         started        process12 process13 49 Latest.exe 45->49         started        53 WindowsDevic.exe 45->53         started        55 SetupEx.exe 2 8 45->55         started        57 conhost.exe 45->57         started        file14 117 C:\Users\user\AppData\Local\...\nsProcess.dll, PE32 49->117 dropped 119 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 49->119 dropped 121 C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32 49->121 dropped 123 221 other malicious files 49->123 dropped 175 Bypasses PowerShell execution policy 49->175 177 Modifies the windows firewall 49->177 179 Adds a directory exclusion to Windows Defender 49->179 181 Sample is not signed and drops a device driver 49->181 59 LetsPRO.exe 49->59         started        61 tapinstall.exe 49->61         started        64 powershell.exe 49->64         started        70 8 other processes 49->70 183 Contains functionality to inject threads in other processes 53->183 185 Contains functionality to inject code into remote processes 53->185 187 Contains functionality to modify Windows User Account Control (UAC) settings 53->187 189 Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners) 53->189 67 WindowsDevic.exe 53->67         started        191 Creates multiple autostart registry keys 55->191 signatures15 process16 dnsIp17 72 LetsPRO.exe 59->72         started        125 C:\Users\user\AppData\...\tap0901.sys (copy), PE32+ 61->125 dropped 127 C:\Users\user\AppData\Local\...\SET70EE.tmp, PE32+ 61->127 dropped 76 conhost.exe 61->76         started        167 Loading BitLocker PowerShell Module 64->167 78 conhost.exe 64->78         started        159 ff6288.com 143.92.48.5, 49722, 6667 BCPL-SGBGPNETGlobalASNSG Singapore 67->159 169 Adds a directory exclusion to Windows Defender 67->169 171 Disables UAC (registry) 67->171 173 Disable UAC(promptonsecuredesktop) 67->173 80 powershell.exe 67->80         started        82 WindowsDevic.exe 67->82         started        84 conhost.exe 70->84         started        86 conhost.exe 70->86         started        88 conhost.exe 70->88         started        90 10 other processes 70->90 file18 signatures19 process20 dnsIp21 161 119.29.29.29, 49726, 53 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN China 72->161 163 d1dmgcawtbm6l9.cloudfront.net 18.173.242.73, 443, 49727, 49728 MIT-GATEWAYSUS United States 72->163 165 10 other IPs or domains 72->165 211 Creates multiple autostart registry keys 72->211 213 Loading BitLocker PowerShell Module 72->213 92 cmd.exe 72->92         started        95 WMIC.exe 72->95         started        97 cmd.exe 72->97         started        99 cmd.exe 72->99         started        101 conhost.exe 80->101         started        signatures22 process23 signatures24 215 Performs a network lookup / discovery via ARP 92->215 103 conhost.exe 92->103         started        105 ARP.EXE 92->105         started        217 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 95->217 107 conhost.exe 95->107         started        109 conhost.exe 97->109         started        111 ipconfig.exe 97->111         started        113 conhost.exe 99->113         started        115 ROUTE.EXE 99->115         started        process25
Score:
76%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b4a1c8e6d660a31aaca3053973c553c62354be47688f7d474998f0d5caf8f0ce
Gathering data
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-07-22 04:39:41 UTC
File Type:
PE (Exe)
Extracted files:
2594
AV detection:
12 of 37 (32.43%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wsq4rzwwmcrrvlfdau4xhrktyyrvjpshnchx2r2jtdynlsxy6dha._file
Verdict:
malicious
Label(s):
winos
Create hunting rule
Similar samples:
30f1434c85fcbfb70b8c294460ee2f7368f4ff1aebfb85e06aac5ed3d5046c47
ValleyRAT
4197da71fd45adddd77c5510107c7b0cb8a038a06cc3a849bdd4960fc5a4dcb3
ValleyRAT
43130df9d6c99e0d01470a57e0a21215a9afbb1c9b191e1b86fcb046316de6d1
ValleyRAT
70dc1b89b608524c98f02a2bd8a0cf162d662841f30b6e622c8fea77dbaae148
ValleyRAT
aa50da2a49089316258540ca5606b7daa77cc9b93a406bff136166882261182e
ValleyRAT
e38e23432813e4eb1ddec51456d1a9bb6f3a3a99cd68e3a130a1622e9d53c54d
ValleyRAT
error
ValleyRAT
+ 127 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/250726-avxw3swsgx/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Enumerates connected drives
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ac50ba47-acd2-4057-bdec-5a15aa12ab38
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b4a1c8e6d660a31aaca3053973c553c62354be47688f7d474998f0d5caf8f0ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Sandworm_ArguePatch_Apr_2022_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:cobalt_strike_beacon_detected
Create hunting rule
Author:0x0d4y
Description:This rule detects cobalt strike beacons.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:win_valley_rat_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.valley_rat.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleTextAttribute
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleScreenBufferInfo
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CopyFileExW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW

Comments