MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b73a44b3e686b95807d1dd9cc109cb7fb2618e882a7d9ea162bb6ae2832fbe34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 10



SHA256 hash: b73a44b3e686b95807d1dd9cc109cb7fb2618e882a7d9ea162bb6ae2832fbe34
SHA3-384 hash: c2dfe4e297bdae8a96c36593d3ba699cc4e5a1c9aa2fc1627624b032ce93af99812e66d2f39507ba909b8bc732c22990
SHA1 hash: cf50d96f9fc6701a62aa6f93213ca021dbb92974
MD5 hash: d75c4cafed426167338cd1bc85a3c924
humanhash: xray-venus-rugby-lemon
File name: 三角洲解除冻结高危工具.zip (Chinese, roughly "Delta unfreeze high-risk tool.zip")
Signature: ValleyRAT
File size: 9'804'937 bytes
First seen: 2026-03-29 12:10:16 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 196608:yN5TVdtNrugDEnsaHu5KIhJ+q8H+rd7AfP0fn3v+mvVolzZAa8b:yN5XtN6gDYsaULUhsd7Af63DAeaG
TLSH: T1D0A633971832A114F8D2D87399B9187490975627F9F98E2BFE96333466FB8F7C10E210
Magika: zip
Reporter: Ling
Tags: backdoor gh0st Trojan:Win32/Vigorf.A ValleyRAT Vigorf zip


CNGaoLing
This sample has been reviewed by Microsoft researchers and determined to be malware. (Trojan:Win32/Vigorf.A)

Backdoor IOC (IP 113.44.44.102)

Intelligence


File Origin
# of uploads: 1
# of downloads: 101
Origin country: US
File Archive Information

This file archive contains 4 file(s), sorted by their relevance:

File name: avcodec-58.dll
File size: 10'752 bytes
SHA256 hash: 7891e16e3fdf4948cc3ab7d008525b4c6fef0bd692ea3c506410145cded844d7
MD5 hash: eaa627538f1bb15766d8cc7a5f8b70de
MIME type: application/x-dosexec
Signature: ValleyRAT

File name: 解除冻结高危工具.exe (Chinese, roughly "unfreeze high-risk tool.exe")
File size: 9'994'944 bytes
SHA256 hash: 7113548d5d84090c2cd89b14db573970ddee2f1bf4f568043fe06953e81a90ee
MD5 hash: a630d1904252cadb55b43d1ae712e3f9
MIME type: application/x-dosexec
Signature: ValleyRAT

File name: 先执行这个安装环境.exe (Chinese, roughly "run this first to set up the environment.exe")
File size: 1'152'005 bytes
SHA256 hash: 665ae61bdecf51af2bd94f9114696f69b61b455db9c520ac508d9596f5eccb40
MD5 hash: d9fcb877ad51b8a215afc219ddb27565
MIME type: application/x-dosexec
Signature: ValleyRAT

File name: avutil-56.dll
File size: 22'016 bytes
SHA256 hash: 47bf932521d49b5b44d5a6437aa7c558b1ab87f28d024c74545bdfecadda152b
MD5 hash: 54a429080e06fd2b9d8e48ad362523de
MIME type: application/x-dosexec
Signature: ValleyRAT
Vendor Threat Intelligence
Verdict: Malicious
Score: 90.2%
Tags: dropper emotet virus

Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: anti-debug anti-vm microsoft_visual_cc

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict: Malicious
File Type: zip
First seen: 2026-03-29T00:25:00Z UTC
Last seen: 2026-03-29T00:30:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Win32.Sheloader.gen, HEUR:Trojan.Win32.Generic, HEUR:Trojan.Win32.Agent.gen
Threat name: Win32.Backdoor.Valleyrat
Status: Malicious
First seen: 2026-03-29 06:19:41 UTC
File Type: Binary (Archive)
Extracted files: 1724
AV detection: 13 of 24 (54.17%)
Threat level: 5/5

Result
Malware family: valleyrat_s2
Score: 10/10
Tags: family:valleyrat_s2 backdoor persistence pyinstaller ransomware
Malware Config
C2 Extraction:
113.44.44.102:6666
113.44.44.102:8888
113.44.44.102:8012

Please note that we are no longer able to provide a coverage score for VirusTotal.
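Added example, not MalwareBazaar's own tooling and not code from the sample: a small Python triage helper that turns the indicators on this entry into checks. It matches archive members by the per-member SHA256 values listed under File Archive Information rather than by file name (the names inside a ZIP are trivially changed, the content hashes are what the entry records), and it scans log lines for the C2 endpoints from the Malware Config above, reporting contact with the C2 IP on a port that is not in the extracted config separately. The ZIP it builds and the log lines it scans are constructed test data; the two log shapes it understands (proxy `ip:port` fields and iptables-style `DST=`/`DPT=` fields) are assumptions about what a reader's telemetry looks like.

```python
"""Triage helpers built from the indicators on this entry.

Added example, not MalwareBazaar's own tooling. The hashes and C2 endpoints
are copied from the entry above; the ZIP produced by build_sample_zip() and
the SAMPLE_LOG lines are constructed test data, not real telemetry.
"""
import hashlib
import io
import re
import zipfile

# Per-member SHA256 values listed under "File Archive Information" (from the entry).
KNOWN_MEMBER_SHA256 = {
    "7891e16e3fdf4948cc3ab7d008525b4c6fef0bd692ea3c506410145cded844d7": "avcodec-58.dll",
    "7113548d5d84090c2cd89b14db573970ddee2f1bf4f568043fe06953e81a90ee": "解除冻结高危工具.exe",
    "665ae61bdecf51af2bd94f9114696f69b61b455db9c520ac508d9596f5eccb40": "先执行这个安装环境.exe",
    "47bf932521d49b5b44d5a6437aa7c558b1ab87f28d024c74545bdfecadda152b": "avutil-56.dll",
}

# C2 endpoints from the "Malware Config" section (from the entry).
C2_ENDPOINTS = {
    ("113.44.44.102", 6666),
    ("113.44.44.102", 8888),
    ("113.44.44.102", 8012),
}


def archive_member_hashes(zip_bytes: bytes) -> dict:
    """Return {member_name: (sha256_hex, md5_hex)} for every file in a ZIP.

    Only reads and hashes the members; nothing is written to disk or executed.
    Members are read whole, which is fine for a ~10 MB sample.
    """
    result = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            result[info.filename] = (
                hashlib.sha256(data).hexdigest(),
                hashlib.md5(data).hexdigest(),
            )
    return result


def match_known_members(zip_bytes: bytes, known=KNOWN_MEMBER_SHA256) -> list:
    """Return (member_name, listed_name, sha256) for members whose content hash is listed.

    Matching is by hash, not by file name, so a renamed member is still found
    and a benign file that borrows a listed name is not.
    """
    hits = []
    for name, (sha256, _md5) in archive_member_hashes(zip_bytes).items():
        if sha256 in known:
            hits.append((name, known[sha256], sha256))
    return hits


# "ip:port" tokens (proxy logs) and "DST=ip ... DPT=port" fields (iptables-style logs).
# Both formats are assumptions about the reader's telemetry.
_IPPORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
_DST_DPT_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b.*?\bdpt=(\d{1,5})\b", re.IGNORECASE)


def find_c2_hits(log_lines, endpoints=C2_ENDPOINTS) -> list:
    """Return (line_no, ip, port, port_listed) for every line that talks to a listed C2 IP.

    port_listed is False when the IP matches but the port is not one from the
    extracted config; the IP alone is still worth a look, since the extracted
    config need not be exhaustive and the operator can move ports.
    """
    c2_ips = {ip for ip, _port in endpoints}
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        for ip, port in _IPPORT_RE.findall(line) + _DST_DPT_RE.findall(line):
            if ip in c2_ips:
                hits.append((line_no, ip, int(port), (ip, int(port)) in endpoints))
    return hits


def build_sample_zip() -> bytes:
    """Constructed, harmless archive for a dry run.

    It reuses one real member name from the entry with benign content, so a
    name-based check would flag it while the hash-based check correctly does not.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("avcodec-58.dll", b"constructed test bytes, not the real DLL")
        zf.writestr("readme.txt", b"constructed benign file")
    return buf.getvalue()


# Constructed log lines (not real telemetry): a proxy hit on a listed endpoint, a benign
# line, an iptables-style hit, and contact with the C2 IP on a port not in the config.
SAMPLE_LOG = [
    "2026-03-29T12:11:03Z proxy src=10.0.4.21:51234 dst=113.44.44.102:6666 action=allow",
    "2026-03-29T12:11:05Z proxy src=10.0.4.21:51236 dst=142.250.72.14:443 action=allow",
    "2026-03-29T12:11:09Z kernel: IN=eth0 SRC=10.0.4.21 DST=113.44.44.102 DPT=8888 PROTO=TCP",
    "2026-03-29T12:12:00Z proxy src=10.0.4.22:49000 dst=113.44.44.102:443 action=allow",
]


if __name__ == "__main__":
    sample = build_sample_zip()
    for name, (sha256, md5) in archive_member_hashes(sample).items():
        print(f"{name}: sha256={sha256} md5={md5}")
    print("known members:", match_known_members(sample))  # [] for the constructed ZIP
    for line_no, ip, port, listed in find_c2_hits(SAMPLE_LOG):
        print(f"line {line_no}: {ip}:{port} " + ("listed C2 endpoint" if listed else "C2 IP, unlisted port"))
```

Run `archive_member_hashes()` on the real download only inside an isolated analysis VM; the function never executes anything, but the archive members are live malware and should not be extracted onto an analyst workstation. The constructed ZIP deliberately reuses the `avcodec-58.dll` name so the dry run shows why the comparison is keyed on SHA256 and not on the file name.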

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Detect_PyInstaller
Author: Obscurity Labs LLC
Description: Detects PyInstaller compiled executables across platforms

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through a base64-encoded PowerShell script.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: PyInstaller
Author: @bartblaze
Description: Identifies an executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FPs)

Rule name: Trojan_W32_Gh0stMiancha_1_0_0

Rule name: upxHook
Author: @r3dbU7z
Description: Detects artifacts from 'upxHook', a modification of the UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

Rule name: VECT_Ransomware
Author: Mustafa Bakhit
Description: Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name: win_miancha_w0
Author: Context Threat Intelligence
Description: Bytes inside
Reference: http://www.contextis.com/documents/30/TA10009_20140127_-_CTI_Threat_Advisory_-_The_Monju_Incident1.pdf

File information


The information below gives additional details about this malware sample, such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: ValleyRAT
File type: zip
SHA256 hash: b73a44b3e686b95807d1dd9cc109cb7fb2618e882a7d9ea162bb6ae2832fbe34 (this sample)

Comments