MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbfcc27dfcbdb84ba4394883089301d90e7ab9523e313f2133ee5bf5e4099ba2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 26 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bbfcc27dfcbdb84ba4394883089301d90e7ab9523e313f2133ee5bf5e4099ba2
SHA3-384 hash: f366354204b1801de10f075b03257cc829816858bd704cc4fe24bc269eb15d85fd1ccad279af95b2a5c2a697d8bddb09
SHA1 hash: b239d03ff774e29b1131dace1415d20f96c95f00
MD5 hash: 1f3c2e4c7093ecd75911ad8043bf577c
humanhash: florida-beryllium-missouri-oregon
File name:Captain s Legacy Wealth Strategy.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:1'996'590 bytes
First seen:2026-06-22 20:28:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 40ab50289f7ef5fae60801f88d4541fc (73 x ValleyRAT, 53 x Gh0stRAT, 42 x OffLoader)
ssdeep 49152:o+MRvHoWzdA67MZ2Z9ftchfudg87dqn7iM5d:orO+MYchXqdnM5d
Threatray 34 similar samples on MalwareBazaar
TLSH T15195D023B2CBE43EE05E0B3705B2A26494FB6A256523BD1797E4949CCF760601E3E747
TrID 61.4% (.EXE) Inno Setup installer (107240/4/30)
23.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.7% (.EXE) Win64 Executable (generic) (6522/11/2)
2.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 92b28c8696ba9686 (1 x ValleyRAT)
Reporter smica83
Tags:exe ValleyRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
152
Origin country :
HU HU
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/7d4f1f4b-ec51-4af2-b4bf-aebd9523cf66/
Malware family:
n/a
ID:
1
File name:
_bbfcc27dfcbdb84ba4394883089301d90e7ab9523e313f2133ee5bf5e4099ba2.exe
Verdict:
Malicious activity
Analysis date:
2026-06-22 20:29:54 UTC
Tags:
auto-reg
Link:
https://app.any.run/tasks/7f5c9012-f14c-46eb-8e0b-2944c63b4a43

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71607/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a399b3286bc95245bf8c49b
Tags:
downloader shellcode dropper emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Moving a recently created file
Creating a process with a hidden window
Launching a process
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context embarcadero_delphi fingerprint inno installer installer installer-heuristic packed reconnaissance
Link:
https://www.filescan.io/uploads/6a399b2c90632a45f733e9fe/reports/44c4c10c-9400-4fc1-94bd-721fe72c777c/overview
Verdict:
Malicious
Labled as:
Trojan.MSIL.PowerShell.gen
Link:
https://www.hybrid-analysis.com/sample/bbfcc27dfcbdb84ba4394883089301d90e7ab9523e313f2133ee5bf5e4099ba2
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-22T15:48:00Z UTC
Last seen:
2026-06-23T07:04:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.Agent.xcekwe Trojan.Win32.Agent.sb PDM:Trojan.Win32.Generic HEUR:Trojan.Multi.Shellcode.gen Backdoor.Xkcp.TCP.ServerRequest Backdoor.Win32.Xkcp.cyc Backdoor.Agent.TCP.C&C Trojan.Win32.Inject.sb
Link:
https://opentip.kaspersky.com/bbfcc27dfcbdb84ba4394883089301d90e7ab9523e313f2133ee5bf5e4099ba2/results?tab=lookup
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0008d18b-de31-4c46-bbf4-06b1a8523ca3
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1932196
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Delayed program exit found
Found malware configuration
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Rundll32 Execution Without Parameters
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1932196 Sample: Captain s Legacy Wealth Str... Startdate: 22/06/2026 Architecture: WINDOWS Score: 100 56 Suricata IDS alerts for network traffic 2->56 58 Found malware configuration 2->58 60 Yara detected ValleyRAT 2->60 62 3 other signatures 2->62 8 Captain s Legacy Wealth Strategy.exe 2 2->8         started        11 mdmerge.exe 1 2->11         started        13 mdmerge.exe 1 2->13         started        process3 file4 38 C:\...\Captain s Legacy Wealth Strategy.tmp, PE32 8->38 dropped 15 Captain s Legacy Wealth Strategy.tmp 23 11 8->15         started        18 rundll32.exe 11->18         started        21 conhost.exe 11->21         started        23 rundll32.exe 13->23         started        25 conhost.exe 13->25         started        process5 file6 40 C:\Users\user\AppData\...\mdmerge.exe (copy), PE32 15->40 dropped 42 C:\Users\user\AppData\...\unins000.exe (copy), PE32 15->42 dropped 44 C:\Users\user\AppData\Local\...\is-R9M1G.tmp, PE32 15->44 dropped 46 4 other files (none is malicious) 15->46 dropped 27 mdmerge.exe 1 1 15->27         started        30 notepad.exe 15->30         started        64 System process connects to network (likely due to code injection or exploit) 18->64 signatures7 process8 signatures9 66 Contains functionality to inject code into remote processes 27->66 32 rundll32.exe 3 27->32         started        36 conhost.exe 27->36         started        process10 dnsIp11 48 47.76.51.107, 49683, 49684, 49685 ALIBABA-CN-NETAlibabaUSTechnologyCoLtdCN Hong Kong SAR China 32->48 50 Contains functionality to inject threads in other processes 32->50 52 Contains functionality to capture and log keystrokes 32->52 54 Delayed program exit found 32->54 signatures12
Score:
50%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/bbfcc27dfcbdb84ba4394883089301d90e7ab9523e313f2133ee5bf5e4099ba2
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/1f3c2e4c7093ecd75911ad8043bf577c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bbfcc27dfcbdb84ba4394883089301d90e7ab9523e313f2133ee5bf5e4099ba2/
Verdict:
Malicious
Threat:
Family.VALLEYRAT_S2
Link:
https://tip.neiki.dev/file/bbfcc27dfcbdb84ba4394883089301d90e7ab9523e313f2133ee5bf5e4099ba2
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xp6me7p4xw4exjbzjcbqreyb3ehhvokshyyt6ijt5zn7lzajtora._file
Verdict:
malicious
Label(s):
valleyrat
Create hunting rule
Similar samples:
887413b4d3fa8b6b25d87d8979bf17a91c790fe6d3b1a5162484e833dfddb288
ValleyRAT
d93812897d11c4244c8b1720555218d8b910792fadc6fc5ababcd745aec26f4e
ValleyRAT
e306f2ec7aa41e7c60802c8156990b3d9c6949451ae72409646e4a7c15b6ebff
ValleyRAT
e8e9df79257bea763a14fc5493e653f2201a579fb1d7d0e31a56310e41fc5126
ValleyRAT
error
ValleyRAT
ff965cbc39961020fda3eda9aeaf15fe142b729dde4ccbe771bd2b07906366dc
ValleyRAT
+ 24 additional samples on MalwareBazaar
Result
Malware family:
valleyrat_s2
Create hunting rule
Score:
  10/10
Tags:
family:valleyrat_s2 backdoor discovery installer persistence
Link:
https://tria.ge/reports/260622-y9tpzags3n/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Family: ValleyRat
Malware Config
C2 Extraction:
47.76.51.107:5678
127.0.0.1:80
Unpacked files
SH256 hash:
bbfcc27dfcbdb84ba4394883089301d90e7ab9523e313f2133ee5bf5e4099ba2
MD5 hash:
1f3c2e4c7093ecd75911ad8043bf577c
SHA1 hash:
b239d03ff774e29b1131dace1415d20f96c95f00
Link:
https://www.unpac.me/results/4da5f628-a60d-4a7f-95f9-cb2caf15ff1a/
SH256 hash:
27137eab7cfd951e1ed197bc2211f62df42f9597535e57a22a6a7658c0a7d0c2
MD5 hash:
9d5a7b87a48aafdc6a3ee809f6be184e
SHA1 hash:
853dc42cc1fa3e3431ed2911e50302367add6c35
Link:
https://www.unpac.me/results/4da5f628-a60d-4a7f-95f9-cb2caf15ff1a/
SH256 hash:
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
MD5 hash:
e4211d6d009757c078a9fac7ff4f03d4
SHA1 hash:
019cd56ba687d39d12d4b13991c9a42ea6ba03da
Link:
https://www.unpac.me/results/4da5f628-a60d-4a7f-95f9-cb2caf15ff1a/
SH256 hash:
d2753da9eb66769d99ae73b53b069a3621cdb4cf95cbdecbf7962e5e0f9510a3
MD5 hash:
0a5f9882763739ebf7f1b058a997ad1e
SHA1 hash:
158c19440fdb44bdb3a291d0f4aaf3848b677aaf
Link:
https://www.unpac.me/results/4da5f628-a60d-4a7f-95f9-cb2caf15ff1a/
SH256 hash:
f8287d9d9b2e39dfb570c4a59e6924effb96c5ec3a3302466d83dd26201fa76c
MD5 hash:
fe980df6e0680edc2ef0710fb259ca4f
SHA1 hash:
9358a5e2b42c9546f3e64b31c6968179b99d2cd7
Link:
https://www.unpac.me/results/4da5f628-a60d-4a7f-95f9-cb2caf15ff1a/
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bbfcc27dfcbd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bbfcc27dfcbdb84ba4394883089301d90e7ab9523e313f2133ee5bf5e4099ba2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:GenericGh0st
Create hunting rule
Author:Still
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Create hunting rule
Author:ditekSHen
Description:Detects executables calling ClearMyTracksByProcess
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:Windows_Generic_Threat_4b0b73ce
Create hunting rule
Author:Elastic Security
Rule name:WinosStager
Create hunting rule
Author:YungBinary
Description:https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/71607/

Comments