MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd637efb8b5d0d620e4dc9bcd3d596b8da685116dcd9ab122bedd369fb912a94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 14 File information Comments

SHA256 hash:	bd637efb8b5d0d620e4dc9bcd3d596b8da685116dcd9ab122bedd369fb912a94
SHA3-384 hash:	56469b807496d9f46370c6d8570dd74de4f72b3aed9542ad69d9ae80c98a8f68ef7b5a2e033ef15ca16ce0445873fb11
SHA1 hash:	232ed11aa93fbc7d75c161c6d3b59f9684fd3a99
MD5 hash:	80ec66bc67c696223954ded7e171c55d
humanhash:	twelve-california-floor-oscar
File name:	2025.09.26 新名单.exe
Download:	download sample
Signature	ValleyRAT Create hunting rule
File size:	118'272 bytes
First seen:	2025-09-26 09:39:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	42520c1a67188645504949010109baf6 (1 x ValleyRAT)
ssdeep	3072:RTUd7+H6TnD6msSi4ybr9UzA10rwX9thw08c+6:eh+aTD6msSi4ybr9UnR08c+6
TLSH	T13CC31907A6E550F5C0BAC43888926A36FBB27C694731A78F6BD05B5B1F327D0AD2D710
TrID	44.4% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	kafan_shengui
Tags:	exe SilverFox ValleyRAT

kafan_shengui

Targeted Attack.
C&C: hdwyebwfvjs[dot]cn | 18.180.69.63

Intelligence

File Origin

# of uploads :

# of downloads :

170

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2025.09.26.exe

Verdict:

No threats detected

Analysis date:

2025-09-26 09:40:03 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0cee353e-0a2d-4f5d-886d-2103854a3acc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/29150/

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68d65fa8adb1614b780be342

Tags:

infosteal shell sage remo

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Connection attempt

Sending a custom TCP request

Running batch commands

Creating a process with a hidden window

Launching a process

Сreating synchronization primitives

Searching for synchronization primitives

Creating a window

Unauthorized injection to a system process

Enabling autorun by creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

alpc anti-debug evasive exploit microsoft_visual_cc

Link:

https://www.filescan.io/uploads/68d65fa674e5a28989947f3e/reports/d9cd4205-fd87-4cad-8ea4-aa529beda497/overview

Verdict:

Malicious

Labled as:

Win64/Agent_AGeneric.HCI trojan

Link:

https://www.hybrid-analysis.com/sample/bd637efb8b5d0d620e4dc9bcd3d596b8da685116dcd9ab122bedd369fb912a94

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-09-26T00:37:00Z UTC

Last seen:

2025-09-26T00:37:00Z UTC

Hits:

~100

Detections:

Trojan-Dropper.Win32.Injector.sb Trojan.Win32.PoolInject.sba

Link:

https://opentip.kaspersky.com/bd637efb8b5d0d620e4dc9bcd3d596b8da685116dcd9ab122bedd369fb912a94/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/cdb653df-286b-4303-9b99-5c2df52549be

Score:

82%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/bd637efb8b5d0d620e4dc9bcd3d596b8da685116dcd9ab122bedd369fb912a94

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/80ec66bc67c696223954ded7e171c55d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bd637efb8b5d0d620e4dc9bcd3d596b8da685116dcd9ab122bedd369fb912a94/

Verdict:

Malicious

Threat:

Trojan.Win32.PoolInject

Link:

https://tip.neiki.dev/file/bd637efb8b5d0d620e4dc9bcd3d596b8da685116dcd9ab122bedd369fb912a94

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xvrx564llugwedsnzg6nhvmwxdngquiw3tm2werl5xjwt64rfkka._file

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion

Link:

https://tria.ge/reports/250926-lnmcjsgj5t/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/ee40a196-e86f-4460-97a3-cb61d6e9a6c6

Unpacked files

SH256 hash:

bd637efb8b5d0d620e4dc9bcd3d596b8da685116dcd9ab122bedd369fb912a94

MD5 hash:

80ec66bc67c696223954ded7e171c55d

SHA1 hash:

232ed11aa93fbc7d75c161c6d3b59f9684fd3a99

Link:

https://www.unpac.me/results/fa4e10b9-c9cb-4594-8d5a-b15fa25b8026/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bd637efb8b5d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bd637efb8b5d0d620e4dc9bcd3d596b8da685116dcd9ab122bedd369fb912a94

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__MemoryWorkingSet Create hunting rule
Author:	Fernando Mercês
Description:	Anti-debug process memory working set size check
Reference:	http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/29150/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample