MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf35bfdb2f4fce37e932d42eee556b89c1799c86d2f1f9ebaeedbea18c38237b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf35bfdb2f4fce37e932d42eee556b89c1799c86d2f1f9ebaeedbea18c38237b
SHA3-384 hash: 31f32d63785d9b48fcd4a5692f962a88fd76900be0e42f347804c3368cc940b54b8c4092d49fc4243e05721185754778
SHA1 hash: 86978f47750499ce31a0bb26b5b8e495b551a165
MD5 hash: 390cef3f2c122b4ee9d70c213cc1d173
humanhash: lemon-leopard-moon-pizza
File name:win32-googeljie.msi
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:63'576'064 bytes
First seen:2026-04-27 05:07:38 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 1572864:QumnD/IqC/25jK4vzWXttFBLbLk1lCdiukrYd0fWymjP:QZnD/a/Ajx6dtFBLU3CbuI
Threatray 1 similar samples on MalwareBazaar
TLSH T156D73351F0CE8731E6AF80346579DB3991F23DD113B280DB93E4C9A65E7EAC24236B52
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter Ling
Tags:msi SilverFox Trojan/SilverFox.al ValleyRAT


Avatar
CNGaoLing
Trojan/SilverFox.al
IOC (Domain j6fadacai.com) (Domain xiaoshihou37.org) (IP 43.248.172.30)

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
US US
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/3b54266f-78fd-4d71-b611-981f015be2ab/
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69eeee4b51cce3ff70305a1e
Tags:
n/a
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/bf35bfdb2f4fce37e932d42eee556b89c1799c86d2f1f9ebaeedbea18c38237b
Verdict:
Malicious
File Type:
msi
First seen:
2026-04-27T00:36:00Z UTC
Last seen:
2026-04-29T03:18:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Qhost.sb Trojan.Win32.Agentb.bxom Trojan-Dropper.Win32.Batut.sb HEUR:Trojan.OLE2.Alien.gen Trojan.Win32.Zenpak.sb Trojan-Spy.Win32.Stealer.sb Backdoor.Win32.Gulpix.sb Backdoor.Win32.Farfli.sb HEUR:Backdoor.Win32.Nimpl.a BSS:Trojan.Win32.Generic Trojan.Win32.Yakes Trojan.Win32.Shella.kz Backdoor.Win32.Lotok.sbc Trojan-Spy.Win32.Agent.sb
Link:
https://opentip.kaspersky.com/bf35bfdb2f4fce37e932d42eee556b89c1799c86d2f1f9ebaeedbea18c38237b/results?tab=lookup
Score:
96%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/bf35bfdb2f4fce37e932d42eee556b89c1799c86d2f1f9ebaeedbea18c38237b
Gathering data
Verdict:
Malicious
Threat:
Trojan.Win32.Zenpak
Link:
https://tip.neiki.dev/file/bf35bfdb2f4fce37e932d42eee556b89c1799c86d2f1f9ebaeedbea18c38237b
Threat name:
Win32.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2026-04-27 05:04:21 UTC
File Type:
Binary (Archive)
Extracted files:
989
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x4237wzpj7hdp2js2qxo4vllrhaxtheg2ly7t25o5w7kddbyen5q._file
Verdict:
malicious
Label(s):
hiddengh0st
Create hunting rule
Similar samples:
error
ValleyRAT
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence privilege_escalation
Link:
https://tria.ge/reports/260427-fstpjaey6n/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Enumerates connected drives
Loads dropped DLL
Malware family:
HiddenGh0st
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bf35bfdb2f4f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_MSI_LATAM_Banker_From_LatAm
Create hunting rule
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ValleyRAT

Microsoft Software Installer (MSI) msi bf35bfdb2f4fce37e932d42eee556b89c1799c86d2f1f9ebaeedbea18c38237b

(this sample)

  
Delivery method
Distributed via web download

Comments