MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0fcad0ba982fd95958248c73ee12f1732229632fde97d645e2e479cc664bf84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0fcad0ba982fd95958248c73ee12f1732229632fde97d645e2e479cc664bf84
SHA3-384 hash: 9821040d9727962161694c35326a6d8444fd0ca8fc82e7950b656affed755af04d6c17190b0efaf4dd3667479b00e23f
SHA1 hash: 06eb6d6d82b02f391ff32a1ce15b1d89ec883186
MD5 hash: 1c5f6fab58c9af235fc22bf361e60ebb
humanhash: tango-magazine-river-delta
File name:letsvp_setup.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:102'305'461 bytes
First seen:2026-03-20 09:15:39 UTC
Last seen:2026-03-20 10:30:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 88016fcdef7f227c62171d0afad9aae4 (5 x OffLoader, 3 x Gh0stRAT, 3 x ValleyRAT)
ssdeep 1572864:LeTyd6AsHLnDPG5SBOY9rSwzKrz6YCCQ65lMH9r9Dq9aGxXMcjf3lC:Syd6vPDDrSqKiGdu95EaG1tg
Threatray 132 similar samples on MalwareBazaar
TLSH T12228337FA3AB753DD8355E763730D212887F66A29410CC17C9F48A48DBA85B02E7D392
TrID 63.8% (.EXE) Inno Setup installer (107240/4/30)
24.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.8% (.EXE) Win64 Executable (generic) (6522/11/2)
2.6% (.EXE) Win32 Executable (generic) (4504/4/1)
1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon c0c8d4cc64d4ccf8 (11 x ValleyRAT, 8 x Blackmoon, 3 x AsyncRAT)
Reporter Ling
Tags:exe SilverFox Trojan:Win32/Malgent!MSR ValleyRAT


Avatar
CNGaoLing
This sample has been reviewed by Microsoft researchers and determined to be malware. (Trojan:Win32/Malgent!MSR)

SilverFox
IOC (Domain www.2akks6668.com) (IP 43.99.89.13)

Intelligence

File Origin
# of uploads :
2
# of downloads :
274
Origin country :
US US
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/577cf5a4-0c86-4497-846d-ec9f3dc3d664/
Malware family:
n/a
ID:
1
File name:
_c0fcad0ba982fd95958248c73ee12f1732229632fde97d645e2e479cc664bf84
Verdict:
No threats detected
Analysis date:
2026-03-20 09:19:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ac8df2cc-5b44-4a79-8210-f34f353713c6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69bd107893b644ca466beeb8
Tags:
ransomware shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Searching for the window
DNS request
Connection attempt
Creating a service
Launching a service
Launching the process to change the firewall settings
Forced system process termination
Running batch commands
Launching a process
Creating a file in the Windows subdirectories
Launching cmd.exe command interpreter
Possible injection to a system process
Enabling autorun for a service
Firewall traversal
Enabling autorun by creating a file
Unauthorized injection to a system process
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug crypt embarcadero_delphi fingerprint inno installer installer installer-heuristic invalid-signature packed signed soft-404
Link:
https://www.filescan.io/uploads/69bd10694678eefbc7afb0c0/reports/b0c77bb9-4c2f-49b3-8eb6-e7ecbd1c1bb7/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c0fcad0ba982fd95958248c73ee12f1732229632fde97d645e2e479cc664bf84
Verdict:
Malicious
File Type:
exe x32
Detections:
Backdoor.Agent.TCP.C&C Trojan.Win32.Yakes Trojan.Win32.Inject.sb Trojan.Win32.Agent.sb Packed.Win32.PePatch.dk Backdoor.Win32.Poison.sb
Link:
https://opentip.kaspersky.com/c0fcad0ba982fd95958248c73ee12f1732229632fde97d645e2e479cc664bf84/results?tab=lookup
Score:
26%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/c0fcad0ba982fd95958248c73ee12f1732229632fde97d645e2e479cc664bf84
Gathering data
Verdict:
Malicious
Threat:
Family.VALLEYRAT_S2
Link:
https://tip.neiki.dev/file/c0fcad0ba982fd95958248c73ee12f1732229632fde97d645e2e479cc664bf84
Threat name:
Win32.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2026-03-20 09:06:33 UTC
File Type:
PE (Exe)
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yd6k2c5jql6zlfmcjddt5yjpc4zcffrs7xux2zc6fzdzzrtex6ca._file
Verdict:
malicious
Label(s):
shellcode_loader_008
Create hunting rule
Similar samples:
143fa9567ebbccacceb58201dd85b7206fdf22882ff2cea0da994a513572f14e
ValleyRAT
5b7aa8edd23f2df2d6116b047e09746839136d7de33e6260fd4cdcd9eb4b941a
ValleyRAT
6968840ce1b13d50d13f7f0320a2e5d66bfd97073f325231edc58ec85e694b6b
ValleyRAT
6d9cbd7fbf5a266760ff49defe0d47546b035fe1a31ebb134e28a3364b82a84e
ValleyRAT
71f7f0e2f384415cef81e600040bcb40aca574c873c813e8b35589a44f6ab6e8
ValleyRAT
ab2072ea9875d18f277462b80b10835a54c863ef4545a8ba821fff05291bc592
ValleyRAT
c0fcad0ba982fd95958248c73ee12f1732229632fde97d645e2e479cc664bf84
ValleyRAT
error
ValleyRAT
+ 122 additional samples on MalwareBazaar
Result
Malware family:
valleyrat_s2
Create hunting rule
Score:
  10/10
Tags:
family:valleyrat_s2 backdoor defense_evasion discovery execution installer persistence privilege_escalation ransomware spyware trojan
Link:
https://tria.ge/reports/260320-k8nknscw7y/
Behaviour
Checks SCSI registry key(s)
Gathers network information
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Inno Setup is an open-source installation builder for Windows applications.
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Network Service Discovery
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
Modifies Windows Firewall
ValleyRat
Valleyrat_s2 family
Malware Config
C2 Extraction:
www.2akks6668.com:80
www.2akks6668.com:443
www.2akks6668.com:7000
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c0fcad0ba982/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ValleyRAT

Executable exe c0fcad0ba982fd95958248c73ee12f1732229632fde97d645e2e479cc664bf84

(this sample)

  
Delivery method
Distributed via web download

Comments