MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4157fdbcc337db176dffca2d6d9adc22468302ac50ea968529e837a47d8ac5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT

Vendor detections: 14

Intelligence 14 IOCs YARA 16 File information Comments

SHA256 hash:	c4157fdbcc337db176dffca2d6d9adc22468302ac50ea968529e837a47d8ac5b
SHA3-384 hash:	2e293fdf7377d9a2cfb1570f711eb3af6dbec912908e6824cfd8e4d1ea5ecda5b7817fc8652ca90c324d6a530e128805
SHA1 hash:	deca32652e83c250baa997415355b2e91d17589a
MD5 hash:	f8f161613ac0bfadbc6320935bcd333c
humanhash:	fish-nebraska-helium-high
File name:	Library-solid-lzma.exe
Download:	download sample
Signature	ValleyRAT Create hunting rule
File size:	189'322 bytes
First seen:	2025-08-30 05:54:35 UTC
Last seen:	2025-08-30 07:21:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	039d1617d5f0788dacbd04b35a141ebe (28 x ValleyRAT)
ssdeep	3072:RsJY7SurwgsHYiUEZlHcQOgJHlQHMmnb9sKFCFo8lOWkGqjm/GUEIYhDkTYE7:RPKgzEZl82ZlhmnbhCFoY6GqjLUEbi
Threatray	468 similar samples on MalwareBazaar
TLSH	T15C04125282718072DE43067195323B066FAFED1860D9A6839B843E5BB8331D3D57E9F7
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	Anonymous
Tags:	exe ValleyRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Library-solid-lzma.exe

Verdict:

No threats detected

Analysis date:

2025-08-30 05:56:53 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3fe3a347-ed8d-4af3-9335-290be64ffdc3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/24201/

Detection(s):

SecuriteInfo.com.Win32.Malware-gen.68293935.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68b29223eb163e0ec1831ee9

Tags:

shellcode emotet virus sage

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file in the Program Files subdirectories

Creating a file

Creating a process from a recently created file

Сreating synchronization primitives

Creating a window

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Connection attempt to an infection source

Sending a TCP request to an infection source

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

adaptive-context microsoft_visual_cc obfuscated overlay packed packer_detected

Link:

https://www.filescan.io/uploads/68b2922139a6221faa761b2e/reports/45dfc108-08cc-4a95-91cb-a7eb40de5ee4/overview

Verdict:

Malicious

Labled as:

Trojan.Fsysna.ibyq

Link:

https://www.hybrid-analysis.com/sample/c4157fdbcc337db176dffca2d6d9adc22468302ac50ea968529e837a47d8ac5b

Verdict:

Malicious

File Type:

exe x32

Link:

https://opentip.kaspersky.com/c4157fdbcc337db176dffca2d6d9adc22468302ac50ea968529e837a47d8ac5b/results?tab=lookup

Malware family:

Winos

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/aac76222-3c50-490d-afc1-7f7f5907c148

Score:

92%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c4157fdbcc337db176dffca2d6d9adc22468302ac50ea968529e837a47d8ac5b

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE Memory-Mapped (Dump)

Link:

https://app.malva.re/file/f8f161613ac0bfadbc6320935bcd333c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c4157fdbcc337db176dffca2d6d9adc22468302ac50ea968529e837a47d8ac5b/

Threat name:

Win32.Infostealer.Tinba

Status:

Malicious

First seen:

2025-08-29 21:30:52 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

12 of 36 (33.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yqkx7w6mgn63c5w77srnnwnnyisgqmbkyuhks2cst2bxur6yvrnq._file

Verdict:

malicious

Label(s):

unc_loader_058

winos

ValleyRAT

1b3d01d49abdc244eb20b3a505d439be4e65df9ba52e8de876e70c5b987a403a

ValleyRAT

24be5daba220b38da8686b3211d66c7cfa78185cdddf7cf24d014e7ea1df34a1

ValleyRAT

44e62e4a2b6ce72ff7d58bd772aa1fe7a66a8a6bae8b1cb2c19c9507f16cc225

ValleyRAT

error

ValleyRAT

+ 458 additional samples on MalwareBazaar

Result

Malware family:

valleyrat_s2

Score:

10/10

Tags:

family:valleyrat_s2 backdoor discovery installer persistence

Link:

https://tria.ge/reports/250830-gl82baar9v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Adds Run key to start application

Enumerates connected drives

Executes dropped EXE

Loads dropped DLL

ValleyRat

Valleyrat_s2 family

Malware Config

C2 Extraction:

156.226.183.237:2324
127.0.0.1:8888
127.0.0.1:80

Verdict:

Malicious

Tags:

ProcessKiller

YARA:

n/a

Link:

https://app.threat.zone/submission/f062c588-c241-4295-95bb-de1f96148d4f

Unpacked files

SH256 hash:

c4157fdbcc337db176dffca2d6d9adc22468302ac50ea968529e837a47d8ac5b

MD5 hash:

f8f161613ac0bfadbc6320935bcd333c

SHA1 hash:

deca32652e83c250baa997415355b2e91d17589a

Link:

https://www.unpac.me/results/53d9fb8c-2615-4114-b88c-bce582b1a5ab/

SH256 hash:

a3767d292fd236d324838dfb02a251e0df0ac958f8f1eea04ad78ae64ce53b81

MD5 hash:

25f33fcf0ab54f39dd785b7ed121bd53

SHA1 hash:

9160b6517fba51abd3fc3d60a2332ca622f7e801

Link:

https://www.unpac.me/results/53d9fb8c-2615-4114-b88c-bce582b1a5ab/

SH256 hash:

dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

MD5 hash:

00a0194c20ee912257df53bfe258ee4a

SHA1 hash:

d7b4e319bc5119024690dc8230b9cc919b1b86b2

Link:

https://www.unpac.me/results/53d9fb8c-2615-4114-b88c-bce582b1a5ab/

Malware family:

ValleyRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c4157fdbcc33/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c4157fdbcc337db176dffca2d6d9adc22468302ac50ea968529e837a47d8ac5b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Windows_Generic_Threat_4b0b73ce Create hunting rule
Author:	Elastic Security

Rule name:	win_valley_rat_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.valley_rat.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ValleyRAT

exe c4157fdbcc337db176dffca2d6d9adc22468302ac50ea968529e837a47d8ac5b

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3614029/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/24201/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample