MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c52c408a4f1f97b3d4869524efa389c8a2f8fe1d8c7f9bf4fb35008d92a7cde2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c52c408a4f1f97b3d4869524efa389c8a2f8fe1d8c7f9bf4fb35008d92a7cde2
SHA3-384 hash: 61e1c3e3caa28ff5afce5b6cbaf008763787c3df47ab0b913b01950760197ca6bbdaaa9512d0daaf4cb34f9bbb3cb4f1
SHA1 hash: 760833d99cf4ebf2c6cf33094428d1bb5acbdef8
MD5 hash: f1357e30d8ab80ecc3334c8928bc82ec
humanhash: grey-video-charlie-happy
File name:安装包F_setup.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:23'079'754 bytes
First seen:2025-07-22 03:28:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7320b3cae0f7c7e579e85728a091f04b (2 x CobaltStrike, 2 x ValleyRAT, 1 x Memento)
ssdeep 393216:0cqwjRe2B4QM8fFEUQQDEvJyRFhUpvQBjF/Gaa/BQM55w1Fg5qeP3DPKDUxM/n:da2BY8fuULAvJyRpF9UX6Lg5zP3p
TLSH T1A53733FB68A50EDCF8A1253AD8838816D537B0451790C61743A85F98BF6B301BCFE676
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon c6c2ccc4f4e0e0f8 (37 x PythonStealer, 21 x CrealStealer, 19 x Empyrean)
Reporter GDHJDSYDH1
Tags:backdoor dropper exe injector SilverFox ValleyRAT


Avatar
GDHJDSYDH1
C2:
47.239.83.181
8.138.164.68
Domain: job2.qaozrzszc.cn

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
47.239.83.181:7777 https://threatfox.abuse.ch/ioc/1559176/

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
F_setup.exe
Verdict:
Malicious activity
Analysis date:
2025-07-22 03:22:16 UTC
Tags:
python pyinstaller
Link:
https://app.any.run/tasks/1051ff8d-bf99-4168-b195-bc838b154d60

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/16198/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=687f03eb84b37dd61ef07ade
Tags:
emotet cobalt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a file
DNS request
Connection attempt
Sending a custom TCP request
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
compiled-script expand lolbin microsoft_visual_cc overlay overlay packed packed pyinstaller pyinstaller
Link:
https://www.filescan.io/uploads/687f055c5076b202e43e9d36/reports/5d114c44-df4a-48a1-978e-b2687ec4e79e/overview
Verdict:
Malicious
Labled as:
Trojan.ClipBanker
Link:
https://www.hybrid-analysis.com/sample/c52c408a4f1f97b3d4869524efa389c8a2f8fe1d8c7f9bf4fb35008d92a7cde2
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c52c408a4f1f97b3d4869524efa389c8a2f8fe1d8c7f9bf4fb35008d92a7cde2
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
Executable PDB Path PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/f1357e30d8ab80ecc3334c8928bc82ec
Gathering data
Verdict:
Malicious
Threat:
Backdoor.Win32.Inject
Link:
https://tip.neiki.dev/file/c52c408a4f1f97b3d4869524efa389c8a2f8fe1d8c7f9bf4fb35008d92a7cde2
Threat name:
Win64.Hacktool.UacMe
Create hunting rule
Status:
Malicious
First seen:
2025-07-22 03:22:18 UTC
File Type:
PE+ (Exe)
Extracted files:
782
AV detection:
9 of 24 (37.50%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yuwebcspd6l3hvegsuso7i4jzcrpr7q5rr7zx5h3guai3evhzxra._file
Verdict:
malicious
Label(s):
donut_injector
Create hunting rule
Similar samples:
error
ValleyRAT
Result
Malware family:
valleyrat_s2
Create hunting rule
Score:
  10/10
Tags:
family:valleyrat_s2 backdoor defense_evasion execution persistence pyinstaller ransomware
Link:
https://tria.ge/reports/250722-d1h7naek6x/
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Adds Run key to start application
Enumerates connected drives
Loads dropped DLL
Boot or Logon Autostart Execution: Active Setup
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
Modify Registry: Disable Windows Driver Blocklist
ValleyRat
Valleyrat_s2 family
Malware Config
C2 Extraction:
job2.qaozrzszc.cn:7777
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7b65667b-0f96-4256-be60-9241a87f37be
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c52c408a4f1f97b3d4869524efa389c8a2f8fe1d8c7f9bf4fb35008d92a7cde2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PyInstaller
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ValleyRAT

Executable exe c52c408a4f1f97b3d4869524efa389c8a2f8fe1d8c7f9bf4fb35008d92a7cde2

(this sample)

anyrun
any.run
https://app.any.run/tasks/1051ff8d-bf99-4168-b195-bc838b154d60
  
Link
https://tria.ge/250722-dw1adaek31
  
Link
https://intelix.sophos.com/report/4a0133a190cb459d88e364f4da27cb9a/dynamic/file
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/16198/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::ConvertSidToStringSidW
ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::RemoveDirectoryW
KERNEL32.dll::SetDllDirectoryW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments