MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8f77835cbe25f8935d2d5a72bc6ca6cb10c449cb2b507d5c781ba983ecf69c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c8f77835cbe25f8935d2d5a72bc6ca6cb10c449cb2b507d5c781ba983ecf69c8
SHA3-384 hash: 1b863e78e8457d9688f6de974774626e592029d90447732f0739e88fee5dd9965e96a7fe589f5533964baddaac3e6e73
SHA1 hash: 558c5bd1a7b85e6b2aeb9d91e18c2566545439f4
MD5 hash: 9e92fc8ac8e578f93582645d499ad198
humanhash: mississippi-thirteen-pizza-don
File name:c8f77835cbe25f8935d2d5a72bc6ca6cb10c449cb2b50.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:368'128 bytes
First seen:2026-04-08 10:00:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 13f3c1e33fd6792e7cb512ddb889dd46 (3 x ValleyRAT)
ssdeep 6144:3CZohuFpe8damq5Xey207pw7QRj9z5sc7653gfQ:ioUFpe8kJXe/0ekZ1v653gY
TLSH T1DC74B003A2EC3CEAD0768275A77743C6D72EEC5513A1C69F02D002969E3E693793A7D1
TrID 37.0% (.EXE) Win64 Executable (generic) (6522/11/2)
28.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.5% (.EXE) OS/2 Executable (generic) (2029/13)
11.3% (.EXE) Generic Win/DOS Executable (2002/3)
11.3% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
dhash icon f0968ee8aae8e8b2 (12 x ValleyRAT, 9 x Urelas, 5 x HermeticWiper)
Reporter abuse_ch
Tags:exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
143.92.32.25:6666

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
143.92.32.25:6666 https://threatfox.abuse.ch/ioc/1782859/

Intelligence

File Origin
# of uploads :
1
# of downloads :
123
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
c8f77835cbe25f8935d2d5a72bc6ca6cb10c449cb2b507d5c781ba983ecf69c8.exe
Verdict:
No threats detected
Analysis date:
2026-04-08 09:43:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fcfacb79-225d-48aa-b5e1-d074a8e665d8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/60807/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.43164951.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69d6234e6a61012f6ad00902
Tags:
autorun emotet
Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug fingerprint microsoft_visual_cc unsafe
Link:
https://www.filescan.io/uploads/69d6275b799d5bf325f248d9/reports/98cf75b5-eeba-48ae-9b09-6265f1562fd8/overview
Verdict:
Malicious
Labled as:
Win64/Agent_AGeneric.MIB trojan
Link:
https://www.hybrid-analysis.com/sample/c8f77835cbe25f8935d2d5a72bc6ca6cb10c449cb2b507d5c781ba983ecf69c8
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-04-08T04:15:00Z UTC
Last seen:
2026-04-08T08:44:00Z UTC
Hits:
~100
Detections:
Trojan-Downloader.Agent.HTTP.C&C Backdoor.Agent.TCP.C&C Trojan.Win32.Agent.sb Trojan-Downloader.Win32.Agent.sb HEUR:Trojan.Win32.Agent.gen Backdoor.Win32.Xkcp.a Backdoor.Win32.Agentb.sb HEUR:Trojan.Win64.Generic HEUR:Trojan.Multi.ShellCode.gen
Link:
https://opentip.kaspersky.com/c8f77835cbe25f8935d2d5a72bc6ca6cb10c449cb2b507d5c781ba983ecf69c8/results?tab=lookup
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4123197e-e510-46c8-b879-0b0fc7656b09
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1895166
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Potential Privilege Escalation using Task Scheduler highest RunLevel
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1895166 Sample: c8f77835cbe25f8935d2d5a72bc... Startdate: 08/04/2026 Architecture: WINDOWS Score: 100 42 Suricata IDS alerts for network traffic 2->42 44 Found malware configuration 2->44 46 Multi AV Scanner detection for dropped file 2->46 48 8 other signatures 2->48 8 c8f77835cbe25f8935d2d5a72bc6ca6cb10c449cb2b50.exe 19 2->8         started        12 pocket.exe 1 2->12         started        process3 dnsIp4 38 23.226.57.69, 49720, 7789 XIAOZHIYUN1-AS-APICIDCNETWORKUS United States 8->38 30 C:\Users\user\AppData\Local\...\c4.0[1].dll, PE32 8->30 dropped 32 C:\Users\user\AppData\Local\...\pocket[1].exe, PE32 8->32 dropped 34 C:\Users\Public\Downloads\pocketBase.dll, PE32 8->34 dropped 36 3 other malicious files 8->36 dropped 14 pocket.exe 2 1 8->14         started        18 schtasks.exe 1 12->18         started        file5 process6 dnsIp7 40 143.92.32.25, 49721, 49722, 49723 BCPL-SGBGPNETGlobalASNSG Singapore 14->40 50 Contains functionality to inject threads in other processes 14->50 52 Contains functionality to capture and log keystrokes 14->52 54 Contains functionality to inject code into remote processes 14->54 56 3 other signatures 14->56 20 schtasks.exe 1 14->20         started        22 schtasks.exe 1 14->22         started        24 conhost.exe 18->24         started        signatures8 process9 process10 26 conhost.exe 20->26         started        28 conhost.exe 22->28         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c8f77835cbe25f8935d2d5a72bc6ca6cb10c449cb2b507d5c781ba983ecf69c8
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/9e92fc8ac8e578f93582645d499ad198
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c8f77835cbe25f8935d2d5a72bc6ca6cb10c449cb2b507d5c781ba983ecf69c8/
Verdict:
Malicious
Threat:
Backdoor.Win32.Xkcp
Link:
https://tip.neiki.dev/file/c8f77835cbe25f8935d2d5a72bc6ca6cb10c449cb2b507d5c781ba983ecf69c8
Threat name:
Win64.Trojan.Qwexlafiba
Create hunting rule
Status:
Malicious
First seen:
2026-04-08 09:43:46 UTC
File Type:
PE+ (Exe)
Extracted files:
33
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zd3xqnol4jpysnos2wtsxrwknsyqyre4wk2qpvohqg5jqpwpnhea._file
Verdict:
malicious
Label(s):
valleyrat
Create hunting rule
Similar samples:
error
ValleyRAT
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery upx
Link:
https://tria.ge/reports/260408-l16xqagx2v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in System32 directory
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Unpacked files
SH256 hash:
c8f77835cbe25f8935d2d5a72bc6ca6cb10c449cb2b507d5c781ba983ecf69c8
MD5 hash:
9e92fc8ac8e578f93582645d499ad198
SHA1 hash:
558c5bd1a7b85e6b2aeb9d91e18c2566545439f4
Link:
https://www.unpac.me/results/a8b4e3ef-56b2-42c6-8761-4b18b02eb3d6/
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c8f77835cbe2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c8f77835cbe25f8935d2d5a72bc6ca6cb10c449cb2b507d5c781ba983ecf69c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:GenericGh0st
Create hunting rule
Author:Still
Rule name:Gh0stKCP
Create hunting rule
Author:Netresec
Description:Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference:https://netresec.com/?b=259a5af
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:Windows_Trojan_Winos_464b8a2e
Create hunting rule
Author:Elastic Security
Rule name:WinosStager
Create hunting rule
Author:YungBinary
Description:https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign
Rule name:win_winos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.winos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/60807/

Comments